1. Automating Active Directory Domain Services Administration
Presentation: 45 minutes
Lab: 45 minutes
After completing this module, students should be able to:
Use command‑line tools for administration.
Use Windows PowerShell® for administration.
Perform bulk operations with Windows PowerShell.
Automate Active Directory® Domain Services (AD DS) administration by using Windows PowerShell.
Make sure that students are aware that the Course Companion contains additional module information and resources.
Required Materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20410D_04.pptx.
Important: We recommend that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of Office PowerPoint, all the features of the slides might not display correctly.
Preparation Tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and the lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on‑the‑job performance.
Module 4
Automating Active Directory Domain Services Administration

2. Performing Bulk Operations with Windows PowerShell
Module Overview
4: Automating Active Directory Domain Services Administration
Performing Bulk Operations with Windows PowerShell
Briefly describe the lessons that this module includes. Explain that this module focuses on using command‑line tools and Windows PowerShell to perform bulk administration.

3. Lesson 1: Using Command-line Tools for AD DS Administration
4: Automating Active Directory Domain Services Administration
What Are DS Commands?

4. Benefits of Using Command-Line Tools for AD DS Administration
4: Automating Active Directory Domain Services Administration
Command-line tools allow you to automate
AD DS administration
Benefits of using command-line tools:
Faster implementation of bulk operations
Customized processes for AD DS administration
AD DS administration on server core
Explain that command‑line tools are useful for bulk operations, such as creating 1,000 user accounts at once. Additionally, they are useful for any repetitive tasks. Explain to students that the main advantage of using these tools is that they can save the commands and reuse them later.

5. What Is Csvde? Use csvde to export objects to a .csv file: -f filename
4: Automating Active Directory Domain Services Administration
AD DS
Import
Export
csvde.exe
filename.csv
Explain to students that they can use the csvde command-line tool to create or export AD DS objects. However, they cannot use csvde to modify or delete existing objects. Point out that when they export objects without specifying which attributes to include, all attributes are included. They can use the resulting header row to identify the Lightweight Directory Access Protocol (LDAP) names of specific attributes that they want to include in a .csv file. Most organization use csvde primarily for exporting data.
Consider performing an export with csvde, and reviewing the contents of the .csv file.
Use csvde to export objects to a .csv file:
-f filename 
-d RootDN
-p SearchScope
-r Filter
-l ListOfAtrributes
Use csvde to create objects from a .csv file:
csvde –i –f filename –k

6. What Is Ldifde? Use ldifde to export objects to a LDIF file:
4: Automating Active Directory Domain Services Administration
Export
ldifde.exe
filename.ldif
Import
AD DS
The key to presenting this topic is to differentiate ldifde from csvde. The major differences are that:
Ldifde can modify and remove objects.
Far fewer programs and apps can export and import data in LDAP Data Interchange Format (LDIF).
Use ldifde to export objects to a LDIF file:
-f filename
-d RootDN
-r Filter
-p SearchScope
-l ListOfAttributesToInclude
-o ListOfAttributesToExclude
Use ldifde to create, modify, or delete objects:
ldifde –i –f filename –k

7. 20410D
What Are DS Commands?
4: Automating Active Directory Domain Services Administration
Windows Server 2012 includes ds* commands that are suitable for use in scripts
Examples
To modify the department of a user account, type:
To display the of a user account, type:
To delete a user account, type:
To create a new user account, type:
Describe the ds* commands that are available for manipulating AD DS objects. Use the examples on the slide to describe command syntax. Verify that students understand the format of a distinguished name. If necessary, explain that the format of a distinguished name is based on LDAP. Describe the:
Common name: cn
Organizational unit: ou
Domain component: dc
Explain to students that unlike csvde and ldifde, these tools are not designed explicitly for bulk management of objects. Instead, they manipulate individual objects or to perform bulk operations.
Consider demonstrating how to use the dsquery command to manage many objects at one time. For example, use the following command to change the department for all users in the IT organizational unit (OU):
Dsquery user “OU=IT, DC=Adatum,DC=com” | Dsmod user -dept IT
Question
What criteria would you use to select between using csvde, ldifde, and the ds* commands?
Answer
If you are using a data source that can export as a .csv file, you most likely will use csvde. However, csvde cannot modify existing objects. You are also likely to use csvde when exporting data from AD DS.
If you are using a data source that can export as an LDIF file, then you would most likely use ldifde. You would also use ldifde if you need to remove or modify existing objects.
If you are modifying individual objects, then you will most likely use the ds* commands if you have chosen not to use graphical tools.
Dsmod user "cn=Joe Healy,ou=Managers, dc=adatum,dc=com" –dept IT
Dsget user "cn=Joe Healy,ou=Managers, dc=adatum,dc=com" –
Dsrm "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"
Dsadd user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"

