PowerShell for SysAdmins: Automating Active Directory

In this lecture, we delve into managing Active Directory directly from PowerShell using the RSAT (Remote Server Administration Tools) Active Directory module. We'll guide you through the installation process and introduce key cmdlets for managing AD objects such as computers, users, and groups.

Learning Outcomes:

• Check if the RSAT Active Directory module is installed using Get-WindowsCapability.

• Install the RSAT Active Directory module with Add-WindowsCapability.

• Verify the installation of the Active Directory module using Get-Module.

• Explore computer-related cmdlets within the Active Directory module.

• Discover user-related cmdlets for managing AD users.

• Identify group-related cmdlets for managing AD groups.

By the end of this lecture, you will have the AD module installed and be familiar with essential cmdlets for managing Active Directory objects efficiently using PowerShell.

In this lecture, we'll dive into querying user accounts in Active Directory, focusing on various filtering techniques to pinpoint specific objects. This will enhance your ability to efficiently manage and retrieve detailed information from AD using PowerShell.

Learning Outcomes:

• Understand how to query a single user account using the Get-ADUser cmdlet with the -Identity parameter.

• Learn the flexibility of the -Identity parameter, allowing queries by SAM account name, UPN, DN, GUID, or SID.

• Discover how to retrieve additional AD attributes using the -Properties parameter.

• Explore the -Filter parameter to find users based on specific criteria, such as department or name patterns.

• Utilize comparison operators like -like and -eq within the -Filter parameter for precise searches.

• Combine multiple conditions with logical operators (-and, -or, -not) to refine your queries further.

• Get introduced to the Get-ADObject cmdlet for querying any type of AD object by specifying the ObjectClass.

By the end of this lecture, you will be proficient in querying and filtering Active Directory objects, making it easier to manage users, computers, and other objects efficiently.

In this lecture, we will explore the Search-ADAccount cmdlet, which simplifies filtering on various attributes in Active Directory. This cmdlet provides built-in parameters for common queries, making it easier to find specific accounts without complex filter syntax.

Learning Outcomes:

• Learn how to use the Search-ADAccount cmdlet to find inactive accounts with the -AccountInactive switch.

• Distinguish between user and computer accounts by using the -UsersOnly and -ComputersOnly switches.

• Understand what "inactive" means in terms of the last logon date.

• Use Get-Date to find the current date and compare it to account logon dates.

• Sort and filter accounts by their last logon date to determine the most recent activity.

• Implement the -TimeSpan parameter to find accounts inactive for a specific duration, such as 90 days.

• Discover additional helpful parameters of the Search-ADAccount cmdlet using the help command.

By the end of this lecture, you will be proficient in using the Search-ADAccount cmdlet to efficiently locate inactive accounts and other specific queries within Active Directory, streamlining your administrative tasks.

In this lecture, we will identify user accounts in Active Directory that haven't changed their passwords in the last 30 days. Although the Search-ADAccount cmdlet does not support this scenario, this will be good practice for crafting filters manually.

Learning Outcomes:

• Learn how to create a filter to find all enabled user accounts in Active Directory.

• Understand how to retrieve and utilize the passwordlastset attribute for users.

• Calculate the date 30 days prior to today for use in filtering.

• Apply a filter to find user accounts that haven't changed their passwords in the last 30 days.

• Combine multiple conditions in filters to ensure precision in querying enabled accounts with outdated passwords.

By the end of this lecture, you will be proficient in creating and applying custom filters in PowerShell to manage user account policies and enhance security by ensuring regular password updates.

In this lecture, we will create a PowerShell script to generate a report for HR that shows every employee in the company and their manager. We'll break down the process into manageable steps and demonstrate how to put it all together.

Learning Outcomes:

• Understand how to filter and retrieve user accounts from a specific Organizational Unit (OU) in Active Directory.

• Learn how to retrieve the Manager attribute for each user.

• Combine retrieved user and manager information into a custom PowerShell object.

