Joseph Moody

Getting Better Mileage by Extending Active Directory Users and Computers

15 February 2013

Active Directory has more uses than it is usually credited with. The 'Active Directory Users and Computers' console can even be extended with whatever PowerShell tasks you need to make routine administrative tasks easier.

Active Directory (AD) is one of the most underused technologies from Microsoft. At its core, Active Directory is simply a replicated database. By nature, Active Directory contains computers, users, contacts, groups, and many other objects. Most organizations take AD a bit further by installing the DNS role on their domain controllers (which stores DNS zone data in AD-integrated zones). But Active Directory can do so much more! Microsoft itself keeps putting more into AD, such as storing BitLocker recovery keys and, with Windows 8, Active Directory-Based Activation for volume licensing.

Because Active Directory Users and Computers (ADUC) is one of the core tools in any Windows administrator's belt, we are going to extend ADUC by automating four common tasks!

Getting Started

Extending ADUC involves the creation of a custom Microsoft Management Console (MMC) that includes the Active Directory Users and Computers (ADUC) snap-in. First, fire up MMC.exe. Select 'File' and then 'Add or Remove Snap-ins'. Add 'Active Directory Users and Computers' to the list of selected snap-ins.

add or remove snap-ins

Because your co-workers will want to get their hands on your MMC, save it, along with the scripts it will call, in a common share. Give only administrators write access to that share: the scripts run with the rights of whoever launches the console, so anyone who can edit them can run code as that administrator.

Task 1: Jumping Around

Regardless of your domain and hierarchy setup, you are likely to have found yourself jumping around between Organizational Units (OUs). In our environment, we separate computers and users for each site into separate Organizational Units. Because of the number of groups that we have and rights delegation, we further divide our groups into two separate OUs. After all of this, each site has 4 main OUs. With 22 sites, that equates to a lot of jumping around and navigation in ADUC!

Using Favorites will make a world of difference! Make a list of all of your common OUs that you access in a week and group them by function (or what objects they store). In your custom ADUC MMC, select Favorites and then Organize Favorites. Expand the Favorites Folder and create organization folders for each OU group (ex: Computer OUs).

organize favorites

Now, navigate to each OU that you regularly visit. Once there, select 'Favorites', 'Add to Favorites', and then add the OU to the correct folder. After a few minutes, you should have a quick jump list of all common OUs.

ADUC console

Instead of finding yourself 3 levels deep in an array of OUs, you can quickly jump around your domain structure for your common tasks!

Task 2: Resetting Passwords

A wise man once said, "Show me an IT Pro who cannot script and I will show you one that grinds too many hours". By bringing external scripts into your MMC, you'll find yourself automating problems you never knew existed.

A nearly universal problem in IT is a user forgetting their password. A common response to this problem would be to look up the user in Active Directory and select Reset Password. You would then type in a default password, prompt them to change it on the next logon, and probably unlock their account.

Find users, contacts, and groups

PowerShell can make this process easier by presenting you with relevant information and standardizing password resets. Let's take a look at a script that makes use of the Quest AD cmdlets (the ActiveRoles Management Shell for Active Directory snap-in):

Add-PSSnapin Quest.ActiveRoles.ADManagement

# Temporary password handed to the user; they are forced to change it at next logon.
$DefaultPassword = "defaultpassword"

$User = Read-Host "Search for a User by: First, Last, or UserName"

# Keep asking until the search term matches at least one account
while ((Get-QADUser $User) -eq $null) {
    $User = Read-Host "No Users Found. Please specify a valid user"
}

Get-QADUser $User | Format-Table Name, UserPrincipalName, PasswordAge, PasswordLastSet, PasswordExpires, AccountIsLockedOut -AutoSize

# In this environment user names end in digits, so a search term that ends in digits
# is taken to be the user name itself. A first or last name may match several accounts,
# so in that case ask for the exact user name before touching anything.
if ($User -match "[\d\.]+$") {
    $Identity = $User
}
else {
    $Identity = Read-Host "What is the user's username?"
}

# -Confirm shows exactly which account is about to be reset before anything changes
Set-QADUser $Identity -UserPassword $DefaultPassword -UserMustChangePassword $true -Confirm
Unlock-QADUser $Identity

pause

This script starts by prompting you for a search term and searching AD for it. It then returns any user matching your input in a table containing the password age, the last time the password was set, when the password will expire, and the account lockout status.

PowerShell Window

This information allows you to gain a lot of insight into a normal operation. For example, if you see that the password was set on Friday and a user calls on a Monday, you could simply remind the user that they changed their password last week.

Depending on your input, the script may prompt you for the username of the user. Once entered, the script resets their password to a default value and unlocks their user account. Standardizing the reset eliminates confusion between you and the user. If you include personal attributes of your users in AD (such as a date of birth or phone number), you could derive the temporary password from those attributes so that the user already knows it. Bear in mind that such attributes are often known to colleagues, so keep the change-at-next-logon requirement in place and treat the value as a temporary password rather than as additional security; a randomly generated temporary password, read to the caller after you have verified who they are, is the safer option.
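The same workflow with the built-in ActiveDirectory module and a random temporary password, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module is installed and a domain controller running AD Web Services is reachable; the prompts mirror the Quest script above.

```powershell
# Added example (not from the article): the Task 2 workflow with the built-in
# ActiveDirectory module instead of the Quest snap-in, and with a random temporary
# password in place of a fixed default. Assumes the RSAT ActiveDirectory module is
# installed and a domain controller running AD Web Services is reachable.
Import-Module ActiveDirectory

# Temporary password from the OS CSPRNG. The alphabet has exactly 64 symbols, so
# "byte modulo 64" is uniform and introduces no modulo bias. Regenerate until the
# value has upper, lower and digit characters (three of the four classes the
# default domain complexity rule wants), otherwise the reset would be rejected.
function New-TemporaryPassword {
    param([int]$Length = 14)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
        $pw
    }
    finally { $rng.Dispose() }
}

# Look the user up by first name, last name or user name. The term is placed inside a
# quoted -Filter expression, so an apostrophe (O'Brien) is doubled to keep it inside the string.
function Find-User([string]$Term) {
    $t = $Term -replace "'", "''"
    Get-ADUser -Filter "SamAccountName -eq '$t' -or GivenName -eq '$t' -or Surname -eq '$t'" `
        -Properties PasswordLastSet, LockedOut, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed'
}

$found = @(Find-User (Read-Host "Search for a User by: First, Last, or UserName"))
while ($found.Count -eq 0) {
    $found = @(Find-User (Read-Host "No Users Found. Please specify a valid user"))
}

# Same picture the Quest script gives: when the password was set, when it expires, lockout state.
# msDS-UserPasswordExpiryTimeComputed is a FILETIME; Int64.MaxValue means "never expires".
$found | Select-Object Name, UserPrincipalName, PasswordLastSet, LockedOut, PasswordExpired,
    @{ n = 'PasswordExpires'; e = {
        $t = $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($t -and $t -lt [int64]::MaxValue) { [datetime]::FromFileTime($t) } else { 'never/unknown' } } } |
    Format-Table -AutoSize

if ($found.Count -eq 1) { $sam = $found[0].SamAccountName }
else { $sam = Read-Host "Several accounts matched. Enter the exact user name" }

$answer = Read-Host "Reset the password for $sam and unlock the account? (y/n)"
if ($answer -ne 'y') { "Nothing changed."; pause; exit }

$temp = New-TemporaryPassword
# -Reset performs an administrative reset (the old password is not needed)
Set-ADAccountPassword -Identity $sam -Reset -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity $sam
"Temporary password for ${sam}: $temp  (read it to the caller after verifying who they are; do not e-mail it)"
pause
```

The temporary password is shown once, on the helpdesk screen only; the user is forced to replace it at first logon, so the value never becomes a long-lived secret.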

Task 3: Comparing Group Membership

Managing security groups can be a pain, especially when you start diving into nested groups. If your organization makes heavy use of Group Policy and filtering, you will likely have to compare membership of nested groups. The hard way of doing this is to open both groups up at the same time and recursively go through them. Once you start dealing with overlapping members and multiple layers, this will get old in a hurry.

With PowerShell, this is incredibly easy. Once again, we will make use of the Quest cmdlets. If your organization has at least one Windows Server 2008 R2 domain controller running Active Directory Web Services (or the Active Directory Management Gateway Service on older domain controllers), you can write equivalents of these scripts with the built-in Active Directory module instead.

Add-PSSnapin Quest.ActiveRoles.ADManagement

$Group1 = Read-Host "What is the first group?"
$Group2 = Read-Host "What is the second group?"

# -Indirect expands nested groups; -SizeLimit raises the default cap of 1000 results.
# @() turns "no members" into an empty array instead of $null, which Compare-Object would reject.
$Members1 = @(Get-QADGroupMember $Group1 -Type computer -Indirect -SizeLimit 6000)
$Members2 = @(Get-QADGroupMember $Group2 -Type computer -Indirect -SizeLimit 6000)

# Compare on the computer name; -IncludeEqual also lists the computers present in both groups
Compare-Object -ReferenceObject $Members1 -DifferenceObject $Members2 -Property Name -IncludeEqual

pause

 

This script works by using the Compare-Object cmdlet against the output of two commands that determine group membership (nested membership included, thanks to -Indirect). By using the -IncludeEqual option, we also see the computers that are in both groups.

Here is how the output looks:

output in PowerShell

Computers with the == sign are in both groups. The <= symbol means the computer is only in the first group, and the => symbol means it is only in the second group.
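An Active Directory module version of the comparison, as an added example that is not part of the original article. Rather than expanding nested groups on the client, it asks the domain controller for every direct or nested computer member using the LDAP_MATCHING_RULE_IN_CHAIN matching rule; the group names come from the same two prompts as above.

```powershell
# Added example (not from the article): Task 3 with the built-in ActiveDirectory
# module. The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
# makes the DC walk the group nesting server-side, which avoids the 5000-member cap
# that Get-ADGroupMember -Recursive runs into on large groups.
Import-Module ActiveDirectory

# A DN is interpolated into an LDAP filter, so escape the characters RFC 4515 reserves
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# Every computer that is a member of the group, directly or through nested groups
function Get-NestedComputerMembers([string]$GroupName) {
    $dn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $GroupName).DistinguishedName
    Get-ADComputer -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
}

function Compare-ComputerGroups([string]$Group1, [string]$Group2) {
    $a = @(Get-NestedComputerMembers $Group1)
    $b = @(Get-NestedComputerMembers $Group2)
    # Match on objectGUID rather than Name: a name can be deleted and re-created, a GUID cannot.
    # -PassThru hands back the computer objects with a SideIndicator property added.
    Compare-Object -ReferenceObject $a -DifferenceObject $b -Property ObjectGUID -IncludeEqual -PassThru |
        Select-Object Name, DistinguishedName, @{ n = 'MemberOf'; e = {
            switch ($_.SideIndicator) { '<=' { $Group1 } '=>' { $Group2 } '==' { 'both' } } } }
}

$g1 = Read-Host "What is the first group?"
$g2 = Read-Host "What is the second group?"
Compare-ComputerGroups $g1 $g2 | Sort-Object MemberOf, Name | Format-Table -AutoSize
pause
```

The output replaces the <=, => and == markers with the group name (or "both"), so it can be pasted into a ticket without explaining the symbols.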

Task 4: Creating Computer Accounts

Each of these tasks so far has dealt with a different area of object management. Now let's tackle a common complaint about computer objects: account creation. After your initial domain setup, most organizations will not need to create computer accounts in bulk. Instead, you might add three to a department or four to a room.

Scripting the addition of a handful of computers could easily take longer than creating them by hand. That is not how scripting is supposed to work! Let's look at a script that generates computer accounts from your answers to a few prompts instead of from a CSV file. Creation this way is much faster!

Add-PSSnapin Quest.ActiveRoles.ADManagement

$SourceComputer = Read-Host "What will be the computer template?"
$Template = Get-QADComputer $SourceComputer
if ($Template -eq $null) { "Template computer '$SourceComputer' not found"; pause; exit 1 }

# New accounts go into the template's OU and copy its group memberships
$ParentContainer = $Template.ParentContainer
$Groups = $Template | Get-QADMemberOf

$Prefix = Read-Host "What is the computer prefix? EX: GAMCN or GAMCLABN"
$StartInput = Read-Host "What number would you like to start with? EX: 01 or 13"
$CountInput = Read-Host "How many computer accounts do you want to create?"

try {
    [int]$StartNumber = $StartInput
    [int]$Number = $CountInput
}
catch { "Need to enter a number"; pause; exit 1 }
if ($Number -lt 1) { "Need to create at least one account"; pause; exit 1 }

# Keep the zero padding of the starting number, so 01 gives 01, 02, ... rather than 1, 2, ...
$Width = $StartInput.Length

foreach ($i in $StartNumber..($StartNumber + $Number - 1)) {
    $CompName = $Prefix + $i.ToString().PadLeft($Width, '0')
    New-QADComputer -Name $CompName -ParentContainer $ParentContainer

    foreach ($Group in $Groups) {
        Add-QADGroupMember $Group $CompName
    }
}

pause

 

As a practical example, we have an OU with 5 computers in it. We are wanting to add 7 more to it.

test computers

When we run this script, we will be prompted for a template. The new computers created will be based off this template. These computers will be created in the same OU and have the same group memberships as the template computer you specify.

Next, you will be prompted for a naming prefix (ex: Test-) and a starting computer number (ex: 06). Finally, you will be asked how many computer accounts need to be created (ex: 7). This script will dynamically create the new computers faster and more accurately than you could do yourself!
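The same creation routine with the built-in ActiveDirectory module, as an added example that is not part of the original article. It is written as a function that supports -WhatIf, so a naming mistake shows up in a dry run before any account exists, and it skips names that are already taken or too long. The template name Test-01 and the Test-06 to Test-12 range are assumed to match the walkthrough above.

```powershell
# Added example (not from the article): Task 4 with the built-in ActiveDirectory
# module. Assumes the template computer exists and that the account running the
# script may create objects in the template's OU and modify the template's groups.
Import-Module ActiveDirectory

function New-ComputerBatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$Prefix,
        # Kept as text so the zero padding of "06" survives: Test-06, Test-07, ... not Test-6
        [Parameter(Mandatory)][ValidatePattern('^\d+$')][string]$Start,
        [Parameter(Mandatory)][ValidateRange(1, 500)][int]$Count
    )
    $tpl = Get-ADComputer -Identity $Template -Properties MemberOf
    # The parent OU is the template's DN with its own RDN (the leading "CN=name,") removed
    $ou = ($tpl.DistinguishedName -split ',', 2)[1]
    $width = $Start.Length
    $first = [int]$Start

    foreach ($i in $first..($first + $Count - 1)) {
        $name = $Prefix + $i.ToString().PadLeft($width, '0')
        if ($name.Length -gt 15) {
            Write-Warning "$name is longer than the 15-character NetBIOS limit; skipping"
            continue
        }
        if (Get-ADComputer -Filter "Name -eq '$name'") {
            Write-Warning "$name already exists; skipping"
            continue
        }
        # ShouldProcess returns $false under -WhatIf (and prints what would happen)
        if ($PSCmdlet.ShouldProcess($name, "Create computer account in $ou")) {
            $new = New-ADComputer -Name $name -Path $ou -Enabled $true -PassThru
            # Copy the template's group memberships; MemberOf holds the group DNs
            foreach ($groupDn in $tpl.MemberOf) {
                Add-ADGroupMember -Identity $groupDn -Members $new
            }
            $new
        }
    }
}

# Assumed names from the walkthrough: Test-01 is the template, Test-06 .. Test-12 are wanted.
# Dry run first; nothing is created while -WhatIf is present.
New-ComputerBatch -Template 'Test-01' -Prefix 'Test-' -Start '06' -Count 7 -WhatIf
New-ComputerBatch -Template 'Test-01' -Prefix 'Test-' -Start '06' -Count 7
pause
```

Because the function copies whatever groups the template is in, pick a template that carries only the memberships the new machines should have; a template that happens to sit in an administrative group would hand that membership to every machine created from it.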

Adding our Tasks to AD

Our last step is to add each of these scripts to our custom MMC. Embedding the tasks in the console involves creating a Taskpad view. To do this, select any OU. Then go to Action and New Taskpad View. Name your view and select your style. Personally, I prefer the vertical list.

domain site properties

Now select options and ensure that “All tree items that are the same type…” is marked and the checkbox is enabled.

taskpad options

Press 'OK' and navigate to the Tasks window. Select 'New' and 'Shell Command'. For the command, enter c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe. For the parameters, enter -Command "& 'PATHTOSCRIPT'" (the nested quoting is what usually goes wrong here; -File "PATHTOSCRIPT" is an alternative that avoids it). The execution policy on the workstation running the console must allow the script to run; signing the scripts on the share and using AllSigned keeps a tampered copy from executing.

Next, name your task. For organization, I like to prefix my tasks with their function. This allows for me to quickly find the specific task I want.

new task wizard

Finally, pick your task icon and press ‘Next’. Check the “When I click finish” box and repeat until all of your tasks have been created.

You now have an extended Active Directory Users and Computers MMC customized for your common tasks. Through these customizations, you have: created Favorites, automated computer account creation, analyzed group membership, and made resetting passwords a piece of cake!


Joseph Moody

Author profile:

Joseph is a desktop administrator for a public school system, helping manage 5,500 computers. He specializes in Active Directory, Group Policy, deployment and software management. His blog can be found at DeployHappiness.com.



Subject: this is awesome
Posted by: cmartin (view profile)
Posted on: Thursday, June 20, 2013 at 9:29 AM
Message: I like this. It works great other than one thing. I think you have a typo; I had issues getting the PowerShell scripts to run. It needs to be like this:

-command ""&" '"PATHTOSCRIPT'""