8. Lesson 2: Using Windows PowerShell for AD DS Administration
4: Automating Active Directory Domain Services Administration
Using Windows PowerShell Cmdlets to Manage OUs
To help students understand how to use Windows PowerShell to perform AD DS administration, it is critical that they see examples of how the cmdlets are used. Many of the slides in this lesson provide examples. It is critical that you describe all of the examples on each slide, including the purpose of each parameter.

9. Using Windows PowerShell Cmdlets to Manage User Accounts
4: Automating Active Directory Domain Services Administration
Cmdlet
Description
New-ADUser
Creates user accounts
Set-ADUser
Modifies properties of user accounts
Remove-ADUser
Deletes user accounts
Set-ADAccountPassword
Resets the password of a user account
Set-ADAccountExpiration
Modifies the expiration date of a user account
Unlock-ADAccount
Unlocks a user account after it has become locked after too many incorrect login attempts
Enable-ADAccount
Enables a user account
Disable-ADAccount
Disables a user account
Describe each of the cmdlets on the slide to students. In addition, describe the example that uses the New‑ADUser cmdlet. Consider demonstrating the cmdlets. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Question
Are all cmdlet parameters that you use to manage user accounts the same?
Answer
No. Many of the parameters are the same or similar, but each cmdlet has its own list of parameters.
New-ADUser "Sten Faerch" –AccountPassword (Read-Host –AsSecureString "Enter password") ‑Department IT

10. Using Windows PowerShell Cmdlets to Manage Groups
4: Automating Active Directory Domain Services Administration
Cmdlet
Description
New-ADGroup
Creates new groups
Set-ADGroup
Modifies properties of groups
Get-ADGroup
Displays properties of groups
Remove-ADGroup
Deletes groups
Add-ADGroupMember
Adds members to groups
Get-ADGroupMember
Displays membership of groups
Remove-ADGroupMember
Removes members from groups
Add-ADPrincipalGroupMembership
Adds group membership to objects
Get-ADPrincipalGroupMembership
Displays group membership of objects
Remove- ADPrincipalGroupMembership
Removes group membership from an object
Describe each of the cmdlets on the slide to students. Be sure to explain the difference between the *‑ADGroupMember cmdlets and the *‑ADPrincipalGroupMembership cmdlets. The easiest distinction to make for students is that the *‑ADGroupMember cmdlets are similar to modifying membership in the properties of a group, while the *‑ADPrincipalGroupMembership cmdlets are similar to modifying the Member Of property in the properties of an object, such as a user account.
Consider demonstrating how to create a group, and then add group members to it.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
New-ADGroup –Name "CustomerManagement" –Path "ou=managers,dc=adatum,dc=com" –GroupScope Global –GroupCategory Security
Add-ADGroupMember –Name “CustomerManagement”
–Members "Joe"

11. Using Windows PowerShell Cmdlets to Manage Computer Accounts
4: Automating Active Directory Domain Services Administration
Cmdlet
Description
New-ADComputer
Creates new computer accounts
Set-ADComputer
Modifies properties of computer accounts
Get-ADComputer
Displays properties of computer accounts
Remove-ADComputer
Deletes computer accounts
Test-ComputerSecureChannel
Verifies or repairs the trust relationship between a computer and the domain
Reset
-ComputerMachinePassword
Resets the password for a computer account
Describe each of the cmdlets on the slide to students. Relate the use of these cmdlets back to the management information for computer accounts that Module 3 discussed.
Be sure to mention that the New‑ADComputer cmdlet does not offer the option to delegate permissions to join a computer to the new computer account. If these permissions are necessary, students need to assign those permissions manually.
The AD DS permissions required on the computer account are:
Reset Password
Validated write to Domain Name System (DNS) host name
Validated write to service principal name
Write Account Restrictions
Consider demonstrating the permissions differences when creating a computer account in Active Directory Users and Computers with delegation, and when using the New‑AdComputer cmdlet.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
New-ADComputer –Name “LON-SVR8” -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true
Test-ComputerSecureChannel -Repair

