How-To Administer Active Directory Domain Services Computers Using Windows PowerShell

Learn how to administer Active Directory Domain Services computers using Windows PowerShell in Windows Server 2008 R2

The Active Directory Module for Windows PowerShell, which is included with Windows Server 2008 R2, can be used to administer Active Directory Domain Services (AD DS) objects, including computer objects. For an overview of the Active Directory Module for Windows PowerShell, please see Introducing the Active Directory Module for Windows PowerShell.

What follows is an in-depth look at administering AD DS computers by using the Active Directory Module for Windows PowerShell.

Overview

There are a number of tasks that can be performed on computer objects by using the cmdlets included with the Active Directory Module for Windows PowerShell, such as:

  • Get-ADComputer
  • Get-ADComputerServiceAccount
  • New-ADComputer
  • Remove-ADComputer
  • Remove-ADComputerServiceAccount
  • Set-ADComputer
  • Add-ADComputerServiceAccount
  • Disable-ADAccount
  • Enable-ADAccount
  • Move-ADObject
  • Rename-ADObject

Retrieving AD DS Computers

Get-ADComputer can be used to retrieve AD DS computer objects. Get-ADComputer allows you to find one or more AD DS computer objects that meet criteria you specify.

Get-ADComputer allows you to specify the search criteria in multiple formats, including:

  • Distinguished name
  • GUID
  • SID
  • SAM account name
  • CN

One of the advantages of Get-ADComputer is that it automatically recognizes the format of the criteria for all but the LDAP filter. In other words, you do not have to include a parameter in the command to tell it which format you are using. The table below shows the different formats that can be used to find the same AD DS computer object:

Criteria             Command
Distinguished name   Get-ADComputer "CN=WS08R2RCDC1,OU=Domain Controllers,DC=domain,DC=local"
GUID                 Get-ADComputer 737cf589-9b1d-4533-959c-813b75321f8e
SID                  Get-ADComputer S-1-5-21-236992988-293544445-1879654059-1000
SAM account name     Get-ADComputer WS08R2RCDC1$
CN                   Get-ADComputer WS08R2RCDC1

Note that the distinguished name contains a space (OU=Domain Controllers), so it must be quoted or PowerShell will split it into two arguments.

The LDAP filter format is particularly useful when you need to find more than one AD DS computer object. You can use the -LDAPFilter parameter to specify any filter that LDAP supports. For example, to find all AD DS computer objects whose name contains WS08R2, you can use the following command:

  • Get-ADComputer -LDAPFilter "(cn=*WS08R2*)"

Get-ADComputer will return a default list of computer object properties.

However, you can control which computer object properties are returned by Get-ADComputer by using the -Properties parameter. As shown in the figure below, you can use a wildcard (-Properties *) to return all properties for the AD DS computer(s) found:

As shown in the figure below, you can also expand the list of properties returned for the AD DS computer(s) found by giving -Properties a comma-separated list of the names of the properties you want:

You can also specify the search base and search scope by using the -SearchBase and -SearchScope parameters, respectively.

If you want to limit your search to a particular Organizational Unit, you can use the -SearchBase parameter and specify the distinguished name of the OU. The following command sets the search base to the Toronto OU:

  • Get-ADComputer -LDAPFilter "(cn=*WS08R2*)" -SearchBase "OU=Toronto,DC=domain,DC=local"

The -SearchScope parameter allows you to control the scope of the search. The scope can be set to Base, OneLevel, or Subtree. Base searches only the object at the search base itself; OneLevel searches the immediate children of that object; Subtree searches the object and all of its descendants (the default).

Building on the above example, you can refine the command so that it only searches the computers directly in the Toronto OU, and not those in any child OUs, by using the OneLevel scope (Base would only examine the OU object itself and return no computers):

  • Get-ADComputer -LDAPFilter "(cn=*WS08R2*)" -SearchBase "OU=Toronto,DC=domain,DC=local" -SearchScope OneLevel
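The following script is an added example, not code from the original article: it combines -LDAPFilter, -SearchBase, -SearchScope and -Properties to audit every computer object under the Toronto OU and flag the settings an administrator would want to review. It assumes the Active Directory module is available and the Toronto OU exists; the 90-day staleness threshold is an assumed value.

```powershell
# Added example (not from the original article): audit computer objects under one OU.
Import-Module ActiveDirectory

$searchBase = 'OU=Toronto,DC=domain,DC=local'   # OU used throughout the article
$cutoff     = (Get-Date).AddDays(-90)            # assumed staleness threshold

# Request only the attributes the report needs rather than everything with -Properties *.
$props = 'OperatingSystem', 'LastLogonDate', 'PasswordLastSet', 'TrustedForDelegation'

$computers = Get-ADComputer -LDAPFilter '(objectClass=computer)' `
                            -SearchBase $searchBase -SearchScope Subtree `
                            -Properties $props

$report = foreach ($c in $computers) {
    $findings = @()
    # Unconstrained delegation lets the host act on behalf of any user that authenticates to it.
    if ($c.TrustedForDelegation) { $findings += 'UnconstrainedDelegation' }
    # A computer password that has not rotated in 90 days usually means the host is gone.
    if ($c.Enabled -and $c.PasswordLastSet -lt $cutoff) { $findings += 'StalePassword' }
    if ($c.Enabled) {
        if (-not $c.LastLogonDate)            { $findings += 'NeverLoggedOn' }
        elseif ($c.LastLogonDate -lt $cutoff) { $findings += 'StaleLogon' }
    }
    if (-not $c.OperatingSystem) { $findings += 'NoOperatingSystem' }

    New-Object PSObject -Property @{
        Name              = $c.Name
        DistinguishedName = $c.DistinguishedName
        Enabled           = $c.Enabled
        LastLogonDate     = $c.LastLogonDate
        PasswordLastSet   = $c.PasswordLastSet
        Findings          = ($findings -join ';')
    }
}

# Keep only computers with at least one finding; show them and save a CSV for follow-up.
$flagged = $report | Where-Object { $_.Findings } | Sort-Object Name
$flagged | Format-Table Name, Enabled, LastLogonDate, PasswordLastSet, Findings -AutoSize
$flagged | Export-Csv -Path .\TorontoComputerAudit.csv -NoTypeInformation
```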

Creating AD DS Computer Objects

New-ADComputer can be used to create an AD DS computer object. At minimum, you must specify the name of the computer. The command to create a computer account with a name of TestPC is:

  • New-ADComputer TestPC

The above command will create the AD DS computer object in the domain's default location for new computer objects, which is the Computers container unless it has been redirected.

New-ADComputer has a default set of parameters that can be used to set attributes for the computer object. These include the following:

  • Path
  • ManagedBy
  • DisplayName
  • ChangePasswordAtLogon
  • PasswordNotRequired
  • TrustedForDelegation
  • ServicePrincipalNames
  • OperatingSystemVersion
  • OperatingSystemServicePack
  • UserPrincipalName
  • Location
  • DNSHostName
  • OperatingSystemHotfix
  • OperatingSystem
  • SAMAccountName
  • HomePage
  • Description
  • Enabled
  • AccountNotDelegated
  • PasswordNeverExpires
  • AccountPassword
  • AccountExpirationDate
  • AllowReversiblePasswordEncryption
  • Certificates
  • CannotChangePassword
  • Name

The following command uses some of these parameters to create an AD DS computer object:

  • New-ADComputer -Name Server1 -Path "OU=Toronto,DC=domain,DC=local" -SAMAccountName Server1 -ManagedBy JPOLICELLI -Description "Test Computer"

The table below breaks down the above command. The Attribute column lists the attributes that were set by the command. The Value column lists the value that was set for each attribute. The Cmdlet Parameter column lists the actual cmdlet parameter and value that was used to set each attribute.

Attribute          Value           Cmdlet Parameter
Name               Server1         -Name Server1
Path               Toronto OU      -Path "OU=Toronto,DC=domain,DC=local"
SAM account name   Server1         -SAMAccountName Server1
Managed By         JPOLICELLI      -ManagedBy JPOLICELLI
Description        Test Computer   -Description "Test Computer"

You can also use the OtherAttributes parameter to specify values for attributes that are not represented by the default parameters.
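As an added example (not code from the original article), the script below pre-stages several computer objects in the Toronto OU, skipping any name that already exists in the domain, and uses -OtherAttributes for an attribute that has no default parameter. The OU and the JPOLICELLI manager come from the article; the computer names and the value written to the info attribute are constructed sample data.

```powershell
# Added example (not from the original article): pre-stage computer objects from a list.
Import-Module ActiveDirectory

$ouPath     = 'OU=Toronto,DC=domain,DC=local'
$domainRoot = 'DC=domain,DC=local'

# Constructed input; in practice this would typically come from Import-Csv.
$staging = @(
    (New-Object PSObject -Property @{ Name = 'TOR-WS001'; Description = 'Finance workstation'; Location = 'NA/CA/Toronto/Building1' }),
    (New-Object PSObject -Property @{ Name = 'TOR-WS002'; Description = 'HR workstation';      Location = 'NA/CA/Toronto/Building1' })
)

foreach ($entry in $staging) {
    # NetBIOS computer names are limited to 15 characters; reject longer names up front.
    if ($entry.Name.Length -gt 15) {
        Write-Warning "$($entry.Name): name is longer than 15 characters, skipping"
        continue
    }

    # Computer SAM account names carry a trailing $; search the whole domain, not just the OU,
    # so a duplicate elsewhere is caught before New-ADComputer fails on it.
    $existing = Get-ADComputer -LDAPFilter "(sAMAccountName=$($entry.Name)`$)" -SearchBase $domainRoot
    if ($existing) {
        Write-Host "$($entry.Name) already exists at $($existing.DistinguishedName), skipping"
        continue
    }

    New-ADComputer -Name $entry.Name `
                   -Path $ouPath `
                   -ManagedBy 'JPOLICELLI' `
                   -Description $entry.Description `
                   -Location $entry.Location `
                   -OtherAttributes @{ info = 'Pre-staged by PowerShell' }   # no default parameter for 'info'

    # Read the object back so the run output records what was actually created.
    Get-ADComputer $entry.Name -Properties Description, Location, ManagedBy, info |
        Select-Object Name, DistinguishedName, Description, Location, ManagedBy, info
}
```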

Deleting AD DS Computer Objects

Remove-ADComputer can be used to delete AD DS computer objects. Remove-ADComputer simply requires that you specify the object you want to delete. This can be specified in the following formats:

  • Distinguished name
  • GUID
  • SID
  • SAM account name
  • CN

The table below shows the different formats that can be used to delete the same AD DS computer account:

Criteria             Command
Distinguished name   Remove-ADComputer "CN=Server1,OU=Toronto,DC=domain,DC=local"
GUID                 Remove-ADComputer b8c3ac0f-8878-415f-a32a-4daa54ec562b
SID                  Remove-ADComputer S-1-5-21-236992988-293544445-1879654059-1124
SAM account name     Remove-ADComputer Server1$
CN                   Remove-ADComputer Server1

As shown in the figure below, Remove-ADComputer will prompt you to confirm the deletion.

Modifying AD DS Computer Objects

Set-ADComputer can be used to modify the properties of an AD DS computer object. Set-ADComputer has a predefined list of properties that can be modified, including the following:

  • ManagedBy
  • DisplayName
  • ChangePasswordAtLogon
  • PasswordNotRequired
  • TrustedForDelegation
  • ServicePrincipalNames
  • OperatingSystemVersion
  • OperatingSystemServicePack
  • UserPrincipalName
  • Location
  • DNSHostName
  • OperatingSystemHotfix
  • OperatingSystem
  • SAMAccountName
  • HomePage
  • Description
  • Enabled
  • AccountNotDelegated
  • PasswordNeverExpires
  • AccountPassword
  • AccountExpirationDate
  • AllowReversiblePasswordEncryption
  • Certificates
  • CannotChangePassword
  • Name

When using Set-ADComputer, you must specify the computer that you want to modify. You can use the following formats to specify the computer you want to modify:

  • DN
  • GUID
  • SID
  • SAM account name

To replace the service principal names (SPNs) of a computer account, you can use the following command (the parameter is -ServicePrincipalNames, and the hashtable also accepts Add, Remove and Clear keys):

  • Set-ADComputer Server1 -ServicePrincipalNames @{Replace="MSSQLSVC/Server1.DOMAIN.LOCAL:1456","MSOLAPSVC.3/Server1.DOMAIN.LOCAL:analyze"}

To change the location for a computer account, you can use the following command:

  • Set-ADComputer "Server1" -Location "NA/CA/Toronto/Building1"
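The function below is an added example, not code from the original article: it quarantines a computer account instead of deleting it outright, chaining Get-ADComputer, Disable-ADAccount, Set-ADComputer (including the Remove form of -ServicePrincipalNames) and Move-ADObject from the cmdlet list above. The Server1 object is the one created earlier in the article; the Quarantine OU and the ticket reference are assumed values.

```powershell
# Added example (not from the original article): park a computer account safely.
Import-Module ActiveDirectory

function Invoke-ComputerQuarantine {
    param(
        [Parameter(Mandatory=$true)] [string] $Identity,   # DN, GUID, SID, SAM account name or CN
        [Parameter(Mandatory=$true)] [string] $Ticket,
        [string] $QuarantineOU = 'OU=Quarantine,DC=domain,DC=local'   # assumed OU
    )

    $c = Get-ADComputer $Identity -Properties Description, ServicePrincipalNames, TrustedForDelegation

    # Record the original location and description so the change can be reversed later.
    $note = "QUARANTINED $(Get-Date -Format s) ticket=$Ticket from=$($c.DistinguishedName) was=$($c.Description)"

    # 1. Stop the account from authenticating.
    Disable-ADAccount -Identity $c

    # 2. Strip settings a parked account should not keep: delegation rights and registered SPNs,
    #    so the object no longer advertises itself as a Kerberos service.
    Set-ADComputer -Identity $c -TrustedForDelegation $false -Description $note
    if (@($c.ServicePrincipalNames).Count -gt 0) {
        Set-ADComputer -Identity $c -ServicePrincipalNames @{ Remove = @($c.ServicePrincipalNames) }
    }

    # 3. Move it to the quarantine OU, where Group Policy and audits can treat it separately.
    Move-ADObject -Identity $c -TargetPath $QuarantineOU

    # Look the object up by GUID, since its DN changed with the move, and return the result.
    Get-ADComputer $c.ObjectGUID -Properties Description, ServicePrincipalNames, TrustedForDelegation |
        Select-Object Name, DistinguishedName, Enabled, TrustedForDelegation, ServicePrincipalNames, Description
}

# Run against the Server1 object from the article; the ticket number is constructed.
Invoke-ComputerQuarantine -Identity 'Server1' -Ticket 'CHG-0001'
```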

Wrapping Up

The Active Directory Module for Windows PowerShell provides a powerful solution for managing Active Directory Domain Services computers with PowerShell. This module can be used to perform virtually every task on AD DS computer objects. What’s more, the cmdlets specific to AD DS computers are robust and easy to learn.


Copyright © 2009 IDG Communications, Inc.
