Friday, January 13, 2012

Installing the Active Directory Module for Windows PowerShell 2.0

With the release of PowerShell 2.0, we now have a PowerShell module that we can use to administer Active Directory. The Active Directory Module for Windows PowerShell runs on Windows Server 2008 R2 and on Windows 7 and relies on a web service that is hosted on one or more domain controllers in your environment. In this post I'll go over what you need in order to install and use the Active Directory Module for PowerShell, also known as AD PowerShell.
 

Setting up your Domain Controllers

In order to use the Active Directory Module for Windows PowerShell on 2008 R2 and Windows 7, you first need to be running Active Directory Web Services (ADWS) on at least one Domain Controller. To install Active Directory Web Services (ADWS) you'll need one of the following:

1. Windows Server 2008 R2 AD DS

You can load Active Directory Web Services (ADWS) on a Windows Server 2008 R2 Domain Controller when you install the AD DS role. The AD PowerShell module will also be installed during this process. Active Directory Web Services (ADWS) will be enabled when you promote the server to a DC using DCPromo.

2. Active Directory Management Gateway Service

If you cannot run Windows Server 2008 R2 Domain Controllers, you can install the Active Directory Management Gateway Service. Installing this will allow you to run the same Active Directory web service that runs on Windows Server 2008 R2 DCs. You can download the Active Directory Management Gateway Service here. Make sure you read the instructions carefully, because there are several hotfixes that need to be applied depending on the version of Windows you are running. You can install the Active Directory Management Gateway Service on DCs running the following operating systems:
  • Windows Server 2003 R2 with Service Pack 2
  • Windows Server 2003 SP2
  • Windows Server 2008
  • Windows Server 2008 SP2
Note: You can also use AD PowerShell to manage AD LDS instances on Windows Server 2008 R2. If you plan on using AD LDS, Active Directory Web Services will be installed with the AD LDS role, and the AD PowerShell module will also be installed during this process. The ADWS service will be enabled when your LDS instance is created.

Once you've got Active Directory web services up and running on your Domain Controller(s), you'll notice you now have an ADWS service as shown here:



At this point, you should be ready to install the AD PowerShell module. You can run AD PowerShell on all versions of Windows Server 2008 R2 (except the Web Edition) and on Windows 7.

Installing the Active Directory Module for Windows PowerShell on 2008 R2 member servers

You can install the Active Directory Module on Windows 2008 R2 member servers by adding the RSAT-AD-PowerShell feature using the Server Manager. I usually use the ServerManager module to do this because it is quick and easy. To install the feature using the ServerManager module, launch PowerShell and run the following commands:

Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell



Remember, this only needs to be done on Windows Server 2008 R2 member servers. The RSAT-AD-PowerShell feature will be added to 2008 R2 DCs during the DCPromo process.

Installing the Remote Server Administration Tools (RSAT) feature on Windows 7

In order to install the Active Directory Module for Windows PowerShell you need to download the RSAT tools for Windows 7 here. Once this is installed you are still not finished; you need to enable the Active Directory module. Navigate to Control Panel > Programs and Features > Turn Windows Features On or Off and select Active Directory Module for Windows PowerShell as shown here:



Once you have Active Directory web services running on at least one domain controller and the AD PowerShell module is installed, you are ready to run the AD PowerShell module. You can do this in one of two ways. First, you can access the "Active Directory Module for Windows PowerShell" shortcut in Administrative Tools as shown here:



Right click the shortcut and select "Run as administrator" in order to start PowerShell with elevated permissions.

You can also simply import the AD PowerShell module in your existing PowerShell session. Just use the Import-Module ActiveDirectory command:

Import-Module ActiveDirectory



That's all that needs to be done to get up and running.
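
A readiness check for the setup described above, written as an added example (not code from the original post) and kept compatible with PowerShell 2.0. The function name Test-ADModuleReadiness and its -Server parameter are made up for illustration; TCP 9389 is the port ADWS listens on, so a closed port usually means a firewall sits between the workstation and the DC.

```powershell
# Added example, not from the original post. Works on PowerShell 2.0.
# Test-ADModuleReadiness and -Server are hypothetical names.
function Test-ADModuleReadiness {
    param([string]$Server)  # optional DC name; located automatically if omitted

    $report = New-Object PSObject -Property @{
        ModuleInstalled = $false     # is the ActiveDirectory module on this machine?
        Server          = $Server    # DC that was checked
        AdwsStatus      = 'Unknown'  # state of the ADWS service on that DC
        Port9389Open    = $false     # can we reach the ADWS port from here?
        QueryOk         = $false     # did a read-only query through ADWS succeed?
    }

    # 1. The module must be installed locally (RSAT feature enabled).
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return $report }
    $report.ModuleInstalled = $true
    # The import only warns (and still loads) when no ADWS instance is found.
    Import-Module ActiveDirectory -WarningAction SilentlyContinue

    # 2. Ask the DC locator for a domain controller that advertises ADWS.
    if (-not $Server) {
        try {
            $dc = Get-ADDomainController -Discover -Service ADWS -ErrorAction Stop
            $Server = @($dc.HostName)[0]
            $report.Server = $Server
        } catch { return $report }
    }

    # 3. Service state on the DC (requires rights to query services remotely).
    $svc = Get-Service -Name ADWS -ComputerName $Server -ErrorAction SilentlyContinue
    if ($svc) { $report.AdwsStatus = [string]$svc.Status }

    # 4. TCP reachability of port 9389, with a 3 second timeout.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $tcp.BeginConnect($Server, 9389, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(3000, $false)) {
            $tcp.EndConnect($async)
            $report.Port9389Open = $tcp.Connected
        }
    } catch { } finally { $tcp.Close() }

    # 5. End-to-end proof: one read-only cmdlet round trip through ADWS.
    try { Get-ADRootDSE -Server $Server -ErrorAction Stop | Out-Null; $report.QueryOk = $true } catch { }
    $report
}
Test-ADModuleReadiness | Format-List
```

If ModuleInstalled is true but QueryOk is false, compare AdwsStatus and Port9389Open to tell a stopped service apart from a blocked port.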

 
Below is a list of the new AD cmdlets that will be available and a synopsis of what they do.

| Name | Category | Synopsis |
|---|---|---|
| Add-ADComputerServiceAccount | Cmdlet | Adds one or more service accounts to an Active Directory computer. |
| Add-ADDomainControllerPasswordReplicationPolicy | Cmdlet | Adds users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy. |
| Add-ADFineGrainedPasswordPolicySubject | Cmdlet | Applies a fine-grained password policy to one or more users and groups. |
| Add-ADGroupMember | Cmdlet | Adds one or more members to an Active Directory group. |
| Add-ADPrincipalGroupMembership | Cmdlet | Adds a member to one or more Active Directory groups. |
| Clear-ADAccountExpiration | Cmdlet | Clears the expiration date for an Active Directory account. |
| Disable-ADAccount | Cmdlet | Disables an Active Directory account. |
| Disable-ADOptionalFeature | Cmdlet | Disables an Active Directory optional feature. |
| Enable-ADAccount | Cmdlet | Enables an Active Directory account. |
| Enable-ADOptionalFeature | Cmdlet | Enables an Active Directory optional feature. |
| Get-ADAccountAuthorizationGroup | Cmdlet | Gets the account's token group information. |
| Get-ADAccountResultantPasswordReplicationPolicy | Cmdlet | Gets the resultant password replication policy for an Active Directory account. |
| Get-ADComputer | Cmdlet | Gets one or more Active Directory computers. |
| Get-ADComputerServiceAccount | Cmdlet | Gets the service accounts hosted by a computer. |
| Get-ADDefaultDomainPasswordPolicy | Cmdlet | Gets the default password policy for an Active Directory domain. |
| Get-ADDomain | Cmdlet | Gets an Active Directory domain. |
| Get-ADDomainController | Cmdlet | Gets one or more Active Directory domain controllers based on discoverable services criteria, search parameters or by providing a domain controller identifier, such as the NetBIOS name. |
| Get-ADDomainControllerPasswordReplicationPolicy | Cmdlet | Gets the members of the allowed list or denied list of a read-only domain controller's password replication policy. |
| Get-ADDomainControllerPasswordReplicationPolicyUsage | Cmdlet | Gets the Active Directory accounts that are authenticated by a read-only domain controller or that are in the revealed list of the domain controller. |
| Get-ADFineGrainedPasswordPolicy | Cmdlet | Gets one or more Active Directory fine grained password policies. |
| Get-ADFineGrainedPasswordPolicySubject | Cmdlet | Gets the users and groups to which a fine grained password policy is applied. |
| Get-ADForest | Cmdlet | Gets an Active Directory forest. |
| Get-ADGroup | Cmdlet | Gets one or more Active Directory groups. |
| Get-ADGroupMember | Cmdlet | Gets the members of an Active Directory group. |
| Get-ADObject | Cmdlet | Gets one or more Active Directory objects. |
| Get-ADOptionalFeature | Cmdlet | Gets one or more Active Directory optional features. |
| Get-ADOrganizationalUnit | Cmdlet | Gets one or more Active Directory organizational units. |
| Get-ADPrincipalGroupMembership | Cmdlet | Gets the Active Directory groups that have a specified user, computer, group, or service account. |
| Get-ADRootDSE | Cmdlet | Gets the root of a Directory Server information tree. |
| Get-ADServiceAccount | Cmdlet | Gets one or more Active Directory service accounts. |
| Get-ADUser | Cmdlet | Gets one or more Active Directory users. |
| Get-ADUserResultantPasswordPolicy | Cmdlet | Gets the resultant password policy for a user. |
| Install-ADServiceAccount | Cmdlet | Installs an Active Directory service account on a computer. |
| Move-ADDirectoryServer | Cmdlet | Moves a directory server in Active Directory to a new site. |
| Move-ADDirectoryServerOperationMasterRole | Cmdlet | Moves operation master roles to an Active Directory directory server. |
| Move-ADObject | Cmdlet | Moves an Active Directory object or a container of objects to a different container or domain. |
| New-ADComputer | Cmdlet | Creates a new Active Directory computer. |
| New-ADFineGrainedPasswordPolicy | Cmdlet | Creates a new Active Directory fine grained password policy. |
| New-ADGroup | Cmdlet | Creates an Active Directory group. |
| New-ADObject | Cmdlet | Creates an Active Directory object. |
| New-ADOrganizationalUnit | Cmdlet | Creates a new Active Directory organizational unit. |
| New-ADServiceAccount | Cmdlet | Creates a new Active Directory service account. |
| New-ADUser | Cmdlet | Creates a new Active Directory user. |
| Remove-ADComputer | Cmdlet | Removes an Active Directory computer. |
| Remove-ADComputerServiceAccount | Cmdlet | Removes one or more service accounts from a computer. |
| Remove-ADDomainControllerPasswordReplicationPolicy | Cmdlet | Removes users, computers and groups from the allowed or denied list of a read-only domain controller password replication policy. |
| Remove-ADFineGrainedPasswordPolicy | Cmdlet | Removes an Active Directory fine grained password policy. |
| Remove-ADFineGrainedPasswordPolicySubject | Cmdlet | Removes one or more users from a fine grained password policy. |
| Remove-ADGroup | Cmdlet | Removes an Active Directory group. |
| Remove-ADGroupMember | Cmdlet | Removes one or more members from an Active Directory group. |
| Remove-ADObject | Cmdlet | Removes an Active Directory object. |
| Remove-ADOrganizationalUnit | Cmdlet | Removes an Active Directory organizational unit. |
| Remove-ADPrincipalGroupMembership | Cmdlet | Removes a member from one or more Active Directory groups. |
| Remove-ADServiceAccount | Cmdlet | Removes an Active Directory service account. |
| Remove-ADUser | Cmdlet | Removes an Active Directory user. |
| Rename-ADObject | Cmdlet | Changes the name of an Active Directory object. |
| Reset-ADServiceAccountPassword | Cmdlet | Resets the service account password for a computer. |
| Restore-ADObject | Cmdlet | Restores an Active Directory object. |
| Search-ADAccount | Cmdlet | Gets Active Directory user, computer, or service accounts. |
| Set-ADAccountControl | Cmdlet | Modifies user account control (UAC) values for an Active Directory account. |
| Set-ADAccountExpiration | Cmdlet | Sets the expiration date for an Active Directory account. |
| Set-ADAccountPassword | Cmdlet | Modifies the password of an Active Directory account. |
| Set-ADComputer | Cmdlet | Modifies an Active Directory computer object. |
| Set-ADDefaultDomainPasswordPolicy | Cmdlet | Modifies the default password policy for an Active Directory domain. |
| Set-ADDomain | Cmdlet | Modifies an Active Directory domain. |
| Set-ADDomainMode | Cmdlet | Sets the domain mode for an Active Directory domain. |
| Set-ADFineGrainedPasswordPolicy | Cmdlet | Modifies an Active Directory fine grained password policy. |
| Set-ADForest | Cmdlet | Modifies an Active Directory forest. |
| Set-ADForestMode | Cmdlet | Sets the forest mode for an Active Directory forest. |
| Set-ADGroup | Cmdlet | Modifies an Active Directory group. |
| Set-ADObject | Cmdlet | Modifies an Active Directory object. |
| Set-ADOrganizationalUnit | Cmdlet | Modifies an Active Directory organizational unit. |
| Set-ADServiceAccount | Cmdlet | Modifies an Active Directory service account. |
| Set-ADUser | Cmdlet | Modifies an Active Directory user. |
| Uninstall-ADServiceAccount | Cmdlet | Uninstalls an Active Directory service account from a computer. |

 
