{"id":79075,"date":"2016-06-29T00:01:29","date_gmt":"2016-06-29T07:01:29","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/?p=79075"},"modified":"2019-02-18T09:10:33","modified_gmt":"2019-02-18T16:10:33","slug":"use-windows-powershell-as-an-administrative-console","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-windows-powershell-as-an-administrative-console\/","title":{"rendered":"Use Windows PowerShell as an administrative console"},"content":{"rendered":"<p><strong>Summary<\/strong>: Honorary Scripting Guy, Sean Kearney, shares his early use of PowerShell as a network administrator.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" alt=\"Hey, Scripting Guy! Question\" \/> I have a simple but irritating task each day around lunch time. A handful of people usually lock themselves out of Active Directory. Can you help me find an easy way to deal with this?<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" alt=\"Hey, Scripting Guy! Answer\" \/> Honorary Scripting Guy, Sean Kearney, is here to help you share the pain. I, too, once felt that prickly feeling on\u00a0the back of my neck near the end of lunch hour. \u201cLock out Hell\u201d, I called it.<\/p>\n<p>I know that everyone has experienced that, especially on Friday. A handful of people come in and for <u>whatever<\/u> reason have locked themselves out.<\/p>\n<p>We\u2019re not even going to get in to the root cause of this: the Shift key was stuck, there was a <em>soft lock<\/em> in the software, or their brains were sucked away by Martians.<\/p>\n<p>Perhaps they were showing off their \u2018R@s K001 P@$$w0rd skillz\u2019 to a co-worker and incorrectly typed\u00a0the last three punctuation marks in the password they invented.<\/p>\n<p>But, you would almost always get an onslaught of \u201cI locked myself out and NEED (not want \u2026 capital N*E*E*D) to get back in now.\u201d<\/p>\n<p>In the old world, I would have had to go to Active Directory <strong>Users and Computers<\/strong>, find the user, unlock the user, call the use, and then proceed to the next person.<\/p>\n<p>But, it never works like that, does it? Invariably, some of those users (or maybe all on a bad day) will lock themselves out again in that <u>same<\/u> 10-minute period. Thus the phrase, \u201cLock out Hell\u201d, as you waste half an hour going through the GUI to unlock users.<\/p>\n<p>People make mistakes, and there\u2019s no use getting angry with them. The process itself was just, well, lacking finesse.<\/p>\n<p>I had been using PowerShell earlier that month to migrate users to a new Active Directory and had been playing with the Quest cmdlets at the time. One lunch hour, I played with PowerShell and found the <strong>Unlock-QADUser<\/strong> cmdlet.<\/p>\n<p>After I found this cmdlet, the process was simply a matter of running something like the following for the five or six people:<\/p>\n<p style=\"padding-left: 60px\"><code>Unlock-QADUser jsmith<\/code><\/p>\n<p>Then I pressed an up arrow, entered the next name, and repeated the process for the next four or five. It was far less stressful. In the modern Windows Server 2008 R2 and higher environment, I would have used the following cmdlet:<\/p>\n<p style=\"padding-left: 60px\"><code>Unlock-ADAccount<\/code><\/p>\n<p>It accomplished the same result and, again, was far less aggravation for everyone\u2026including me. \ud83d\ude42<\/p>\n<p>Later on, I would have to start disabling users, often quietly and discreetly. Very much like \u201cShh\u2026when you see your phone ring from the VP Disable Mr. X.\u201d\u00a0 (Professor Xavier\u2019s evil cousin, you see.)<\/p>\n<p>For that, it was a matter of queuing up a cmdlet like <strong>Disable-QADUser<\/strong>. I would also correspondingly have an <strong>Enable-QADUser<\/strong> ready because sometimes it was actually Mrs. Y and not Mr. X so \u201cCould you please quickly flip that around?\u201d<\/p>\n<p>As result, it was very easy to deal with those situations by using PowerShell just as a management console.<\/p>\n<p>Later on in my IT life, we had to start producing some basic audits about\u00a0who had Domain Admin and Enterprise Admin access. I already knew that I could use PowerShell to ask Active Directory questions, such as, \u201cShow me all the members of this group.\u201d<\/p>\n<p>Auditors who saw the code that did the audit were very happy to see that it was PowerShell. The following cmdlet pulled up a list of Domain Admins and dumped it untouched to a CSV file.<\/p>\n<p style=\"padding-left: 60px\"><code>Get-ADGroupMember -Identity 'Domain Admins' | Export-CSV DomainAdmins.csv<\/code><\/p>\n<p>My environment actually had quite a few domains. Some were for the Development division, Vendor applications for a customer. Because of PowerShell, it was easy to pull the same data for any environment from the console.<\/p>\n<p>As my work progressed into other environments, including managing my remote workstations, PowerShell was my view into systems. Using Windows Management Instrumentation (WMI), I would easily query a remote system for its serial number by using <strong>Get-Wmiobject<\/strong>:<\/p>\n<p style=\"padding-left: 60px\"><code>(Get-WmiObject win32_bios \u2013computername PC123).serialnumber<\/code><\/p>\n<p>At the time, I didn\u2019t have tools like System Center Configuration Manager. Our Division was pretty small. I still needed to manage systems and ask questions.<\/p>\n<p>Those questions were readily answered by using PowerShell, even without scripts.<\/p>\n<p>It\u2019s just some food for thought if you\u2019re convincing yourself that PowerShell is only for scripters.<\/p>\n<p>Pop on in tomorrow. If you\u2019re curious, I\u2019ll show you some neat tricks that Microsoft offers to use PowerShell without actually have to learn it.<\/p>\n<p>Strange concept, eh?<\/p>\n<p>I invite you to follow the Scripting Guys on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to them at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow.<\/p>\n<p>Until then, always remember that with Great PowerShell comes Great Responsibility.<\/p>\n<p><strong>Sean Kearney\n<\/strong>Honorary Scripting Guy\nCloud and Datacenter Management MVP<\/p>\n<p style=\"padding-left: 90px\">\n","protected":false},"excerpt":{"rendered":"<p>Summary: Honorary Scripting Guy, Sean Kearney, shares his early use of PowerShell as a network administrator. I have a simple but irritating task each day around lunch time. A handful of people usually lock themselves out of Active Directory. Can you help me find an easy way to deal with this? Honorary Scripting Guy, Sean [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[568,685,641],"tags":[56,154,45],"class_list":["post-79075","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hey-scripting-guy","category-scripting-techniques","category-windows-powershell","tag-guest-blogger","tag-sean-kearney","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Honorary Scripting Guy, Sean Kearney, shares his early use of PowerShell as a network administrator. I have a simple but irritating task each day around lunch time. A handful of people usually lock themselves out of Active Directory. Can you help me find an easy way to deal with this? Honorary Scripting Guy, Sean [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/79075","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=79075"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/79075\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=79075"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=79075"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=79075"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}