12. Using Windows PowerShell Cmdlets to Manage OUs
4: Automating Active Directory Domain Services Administration
Cmdlet
Description
New-ADOrganizationalUnit
Creates OUs
Set-ADOrganizationalUnit
Modifies properties of OUs
Get-ADOrganizationalUnit
Views properties of OUs
Remove-ADOrganizationalUnit
Deletes OUs
Describe each of the cmdlets on the slide to students. Mention that the default value for the ProtectedFromAccidentalDeletion parameter is $true.
Consider doing a demonstration where you:
Create a new OU.
Attempt to remove the OU, which fails due to protection from accidental deletion.
Set the ProtectedFromAccidentalDeletion parameter to $false.
Again attempt to remove the OU. This time you should be successful.
To avoid typing slide examples, you can use the examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Question
In the slide example, is the ProtectedFromAccidentalDeletion parameter required?
Answer
No. The default value is set to $true. The same result occurs if the ProtectedFromAccidentalDeletion parameter is not used.
New-ADOrganizationalUnit –Name “Sales” –Path "ou=marketing,dc=adatum,dc=com" –ProtectedFromAccidentalDeletion $true

13. Lesson 3: Performing Bulk Operations with Windows PowerShell
4: Automating Active Directory Domain Services Administration
Demonstration: Performing Bulk Operations with Windows PowerShell
To help students understand how to use Windows PowerShell to perform bulk operations, it is critical that they see examples of how to use the cmdlets. Many of this lesson’s slides provide such examples, and it is critical that you describe all of the examples on each slide, including each parameter’s purpose.

14. What Are Bulk Operations?
20410D
What Are Bulk Operations?
4: Automating Active Directory Domain Services Administration
A bulk operation is a single action that changes multiple objects
Sample bulk operations
Create user accounts based on data in a spreadsheet
Disable all accounts not used in six months
Rename the department for many users
You can perform bulk operations by using:
Graphical tools
Command-line tools
Script
Define a bulk operation for students and provide some examples, such as:
Moving multiple user accounts to a new OU.
Changing the department name for a set of user accounts.
Disabling a set of user accounts.

15. Demonstration: Using Graphical Tools to Perform Bulk Operations
4: Automating Active Directory Domain Services Administration
In this demonstration, you will see how to:
Create a query for all users
Configure the Company attribute for all users
Verify that the Company attribute has been modified
Preparation Steps
Start the 20410D‑LON‑DC1 virtual machine.
Demonstration Steps
Create a query for all users
Sign in to LON‑DC1 as Adatum\Administrator with the password Pa$$w0rd.
On LON‑DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
In the Active Directory Administrative Center, in the navigation pane, click Global Search.
At the far right of the Global Search pane, click the down arrow that is displayed inside a circle to display Add criteria.
Click Add criteria, select the Object type is user/inetOrgPerson/computer/group/organization unit check box, and then click Add.
Verify that the criteria that you added is and The object type is: User.
Click the Search button.
Configure the Company attribute for all users
Press Ctrl+A to select all of the user accounts, and then click Properties.
In the Multiple Users pane, in the Organization section, select the Company check box.
In the Company text box, type A. Datum, and then click OK.
Verify that the Company attribute has been modified
In the Global Search pane, click Adam Barr, and then click Properties.
In the Adam Barr window, verify that the Company is A. Datum.
Click Cancel.
Close the Active Directory Administrative Center.
Leave the virtual machine running after you complete the demonstration.

