{"id":12501,"date":"2011-10-04T00:01:00","date_gmt":"2011-10-04T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2011\/10\/04\/use-powershell-active-directory-cmdlets-without-installing-any-software\/"},"modified":"2011-10-04T00:01:00","modified_gmt":"2011-10-04T00:01:00","slug":"use-powershell-active-directory-cmdlets-without-installing-any-software","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-active-directory-cmdlets-without-installing-any-software\/","title":{"rendered":"Use PowerShell Active Directory Cmdlets Without Installing Any Software"},"content":{"rendered":"

Summary:<\/strong> Learn how to use Windows PowerShell remoting to manage user objects without installing software on the client.<\/p>\n

 <\/p>\n

\"Hey,Hey, Scripting Guy! I was reading your article about using the Microsoft Active Directory Windows PowerShell cmdlets,<\/a> and it looks really cool. The problem is that I do not want to install the Windows Remote Server Administration tools just to be able to use the Microsoft cmdlets. I guess what I am asking is this: “Is there a way to use the Microsoft Active Directory Windows PowerShell cmdlets without having to install anything extra?” If it helps you any, I am using Windows 7 Professional (64-bit) and our domain controllers are all running Windows 2008 R2. We even promoted our Active Directory so that it is in Windows 2008 R2 mode.<\/p>\n

—KL<\/p>\n

 <\/p>\n

\"Hey,Hello KL,<\/p>\n

Microsoft Scripting Guy Ed Wilson here. Last week’s Windows PowerShell workshop in Seattle was a lot of fun. The students were really engaged and asked some great questions. My friend from Philadelphia, Pennsylvania, is out there this week doing an Exchange workshop. Anyway, during the class, I decided it would be a good idea to use Windows PowerShell remoting to perform Active Directory administration. In this way, I avoided the need to install the Remote Server Administration Tools (RSAT) on the client machine.<\/p>\n

The first thing to do is to enter a remote Windows PowerShell session. To do this I use the Enter-PSSession<\/b> cmdlet. I specify the computername<\/b> <\/i>and the credentials<\/b> for the remote session. The credentials<\/b> is an account that has the administrator rights on the remote machine. This command is shown here:<\/p>\n

Enter-PSSession -ComputerName dc1 –credential nwtraders\\administrator<\/p>\n

If I the account I am using for my client computer also has administrator rights on the remote machine, I can leave off the credential <\/i>parameter. After I have entered the session, I generally set my working location to the root of the drive so that I have more space for my commands. I then import  the ActiveDirectory<\/b> module. These commands appear are shown here:<\/p>\n

Set-Location c:\\<\/p>\n

Import-Module activedirectory<\/p>\n

The commands and the associated output are shown in the following image. Note how I use the aliases for the commands because it makes it easier to type.<\/p>\n

\"Image<\/a><\/p>\n

Now I will create a new user in Active Directory. I think I will name the user ed<\/b>. The command to create a new user is simple; it is New-ADUser<\/b> and the user name. The command to create a disabled user account in the users<\/b> container in the default domain is shown here:<\/p>\n

new-aduser -name ed<\/p>\n

When the preceding command that creates a new user has completed, nothing is returned to the Windows PowerShell console. To check to ensure the user is created, use the Get-ADUser<\/b> cmdlet to retrieve the user object:<\/p>\n

Get-aduser ed<\/p>\n

When I am certain my new user is created, I decide to create an organizational unit (OU) to store the user account. The command to create a new OU off the root of the domain is shown here:<\/p>\n

new-ADOrganizationalUnit scripting<\/p>\n

Just as with the previously used New-ADUser cmdlet, nothing is returned to the Windows PowerShell console. If I use the Get-ADOrganizationalUnit<\/b> cmdlet, I must use a different methodology. A simple Get-ADOrganizationalUnit<\/b> command returns an error; therefore, I use an LDAPFilter<\/i> parameter to find the OU. The command using the LDAPFilter<\/i> parameter to find my newly created OU is shown here:<\/p>\n

Get-ADOrganizationalUnit –LDAPFilter “(name=scripting)”<\/p>\n

The commands and associated output to create the user, get the user, create the OU, and get the OU are shown in the following figure.<\/p>\n

\"Image<\/a><\/p>\n

Now that I have a new user and a new OU, I need to move the user from the users<\/b> container to the newly created scripting<\/b> <\/i>OU. To do that, I use the Move-ADObject<\/b> cmdlet. I first get the distinguishedname<\/b> <\/i>attribute for the scripting<\/b> <\/i>OU, and store it in a variable called $oupath<\/b>. Next, I use the Move-ADObject<\/b> cmdlet to move the ed<\/b> user to the new OU. The trick here is that, whereas the Get-ADUser<\/b> cmdlet is able to find a user with the name of ed<\/b>, the Move-ADObject<\/b> must have the distinguishedname<\/b> of the ed<\/b> user object in order to move it. The error that occurs when not supplying the distinguishedname<\/b> <\/i>appears in the following figure. I could have used the Get-ADUser<\/b> cmdlet to retrieve the distinguishedname<\/b> <\/i>in a similar method as I did with the scripting<\/b> <\/i>OU, but I wanted to illustrate what the distinguishedname<\/b> <\/i>would look like.<\/p>\n

\"Image<\/a><\/p>\n

The next thing I need to do is enable the user account. To do this, I need to first assign a password to the user account. The password must be a secure string. To do this, I can use the ConvertTo-SecureString<\/b> cmdlet. By default, warnings are displayed about converting text to a secure string, but these prompts are suppressible by using the force<\/i> parameter. Here is the command I use to create a secure string for a password:<\/p>\n

$pwd = ConvertTo-SecureString -String “P@ssword1” -AsPlainText –Force<\/p>\n

Now that I have created a secure string to use for a password for my user account, I call the Set-ADAccountPassword<\/b> cmdlet to set the password. Because this is a new password, I need to use the newpassword<\/i> parameter. In addition, because I do not have a previous password, I use the reset <\/i>parameter. This command is shown here:<\/p>\n

Set-ADAccountPassword -Identity ed -NewPassword $pwd –Reset<\/p>\n

When the account has a password, I can enable the account. To do this, I use the Enable-ADAccount<\/b> cmdlet and specify the user name to enable. This command is shown here:<\/p>\n

Enable-ADAccount -Identity ed<\/p>\n

As with the previous commands, none of the cmdlets returns any information. To ensure I have actually enabled the ed<\/b> user account, I use the Get-ADUser<\/b> cmdlet. In the output, I am looking for the value of the enabled<\/b> <\/i>property, which is a Boolean, so I am expecting the value to be true. The commands to create the secure string for a password, set the password, enable the account, and get the account are shown in the following figure along with associated output.<\/p>\n

\"Image<\/a><\/p>\n

 <\/p>\n

Well, KL, that is all there is to connecting to a domain controller, creating a user and OU, moving a user, and enabling the account. Join me tomorrow when I will continue talking about remote Active Directory management techniques.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Learn how to use Windows PowerShell remoting to manage user objects without installing software on the client.   Hey, Scripting Guy! I was reading your article about using the Microsoft Active Directory Windows PowerShell cmdlets, and it looks really cool. The problem is that I do not want to install the Windows Remote Server […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,20,45],"class_list":["post-12501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-user-accounts","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Learn how to use Windows PowerShell remoting to manage user objects without installing software on the client.   Hey, Scripting Guy! I was reading your article about using the Microsoft Active Directory Windows PowerShell cmdlets, and it looks really cool. The problem is that I do not want to install the Windows Remote Server […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/12501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=12501"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/12501\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=12501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=12501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=12501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}