• Export the data into a CSV file for easy sharing and analysis.

• Implement error handling and logging for a robust script.

By the end of this lecture, you will have a comprehensive script that can generate a detailed report on user-manager relationships in your organization, ensuring you can meet the needs of HR efficiently and effectively.

n this lecture, we'll walk through the process of creating a new user account in Active Directory for a new employee, John Doe, using PowerShell. We'll cover identifying the appropriate cmdlets, specifying the necessary parameters, and ensuring the account is fully functional with a set password.

Learning Outcomes:

• Identify the appropriate cmdlet for creating a new AD user account using the Get-Command cmdlet.

• Understand the essential parameters needed to create a comprehensive user account with New-ADUser.

• Execute the creation of a new user account with attributes such as name, department, title, and OU path.

• Set a password for the new user account using Set-ADAccountPassword with secure string conversion.

• Verify the creation and configuration of the new user account.

By the end of this lecture, you will be proficient in using PowerShell to create and configure new user accounts in Active Directory, ensuring new employees can start using their accounts immediately upon joining.

In this lecture, we will cover how to update existing user accounts in Active Directory using PowerShell. Specifically, we'll handle a scenario where an employee, Alice, has changed her last name due to marriage and received a promotion. We'll update her AD user account with these new details.

Learning Outcomes:

• Learn how to query Active Directory for a specific user using Get-ADUser with filters.

• Understand how to update user attributes using the Set-ADUser cmdlet.

• Verify updates to user accounts by querying Active Directory again.

By the end of this lecture, you will be able to confidently query, update, and manage user accounts in Active Directory using PowerShell, ensuring that user details are always current and accurate.

In this lecture, we'll cover how to audit the Active Directory group structure using PowerShell's Get-ADGroup cmdlet. This will help you gather detailed information about various groups across different departments and organizational units (OUs).

Learning Outcomes:

• Learn how to filter and retrieve groups in Active Directory based on specific criteria.

• Understand how to narrow down results to only security groups within a specific department.

• Identify groups within a specific OU using the SearchBase parameter.

• Discover how to find groups created recently by filtering based on the whenCreated attribute.

By the end of this lecture, you will be proficient in using the Get-ADGroup cmdlet to audit and analyze the Active Directory group structure in your organization.

In this lecture, we'll cover how to create new Active Directory groups to reflect the new departmental organization using PowerShell's New-ADGroup cmdlet. This will allow you to efficiently manage group creation and streamline the restructuring process.

Learning Outcomes:

• Understand how to create a new security group using the New-ADGroup cmdlet.

• Learn how to create a distribution group for email purposes.

• Automate the creation of multiple groups using a loop.

By the end of this lecture, you will be proficient in using the New-ADGroup cmdlet to create various types of groups in Active Directory, ensuring your organizational structure is accurately represented.

In this lecture, we'll cover how to modify existing Active Directory groups using PowerShell. Specifically, we will rename a group, update its description, and change its scope to accommodate changes in your organization.

Learning Outcomes:

• Learn how to rename an Active Directory group.

• Update the description of a group to reflect its new role.

• Change the group scope to Universal for cross-domain collaboration.

By the end of this lecture, you will be proficient in modifying Active Directory groups to reflect organizational changes and support a broader scope of members.

In this lecture, we will cover how to manage group memberships in Active Directory using PowerShell. Specifically, we'll onboard a new employee, Jane Doe, by adding her to several groups and ensure the synchronization of group memberships across different projects.

Learning Outcomes:

• Add a new user to multiple groups using the Add-ADGroupMember cmdlet.

• Remove a user from a group using the Remove-ADGroupMember cmdlet.

• Create a reusable script to synchronize group memberships between two groups.

By the end of this lecture, you will be proficient in managing Active Directory group memberships efficiently with PowerShell.

In this lecture, we focus on the initial planning phase for building a reusable tool. We'll create a rough outline of the workflow and features for our PowerShell script, which will automate the creation of Active Directory (AD) users and computer accounts based on company policy.

