IT Training Modules - Classroom Tasks


Active Directory - PowerShell Tools

What is PowerShell

PowerShell is a scripting language commonly used to automate the management of systems; it is also used to build, test, and deploy solutions. This is not a course on PowerShell scripting, but it will introduce you to the "shell", similar to that of DOS or Linux/UNIX. You are not expected to understand PowerShell scripts, only to feel comfortable executing the commands you will be supplied with.

PowerShell Scripts

Microsoft PowerShell has many uses, as discussed during this course. For this exercise we have the following script available. The details are not important unless you have an interest in PowerShell or in creating PowerShell scripts. To view the script, open it from this link. To see the CSV file of users, open this link. Remember to use the back button to return.

Using the script supplied to create multiple users in our training company.

You will be using the following 2 files.

"Create AD from CSV.ps1" is the script; all PowerShell scripts have the .ps1 extension.

"CanonTrainingUsers.csv" is a list of users and their default passwords.

1.    Start the AMS-DC1 virtual machine if it is not already started.
2.    Log in with the credentials canon\administrator and the password supplied by your trainer.
3.    Copy the CanonTrainingUsers.csv file to the root of the C: drive of the server you are using if it is not already there.


4.   To run the PowerShell script from the desktop, right-click the PowerShell script and select Edit.

Note: This opens PowerShell in the mode named ISE. The script opens in the top part of the screen and the bottom section shows the result when the script is run. Details of the script are listed at the bottom of this page if you have a further interest in how the script works.

5.   Select the green Run button to execute the script. It then changes to a Stop button. Do not stop the script.
6.   Enter the domain name canon.training and press Return.

7.   If all has worked as expected, you should see the screen below confirming the creation of all the users.

8.   Select N for No when asked to add new users manually, unless you want to add another user for your own testing.
9.   Confirm the users have been created using the Active Directory Users and Computers snap-in. You may need to refresh the view.

Using PowerShell to check user exists and get information from the AD database about the user.

1.   Add PowerShell to your taskbar using the Windows search function.

2.   Right-click and open PowerShell (not ISE) as an administrator.

NOTE: The first time you access PowerShell you will not get the right-click menu option to run as administrator. Simply open and close PowerShell, then repeat to see the option.

3.   Type "Get-ADUser (username)", replacing (username) with your user in the format J.Thomas as shown in the screenshot below. Here you can see the SID, which makes every user unique in AD.

4.   Try this command to see all the available properties. It displays all the attributes for the selected user.

Get-ADUser (username) -properties *
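As an added example (not from the training page), the following function uses Get-ADUser to check whether an account exists and to return the attributes that matter when reviewing it: the SID, whether it is enabled, its password settings, last logon and group membership. It assumes the ActiveDirectory module is installed; Get-UserSecuritySummary is this example's own name, and J.Thomas is the sample account in the format shown above.

```powershell
# Added example (not from the training page). Assumes the ActiveDirectory module;
# Get-UserSecuritySummary is this example's own name and J.Thomas the sample account.
Import-Module ActiveDirectory

function Get-UserSecuritySummary {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    # -Filter returns nothing (rather than an error) when the account does not exist.
    $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" `
        -Properties Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate, MemberOf, whenCreated

    if (-not $user) {
        Write-Warning "No account named '$SamAccountName' in $((Get-ADDomain).DNSRoot)"
        return $null
    }

    # Resolve group DNs to names so privileged membership is obvious at a glance
    # (MemberOf does not include the primary group, normally Domain Users).
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        SID                  = $user.SID.Value
        Enabled              = $user.Enabled
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
        LastLogonDate        = $user.LastLogonDate
        Created              = $user.whenCreated
        Groups               = ($groups -join ', ')
        IsDomainAdmin        = ($groups -contains 'Domain Admins')
    }
}

Get-UserSecuritySummary -SamAccountName 'J.Thomas' | Format-List
```

Using -Filter instead of -Identity is deliberate: a missing account produces an empty result and a warning rather than a terminating error, which makes the function usable inside a larger check over many names.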

Build a DC Using a PowerShell Script.

If you saved a .txt copy of the script from the build of the DC, you can try opening it in PowerShell ISE.

1.   From Server Manager select View and enable file extensions.

2.   Change the extension of the text document to .ps1.

3.   Right-click the file and select Edit to use ISE. You can also edit scripts in a simple notepad application or, ideally, an extended one such as Notepad++.

4.   You can then run the script in the same way you ran the user creation script. Below is a copy of the complete build script required. The one you downloaded only promotes the server to a domain controller; to run on a new server, the additional lines install the AD DS service. The part of the script below is the one you had the option to copy from Server Manager when you created the DC.

#
# Windows PowerShell script for AD DS Deployment
#

Add-WindowsFeature AD-Domain-Services

#
# Promote to DC for canon.training
#

Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "canon.training" `
-DomainNetbiosName "CANON" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
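As an added example that is not part of the build script above, the same parameters can first be passed to Test-ADDSForestInstallation, which runs the promotion's prerequisite checks without changing the server. The hashtable name $forestParams and the prompt text are this example's own choices; the parameter values are those of the script above.

```powershell
# Added example (not part of the page's build script): run the deployment
# prerequisite checks with the same parameters before committing to the promotion.
# Test-ADDSForestInstallation makes no changes to the server.
Import-Module ADDSDeployment

$forestParams = @{
    DomainName          = 'canon.training'
    DomainNetbiosName   = 'CANON'
    DomainMode          = 'WinThreshold'
    ForestMode          = 'WinThreshold'
    InstallDns          = $true
    CreateDnsDelegation = $false
    DatabasePath        = 'C:\Windows\NTDS'
    LogPath             = 'C:\Windows\NTDS'
    SysvolPath          = 'C:\Windows\SYSVOL'
}

# The DSRM password is prompted for as a SecureString rather than written into the script.
$result = Test-ADDSForestInstallation @forestParams `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString)

$result | Format-List Status, Message, Context
if ($result.Status -eq 'Success') {
    Write-Host 'Prerequisite checks passed; Install-ADDSForest can be run with the same parameters.'
}
```

Splatting the hashtable keeps the test and the real Install-ADDSForest call using exactly the same values, so what was checked is what gets installed.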

PowerShell Script for AD Build

# Load the Active Directory cmdlets and the AD: drive used by Test-Path below.
Import-Module ActiveDirectory

# Connect to the list of users to configure; edit the location as applicable.
$Users = Import-Csv C:\CanonTrainingUsers.csv

# Domain to connect to.
$Server = Read-Host "What is the domain you wish to add the users to (EX. Training.local)?"

# Build the LDAP/AD path of the domain once: one DC= component per label,
# so a three-label domain such as corp.example.local also works.
$Path = ($Server -split "\." | ForEach-Object { "DC=$_" }) -join ","

# Loop through the list to collect all required user information into variables.
foreach ($User in $Users)
{
    $Detailedname = $User.firstname + " " + $User.name
    $Password = $User.password
    $UserFirstname = $User.firstname
    $FirstLetterFirstname = $UserFirstname.Substring(0,1)
    $SAM = $FirstLetterFirstname + "." + $User.name
    $firstname = $User.firstname
    $name = $User.name
    $email = $name + $FirstLetterFirstname + "@" + $Server
    $Description = $User.description

    # Full path of the OU the user will be created in.
    $OU = $User.ou
    $FullPath = "OU=" + $OU + "," + $Path

    # Check if the OU exists and create it if not. If the domain path is wrong the
    # creation fails and the script stops with an error.
    if (-not (Test-Path "AD:\$FullPath"))
    {
        Try {
            Write-Host $OU -ForegroundColor Yellow
            New-ADOrganizationalUnit -Name $OU -Path $Path -ErrorAction Stop
        }
        Catch {
            Write-Host "You have entered invalid domain details. Please restart with correct domain for the local computer." -ForegroundColor Yellow
            Throw "AD does not exist"
        }
    }

    # Add the user to the domain using the CSV supplied details. The UPN is set to
    # SAM@domain here rather than rewritten for the whole OU after each user.
    Write-Host "$Detailedname ($OU)"
    New-ADUser -Name $Detailedname -SamAccountName $SAM -UserPrincipalName "$SAM@$Server" `
        -DisplayName $Detailedname -GivenName $firstname -Surname $name `
        -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
        -Enabled $true -Path $FullPath -EmailAddress $email -PasswordNeverExpires $true `
        -Description $Description

    # Every user in the IT OU becomes a Domain Admin; everyone else goes into Administrators.
    if ($OU -eq "IT")
    {
        Add-ADGroupMember "Domain Admins" -Members $SAM
        Write-Host $SAM "Added to the Domain Administrators Group"
    }
    else
    {
        Add-ADGroupMember Administrators -Members $SAM
        Write-Host $SAM "Added to the Local Administrators Group"
    }
}

# Add new users if required
$additionalUsers = Read-Host "Do you want to add more users? (y/n)"
if ($additionalUsers -eq "y")
{
    # Ask how many; cast to [int] so the loop condition compares numbers, not text.
    [int]$count = Read-Host "How many?"

    # Loop to add new users
    for ($i = 1; $i -le $count; $i++)
    {
        $firstname = Read-Host "What is firstname of the new user $i ?"
        $surname = Read-Host "What is surname of the new user $i ?"
        $Detailedname = $firstname + " " + $surname
        # Read the password as a SecureString so it is neither echoed nor kept as plain text.
        $Password = Read-Host "What is password for $Detailedname ?" -AsSecureString
        $FirstLetterFirstname = $firstname.Substring(0,1)
        $SAM = $FirstLetterFirstname + "." + $surname
        $email = $surname + $FirstLetterFirstname + "@" + $Server
        $Description = Read-Host "Add a description if required for $Detailedname ?"

        # OU path; $Path was built from the domain name above.
        $OU = Read-Host "OU for the user? Note all users in (IT) OU will have Domain Admin rights"
        $FullPath = "OU=" + $OU + "," + $Path

        # Check if the OU exists and create it if not
        if (-not (Test-Path "AD:\$FullPath"))
        {
            New-ADOrganizationalUnit -Name $OU -Path $Path -ErrorAction Stop
        }

        Write-Host "New User Added $Detailedname ($OU)" -ForegroundColor Yellow

        # Add the user to the domain using the details entered above
        New-ADUser -Name $Detailedname -SamAccountName $SAM -UserPrincipalName "$SAM@$Server" `
            -DisplayName $Detailedname -GivenName $firstname -Surname $surname `
            -AccountPassword $Password `
            -Enabled $true -Path $FullPath -EmailAddress $email -PasswordNeverExpires $true `
            -Description $Description

        if ($OU -eq "IT")
        {
            Add-ADGroupMember "Domain Admins" -Members $SAM
            Write-Host $SAM "Added to the Domain Administrators Group"
        }
        else
        {
            Add-ADGroupMember Administrators -Members $SAM
            Write-Host $SAM "Added to the Local Administrators Group"
        }
    }
}

# Create a user report on C:\ (produced whether or not extra users were added)
Get-ADUser -Filter * -Properties Name,DisplayName,Description,EmailAddress |
    Sort-Object Name |
    Select-Object -Property Name,DisplayName,Description,EmailAddress |
    ConvertTo-Html -Property Name,DisplayName,Description,EmailAddress -PreContent "<h1>User Accounts</h1>" |
    Out-File C:\UserReport.html

# Write out end message
Write-Host "All done - Users Created from CSV and additional where selected."
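As an added example (not part of the training script), the following function audits what a run of the script leaves behind: the members of the two groups it populates, and every enabled user whose password is set never to expire. It assumes the ActiveDirectory module; Get-BulkCreateAudit is this example's own name.

```powershell
# Added example (not part of the training script). Assumes the ActiveDirectory
# module; Get-BulkCreateAudit is this example's own name.
Import-Module ActiveDirectory

function Get-BulkCreateAudit {
    param([string[]]$Groups = @('Domain Admins', 'Administrators'))

    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so a user granted rights through
        # Domain Admins also shows up under Administrators.
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            [pscustomobject]@{
                Check          = "Member of $group"
                SamAccountName = $m.SamAccountName
                Detail         = $m.distinguishedName
            }
        }
    }

    # The creation script sets PasswordNeverExpires on every account it makes,
    # which exempts those accounts from the domain password policy.
    Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } |
        ForEach-Object {
            [pscustomobject]@{
                Check          = 'PasswordNeverExpires'
                SamAccountName = $_.SamAccountName
                Detail         = $_.DistinguishedName
            }
        }
}

$audit = @(Get-BulkCreateAudit)
$audit | Sort-Object Check, SamAccountName | Format-Table -AutoSize

# Counts per check make an over-generous run obvious at a glance.
$audit | Group-Object Check | Select-Object Name, Count
```

Run it after the script finishes and compare the counts with the CSV: with the sample file above, three users should appear under Domain Admins and the rest under Administrators, and every CSV user under PasswordNeverExpires.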

CSV of Users.

firstname,name,password,ou,description
Mike,Smith,Canon-01,Head Office,Office Manager
Jane,Douglas,Canon-01,Head Office,PA to MD
Marie,Harper,Canon-01,Head Office,HR Manager
Sally,Summers,Canon-01,Head Office,Secretary
Clair,Wilson,Canon-01,Head Office,Secretary
Dave,Johnston,Canon-01,Head Office,Managing Director
Andy,Palmer,Canon-01,Site Office,Site Manager
Zoe,Atkins,Canon-01,Site Office,Secretary
Rachel,Clark,Canon-01,Site Office,Advertising Manager
Samantha,Ross,Canon-01,Site Office,Orders Clerk
Dave,Legg,Canon-01,Site Office,Documentation
Dave,Pipper,Canon-01,Site Office,Documentation
Andrew,Johnston,Canon-01,Temp Office,Programmer
Sam,Batchalor,Canon-01,Temp Office,Programmer
Adrian,Solar,Canon-01,Temp Office,Programmer
Trevor,Boffin,Canon-01,Research,Research Assistant
Lisa,Clever,Canon-01,Research,Research Manager
Keith,Pattinson,Canon-01,IT,It Helpdesk
John,Smith,Canon-01,IT,It Helpdesk
Rodger,Mickelson,Canon-01,IT,IT Manager & Security Lead
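As an added example (not the page's code), this pre-flight check reads the CSV before the creation script runs. It checks that the five columns are present, builds the logon name the same way the script does (first initial + "." + surname), and reports names that are too long, contain characters not allowed in a sAMAccountName, or collide with another row; it also flags that every row shares one default password. The function name Test-UserCsv is this example's own, and the path C:\CanonTrainingUsers.csv is the one the instructions above use.

```powershell
# Added example (not the page's code). Assumes the CSV layout shown above and the
# path the instructions use; Test-UserCsv is this example's own name.
function Test-UserCsv {
    param([string]$Path = 'C:\CanonTrainingUsers.csv')

    $required = 'firstname', 'name', 'password', 'ou', 'description'
    $problems = New-Object System.Collections.Generic.List[string]
    $rows = @(Import-Csv -Path $Path)

    if ($rows.Count -eq 0) {
        $problems.Add("$Path contains no user rows")
        return $problems
    }

    # Import-Csv takes the column names from the header line; all five must be there.
    $columns = $rows[0].PSObject.Properties.Name
    foreach ($col in $required) {
        if ($col -notin $columns) { $problems.Add("missing column '$col'") }
    }
    if ($problems.Count -gt 0) { return $problems }

    $seen = @{}
    $line = 1                                   # line 1 is the header
    foreach ($r in $rows) {
        $line++
        if (-not $r.firstname -or -not $r.name) {
            $problems.Add("line ${line}: firstname and name are required")
            continue
        }

        # Same logon name the creation script derives: first initial + "." + surname.
        $sam = $r.firstname.Substring(0, 1) + '.' + $r.name
        if ($sam.Length -gt 20) {
            $problems.Add("line ${line}: '$sam' exceeds the 20-character sAMAccountName limit")
        }
        if ($sam -match '[\"\[\]:;|=+*?<>/\\,]') {
            $problems.Add("line ${line}: '$sam' contains a character not allowed in a logon name")
        }

        # Logon names are case-insensitive, so compare them lower-cased.
        $key = $sam.ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            $problems.Add("line ${line}: '$sam' duplicates line $($seen[$key])")
        } else {
            $seen[$key] = $line
        }

        if (-not $r.password) { $problems.Add("line ${line}: empty password") }
        if (-not $r.ou)       { $problems.Add("line ${line}: empty ou") }
    }

    # One shared default password means one guess covers every account in the file.
    $distinct = @($rows | Select-Object -ExpandProperty password -Unique).Count
    if ($rows.Count -gt 1 -and $distinct -eq 1) {
        $problems.Add("all $($rows.Count) rows share the same password")
    }

    return $problems
}

$issues = @(Test-UserCsv)
if ($issues.Count -eq 0) { Write-Host 'CSV looks usable' -ForegroundColor Green }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

With the sample file above the only finding is the shared Canon-01 password; a second "Dave Legg" row, or a surname long enough to push the derived name past 20 characters, would be reported with its line number before anything touches the domain.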

Optional Task - Managed Service Accounts Exercise.

Video to explain the reason for a Managed Service Account

We will cover more on the use of managed service accounts later in the training, but only briefly. These accounts can only be created using PowerShell, so they are included in this exercise. Understanding the PowerShell used to create a managed service account is not important to you as a Canon employee; you will, however, come across managed accounts, which is why we are creating one here. Simply copy the commands and execute them on your server to create an account.

1.   Creating a Managed Service Account using PowerShell. Type the following in the Windows PowerShell command window, and then press Enter. The -EffectiveTime of 10 hours in the past is a lab shortcut: it makes the new KDS root key usable immediately instead of after the normal 10-hour wait for replication.

Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))   

2.   Type the following in the Windows PowerShell command window, and then press Enter. The trailing $ in 'AMS-DC1$' is part of the computer account name, so it is quoted:

New-ADServiceAccount -Name Aservice -DNSHostName AMS-DC1 -ManagedPasswordIntervalInDays 30 -PrincipalsAllowedToRetrieveManagedPassword 'AMS-DC1$'

3.   Type the following in the Windows PowerShell command window, and then press Enter:

Add-ADComputerServiceAccount -identity AMS-DC1 -ServiceAccount Aservice

4.   Type the following in the Windows PowerShell command window, and then press Enter:

Get-ADServiceAccount -Filter *   

The screenshot below shows 2 accounts; you will only create 1, named "Aservice".
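As an added example that is not part of the exercise, the following commands confirm the account was created with the intended settings and that AMS-DC1 can actually retrieve its managed password. The account name Aservice and the host AMS-DC1 come from the steps above; msDS-ManagedPasswordInterval is the LDAP attribute behind -ManagedPasswordIntervalInDays.

```powershell
# Added example (not part of the exercise). Assumes the gMSA "Aservice" and the
# host AMS-DC1 created in the steps above, and the ActiveDirectory module.
Import-Module ActiveDirectory

$msa = Get-ADServiceAccount -Identity 'Aservice' `
    -Properties DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

# Show the settings that decide who can use the account and how often its password rotates.
[pscustomobject]@{
    Name              = $msa.Name
    SamAccountName    = $msa.SamAccountName          # ends in $, like a computer account
    DNSHostName       = $msa.DNSHostName
    RotationDays      = $msa.'msDS-ManagedPasswordInterval'
    AllowedToRetrieve = ($msa.PrincipalsAllowedToRetrieveManagedPassword -join ', ')
} | Format-List

# True when this computer is allowed to retrieve the managed password. False usually
# means the host is not in PrincipalsAllowedToRetrieveManagedPassword or the KDS
# root key is not yet effective.
Test-ADServiceAccount -Identity 'Aservice'
```

Run it on AMS-DC1 itself: Test-ADServiceAccount answers for the computer it runs on, so a False from another machine only tells you that machine is not in the allowed list.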
