What is PowerShell
PowerShell is a scripting language commonly used to automate the management of systems; it is also used to build, test, and deploy solutions. This is not a course on PowerShell scripting, but it will start to introduce you to the "shell", similar to that of DOS or Linux/UNIX. You are not expected to understand PowerShell scripts, only to feel comfortable executing the commands you will be supplied with.
PowerShell Scripts
Microsoft PowerShell has many uses, as discussed during this course. For this exercise we have the following script available. The details are not important unless you have an interest in PowerShell or in creating PowerShell scripts. To view the script, open it from this link. To see the CSV file of users, open this link. Remember to use the back button to return.
Use the supplied script to create multiple users in our training company.
You will be using the following two files.
"Create AD from CSV.ps1" is the script - all PowerShell scripts have the .ps1 extension.
"CanonTrainingUsers.csv" is a list of users and their default passwords.
1. Start the AMS-DC1 virtual machine if it is not already started.
2. Log in with the credentials canon\administrator and the password supplied by your trainer.
3. Copy the CanonTrainingUsers.csv file to the root of the C: drive of the server you are using, if it is not already there. The script reads it from C:\CanonTrainingUsers.csv.
4. To run the PowerShell script from the desktop, right-click the PowerShell script and select Edit.
Note: This will open PowerShell in a mode named ISE. The script will open in the top part of the screen and the bottom section will show the result when the script is run. Details of the script are listed at the bottom of this page if you have a further interest in how the script works.
5. Select the green run button to execute the script. It will then change to a stop button. Do not stop the script.
6. Enter the domain name canon.training and hit return.
7. If all has worked as expected, you should see the screen below, confirming the creation of all the users.
8. Select N for No when asked to add new users manually, unless you want to add another user for your own testing.
9. Confirm the users are created using the AD Users and Computers snap-in. You may need to refresh the view.
1. Add PowerShell to your taskbar using the Windows search function.
2. Right-click to open PowerShell (not ISE) as an administrator.
NOTE: The first time you access PowerShell you will not get the right-click menu option for Administrator. Simply open and close PowerShell and then repeat to see the option.
3. Type "Get-ADUser (username)". Here you can see the SID, the unique identifier that distinguishes every user in AD. Use your own user in the format J.Thomas, as shown in the screenshot below.
4. Try this command to see all the available properties. It will display all the attributes of the selected user:
Get-ADUser (username) -Properties *
If you saved a .txt copy of the script from the build of the DC, you can try opening it in PowerShell ISE.
1. From Server Manager select View and enable file extensions.
2. Change the extension of the text document to .ps1.
3. Right-click the file and select Edit to use ISE. You can also use a simple notepad application to edit scripts, or ideally an extended one such as Notepad++.
4. You can then run the script in the same way you did the user creation script. Below is a copy of the complete build script required. The one you download only promotes the server to a domain controller; to run it on a new server, the additional line installs the AD DS role first. The promotion part of the script below is the one you had the option to copy from Server Manager when you created the DC.
#
# Windows PowerShell script for AD DS Deployment
#
Add-WindowsFeature AD-Domain-Services
#
# Promote to DC for canon.training
#
Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "WinThreshold" `
    -DomainName "canon.training" `
    -DomainNetbiosName "CANON" `
    -ForestMode "WinThreshold" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true
# Create AD from CSV.ps1 - the user creation script used in the exercise above.
Import-Module ActiveDirectory
# Connect to the list of users to configure; edit the location as applicable.
$Users = Import-Csv C:\CanonTrainingUsers.csv
# Domain to connect to. The prompt must be quoted or Read-Host treats each word as a separate argument.
$Server = Read-Host "What is the domain you wish to add the users to (EX. Training.local)?"
# Build the LDAP path of the domain root once, one DC= component per domain label,
# so a three-label domain works as well as a two-label one.
$Path = "DC=" + (($Server -split "\.") -join ",DC=")
# Loop through the list to collect all required user information into variables.
foreach ($User in $Users)
{
    $Detailedname = $User.firstname + " " + $User.name
    $Password = $User.password
    $UserFirstname = $User.firstname
    $FirstLetterFirstname = $UserFirstname.Substring(0,1)
    $SAM = $FirstLetterFirstname + "." + $User.name
    $firstname = $User.firstname
    $name = $User.name
    $email = $name + $FirstLetterFirstname + "@" + $Server
    $Description = $User.description
    # Create a variable for the LDAP/AD path of the user's OU.
    $OU = $User.ou
    $FullPath = "OU=" + $OU + "," + $Path
    # Check if the OU exists and create it if not. Check the domain path is correct and error if not.
    if (-not (Test-Path "AD:\$FullPath")) {
        Try {
            Write-Host $OU -ForegroundColor Yellow
            New-ADOrganizationalUnit -Name $OU -Path $Path -ErrorAction Stop
        }
        Catch {
            Write-Host "You have entered invalid domain details. Please restart with the correct domain for the local computer." -ForegroundColor Yellow
            Throw "AD does not exist"
        }
    }
    # Add the user to the domain using the CSV supplied details.
    # The UPN is the SAM account name at the domain, e.g. J.Thomas@canon.training.
    Write-Host "$Detailedname ($OU)"
    New-ADUser -Name $Detailedname -SamAccountName $SAM -UserPrincipalName "$SAM@$Server" -DisplayName $Detailedname -GivenName $firstname -Surname $name -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path $FullPath -EmailAddress $email -PasswordNeverExpires $true -Description $Description
    if ($OU -eq "IT") {
        Add-ADGroupMember "Domain Admins" -Members $SAM
        Write-Host $SAM "Added to the Domain Administrators Group"
    }
    else {
        # On a domain controller "Administrators" is the built-in domain Administrators group.
        Add-ADGroupMember Administrators -Members $SAM
        Write-Host $SAM "Added to the Local Administrators Group"
    }
}
# Add new users if required.
$additionalUsers = Read-Host "Do you want to add more users? (y/n)"
if ($additionalUsers -eq "y") {
    # Loop to add new users. Read-Host returns a string, so cast the count to an integer.
    $count = [int](Read-Host "How many?")
    for ($i = 1; $i -le $count; $i++)
    {
        $firstname = Read-Host "What is the firstname of new user $i ?"
        $surname = Read-Host "What is the surname of new user $i ?"
        $Detailedname = $firstname + " " + $surname
        $Password = Read-Host "What is the password for $Detailedname ?"
        $FirstLetterFirstname = $firstname.Substring(0,1)
        $SAM = $FirstLetterFirstname + "." + $surname
        $email = $surname + $FirstLetterFirstname + "@" + $Server
        $Description = Read-Host "Add a description if required for $Detailedname ?"
        # Create the path variable for the OU ($Path for the domain root was built above).
        $OU = Read-Host "OU for the user? Note all users in the (IT) OU will have Domain Admin rights"
        $FullPath = "OU=" + $OU + "," + $Path
        # Check if the OU exists and create it if not.
        if (-not (Test-Path "AD:\$FullPath")) {
            New-ADOrganizationalUnit -Name $OU -Path $Path -ErrorAction Stop
        }
        Write-Host "New User Added $Detailedname ($OU)" -ForegroundColor Yellow
        # Add the user to the domain using the details entered above.
        New-ADUser -Name $Detailedname -SamAccountName $SAM -UserPrincipalName "$SAM@$Server" -DisplayName $Detailedname -GivenName $firstname -Surname $surname -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path $FullPath -EmailAddress $email -PasswordNeverExpires $true -Description $Description
        if ($OU -eq "IT") {
            Add-ADGroupMember "Domain Admins" -Members $SAM
            Write-Host $SAM "Added to the Domain Administrators Group"
        }
        else {
            Add-ADGroupMember Administrators -Members $SAM
            Write-Host $SAM "Added to the Local Administrators Group"
        }
    }
}
else {
    # Create a user report on C:\
    Get-ADUser -Filter * -Properties Name,DisplayName,Description,EmailAddress |
        Sort-Object Name |
        Select-Object -Property Name,DisplayName,Description,EmailAddress |
        ConvertTo-Html -Property Name,DisplayName,Description,EmailAddress -PreContent "User Accounts" |
        Out-File C:\UserReport.html
    # Write out the end message.
    Write-Host "All done - Users Created from CSV and additional where selected."
}
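After the script has run, it is worth checking what it actually did rather than relying on the console output alone. The following is an added example and is not part of the training script: it re-reads the same CSV, confirms that every row became an enabled account in the expected OU with a UPN in the domain, reports the PasswordNeverExpires flag the script sets, and lists who ended up in the two privileged groups the script populates. It assumes the lab domain canon.training and the CSV path C:\CanonTrainingUsers.csv from the exercise, and is run in an elevated PowerShell on the domain controller.

```powershell
# Added example (not part of the training script): verify what "Create AD from CSV.ps1" produced.
# Assumptions: lab domain canon.training and CSV at C:\CanonTrainingUsers.csv, as in the exercise.
Import-Module ActiveDirectory

function Test-CsvUserCreation {
    param(
        [string]$Domain  = 'canon.training',
        [string]$CsvPath = 'C:\CanonTrainingUsers.csv'
    )
    # Same DC=... construction the script uses, one component per domain label.
    $DomainDN = 'DC=' + (($Domain -split '\.') -join ',DC=')
    $Findings = New-Object System.Collections.Generic.List[string]

    # 1. Every CSV row should now be an enabled account in its OU with a UPN in the domain.
    foreach ($row in Import-Csv $CsvPath) {
        $sam  = $row.firstname.Substring(0, 1) + '.' + $row.name   # the script's naming rule
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
                           -Properties PasswordNeverExpires, UserPrincipalName
        if (-not $user) { $Findings.Add("missing account: $sam"); continue }
        if (-not $user.Enabled) { $Findings.Add("$sam is disabled") }
        if ($user.DistinguishedName -notlike "*,OU=$($row.ou),$DomainDN") {
            $Findings.Add("$sam is not in OU '$($row.ou)' but at $($user.DistinguishedName)")
        }
        if ($user.UserPrincipalName -ne "$sam@$Domain") {
            $Findings.Add("$sam has UPN '$($user.UserPrincipalName)' instead of $sam@$Domain")
        }
        if ($user.PasswordNeverExpires) {
            $Findings.Add("$sam has PasswordNeverExpires set (the script sets this for every user)")
        }
    }

    # 2. The script puts IT users in Domain Admins and everyone else in Administrators;
    #    list the resulting membership so it can be reviewed (and trimmed) after the lab.
    $Privileged = foreach ($group in 'Domain Admins', 'Administrators') {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $group; Member = $_.SamAccountName } }
    }

    [pscustomobject]@{
        Findings   = $Findings
        Privileged = $Privileged
    }
}

$result = Test-CsvUserCreation
$result.Findings   | ForEach-Object { Write-Warning $_ }
$result.Privileged | Sort-Object Group, Member | Format-Table -AutoSize
```

With the supplied CSV the privileged list should contain the three IT users under Domain Admins and all twenty users under Administrators; any "missing account" or wrong-OU finding means a row failed, usually because the domain name typed at the prompt did not match the DC.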
CanonTrainingUsers.csv (the user list read by the script; the header names match the columns the script uses):
firstname,name,password,ou,description
Mike,Smith,Canon-01,Head Office,Office Manager
Jane,Douglas,Canon-01,Head Office,PA to MD
Marie,Harper,Canon-01,Head Office,HR Manager
Sally,Summers,Canon-01,Head Office,Secretary
Clair,Wilson,Canon-01,Head Office,Secretary
Dave,Johnston,Canon-01,Head Office,Managing Director
Andy,Palmer,Canon-01,Site Office,Site Manager
Zoe,Atkins,Canon-01,Site Office,Secretary
Rachel,Clark,Canon-01,Site Office,Advertising Manager
Samantha,Ross,Canon-01,Site Office,Orders Clerk
Dave,Legg,Canon-01,Site Office,Documentation
Dave,Pipper,Canon-01,Site Office,Documentation
Andrew,Johnston,Canon-01,Temp Office,Programmer
Sam,Batchalor,Canon-01,Temp Office,Programmer
Adrian,Solar,Canon-01,Temp Office,Programmer
Trevor,Boffin,Canon-01,Research,Research Assistant
Lisa,Clever,Canon-01,Research,Research Manager
Keith,Pattinson,Canon-01,IT,It Helpdesk
John,Smith,Canon-01,IT,It Helpdesk
Rodger,Mickelson,Canon-01,IT,IT Manager & Security Lead
Video to explain the reason for a Managed Service Account
We will cover the use of managed service accounts later in the training, but only briefly. These accounts can only be created using PowerShell, so they are included in this exercise. Understanding the PowerShell used to create a managed service account is not important to you as a Canon employee; you will, however, come across managed accounts, which is why we are creating one here. Simply copy the commands and execute them on your server to create an account.
1. Creating a Managed Service Account using PowerShell. Type the following in the Windows PowerShell command window, and then press Enter:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
2. Type the following in the Windows PowerShell command window, and then press Enter:
New-ADServiceAccount -Name Aservice -DNSHostName AMS-DC1 -ManagedPasswordIntervalInDays 30 -PrincipalsAllowedToRetrieveManagedPassword 'AMS-DC1$'
3. Type the following in the Windows PowerShell command window, and then press Enter:
Add-ADComputerServiceAccount -Identity AMS-DC1 -ServiceAccount Aservice
4. Type the following in the Windows PowerShell command window, and then press Enter:
Get-ADServiceAccount -Filter *
The screenshot below shows two accounts; you will only create one, named "Aservice".
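Get-ADServiceAccount -Filter * only shows that the account object exists. The following is an added example, not part of the training material, that checks each of the four steps above actually took effect: that a KDS root key exists and is already effective (step 1 backdated it by ten hours for exactly this reason), which principals may retrieve the account's password and how often it rotates (step 2), that the computer object is linked to the account (step 3), and whether the host can retrieve the password at all. It assumes the account name Aservice and host AMS-DC1 from the steps, and should be run in an elevated PowerShell on AMS-DC1 itself, since Test-ADServiceAccount answers for the machine it runs on.

```powershell
# Added example (not part of the training material): confirm the managed service account
# exercise completed. Assumptions: account Aservice, host AMS-DC1, run on AMS-DC1 as administrator.
Import-Module ActiveDirectory

function Test-LabServiceAccount {
    param(
        [string]$AccountName = 'Aservice',
        [string]$HostName    = 'AMS-DC1'
    )
    $Findings = New-Object System.Collections.Generic.List[string]

    # 1. A KDS root key must exist and already be effective; otherwise New-ADServiceAccount
    #    fails because no key is available to derive the managed password from.
    $keys = Get-KdsRootKey
    if (-not $keys) {
        $Findings.Add('no KDS root key found; run Add-KdsRootKey first')
    }
    elseif (-not ($keys | Where-Object { $_.EffectiveTime -le (Get-Date) })) {
        $Findings.Add('a KDS root key exists but is not yet effective')
    }

    # 2. Inspect the account: rotation interval and which principals may fetch its password.
    $gmsa = Get-ADServiceAccount -Identity $AccountName `
                -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, DNSHostName
    $allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
    if ($allowed.Count -ne 1) {
        $Findings.Add("$AccountName password is retrievable by $($allowed.Count) principals; expected only $HostName")
    }

    # 3. The computer object should reference the account (written by Add-ADComputerServiceAccount).
    $computer = Get-ADComputer -Identity $HostName -Properties 'msDS-HostServiceAccount'
    if ($computer.'msDS-HostServiceAccount' -notcontains $gmsa.DistinguishedName) {
        $Findings.Add("$HostName is not linked to $AccountName (msDS-HostServiceAccount is not set)")
    }

    # 4. Only meaningful on the host itself: can this machine actually retrieve the password?
    $usable = Test-ADServiceAccount -Identity $AccountName

    [pscustomobject]@{
        Account        = $gmsa.SamAccountName
        DnsHostName    = $gmsa.DNSHostName
        RotationDays   = $gmsa.ManagedPasswordIntervalInDays
        AllowedToFetch = $allowed
        UsableOnHost   = $usable
        Findings       = $Findings
    }
}

Test-LabServiceAccount | Format-List
```

A correct run shows RotationDays 30, a single entry in AllowedToFetch (the AMS-DC1 computer object), UsableOnHost True and an empty Findings list. If UsableOnHost is False while the other checks pass, the host has not yet retrieved the account; running Install-ADServiceAccount -Identity Aservice on AMS-DC1 caches it locally, after which Test-ADServiceAccount returns True.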