16. Querying Objects with Windows PowerShell
4: Automating Active Directory Domain Services Administration
Parameter
Description
SearchBase
Defines the AD DS path to begin searching
SearchScope
Defines at what level below the SearchBase a search should be performed
ResultSetSize
Defines how many objects to return in response to a query
Properties
Defines which object properties to return and display
Filter
Defines a filter by using PowerShell syntax
LDAPFilter
Defines a filter by using LDAP query syntax
There are two slides for this topic.
Use this slide to introduce the Filter parameter as a method for performing queries with the Get‑AD* cmdlets. Make note of the operators that you can use. Students might be expecting to use mathematical operators, such as the equal sign (=), less than sign (<), and greater than sign (>). Let them know that they cannot use these operators. Additionally, highlight that you can use ‑like only with the asterisk (*) wildcard for matching strings.
Question
What is the difference between using ‑eq and ‑like when you are comparing strings?
Answer
The ‑eq operator finds an exact match, meaning that it is not case sensitive. However, you can use the ‑like operator with the asterisk (*) wildcard to find partial matches.
Descriptions of operators
-eq
Equal to
-gt
Greater than
-ne
Not equal to
-ge
Greater than or equal to
-lt
Less than
-like
Uses wildcards for pattern matching
-le
Less than or equal to

17. Querying Objects with Windows PowerShell
4: Automating Active Directory Domain Services Administration
Show all the properties for a user account: 
Show all the user accounts in the Marketing OU and all its subcontainers:
Show all of the user accounts with a last logon date older than a specific date:
Show all of the user accounts in the Marketing department that have a last logon date older than a specific date:
Get-ADUser –Name “Administrator” -Properties *
This is the second slide for this topic.
Use the examples to describe the parameters commonly used with the Get‑ADUser cmdlet.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Get-ADUser –Filter * -SearchBase "ou=Marketing,dc=adatum,dc=com" -SearchScope subtree
Get-ADUser -Filter {lastlogondate -lt "January 1, 2012"}
Get-ADUser -Filter {(lastlogondate -lt "January 1, 2012") -and (department -eq "Marketing")}

18. Modifying Objects with Windows PowerShell
4: Automating Active Directory Domain Services Administration
Use the pipe character ( | ) to pass a list of objects to a cmdlet for further processing
Explain to students how they can use the pipe character ( | ) to pass objects to another cmdlet for further processing. Use the examples on the slide to show that they can use either the results of a query or the content of a text file.
Stress to students that you cannot pass random data to another cmdlet. The objects being passed to a cmdlet must be of the correct type. For example, you can pass a list of user account objects to the Set‑ADUser cmdlet, but they cannot pass a list of groups to the Set‑ADUser cmdlet. The help documentation for each Set‑AD* cmdlet defines how the identity of the object being modified should be specified. If they are using a list of objects from a text file, this tells them how they need to format the data in the text file. For example, the Set‑ADUser cmdlet allows them to identify user objects by distinguished name, globally unique identifier (GUID), security identifier (SID), or Security Accounts Manager (SAM) account name.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Question
Which attributes of a user account can you use when creating a query by using the Filter parameter?
Answer
You can use any user account parameter that you can query. Use the Properties parameter with a value of * (‑Properties *) to identify all properties that can be retrieved.
Get‑ADUser ‑Filter {company ‑notlike "*"} | Set‑ADUser ‑Company "A. Datum"
Get‑ADUser ‑Filter {lastlogondate ‑lt "January 1, 2012"} | Disable‑ADAccount
Get-Content C:\users.txt | Disable-ADAccount

19. 20410D
Working with CSV Files
4: Automating Active Directory Domain Services Administration
The first line of a .csv file defines the names of the columns
A foreach loop processes the contents of a .csv that have been imported into a variable
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
Use the slide content to explain the following four key points:
The header in the .csv file defines the name of each column.
Import‑Csv reads the contents of the .csv file.
A foreach loop processes each row from the .csv file.
The $i represents each row as it is processed.
To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
Question
In the foreach loop, how does $i change?
Answer
The foreach loop processes each row from the .csv file that is loaded into the $users variable. The loop is performed once for each row from the .csv file. The variable $i represents each row as it is processed.
$users=Import-CSV –LiteralPath “C:\users.csv”
foreach ($user in $users) {
Write-Host "The first name is:" $user.FirstName }

