15 February 2013

Getting Better Mileage by Extending Active Directory Users and Computers

Active Directory has more uses than it is usually credited with. The 'Active Directory Users and Computers' console can even be extended with whatever PowerShell tasks you need to make routine administrative tasks easier.

Active Directory (AD) is one of the most underused technologies from Microsoft. At its core, Active Directory is simply a replicated database. By nature, Active Directory contains computers, users, contacts, groups, any many other objects. Most organizations take AD a bit further by including the DNS role on any domain controller (which in stores DNS information in AD) But Active Directory can do so much more! This can be seen by Microsoft’s recent influx of information into AD such as the storage of BitLocker encryption information and licensing for Windows 8.

Because Active Directory Users and Computer (ADUC) is one of the core tools in any Windows Administrator’s belt, we are going to extend ADUC by automating four common tasks!

Getting Started

Expanding AD involves the creation of a custom Microsoft Management Console, (MMC) that includes the Active Directory Users and Computers (ADUC) Snap-in. First, fire up MMC.exe. Select ‘File‘ and then ‘Add or Remove Snap-ins‘. Add ‘Active Directory Users and Computers‘ to the list of selected snap-ins.

1748-add-remove-snap-ins.png

Because your co-workers will be wanting to get their hands on your MMC, go ahead and save it in a common share.

Task 1: Jumping Around

Regardless of your domain and hierarchy setup, you are likely to have found yourself jumping around between Organization Units (OUs). In our environment, we separate computers and users for each site into separate Organization Units. Because of the number of groups that we have and rights delegation, we further divide our groups into two separate OUs. After all of this, each site has 4 main OUs. With 22 sites, that equates to a lot of jumping around and navigation in ADUC!

Using Favorites will make a world of difference! Make a list of all of your common OUs that you access in a week and group them by function (or what objects they store). In your custom ADUC MMC, select Favorites and then Organize Favorites. Expand the Favorites Folder and create organization folders for each OU group (ex: Computer OUs).

1748-organize-fav.png

Now, navigate to each OU that you regularly visit. Once there, select ‘Favorites‘, ‘Add to Favorites‘, and then add the OU to the correct folder. After a few minutes, you should have a quick jump list of all common OUs.

1748-66c132fd-93c3-4814-a6c2-b514947b718

Instead of finding yourself 3 levels deep in an array of OUs, you can quickly jump around your domain structure for your common tasks!

Task 2: Resetting Passwords

A wise man once said, “Show me an IT Pro who cannot script and I will show you one that grinds too many hours”. By bringing in external scripts into your MMC, you’ll find yourself automating problems you never knew existed.

A nearly universal problem in IT is a user forgetting their password. A common response to this problem would be to look up the user in Active Directory and select Reset Password. You would then type in a default password, prompt them to change it on the next logon, and probably unlock their account.

1748-find-users.png

PowerShell can make this process easier by presenting you with relevant information and standardizing on password resets. Let’s take a look at a script that makes use of the Quest AD CMDLETs:

This script starts by prompting for input from you and searches AD for your input. It will then return any user matching your input and generates a table for you containing the Password Age, the last time the password was set, when the password will expire, and the account lock status.

1748-powershell-admin.png

This information allows you to gain a lot of insight into a normal operation. For example, if you see that the password was set on Friday and a user calls on a Monday, you could simply remind the user that they changed their password last week.

Depending on your input, the script may prompt you for the username of the user. Once entered, the script will reset their password to a default value and unlock their user account. This step eliminates confusion between you and the user. If you include personal attributes of your users in AD (such as a date of birth or phone number), you could modify the default password to those attributes. For even the smallest of organizations, this shared information provides additional security.

Task 3: Comparing Group Membership

Managing security groups can be a pain, especially when you start diving into nested groups. If your organization makes heavy use of Group Policy and filtering, you will likely have to compare membership of nested groups. The hard way of doing this is to open both groups up at the same time and recursively go through them. Once you start dealing with overlapping members and multiple layers, this will get old in a hurry.

With PowerShell, this is incredibly easy. Once again, we will make use of the Quest CMDLets. If your organization has at least one Windows Server 2008 R2 domain controller running AD Web Services, you can simulate these same scripts with the Active Directory module.

This script works by using the Compare-Object CMDLET against two commands that determine group membership. By using the -IncludeEqual option, we will also see a list of computers that are in both groups specified.

