Powershell Ad

POWERSHELL AD

Tips and Tricks in PowerShell to manage your AD Environment without breaking the bank! Graduate of the U.S. Naval Academy Aerospace Engineering (BS) U.S. Navy – Surface Warfare (IR) Mechanical Engineer – Kone Elevators Communications Engineer – Andrew Telecom Carpenter – ADI Granite and Tile Line Supervisor – The Boeing Company (various) – IT deploy / break-fix Benjamin Steel – Technical Support Mark Tinder Benjamin Steel – Network Administrator Benjamin Steel Company

#SPICEWORLD2017 Tools You Can Pay For

Manage Engine Solar Winds AD Manager Plus Server & Application Monitor ~ $500 (entry level) ~ $2900 (entry level)

Netwrix Auditor 5.0 ~ $10 (per user)

#SPICEWORLD2017 PowerShell AD - Setting Up the Environment

You need either: - server with the Active Directory role installed

- domain networked computer with Microsoft’s Remote Server Administration Tool (RSAT) for Windows installed. - Installation instructions and download link: https://support.microsoft.com/en- us/kb/2693643 - Note: Following installation on Windows Vista and 7, features are not available by default. • Control Panel >> Windows features on or off.

- Account with permissions to access Active Directory - Account Operators (Rob Dunn) - https://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset- permissions-for-your-it-staff

#SPICEWORLD2017 Commands We Shall Cover

Get-Help Set-ADUser

Get-ADDomain Set-ADAccountPassword

Get-ADForest (similar to Get-ADDomain, but shorter) Others:

Get-ADComputer Get-Command

Get-ADGroup Get-Member

Get-ADGroupMember Get-Alias

Get-ADUser .GetType()

#SPICEWORLD2017 Get-Help Command Get-Help Get-AD* - returns all commands that begin with Get-AD

Some of the more useful: - Get-ADDomain - Get-ADComputer - Get-ADForest

- Similar to Get-ADDomain - Get-ADGroup - Get-ADGroupMember - Get-ADUser - (more info with -detail switch)

#SPICEWORLD2017 Get-ADDomain Get-ADDomain vs. Get-ADForest

- DomainMode / ForestMode - PDCEmulator - RIDMaster - UserContainer

- DomainNamingMaster - GlobalCatalogs - SchemaMaster

#SPICEWORLD2017 Get-ADComputer Get-ADComputer -Property * - Name - Enabled - IPv4Address - LastLogonDate - MemberOf - OperatingSystem - SamAccountName Logged on User (WMIC) Z-Ethan https://community.spiceworks.com/how _to/40336-use-cmd-to-return-the- logged-in-user-of-a-remote-computer

#SPICEWORLD2017 Get-ADGroup Get-ADGroup -Property * - Name - GroupScope - GroupCategory - mail - Members - MemberOf - SamAccountName

#SPICEWORLD2017 Get-ADGroupMember Get-ADGroupMember - name - SamAccountName

Col. Mustard, in the Conservatory, with the Lead Pipe

#SPICEWORLD2017 Get-ADUser Get-ADUser –Filter *

Note: this returns all User objects, regardless of what OU they are in.

To collect only domain users (i.e. not concerned with built-in accounts), use the –SearchBase property.

#SPICEWORLD2017 Get-ADUser -SearchBase Get-ADUser –SearchBase “OU=DomainUsers,DC=pshelldemo, DC=local” -Filter *

Note: this returns all User objects in the specified OU, and all sub-OUs.

Get-ADUser defaults to using –SearchScope Subtree so this property does NOT need to be specified in your command string.

#SPICEWORLD2017 Get-ADUser – Extended Details Get-ADUser -Property * - Name/DisplayName/SamAccountName - Enabled - StreetAddress/City/State/PostalCode - Department/Company/Manager - EmailAddress - Fax/OfficePhone/MobilePhone - Description/Title - LastLogonDate - LockedOut - MemberOf - PasswordLastSet/PasswordExpired

#SPICEWORLD2017 Set-ADUser Set-ADUser -Property * - Name/DisplayName/SamAccountName - Enabled - StreetAddress/City/State/PostalCode - Department/Company/Manager - EmailAddress - Fax/OfficePhone/MobilePhone - Description/Title - ChangePasswordAtLogon

#SPICEWORLD2017 New-ADUser New-ADUser –Name -GivenName -Surname -Path “OU=<>,DC=<>,DC=<>“ -Enabled $true (default is $false) -Password $password (“Demo1234” | ConvertTo-SecureString – AsPlainText –Force) (-ChangePasswordAtLogon $true) - No Copy-ADUser (need to use New- ADUser with –Instance property *issues)

#SPICEWORLD2017 Resetting an Existing User’s Password

$password = ConvertTo-SecureString –String “Psh3llDemo” –AsPlainText –Force

Set-ADAccountPassword –NewPassword $password -Reset

#SPICEWORLD2017 Fun With Scripts – new users

#SPICEWORLD2017 Fun With Scripts – update users

#SPICEWORLD2017 Fun With Scripts – the audit!!

#SPICEWORLD2017 Useful PowerShell Active Directory Scripts

Password Expiration Notification - Preston_Burk https://community.spiceworks.com/scripts/show/1482-password-expiration-notification

Password Expiry Reminders – Shads https://community.spiceworks.com/scripts/show/1038-password-expiry-reminders

Get Last Computer Logon Time – George E https://community.spiceworks.com/scripts/show/1097-get-last-computer-logon-time

Active Directory Last Logon - Twon of An (Function – not script) https://community.spiceworks.com/scripts/show/1888-active-directory-last-logon

Powershell: Email alert if key accounts become locked – Bodestone https://community.spiceworks.com/scripts/show/1782-powershell-email-alert-if-key-accounts- become-locked

Over 200 scripts posted in Spiceworks Community for Active Directory and PowerShell (1400).