The Active Directory Module for Windows PowerShell, which is included with Windows Server 2008 R2, can be used to administer Active Directory Domain Services (AD DS) objects, including computer objects. For an overview of the Active Directory Module for Windows PowerShell, please see Introducing the Active Directory Module for Windows PowerShell.
What follows is an in-depth look at administering AD DS computers by using the Active Directory Module for Windows PowerShell.
There are a number of tasks that can be performed on computer objects by using the cmdlets included with the Active Directory Module for Windows PowerShell, such as retrieving, creating, deleting, and modifying them. Each is covered below.
Retrieving AD DS Computers
Get-ADComputer retrieves AD DS computer objects: a single object when you identify it directly, or every object that matches criteria you specify.
Get-ADComputer accepts the search criteria in several formats: distinguished name, GUID, SID, SAM account name, CN (the computer's name), and LDAP filter.
One advantage of Get-ADComputer is that it recognizes the format of the criteria automatically for all but the LDAP filter. In other words, a distinguished name, GUID, SID, SAM account name, or CN can be passed as the first (Identity) argument without a parameter name telling the cmdlet which format you are using; only an LDAP filter needs its own parameter, -LDAPFilter. The table below shows the different formats that can be used to find the same AD DS computer object (the distinguished name is quoted because "Domain Controllers" contains a space, which would otherwise split the argument):
| Criteria | Command |
|---|---|
| Distinguished name | Get-ADComputer "CN=WS08R2RCDC1,OU=Domain Controllers,DC=domain,DC=local" |
| GUID | Get-ADComputer 737cf589-9b1d-4533-959c-813b75321f8e |
| SID | Get-ADComputer S-1-5-21-236992988-293544445-1879654059-1000 |
| SAM account name | Get-ADComputer WS08R2RCDC1$ |
| CN | Get-ADComputer WS08R2RCDC1 |
The LDAP filter format is particularly useful when you need to find more than one AD DS computer object. The -LDAPFilter parameter accepts any filter written in standard LDAP search filter syntax. For example, to find all AD DS computer objects whose name contains WS08R2, you can use the following command:
Get-ADComputer returns only a default set of computer object properties (DistinguishedName, DNSHostName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, and UserPrincipalName); any other attribute is not fetched unless you ask for it.
To control which computer object properties are returned by Get-ADComputer, use the -Properties parameter. As shown in the figure below, you can use a wildcard (-Properties *) to return all properties for the AD DS computer(s) found. That is convenient for inspecting a single object but expensive across many, so in scripts name the attributes you need.
As shown in the figure below, you can also extend the default list by giving -Properties a comma-separated list of the names of the properties you want returned:
You can also restrict where a search runs by using the -SearchBase and -SearchScope parameters, respectively.
If you want to limit your search to a particular Organizational Unit, use the -SearchBase parameter and specify the distinguished name of the OU. The following command sets the search base to the Toronto OU:
The -SearchScope parameter controls how far below the search base the search extends. The scope can be set to Base, OneLevel, or Subtree. Base returns only the search base object itself; OneLevel returns the immediate children of the search base (not the base itself); Subtree, the default, returns the search base and every object beneath it, however deeply nested.
Adding to the above example, you can refine the command so that it searches only the Toronto OU and no child OUs by typing the following command:
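The retrieval options described above, combined in one script. This is an added example, not code from the original article; it uses the domain.local domain, the Toronto OU, and the WS08R2RCDC1 computer named on the page as assumed names, and it needs a domain controller reachable through Active Directory Web Services, so it cannot run offline.

```powershell
Import-Module ActiveDirectory

# Assumed names, taken from the page: domain.local with a Toronto OU.
$domainDN  = 'DC=domain,DC=local'
$torontoOU = "OU=Toronto,$domainDN"

# 1. LDAP filter: every computer whose name contains "WS08R2". -LDAPFilter is
#    raw LDAP syntax, so the wildcard is '*' and the expression is parenthesised.
Get-ADComputer -LDAPFilter '(name=*WS08R2*)' |
    Select-Object Name, DistinguishedName

# 2. The same search with the PowerShell-style -Filter parameter, which the
#    cmdlet translates to LDAP for you.
Get-ADComputer -Filter 'Name -like "*WS08R2*"' |
    Select-Object Name, DistinguishedName

# 3. Properties: only the default set comes back unless you ask. Request the
#    attributes you need by name; -Properties * works but fetches everything,
#    which is slow across hundreds of objects.
Get-ADComputer -Identity WS08R2RCDC1 `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, ServicePrincipalNames |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, ServicePrincipalNames

# 4. Search base and scope. OneLevel = computers directly in the Toronto OU;
#    Subtree (the default) = the Toronto OU plus every OU nested inside it.
#    @() forces an array so .Count is valid even for zero or one result.
$direct = @(Get-ADComputer -Filter * -SearchBase $torontoOU -SearchScope OneLevel)
$nested = @(Get-ADComputer -Filter * -SearchBase $torontoOU -SearchScope Subtree)
"Toronto OU: {0} computers directly in the OU, {1} including child OUs" -f $direct.Count, $nested.Count

# 5. The difference between the two scopes is exactly the set of computers that
#    live in child OUs; listing them shows where the nesting is.
$directDNs = $direct | ForEach-Object { $_.DistinguishedName }
$nested |
    Where-Object { $directDNs -notcontains $_.DistinguishedName } |
    Select-Object Name, DistinguishedName
```

The -Filter form in step 2 is usually the better choice inside scripts: values are quoted PowerShell-style and the cmdlet handles the LDAP escaping, whereas a string concatenated into -LDAPFilter must be escaped by hand.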
Creating AD DS Computer Objects
New-ADComputer can be used to create an AD DS computer object. At minimum, you must specify the name of the computer. The command to create a computer account with a name of TestPC is:
The above command creates the AD DS computer object in the domain's default computer container, which is CN=Computers unless it has been redirected to an OU with redircmp.exe.
New-ADComputer has a set of parameters for the attributes most commonly set on a computer object, including -Name, -Path, -SAMAccountName, -ManagedBy, and -Description.
The following command uses some of these parameters to create an AD DS computer object:
The table below breaks down the above command. The Attributes column lists the attributes that were set by the above command. The Value column lists the value that was set for each attribute. The Cmdlet Parameter column lists the actual cmdlet parameter and value that was used to set the value for each attribute.
| Attribute | Value | Cmdlet Parameter |
|---|---|---|
| Name | Server1 | -Name Server1 |
| Path | Toronto OU | -Path "OU=Toronto,DC=domain,DC=local" |
| SAM account name | Server1 | -SAMAccountName Server1 |
| Managed By | JPOLICELLI | -ManagedBy JPOLICELLI |
| Description | Test Computer | -Description "Test Computer" |
You can also use the -OtherAttributes parameter to set attributes that have no dedicated parameter; it takes a hash table of LDAP attribute names and values.
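The New-ADComputer call broken down in the table, reassembled and followed by the checks a practitioner would run on the result. This is an added example rather than the article's own command. The domain.local domain, the Toronto OU, and the JPOLICELLI user come from the page; the Server2 host is assumed, and adminDescription (an attribute every AD object inherits from the top class) is used only to illustrate -OtherAttributes.

```powershell
Import-Module ActiveDirectory

# The page's command, rebuilt from the table and splatted so each parameter is
# readable. Assumed names: domain.local, the Toronto OU, the user JPOLICELLI.
$new = @{
    Name           = 'Server1'
    Path           = 'OU=Toronto,DC=domain,DC=local'
    SAMAccountName = 'Server1'
    ManagedBy      = 'JPOLICELLI'        # user identity: SAM name, DN, GUID or SID
    Description    = 'Test Computer'
}

# Dry run first: -WhatIf reports the object that would be created and stops.
New-ADComputer @new -WhatIf

# Create it, then read it back by name with the attributes the table sets.
New-ADComputer @new
$created = Get-ADComputer -Identity 'Server1' -Properties Description, ManagedBy

# Two checks worth making on every new computer object:
#  a) a computer's sAMAccountName must end in '$' (the page's own
#     Remove-ADComputer Server1$ example depends on that convention); check the
#     stored value instead of assuming the cmdlet normalised what was passed.
if ($created.SamAccountName -notlike '*$') {
    Write-Warning "sAMAccountName is '$($created.SamAccountName)'; expected a trailing `$"
}
#  b) ManagedBy is stored as a distinguished name; confirm it resolved to the
#     intended user rather than failing silently.
Write-Host ("Created {0} in {1}, managed by {2}" -f
    $created.Name, $created.DistinguishedName, $created.ManagedBy)

# -OtherAttributes sets anything without a dedicated parameter, as a hash table
# of LDAP attribute name to value. adminDescription is used here purely as an
# illustration; Server2 is an assumed name and the text is constructed.
New-ADComputer -Name 'Server2' -Path $new.Path -Description 'Test Computer 2' `
    -OtherAttributes @{ adminDescription = 'Provisioned by build script' }

# Without -SAMAccountName the cmdlet derives the account name from -Name and
# appends the '$' itself, so the SAM form is safe to use for the lookup.
Get-ADComputer -Identity 'Server2$' -Properties adminDescription |
    Select-Object Name, SamAccountName, adminDescription
```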
Deleting AD DS Computer Objects
Remove-ADComputer can be used to delete AD DS computer objects. Remove-ADComputer requires only that you identify the object you want to delete, in any of the same formats Get-ADComputer accepts: distinguished name, GUID, SID, SAM account name, or CN.
The table below shows the different formats that can be used to delete the same AD DS computer account:
| Criteria | Command |
|---|---|
| Distinguished name | Remove-ADComputer "CN=Server1,OU=Toronto,DC=domain,DC=local" |
| GUID | Remove-ADComputer b8c3ac0f-8878-415f-a32a-4daa54ec562b |
| SID | Remove-ADComputer S-1-5-21-236992988-293544445-1879654059-1124 |
| SAM account name | Remove-ADComputer Server1$ |
| CN | Remove-ADComputer Server1 |
As shown in the figure below, Remove-ADComputer prompts you to confirm the deletion. That prompt is the cmdlet's only safeguard: -WhatIf reports what would be deleted without deleting it, and -Confirm:$false suppresses the prompt, which is what a script needs and exactly what you do not want while typing at the console.
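Deletion with the safeguards in place, from a single object through a bulk clean-up of stale accounts. This is an added example, not the article's own; it assumes the domain.local domain and the Toronto OU from the page, computer accounts named Server1 and Server2 to delete, and a 90-day staleness threshold.

```powershell
Import-Module ActiveDirectory

$torontoOU = 'OU=Toronto,DC=domain,DC=local'   # assumed, as on the page

# 1. One object. Preview with -WhatIf, then delete without the interactive
#    prompt (-Confirm:$false is for scripts; leave it off at the console).
Remove-ADComputer -Identity 'Server1$' -WhatIf
Remove-ADComputer -Identity 'Server1$' -Confirm:$false

# 2. Bulk clean-up of stale accounts under an OU. LastLogonTimeStamp replicates
#    to every DC (unlike lastLogon) but is refreshed lazily, roughly every
#    14 days, so a 90-day cut-off really means "no logon for about 90-104 days".
$cutoff = (Get-Date).AddDays(-90)
$stale  = @(Get-ADComputer -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true } `
              -SearchBase $torontoOU -Properties LastLogonTimeStamp, Description)

# Review the candidates before touching anything.
$stale | Select-Object Name, DistinguishedName,
    @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

# Disable and tag first. Deleting drops the object's SID and group memberships,
# which come back only from a backup or the AD Recycle Bin.
$tag = 'Disabled {0:yyyy-MM-dd}: no logon since {1:yyyy-MM-dd}' -f (Get-Date), $cutoff
foreach ($c in $stale) {
    Set-ADComputer -Identity $c -Enabled $false -Description $tag
}

# After a grace period, delete the ones that are still disabled and tagged.
Get-ADComputer -Filter { Enabled -eq $false } -SearchBase $torontoOU -Properties Description |
    Where-Object { $_.Description -like 'Disabled *: no logon since *' } |
    Remove-ADComputer -Confirm:$false -WhatIf   # drop -WhatIf once the preview is right

# 3. A computer that owns child objects (a cluster's virtual computer objects,
#    a service connection point) is not a leaf, and Remove-ADComputer refuses
#    to delete it. Check for children and fall back to Remove-ADObject.
$target   = Get-ADComputer -Identity 'Server2$'
$children = @(Get-ADObject -SearchBase $target.DistinguishedName -SearchScope OneLevel -Filter *)
if ($children.Count -gt 0) {
    $names = ($children | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} has {1} child object(s): {2}" -f $target.Name, $children.Count, $names)
    Remove-ADObject -Identity $target.DistinguishedName -Recursive -Confirm:$false
} else {
    Remove-ADComputer -Identity $target -Confirm:$false
}
```

The disable-then-delete split in step 2 is deliberate: a machine that was merely off for three months will fail to authenticate when it comes back, which is loud and easy to reverse, whereas a deleted account has to be rejoined or restored.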
Modifying AD DS Computer Objects
Set-ADComputer can be used to modify the properties of an AD DS computer object. Set-ADComputer has a predefined set of parameters for the commonly modified properties, including -Description, -Location, and -ServicePrincipalNames; any other attribute can be changed with the generic -Add, -Replace, -Remove, and -Clear parameters.
When using Set-ADComputer, you must identify the computer you want to modify, using any of the formats Get-ADComputer accepts: distinguished name, GUID, SID, SAM account name, or CN.
To change the SPNs of a computer account, you can use the following command (servicePrincipalName is multi-valued, so -ServicePrincipalNames takes a hash table whose key is Add, Remove, Replace, or Clear):
To change the location for a computer account, you can use the following command:
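Changing the location and the SPNs of a computer account, with the checks that keep Kerberos working afterwards. This is an added example, not the article's own command; the computer name Server1, the global catalog address, and the HTTP SPNs under domain.local are assumed.

```powershell
Import-Module ActiveDirectory

$computer = 'Server1$'            # any Get-ADComputer identity format works here
$gc       = 'domain.local:3268'   # assumed: a global catalog, for forest-wide lookups

# 1. Attributes with dedicated parameters are a single call.
Set-ADComputer -Identity $computer -Location 'Toronto, 2nd floor' `
    -Description 'Test Computer (relocated)'

# 2. servicePrincipalName is multi-valued. @{Replace=...} overwrites the whole
#    list and silently drops SPNs that running services still depend on, so
#    work with Add and Remove on individual values instead.
$me     = Get-ADComputer -Identity $computer -Properties ServicePrincipalNames
$newSpn = 'HTTP/server1.domain.local'
$oldSpn = 'HTTP/oldname.domain.local'

# A duplicate SPN breaks Kerberos for both accounts (the KDC cannot tell which
# key to encrypt the service ticket with), and SPNs must be unique across the
# forest, so query the global catalog before registering one. setspn -Q does
# the same check from a command prompt.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$newSpn)" -Server $gc |
            Where-Object { $_.DistinguishedName -ne $me.DistinguishedName })
if ($owners.Count -gt 0) {
    $where = ($owners | ForEach-Object { $_.DistinguishedName }) -join '; '
    throw "SPN $newSpn is already registered on: $where"
}

# Add the new SPN together with its short-name form (clients that connect by
# NetBIOS name ask for that one) and retire the old SPN in a single write.
# Removing a value that is not present can fail, so only ask for it when it is.
$change = @{ Add = @($newSpn, 'HTTP/server1') }
if ($me.ServicePrincipalNames -contains $oldSpn) { $change.Remove = $oldSpn }
Set-ADComputer -Identity $computer -ServicePrincipalNames $change

# 3. Read the object back and confirm what Kerberos will now see.
$after = Get-ADComputer -Identity $computer -Properties ServicePrincipalNames, Location
"{0} (location '{1}') now has SPNs:" -f $after.Name, $after.Location
$after.ServicePrincipalNames | Sort-Object
```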
Wrapping Up
The Active Directory Module for Windows PowerShell provides a powerful solution for managing Active Directory Domain Services computers with PowerShell. This module can be used to perform virtually every task on AD DS computer objects. What’s more, the cmdlets specific to AD DS computers are robust and easy to learn.
John Policelli (Microsoft MVP for Directory Services, MCTS, MCSA, ITSM, iNet+, Network+, and A+) is a solutions-focused IT consultant with over a decade of combined success in architecture, security, strategic planning, and disaster recovery planning. John has designed and implemented dozens of complex directory service, e-Messaging, web, networking, and security enterprise solutions.
John has spent the past nine years focused on Identity and Access Management and providing thought leadership for some of the largest installations of Active Directory in Canada. He has been involved as an author, technical reviewer, and subject matter expert for over 50 training, exam writing, press, and whitepaper projects related to Windows Server 2008 Identity and Access Management, networking, and collaboration.
John was awarded the Microsoft Most Valuable Professional designation in the Directory Services technical expertise in 2008 and 2009. John's MVP profile can be read here.
John is the co-author of MCITP Self-Paced Training Kit (Exam 70-647): Windows Server Enterprise Administration. His latest book, Active Directory Domain Services 2008 How-To, has been selected as Microsoft Subnet's June 2009 book giveaway.
To enter to win a copy of the book-of-the-month giveaway, visit the Microsoft Subnet home page.
Read a free chapter from Active Directory Domain Services 2008 How-To hosted by Microsoft Subnet.