20. Demonstration: Performing Bulk Operations with Windows PowerShell
4: Automating Active Directory Domain Services Administration
In this demonstration, you will see how to:
Configure a department for users
Create an OU
Run a script to create new user accounts
Verify that new user accounts were created
Preparation Steps
For this demonstration, you need the 20410D‑LON‑DC1 virtual machine. It should be running after the previous demonstration.
Demonstration Steps
Configure a department for users
On LON‑DC1, on the taskbar, click the Windows PowerShell icon.
At the Windows PowerShell prompt, type the following command, and then press Enter:
Get‑ADUser ‑Filter * ‑SearchBase “ou=Research,dc=adatum,dc=com”
Type the following command, and then press Enter:
Get‑ADUser ‑Filter * ‑SearchBase “ou=Research,dc=adatum,dc=com” | Set‑ADUser ‑Department Research
Get‑ADUser ‑Filter ‘department ‑eq “Research”’ | Format‑Table DistinguishedName,Department
Get‑ADUser ‑Filter ‘department ‑eq “Research”’ ‑Properties Department | Format‑Table DistinguishedName,Department
Create an organizational unit (OU)
New‑ADOrganizationalUnit LondonBranch ‑Path “dc=adatum,dc=com”
(More notes on the next slide)

21. Lab: Automating AD DS Administration by Using Windows PowerShell
4: Automating Active Directory Domain Services Administration
Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk
Before the students begin the lab, read the lab scenario and display the next slide. Before each exercise, read the scenario associated with the exercise to the class. The scenarios give context to the lab and exercises, and help to facilitate the discussion at the end of the lab. Remind students to complete the discussion questions after the last lab exercise.
Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell
A. Datum Corporation has a number of scripts that it has previously to create user accounts by using command‑line tools. However, an enterprise-wide mandate specifies that all future scripting will be done by using Windows PowerShell. As the first step in creating scripts, you need to identify the syntax required to manage AD DS objects in Windows PowerShell.
Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk
You have a .csv file that contains a large list of new users for the branch office. It is inefficient to create these users individually with graphical tools, so you will use a Windows PowerShell script instead. A colleague that has experience with scripting has given you a script that she created. You need to modify the script to match the format of your .csv file.
Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk
You have received a request to update all user accounts in the new branch office OU with the correct address of the new building. Additionally, you have been asked to ensure that all of the new user accounts in the branch office are configured to force users to change their passwords the next time they sign in.
Logon Information
Virtual machines D‑LON‑DC1
20410D‑LON‑CL1
User name Adatum\Administrator
Password Pa$$w0rd
Estimated Time: 45 minutes

22. 20410D
Lab Scenario
4: Automating Active Directory Domain Services Administration
You have been working for A. Datum Corporation for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot app and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.
As part of configuring a new branch office, you need to create user and group accounts. Creating multiple users with graphical tools is inefficient, so, you will use Windows PowerShell.

23. What file extension do Windows PowerShell scripts use?
Lab Review
4: Automating Active Directory Domain Services Administration
What file extension do Windows PowerShell scripts use?
Lab Review Questions
Question
By default, are new user accounts enabled or disabled when you create them by using the New-ADUser cmdlet?
Answer
By default, new user accounts are disabled when you create them by using the New-ADUser cmdlet.
What file extension do Windows PowerShell scripts use?
Windows PowerShell scripts use the .ps1 file extension.

24. Module Review and Takeaways
4: Automating Active Directory Domain Services Administration
Tools
Module Review Questions
Point students to the appropriate section in the course, so that they are able to answer the questions that this section presents
Question
A colleague is creating a Windows PowerShell script that creates user accounts from data in a .csv file. However, his script is experiencing errors when attempting to set a default password. Why might this be happening?
Answer
The most common source of errors received when setting passwords during user account creation is the format of the variable containing the password. The variable containing a user password must be a secure string. After importing default passwords from the .csv file, your colleague must convert the value to a secure string so that it is encrypted in memory.
Another common problem is trying to use passwords that do not meet complexity requirements. If you try to create a user account with the New‑ADUser cmdlets and use a password that does not meet complexity requirements, the user account is created but the password is not set, causing the user account to be disabled.
You are an administrator for a school district that creates 20,000 new user accounts for students each year. The administration system for students generates a list of the new students and then exports it as a .csv file. After the data is exported to a .csv file, what information do you need to work with the data in a script?
To work with a .csv file, you need to know the name and location of the .csv file. This information allows you to import the .csv file into a variable. You also need to know the name of each column in the .csv file. If there is no header row with column names, then you need to create one.
(More notes on the next slide)