Learning Outcomes:

• Learn the importance of planning before coding to ensure a clear understanding of the tool's objectives and functionality.

• Understand how to create a back-of-the-napkin plan by outlining the key tasks and workflow the tool will perform.

• Develop a comment block in PowerShell to document the initial workflow and requirements of the tool.

• Identify specific company policies and requirements that the script needs to adhere to, such as naming conventions and organizational unit (OU) assignments.

• Recognize the importance of a flexible and iterative approach to building and refining the tool as new requirements and challenges arise.

In this lecture, we start implementing the code to define the username for new Active Directory (AD) accounts based on our rough plan. We'll begin by working directly in the PowerShell console to test the code, which will later be refined and moved into our script.

Learning Outcomes:

• Learn how to import and inspect data from a CSV file to understand the structure and fields.

• Practice creating a variable to store a single employee's data for testing.

• Implement the logic to generate a username based on company policy.

• Handle potential conflicts by checking for existing usernames and modifying the username format if necessary.

• Understand how to use the Get-AdUser cmdlet with filters to avoid errors when checking for existing accounts.

In this lecture, we build the code to create a computer account for an employee, following company policies. We will use PowerShell to name the computer account, place it in the appropriate organizational unit (OU), and verify its creation.

Learning Outcomes:

• Learn how to generate a computer account name dynamically using PowerShell.

• Understand how to determine the correct OU distinguished name based on department information.

• Discover how to explore and identify the correct Active Directory command for creating a computer account.

• Implement the creation of a computer account in Active Directory using the New-ADComputer command.

• Verify the existence of the newly created computer account using the Get-ADComputer command.

In this lecture, we dive into creating a user account using PowerShell. This process involves several steps, including generating a secure password and ensuring compliance with company policies. We will explore the necessary cmdlets, parameters, and custom functions required to complete this task.

Learning Outcomes:

• Understand how to use the New-AdUser cmdlet to create a user account in Active Directory.

• Learn how to generate a secure random password that complies with specific company policies using a custom PowerShell function.

• Convert a plain text password to a secure string suitable for use with New-AdUser.

• Identify and use the required parameters for New-AdUser to create a new user account.

• Simplify long PowerShell commands using splatting to enhance readability and maintainability.

• Add the newly created user account to the appropriate department group using the Add-ADGroupMember cmdlet.

• Verify the creation of the user account and its membership in the specified group using Get-AdUser and Get-ADGroupMember.

In this lecture, we focus on scaling our script to process multiple employee records from a CSV file simultaneously. We'll build on our existing code and introduce a loop to handle multiple rows, ensuring that our script can create multiple Active Directory (AD) user accounts in one go.

Learning Outcomes:

• Understand how to modify a script to process multiple CSV records using a foreach loop.

• Learn to transition from processing a single record to handling multiple records by iterating through the employee data.

• Implement a test setup to verify the script with a limited number of records.

• Adapt the script by changing references from a single employee to a variable representing each employee in the loop.

• Test the script to ensure it successfully creates multiple AD user accounts based on the CSV data.

• Verify the creation of AD user accounts through manual checks using PowerShell commands.

In this lecture, we focus on refactoring our PowerShell script to make it more professional and reusable. We'll remove planning comments, define parameters, and ensure the script processes all employees. Additionally, we'll enhance the script to provide a standard output with login details for each employee, and discuss adding error handling for robustness.

Learning Outcomes:

• Understand the importance of refactoring code to enhance readability and reusability.

• Learn how to define parameters in PowerShell to make scripts adaptable to future changes.

• Refactor a PowerShell script to use parameter values dynamically.

• Modify the script to process all employees from a CSV file, removing test-specific code.

• Generate a standard output with login details for each employee to facilitate their onboarding process.

• Recognize the need for error handling and planning for common issues such as missing Organizational Units (OUs) or incorrect department names.