Here is how the output looks:

1748-windows-powershell.png

Computers with == sign are in both groups. The <= symbol means the computer is in the first group and the => symbol shows a computer in the second group.

Task 4: Creating Computer Accounts

Each of these tasks so far have dealt with a different area of object management. Now let’s tackle a common complaint with computers, account creation. After your initial domain setup, most organizations will not need to massively create computer accounts. Instead, you might add three to this department or four to a room.

Scripting the addition of a handful of computers could easily take longer than manually creating them. That is not how scripting is supposed to work! Let’s look at a script that will automatically generate computers based on your input instead of a CSV file. Creation this way is much faster!

As a practical example, we have an OU with 5 computers in it. We are wanting to add 7 more to it.

1748-test-computers.png

When we run this script, we will be prompted for a template. The new computers created will be based off this template. These computers will be created in the same OU and have the same group memberships as the template computer you specify.

Next, you will be prompted for a naming prefix (ex: Test-) and a starting computer number (ex: 06). Finally, you will be asked how many computer accounts need to be created (ex: 7). This script will dynamically create the new computers faster and more accurately than you could do yourself!

Adding our Tasks to AD

Our last step is to add each of these scripts into our custom MMC. Embedding each of these tasks into AD involves creating a Taskpad view. To do this, select any OU. Then go to Actions and New Taskpad view. Name your view and select your style. Personally, I prefer the vertical list.

1748-domain-site-prop.png

Now select options and ensure that “All tree items that are the same type…” is marked and the checkbox is enabled.

1748-taskpad.png

Press ‘OK‘ and navigate to the Tasks window. Select ‘New‘ and ‘Shell Command‘. For the command, enter c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe. For your parameters, enter command “”&” ‘”PATHTOSCRIPT””.

Next, name your task. For organization, I like to prefix my tasks with their function. This allows for me to quickly find the specific task I want.

1748-new-task-wiz.png

Finally, pick your task icon and press ‘Next‘. Check the “When I click finish” box and repeat until all of your tasks have been created.

You now have an extended Active Directory Users and Computers MMC customized for your common tasks. Through these customizations, you have: created Favorites, automated computer account creation, analyzed group membership, and made resetting passwords a piece of cake!

1748-domain-site.png

Keep up to date with Simple-Talk

For more articles like this delivered fortnightly, sign up to the Simple-Talk newsletter

This post has been viewed 17430 times – thanks for reading.

  • Rate
    [Total: 17    Average: 4.5/5]
  • Share

Joseph Moody

View all articles by Joseph Moody

Related articles

Also in Active directory

Azure Active Directory Part 6: Schema Extensions

Continuing the series on Azure Active Directory, Rick Rainey walks through how to leverage schema extensions.… Read more

Also in Powershell

PowerShell Desired State Configuration: LCM and Push Management Model

PowerShell's Desired State Configuration (DSC) framework depends on the Local Configuration Manager (LCM) which has a central role in a DSC architecture. It runs on all nodes that have PowerShell 4.0 or above installed in order to control the execution of DSC configurations on target nodes. Nicolas Prigent illustrates the role of the LCM in the 'Push' mode of configuring nodes.… Read more

Also in Sysadmin

PowerShell Desired State Configuration: The Basics

'Desired State Configuration (DSC) is an essential part of the configuration, management and maintenance of Windows-based servers. It allows a PowerShell script to specify the configuration of the machine using a declarative model in a simple standard way that is easy to maintain and understand. Nicolas introduces the basic DSC concepts and provides a simple example of using the 'Push' model of DSC. … Read more

Also in PowerShell

PowerShell Desired State Configuration: Automating and Monitoring Pull mode

The Pull mode of Desired State Configuration (DSC) is more complicated to implement because you need to meticulously manage the MOF files and their naming conventions so as to ensure that you deploy your DSC configurations correctly. In this first article of a two-part series, Nicolas Prigent describes how you can best automate this, and then in a second part on monitoring DSC he describes techniques to help you to use the pull mode as a regular part of your admin work.… Read more
  • cmartin

    this is awesome
    I like this. it works great other than one thing I think you have a typo I had issues getting the powershell scripts to run it needs to be like this

    -command ""&" ‘"PATHTOSCRIPT’""

Join Simple Talk

Join over 200,000 Microsoft professionals, and get full, free access to technical articles, our twice-monthly Simple Talk newsletter, and free SQL tools.

Sign up