Windows 2008 R2 PowerShell for AD

Back in this post http://richardsiddaway.spaces.live.com/default.aspx?_c01_BlogPart=blogentry&_c=BlogPart&handle=cns!43CFA46A74CF3E96!2214 we looked at creating OUs using the AD cmdlets in Windows 2008 R2. 

We may want to look at the OUs we have in our domain

Get-ADOrganizationalUnit -Filter {Name -like "*"} | Format-Table name, distinguishedname -AutoSize

or we may want to search for a user

Get-ADUser -Identity Richard

As regular readers will be aware I am a big fan of the Quest AD cmdlets – so I wanted to see how the Win08R2 cmdlets compared.

Creating a new user is relatively straightforward

New-ADUser -SamAccountName "fdrake" -Name "DRAKE Francis" -AccountPassword (ConvertTo-SecureString -AsPlainText "Passw0rd!" -Force) -Enabled $true -ChangePasswordAtLogon $true -GivenName "Francis" -Surname "Drake" -Path "OU=England,OU=AllUsers,DC=grayson,DC=test"

I like the ability to enable the account at the same time as we create it. I don’t like the convolutions with the password; I would probably look to move that part to a separate statement and use a variable as the value for the cmdlet if I was bulk creating users. For creating users the two sets of cmdlets are comparable. The differences are more or less balanced. I would be happy using either.
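The bulk-creation approach described above (password handled in a separate statement and passed as a variable), as an added example that is not code from the original post. The user list, the `Sam` column name and the second account are constructed sample data, and the initial password is prompted for as a SecureString so that it is never written into the script.

```powershell
# Added example: bulk user creation with the password held in a SecureString variable.
Import-Module ActiveDirectory

# Prompt once; the initial password is not stored in the script or the command history.
$initialPassword = Read-Host -Prompt 'Initial password for new accounts' -AsSecureString

# Constructed sample data; in practice this would come from Import-Csv.
$newUsers = @'
Sam,GivenName,Surname
fdrake,Francis,Drake
wraleigh,Walter,Raleigh
'@ | ConvertFrom-Csv

$ou = 'OU=England,OU=AllUsers,DC=grayson,DC=test'   # OU used in the post

foreach ($u in $newUsers) {
    # Skip accounts that already exist instead of failing part-way through the batch.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") {
        Write-Warning "$($u.Sam) already exists, skipped"
        continue
    }

    # Same parameters as the single-user command in the post, supplied by splatting.
    $params = @{
        SamAccountName        = $u.Sam
        Name                  = '{0} {1}' -f $u.Surname.ToUpper(), $u.GivenName
        GivenName             = $u.GivenName
        Surname               = $u.Surname
        Path                  = $ou
        AccountPassword       = $initialPassword
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }

    try {
        New-ADUser @params -ErrorAction Stop
        Write-Output "Created $($u.Sam)"
    }
    catch {
        Write-Warning "Failed to create $($u.Sam): $($_.Exception.Message)"
    }
}
```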

Searching for users is another matter.  These variants work

Get-ADUser -Filter {Name -like "*drake*"}
Get-ADUser fdrake

Some other options, such as using the name, don’t. My feeling is that the Quest tool is better at this aspect of working with AD.

The AD provider I find very clumsy at first impression.  Using the distinguished name involves a lot more work than seems necessary. I’ve used the PowerShell Community Extensions provider in the past and the navigation in that does seem neater.  However, the advantage of the R2 provider is that I get access to the configuration and schema partitions as well so maybe it isn’t all bad. Need to do some more work with this one.

One feature that I am excited about in R2 is the recycle bin for AD.  The forest & domain level need raising to Windows 2008 R2 and then we can run

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope Forest -Target 'grayson'

where the target is the name of the forest.

Next job is to look at using the recycle bin.