In this lecture, we focus on enhancing our PowerShell script by adding robust error handling. We ensure that the script can handle various scenarios that might occur in different environments, providing clear error messages and maintaining script stability.

Learning Outcomes:

• Understand the necessity of error handling in making tools reliable and adaptable to different environments.

• Learn how to use parameter validation to ensure required inputs are present and valid before script execution.

• Implement try-catch blocks to handle errors gracefully and prevent script termination on individual failures.

• Add checks to handle scenarios where user account names already exist, the Organizational Unit (OU) is missing, or the specified group doesn't exist.

• Create informative error messages to provide clarity on what went wrong during script execution.

• Test the script's error handling by simulating a missing group and observing the resultant error message.

In this lecture, we begin developing our PowerShell tool named Invoke-UserAdSync.ps1. We'll outline the basic structure and functionality of the tool

In this lecture, we'll begin developing our user sync script by reading our data source (a CSV file) and matching it with existing Active Directory (AD) information. We'll import employee data, identify unique identifiers, fetch corresponding AD users, and filter out employees who need AD accounts created.

Learning Outcomes:

• Learn how to import employee data from a CSV file into a PowerShell script.

• Understand how to define and use a unique identifier (e.g., employee number) for matching data between the CSV file and AD.

• Discover methods to retrieve AD user accounts and include specific properties using the Get-ADUser cmdlet.

• Implement logic to compare and filter employee data from the CSV file against existing AD users.

• Generate a list of employees from the CSV file who need new AD accounts created based on the absence of matching identifiers in AD.

In this lecture, we'll refactor our existing New-Employee script to make it more flexible and reusable. By modifying the script to accept objects directly from the pipeline instead of only reading from a CSV file, we'll be able to streamline the process of creating new AD user accounts. We'll also demonstrate how to integrate this refactored tool into our Invoke-UserAdSync.ps1 script.

Learning Outcomes:

• Refactor the New-Employee script to remove CSV file references and accept pscustomobject input directly.

• Understand the benefits of code reuse and refactoring for building flexible tools.

• Learn how to modify parameter definitions to accept pipeline input using the ValueFromPipeline attribute.

• Implement changes to replace loop references with direct parameter references in the script.

• Discover how to use a process block to ensure all pipeline objects are processed correctly.

• Integrate the refactored New-Employee script into the Invoke-UserAdSync.ps1 script to create new AD user accounts.

• Verify the creation of new AD users and understand the importance of iterative testing and validation.

In this lecture, we'll optimize our user matching process using hashtables to significantly improve the performance of our script. By refining how we check for existing AD user accounts, we can make the matching process faster and more efficient, especially when handling large datasets.

Learning Outcomes:

• Understand the limitations of the initial matching process and the need for optimization.

• Learn how to create a hashtable from CSV data using the Group-Object cmdlet to speed up lookups.

• Implement a hashtable to store employee numbers from the CSV file as keys for quick access.

• Discover the efficiency gains of using hashtables for data lookups compared to traditional methods.

• Refactor the script to use the hashtable for faster matching of CSV employee data with AD user accounts.

• Validate the optimized matching process by testing the script with sample data and ensuring accurate results.

• Appreciate the importance of revisiting and optimizing code for better performance in real-world scenarios.

In this lecture, we'll complete our script by transforming it into a reusable tool. We'll convert hardcoded values into parameters to make the script flexible and adaptable to different environments. This involves setting up parameters for the CSV file path and the matching property, and integrating the existing logic into a cohesive, reusable tool.

Learning Outcomes:

• Learn how to define parameters for a PowerShell script to enhance its flexibility and reusability.

• Understand the importance of parameterizing values that are likely to change, such as file paths and unique identifiers.

• Integrate existing script logic into a parameterized structure to create a reusable tool.

• Implement logging and verbose output to provide feedback and ensure the tool's operations are transparent.

• Validate the tool by running it with different parameter values and checking the output.