Maintain System Administration Tasks in Windows PowerShell
Introduction
Active Directory Domain Services (AD DS) is part of Windows Server–based networks. The Active Directory module speeds up administration tasks.
Download the Remote Server Administration Tools (RSAT) package to obtain the Active Directory module. Then, open Optional Features in Settings and select the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.
To find Active Directory cmdlets, search for the prefix "AD," which most Active Directory cmdlets have in their names' noun part.
Manage user accounts in PowerShell
The Active Directory module contains cmdlets that create, modify, and delete user accounts. User account cmdlets have the word "User" or "Account" in the noun part of the name.
Cmdlets for user account management:
New-ADUser - Creates a user account
Get-ADUser - Retrieves a user account
Set-ADUser - Modifies a user account's properties
Remove-ADUser - Deletes a user account
Set-ADAccountPassword - Resets a user account's password
Unlock-ADAccount - Unlocks a user account after the user exceeds the allowed number of incorrect sign-in attempts
Enable-ADAccount - Enables a user account
Disable-ADAccount - Disables a user account
Retrieving users
Get-ADUser retrieves a user account when you pass the account's name to the -Identity parameter. Get-ADUser only returns a default set of properties. To review other properties, use the -Properties parameter with a comma-separated list of properties or the "*" wildcard. For example, to include the department and email address of user anabowman in the results, enter:
Get-ADUser -Identity anabowman -Properties Department,EmailAddress
The -Filter parameter also specifies a user or users. It accepts a query based on regular expressions. For example, the following command retrieves all AD DS users and their properties:
Get-ADUser -Filter * -Properties *
Creating new user accounts
The New-ADUser cmdlet requires the -Name parameter to create new user accounts. You can also set a password and other user properties. Consider the following points:
- If you don't use the -AccountPassword parameter, the user account is disabled. Without a password, you can't set the -Enabled parameter to $true.
- Enter a password using the -AccountPassword parameter. PowerShell stores the password as a secure string (SecureString), not as plain text.
- Once you set a password, you can enable the user account by setting the -Enabled parameter to $true.
Common parameters for New-ADUser:
-AccountExpirationDate - defines the expiration date for a user account
-AccountPassword - defines the password for a user account
-ChangePasswordAtLogon - requires a user account to change passwords at the next logon
-Department - defines the department for a user account
-DisplayName - defines the display name for a user account
-HomeDirectory - defines the location of the home directory for a user account
-HomeDrive - defines the drive letter that maps to the home directory for a user account
-GivenName - defines the first name of a user account
To add a user account, set its Department attribute to IT, assign a password entered as a secure string, and enable the account, enter the following command:
New-ADUser "Ana Bowman" -Department IT -AccountPassword (Read-Host -AsSecureString "AccountPassword") -Enabled $true
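The following script is an added example, not code from the original page: it creates time-limited accounts from a constructed list using the parameters listed above, then reads each one back with Get-ADUser to confirm it was enabled. It assumes the Active Directory module is installed, that the OU OU=Contractors,DC=adatum,DC=com exists, and that the caller may create users there; the sample names and the domain adatum.com are constructed.

```powershell
# Added example (not from the original page): create contractor accounts from a
# constructed list, then verify each one with Get-ADUser.
# Assumptions: Active Directory module installed; OU=Contractors,DC=adatum,DC=com exists.
Import-Module ActiveDirectory

# Constructed sample input; in practice this would come from Import-Csv.
$newHires = @(
    [pscustomobject]@{ GivenName = 'Ana'; Surname = 'Bowman'; SamAccountName = 'anabowman'; Department = 'IT' }
    [pscustomobject]@{ GivenName = 'Dan'; Surname = 'Park';   SamAccountName = 'danpark';   Department = 'Finance' }
)
$targetOU  = 'OU=Contractors,DC=adatum,DC=com'
$domainDns = 'adatum.com'

# One initial password per run, read as a SecureString so it never sits in the script as plain text.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for the new accounts'

foreach ($hire in $newHires) {
    $displayName = '{0} {1}' -f $hire.GivenName, $hire.Surname
    $params = @{
        Name                  = $displayName
        SamAccountName        = $hire.SamAccountName
        UserPrincipalName     = '{0}@{1}' -f $hire.SamAccountName, $domainDns
        GivenName             = $hire.GivenName
        Surname               = $hire.Surname
        DisplayName           = $displayName
        Department            = $hire.Department
        Path                  = $targetOU
        AccountPassword       = $initialPassword        # required before -Enabled $true takes effect
        ChangePasswordAtLogon = $true                   # shared initial password is replaced at first sign-in
        AccountExpirationDate = (Get-Date).AddDays(90)  # contractor accounts expire instead of lingering
        Enabled               = $true
    }
    New-ADUser @params

    # Read the account back with the non-default properties to confirm what was actually written.
    $created = Get-ADUser -Identity $hire.SamAccountName -Properties Department, AccountExpirationDate, PasswordLastSet
    if (-not $created.Enabled) {
        Write-Warning "Account $($hire.SamAccountName) was created but is disabled; check the domain password policy."
    }
    $created | Select-Object SamAccountName, Enabled, Department, AccountExpirationDate
}
```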
Manage groups and group memberships in PowerShell
The Active Directory module has cmdlets for creating and deleting groups, modifying group properties, and changing group membership.
Managing groups
Group-modifying cmdlets have the text "group" in their names. For example, cmdlets that add group members have "groupmember" in their names. Cmdlets that modify a user's, computer's, or other Active Directory object's group have "principalgroupmembership" in their name.
Cmdlets for group management:
New-ADGroup - Creates a new group
Set-ADGroup - Modifies a group's properties
Get-ADGroup - Displays a group's properties
Remove-ADGroup - Deletes a group
Add-ADGroupMember - Adds members to a group
Get-ADGroupMember - Displays a group's members
Remove-ADGroupMember - Removes members from a group
Add-ADPrincipalGroupMembership - Adds group membership to an object
Get-ADPrincipalGroupMembership - Displays an object's group membership
Remove-ADPrincipalGroupMembership - Removes group membership from an object
Creating new groups
The New-ADGroup cmdlet creates groups using the -GroupScope parameter and the group name.
Common parameters for New-ADGroup:
-Name - defines the name of a group
-GroupScope - defines the scope of a group as DomainLocal, Global, or Universal; you must provide this parameter
-DisplayName - defines the Lightweight Directory Access Protocol (LDAP) display name for an object
-GroupCategory - defines whether a group is a security group or a distribution group; if you don't specify either, a security group is created
-ManagedBy - defines a user or group that can manage a group
-Path - defines the OU or container in which a group is created
-SamAccountName - defines a name that is backward-compatible with older operating systems
For example, to create a new group named FileServerAdmins, enter the following command:
New-ADGroup -Name FileServerAdmins -GroupScope Global
Managing group membership
The *-ADGroupMember and *-ADPrincipalGroupMembership cmdlets help manage groups in two ways:
- modify the groups an object belongs to
- modify a group's members
*-ADGroupMember cmdlets modify the membership of a group. You can't pipe a list of members to these cmdlets, but you can:
- add or remove members of a group
- pass a list of groups to these cmdlets
*-ADPrincipalGroupMembership cmdlets modify a user's or other object's group membership. You can't provide a list of groups to these cmdlets, but you can pipe a list of members to them. You can also:
- add a user account as a member of a group
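The script below is an added example, not code from the original page: it uses each cmdlet family in the direction it supports (a list of groups piped to Add-ADGroupMember, a list of users piped to Add-ADPrincipalGroupMembership) and then reviews the effective membership of a group. It assumes the groups FileServerAdmins and Helpdesk and the constructed sample users exist in the domain.

```powershell
# Added example (not from the original page): the two membership cmdlet families
# used in the direction each one supports, followed by a membership review.
# Assumptions: groups FileServerAdmins and Helpdesk exist; user names are constructed.
Import-Module ActiveDirectory

$users  = 'anabowman', 'danpark'
$groups = 'FileServerAdmins', 'Helpdesk'

# *-ADGroupMember: one group, a list of members passed by parameter (members are not piped).
Add-ADGroupMember -Identity 'Helpdesk' -Members $users

# ...but a list of groups can be piped in; each group receives the same members.
Get-ADGroup -Filter { Name -like 'FileServer*' } | Add-ADGroupMember -Members $users

# *-ADPrincipalGroupMembership: members are piped in, the groups are passed by parameter.
Get-ADUser -Filter { Department -eq 'IT' } | Add-ADPrincipalGroupMembership -MemberOf $groups

# Review: every user in FileServerAdmins, including members reached through nested groups,
# with the sign-in data needed to spot stale or disabled accounts holding the right.
Get-ADGroupMember -Identity 'FileServerAdmins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate |
    Sort-Object LastLogonDate

# Remove a membership from the user's side once the work that needed it is finished.
Remove-ADPrincipalGroupMembership -Identity 'danpark' -MemberOf 'FileServerAdmins' -Confirm:$false
```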
Manage computer accounts in PowerShell
The Active Directory module also has cmdlets to create, modify, and delete computer accounts. The cmdlets for managing computer objects have the text "computer" in their names.
Cmdlets for computer account management:
New-ADComputer - creates a new computer account
Set-ADComputer - modifies properties of a computer account
Get-ADComputer - displays properties of a computer account
Remove-ADComputer - deletes a computer account
Test-ComputerSecureChannel - verifies or repairs the trust relationship between a computer and the domain
Reset-ComputerMachinePassword - resets the password for a computer account
Creating new computer accounts
The New-ADComputer cmdlet helps create a new computer account in the correct OU before you join the computer to the domain.
Common parameters for New-ADComputer:
-Name - defines the name of a computer account
-Path - defines the OU or container where a computer account is created
-Enabled - defines whether the computer account is enabled or disabled; by default, computer accounts are enabled and a random password is generated
The following example is a command that you can use to create a computer account:
New-ADComputer -Name LON-CL10 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true
Repairing the trust relationship for a computer account
The Test-ComputerSecureChannel cmdlet uses the -Repair parameter to repair a lost trust relationship between a computer and a domain. You must run the cmdlet on the computer with the lost trust relationship.
Account vs. device management cmdlets
The *-ADComputer cmdlets are part of the Active Directory module and manage the computer object in AD DS, not the physical device or its operating system. Use the *-Computer cmdlets to manage the properties of the physical computer and its operating system. For example, the Add-Computer cmdlet joins a computer to a domain.
Manage organizational units and Active Directory objects in PowerShell
Windows PowerShell provides cmdlets for creating, modifying, and deleting Organizational Units (OUs). OU management cmdlets have the word "organizationalunit" in their names.
Cmdlets for OU management:
New-ADOrganizationalUnit - creates an OU
Set-ADOrganizationalUnit - modifies properties of an OU
Get-ADOrganizationalUnit - displays properties of an OU
Remove-ADOrganizationalUnit - deletes an OU
Creating new OUs
You can use the New-ADOrganizationalUnit cmdlet to make a new OU.
Parameters for New-ADOrganizationalUnit:
-Name - defines the name of a new OU
-Path - defines the location of a new OU
-ProtectedFromAccidentalDeletion - prevents anyone from accidentally deleting an OU; the default value is $true
The following example is a command to create a new OU:
New-ADOrganizationalUnit -Name Sales -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true
Active Directory object cmdlets
You may need to use the Active Directory module to create, delete, and modify these objects and their properties:
- Active Directory objects that don't have their own management cmdlets (such as contacts)
- multiple object types in a single operation, such as moving users and computers from one OU to another
*-ADObject cmdlets sometimes perform faster than cmdlets specific to an object type. Cmdlets for changing generic Active Directory objects have the text "Object" in the noun part of the name.
Cmdlets for managing Active Directory objects
New-ADObject - Creates a new Active Directory object
Set-ADObject - Modifies properties of an Active Directory object
Get-ADObject - Displays properties of an Active Directory object
Remove-ADObject - Deletes an Active Directory object
Rename-ADObject - Renames an Active Directory object
Restore-ADObject - Restores a deleted Active Directory object from the Active Directory Recycle Bin
Move-ADObject - Moves an Active Directory object from one container to another container
Sync-ADObject - Syncs an Active Directory object between two domain controllers
Creating a new Active Directory object
You can use the New-ADObject cmdlet to create objects. When using New-ADObject, you must specify the name and the object type.
Parameters for New-ADObject:
-Name - Defines the name of an object
-Type - Defines the LDAP type of an object
-OtherAttributes - Defines properties of an object that aren't accessible from other parameters
-Path - Defines the container in which an object is created
The following command creates a new contact object:
New-ADObject -Name "AnaBowmancontact" -Type contact
Manage IP addresses in PowerShell
The NetTCPIP module consists of TCP/IP-specific cmdlets for managing Windows network settings. The NetTCPIP cmdlets help add, remove, change, and validate IP address settings.
IP address management cmdlets use the noun "NetIPAddress" in their names. You can list them by running Get-Command with the -Module NetTCPIP parameter.
Cmdlets for managing IP address settings:
New-NetIPAddress - Creates a new IP address
Get-NetIPAddress - Displays properties of an IP address
Set-NetIPAddress - Modifies properties of an IP address
Remove-NetIPAddress - Deletes an IP address
Creating new IP address settings
The New-NetIPAddress cmdlet requires an IPv4 or IPv6 address and either the alias or index of a network interface. As a best practice, include the default gateway and subnet mask.
Parameters for New-NetIPAddress:
-IPAddress - Defines the IPv4 or IPv6 address to create
-InterfaceIndex - Defines the network interface, by index, for the IP address
-InterfaceAlias - Defines the network interface, by name, for the IP address
-DefaultGateway - Defines the IPv4 or IPv6 address of the default gateway host
-PrefixLength - Defines the prefix length (subnet mask) for the IP address
The following command creates a new IP address on the Ethernet interface:
New-NetIPAddress -IPAddress 192.168.1.10 -InterfaceAlias "Ethernet" -PrefixLength 24 -DefaultGateway 192.168.1.1
The New-NetIPAddress cmdlet also accepts the -AddressFamily parameter, which defines the IPv4 or IPv6 IP address family. If you don't use this parameter, the address family property is detected automatically.
Manage IP routing in PowerShell
IP routing forwards data packets based on their destination IP address. Routing tables contain IP routing information and update their entries automatically. Still, you might need to manually add, remove, or modify routing table entries. The NetTCPIP module includes cmdlets for managing the Windows routing table; their names use the noun "NetRoute".
Cmdlets for managing routing table entries and settings:
New-NetRoute - Creates an entry in the IP routing table
Get-NetRoute - Retrieves an entry from the IP routing table
Set-NetRoute - Modifies properties of an entry in the IP routing table
Remove-NetRoute - Deletes an entry from the IP routing table
Find-NetRoute - Identifies the best local IP address and route to reach a remote address
Creating an IP routing table entry
The New-NetRoute cmdlet creates routing table entries. The New-NetRoute cmdlet requires you to identify the network interface and destination prefix.
Parameters for New-NetRoute:
-DestinationPrefix - Defines the destination prefix of an IP route
-InterfaceAlias - Defines the network interface, by alias, for an IP route
-InterfaceIndex - Defines the network interface, by index, for an IP route
-NextHop - Defines the next hop for an IP route
-RouteMetric - Defines the route metric for an IP route
The following command creates an IP routing table entry (a default route through 192.168.1.1 on the Ethernet interface):
New-NetRoute -DestinationPrefix 0.0.0.0/0 -InterfaceAlias "Ethernet" -NextHop 192.168.1.1
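The script below is an added example, not code from the original page: it configures the static address and routes from the two sections above in one pass, clearing stale IPv4 state first and verifying the result with Get-NetIPAddress and Get-NetRoute. It assumes an interface named "Ethernet"; the addresses 192.168.1.10/24, 192.168.1.1, 10.10.0.0/16 and 192.168.1.254 are constructed.

```powershell
# Added example (not from the original page): assign a static address and routes on one
# interface, checking state before and after. Assumes an adapter named "Ethernet";
# all addresses below are constructed sample values.
$alias   = 'Ethernet'
$address = '192.168.1.10'
$prefix  = 24
$gateway = '192.168.1.1'

# Fail early on a wrong alias; New-NetIPAddress would otherwise fail with a less clear error.
$nic = Get-NetAdapter -Name $alias -ErrorAction Stop
if ($nic.Status -ne 'Up') { Write-Warning "Adapter $alias is $($nic.Status); the address will be set but unreachable." }

# Static addressing and DHCP do not mix: turn DHCP off on the interface first.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled

# Remove any existing IPv4 address and default route so the new settings are not stacked on old state.
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# -DefaultGateway on New-NetIPAddress creates the 0.0.0.0/0 route as well, so New-NetRoute is only
# needed for additional routes: here a constructed back-end subnet reached through a second hop.
New-NetIPAddress -IPAddress $address -InterfaceAlias $alias -PrefixLength $prefix -DefaultGateway $gateway
New-NetRoute -DestinationPrefix '10.10.0.0/16' -InterfaceAlias $alias -NextHop '192.168.1.254' -RouteMetric 10

# Verify: exactly the intended address, and both routes present with the expected next hops.
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength
Get-NetRoute -InterfaceAlias $alias -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -in '0.0.0.0/0', '10.10.0.0/16' } |
    Select-Object DestinationPrefix, NextHop, RouteMetric
```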
Manage DNS clients in PowerShell
PowerShell offers cmdlets for managing DNS client settings, DNS name resolution, and securing DNS clients. DNS client management cmdlets are part of the DNSClient PowerShell module and have the text "DnsClient" in the noun part of the name.
Cmdlets for modifying DNS client settings:
Get-DnsClient - Gets the DNS client configuration of a network interface
Set-DnsClient - Sets DNS client configuration settings for a network interface
Get-DnsClientServerAddress - Gets the DNS server address settings for a network interface
Set-DnsClientServerAddress - Sets the DNS server address for a network interface
Set-DnsClient requires an interface referenced by an alias or index. The following command sets the connection-specific suffix for an interface:
Set-DnsClient -InterfaceAlias Ethernet -ConnectionSpecificSuffix "adatum.com"
Manage Windows Firewall settings in PowerShell
The NetSecurity module contains cmdlets for managing local Network Security configurations, such as Windows firewall rules and IP security settings. To manage firewall settings, use cmdlets with the text "NetFirewall" in their names. To manage firewall rules, use cmdlets with the noun "NetFirewallRule."
Cmdlets for managing firewall settings and rules:
New-NetFirewallRule - Creates a new firewall rule
Set-NetFirewallRule - Sets properties for a firewall rule
Get-NetFirewallRule - Gets properties for a firewall rule
Remove-NetFirewallRule - Deletes a firewall rule
Rename-NetFirewallRule - Renames a firewall rule
Copy-NetFirewallRule - Makes a copy of a firewall rule
Enable-NetFirewallRule - Enables a firewall rule
Disable-NetFirewallRule - Disables a firewall rule
Get-NetFirewallProfile - Gets properties for a firewall profile
Set-NetFirewallProfile - Sets properties for a firewall profile
The Get-NetFirewallRule cmdlet retrieves firewall rule settings. You can enable and disable rules by using one of the following cmdlets:
- The Set-NetFirewallRule cmdlet with the -Enabled parameter
- The Enable-NetFirewallRule or Disable-NetFirewallRule cmdlets
The following commands enable the firewall rules in the group Remote Access:
- Enable-NetFirewallRule -DisplayGroup "Remote Access"
- Set-NetFirewallRule -DisplayGroup "Remote Access" -Enabled True
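The script below is an added example, not code from the original page: it joins enabled inbound Allow rules with their port and address filters to show what is actually exposed, then enables the Remote Access group as above and reads the rule state back. It assumes the NetSecurity module; the helper name Get-InboundAllowExposure is constructed.

```powershell
# Added example (not from the original page): review which enabled inbound Allow rules
# expose listening ports, then enable a rule group and confirm the change.
# Assumes the NetSecurity module; Get-InboundAllowExposure is a constructed helper name.
function Get-InboundAllowExposure {
    # Each enabled inbound Allow rule, joined with its port and remote-address filters.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.DisplayName
                Group         = $_.DisplayGroup
                Profile       = $_.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
}

# Rules that accept any remote address on the Public profile deserve a second look.
Get-InboundAllowExposure |
    Where-Object { $_.RemoteAddress -eq 'Any' -and $_.Profile -match 'Public|Any' } |
    Sort-Object Group, Name | Format-Table -AutoSize

# Enable the Remote Access group (the page's example) and prove the state change.
Enable-NetFirewallRule -DisplayGroup 'Remote Access'
Get-NetFirewallRule -DisplayGroup 'Remote Access' |
    Select-Object DisplayName, Enabled, Direction, Action

# When the group was only needed temporarily, turn it back off the same way:
# Disable-NetFirewallRule -DisplayGroup 'Remote Access'
```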
Automate management tasks using the Group Policy management cmdlets
Windows PowerShell helps manage Group Policy Objects (GPOs), including creating, deleting, backing up, reporting, and importing GPOs. You can also associate GPOs with Active Directory Domain Services (AD DS) OUs, including setting GPO inheritance and permissions. Group Policy cmdlets require Remote Server Administration Tools (RSAT).
The GroupPolicy module contains cmdlets for managing Group Policies. These cmdlet names include the prefix "GP," and most have "GPO" as the noun.
Cmdlets for managing GPOs:
New-GPO - Creates a new GPO
Get-GPO - Retrieves a GPO
Set-GPO - Modifies the properties of a GPO
Remove-GPO - Deletes a GPO
Rename-GPO - Renames a GPO
Backup-GPO - Backs up one or more GPOs in a domain
Copy-GPO - Copies a GPO from one domain to another domain
Restore-GPO - Restores a GPO from backup files
New-GPLink - Links a GPO to an AD DS container
Import-GPO - Imports GPO settings from a backed-up GPO
Set-GPRegistryValue - Configures one or more registry-based policy settings in a GPO
Creating a new GPO
New-GPO requires only the -Name parameter, which must be unique in the GPO's domain. By default, the GPO is created in the domain of the user who is running the command. New-GPO also doesn't link the created GPO to an AD DS container. To link a GPO to a container, use the New-GPLink cmdlet.
The following command creates a new GPO from a starter GPO:
New-GPO -Name "IT Team GPO" -StarterGPOName "IT Starter GPO"
The following command links the new GPO to an AD DS organizational unit:
New-GPLink -Name "IT Team GPO" -Target "OU=IT,DC=adatum,DC=com"
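The script below is an added example, not code from the original page: it creates the GPO only if it does not already exist, sets one registry-based policy with Set-GPRegistryValue (PowerShell script block logging, a common logging baseline), links it to the OU, and backs it up so the change can be rolled back. It assumes the GroupPolicy module and OU=IT,DC=adatum,DC=com exist; the backup folder C:\GPOBackups is a constructed path.

```powershell
# Added example (not from the original page): create a GPO, set one registry-based policy,
# link it to an OU, and back it up. Assumes the GroupPolicy module (RSAT) and the OU exist;
# the backup folder is a constructed path.
Import-Module GroupPolicy

$gpoName   = 'IT Team GPO'
$targetOU  = 'OU=IT,DC=adatum,DC=com'
$backupDir = 'C:\GPOBackups'

# Create only if a GPO of that name does not already exist (names must be unique in the domain).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Managed by script' }

# Registry-based policy: turn on PowerShell script block logging (event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log) for every computer the GPO applies to.
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'EnableScriptBlockLogging' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU unless a link is already there.
$existingLink = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $existingLink) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# Back up the finished GPO; Restore-GPO or Import-GPO can bring it back from this folder.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backup = Backup-GPO -Name $gpoName -Path $backupDir -Comment "Baseline $(Get-Date -Format s)"

# Verify what was written rather than trusting the calls succeeded.
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'EnableScriptBlockLogging' |
    Select-Object ValueName, Value, Type
(Get-GPInheritance -Target $targetOU).GpoLinks | Select-Object DisplayName, Enabled, Enforced
"Backup id: $($backup.Id)"
```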
Manage server roles and services using PowerShell cmdlets
The ServerManager module contains cmdlets for managing server features, roles, and services. These cmdlets are equivalent to the Server Manager user interface. The Server Manager cmdlet names include the noun "WindowsFeature."
The ServerManager module cmdlets only run on Windows Server operating systems. You'll receive an error message if you try to use them on a Windows client.
Server management cmdlets:
Get-WindowsFeature - Obtains and displays information about Windows Server roles, services, and features that are installed or are available for installation
Install-WindowsFeature - Installs one or more roles, services, or features
Uninstall-WindowsFeature - Uninstalls one or more roles, services, or features
The following command installs network load balancing on the local server:
Install-WindowsFeature "nlb"
Manage Hyper-V Virtual Machines using PowerShell cmdlets
PowerShell offers more than 200 cmdlets for managing Hyper-V virtual machines (VMs), virtual hard disks, and other components of a Hyper-V environment. The Hyper-V module contains the Hyper-V cmdlets.
The Hyper-V cmdlets are available when you install the Hyper-V Management tools feature on a Windows client operating system or the Hyper-V Module for Windows PowerShell feature on Windows Server.
Hyper-V cmdlets use one of three prefixes:
- "VM" for virtual machine cmdlets
- "VHD" for virtual hard disk cmdlets
- "VFD" for virtual floppy disk cmdlets
Cmdlets for managing Hyper-V VMs:
Get-VM - Gets properties of a VM
Set-VM - Sets the properties of a VM
New-VM - Creates a new VM
Start-VM - Starts a VM
Stop-VM - Stops a VM
Restart-VM - Restarts a VM
Suspend-VM - Pauses a VM
Resume-VM - Resumes a paused VM
Import-VM - Imports a VM from a file
Export-VM - Exports a VM to a file
Checkpoint-VM - Creates a checkpoint of a VM
Manage Internet Information Services using PowerShell cmdlets
The Web server role includes Internet Information Services (IIS), commonly used to manage websites and web-based applications. PowerShell cmdlets can configure and manage IIS application pools, websites, web applications, and virtual directories.
IIS management cmdlets are available in the IISAdministration module for PowerShell and have the prefix "IIS" in the noun part of their names. Sites use the noun "IISSite".
To manage web-based applications, use the WebAdministration PowerShell module, which includes cmdlets for managing web applications. These cmdlets use the noun "WebApplication," and cmdlets for managing application pools use the noun "WebAppPool."
Since the IISAdministration module's updated features have mostly replaced the WebAdministration module, use the IISAdministration module for any IIS-related management tasks.
IIS and web application administration cmdlets:
New-IISSite - Creates a new IIS website
Get-IISSite - Gets properties and configuration information about an IIS website
Start-IISSite - Starts an existing IIS website on the IIS server
Stop-IISSite - Stops an IIS website
New-WebApplication - Creates a new web application
Remove-WebApplication - Deletes a web application
New-WebAppPool - Creates a new web application pool
Restart-WebAppPool - Restarts a web application pool
Manage Windows 10 using PowerShell
The Microsoft.PowerShell.Management module includes cmdlets for obtaining information and performing operations on a local computer. To review the cmdlets included in this module, enter the following:
Get-Command -Module Microsoft.PowerShell.Management
Cmdlets included in the Microsoft.PowerShell.Management module:
Get-ComputerInfo - Retrieves all system and operating system properties from the computer
Get-Service - Retrieves a list of all services on the computer
Get-EventLog - Retrieves events and event logs from local and remote computers (only available in Windows PowerShell 5.1)
Get-Process - Retrieves a list of all active processes on a local or remote computer
Stop-Service - Stops one or more running services
Stop-Process - Stops one or more running processes
Stop-Computer - Shuts down local and remote computers
Clear-EventLog - Deletes all of the entries from the specified event logs on the local computer or remote computers
Clear-RecycleBin - Deletes the content of a computer's recycle bin
Restart-Computer - Restarts the operating system on local and remote computers
Restart-Service - Stops and then starts one or more services
Running management cmdlets
The following are examples of how to use some of the management cmdlets in Windows 10:
- To retrieve detailed information about the local computer, run Get-ComputerInfo
- To retrieve the latest five error entries from the Application log, run Get-EventLog -LogName Application -Newest 5 -EntryType Error
- To clear the Application log on the local computer, run Clear-EventLog -LogName Application
Manage permissions with PowerShell
The Microsoft.PowerShell.Security module includes cmdlets for managing the basic security features in Windows. To review the cmdlets included in this module, enter the following command:
Get-Command -Module Microsoft.PowerShell.Security
Cmdlets included in the Microsoft.PowerShell.Security module:
Get-Acl - Gets objects that represent the security descriptor of a file or resource. The security descriptor includes the resource's access control lists (ACLs). The ACL lists permissions that users and groups have to access the resource.
Set-Acl - Changes the security descriptor of a specified item, such as a file, folder, or registry key, to match the values in a security descriptor you supply.
Retrieving access permissions
The Get-Acl cmdlet displays the security descriptor for an object. For example, you can retrieve the security descriptor for C:\Folder1. By default, the output displays in a table format. If you pipe the output to a list format, you can review all the information in the security descriptor:
Get-Acl -Path C:\Folder1 | Format-List
The following command can retrieve a more verbose list of the access property with the file system rights, access control type, and inheritance settings for the specified object:
(Get-Acl -Path C:\Folder1).Access
You can also retrieve only specific Access properties formatted in a table format:
(Get-Acl -Path C:\Folder1).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
Updating file and folder access permissions
The Set-Acl cmdlet helps apply changes to the ACL on a specific object. To modify file or folder permissions, follow these steps:
- Use Get-Acl to retrieve the existing ACL rules for the object.
- Create a new FileSystemAccessRule to be applied to the object.
- Add the new rule to the existing ACL permission set.
- Use Set-Acl to apply the new ACL to the existing file or folder.
The following example assigns the Modify permission to C:\Folder1 for a local user named User1.
- Declare a variable that includes the existing ACL rules for Folder1: $ACL = Get-Acl -Path C:\Folder1
- Create a new FileSystemAccessRule variable that specifies the access specifications to be applied: $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("User1","Modify","Allow")
- Add the new access rule to the existing ACL rules for Folder1: $ACL.SetAccessRule($AccessRule)
- Apply the new ACL to Folder1: $ACL | Set-Acl -Path C:\Folder1
- NOTE: You can also configure an access rule to remove Folder1 permissions for User1 by simply changing step 3 to $ACL.RemoveAccessRule($AccessRule).
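The function below is an added example, not code from the original page: it wraps the four steps above (including the RemoveAccessRule variant from the note) in one call, sets inheritance flags so the rule reaches subfolders and files, and reads the ACL back to confirm the explicit entry. It assumes C:\Folder1 exists and User1 is a local account; the function name Set-FolderModifyRule is constructed.

```powershell
# Added example (not from the original page): grant or revoke a Modify rule for one
# principal on a folder, then read the ACL back to confirm the result.
# Assumes C:\Folder1 exists and User1 is a local account; the function name is constructed.
function Set-FolderModifyRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [switch] $Revoke
    )
    # Step 1: the existing ACL.
    $acl = Get-Acl -Path $Path

    # Step 2: the rule, inheriting to subfolders and files so it behaves like one set in Explorer.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        'Modify',
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        'Allow')

    # Step 3: add the rule, or remove the matching rule when -Revoke is given.
    if ($Revoke) { [void] $acl.RemoveAccessRule($rule) } else { $acl.SetAccessRule($rule) }

    # Step 4: write the ACL back.
    Set-Acl -Path $Path -AclObject $acl

    # Read back only the explicit (non-inherited) entries for this identity; empty output after
    # -Revoke means the rule is gone, and inherited entries are listed separately on purpose.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like "*\$Identity" -and -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags
}

Set-FolderModifyRule -Path 'C:\Folder1' -Identity 'User1'
Set-FolderModifyRule -Path 'C:\Folder1' -Identity 'User1' -Revoke
```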
Copying a security descriptor to a new object
Suppose you want to copy the exact security descriptor to a new object. In that case, you can use a combination of the Get-Acl and Set-Acl commands as follows:
Get-Acl -Path C:\Folder1 | Set-Acl -Path C:\Folder2
These commands copy the values from the security descriptor of C:\Folder1 to the security descriptor of Folder2. When the commands are complete, the security descriptors for both folders are identical.