Windows-centric teams reliant on Microsoft Active Directory (AD) sometimes need more functionality than the AD graphical user interface (GUI) can provide.
That’s according to Microsoft 365 (M365) management software company CoreView.
“AD underpins everything in a complex Microsoft environment, whether it’s an on-premise implementation or the Microsoft 365 cloud-based environment,” the team wrote in a blog post.
“In any Windows-centric environment, Microsoft AD is an indispensable tool for managing user accounts, device connectivity, security policies, folder access, and more.”
Yet many AD tasks are repetitive and cumbersome when executed with its GUI, which the CoreView team noted can result in errors and security breaches.
Luckily, knowing the right PowerShell commands can help, including by bridging gaps in reporting that in the past meant falling back on cobbled-together Excel spreadsheets built from data exported from assorted AD reports.
“And more AD functionality is being made available for PowerShell with each new version of the PowerShell framework,” the team added.
Of course, using PowerShell requires that the correct remote-server admin tools are installed on client PCs and AD domain services on the relevant server. Also required are at least Windows Management Framework 3.0, a user account with domain admin credentials, and an import of the appropriate PowerShell AD module in every session.
Key PowerShell commands include the New-ADUser cmdlet, which can help automate user account creation if at least some of the parameters are the same for all users or derived from other information.
The command is:
New-ADUser -Name "User Account Name" -SamAccountName "UserAccountName" -AccountPassword (ConvertTo-SecureString "password" -AsPlainText -Force) -DisplayName "User Name" -Enabled $True -GivenName "FirstName" -Path "CN=Users,DC=Domain,DC=com" -Server "controller.domain.com" -Surname "LastName" -UserPrincipalName "[email protected]"
Resetting a user’s password can be done with the Set-ADAccountPassword cmdlet:
Set-ADAccountPassword -Identity "Username" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "new_password" -Force)
“Of course, the administrator should verify that the person requesting a password reset is that actual user and not some impostor,” the CoreView team added.
Many other useful commands exist, including for creating a new computer object, joining a computer to a domain, unlocking accounts, adding or removing AD objects in groups, reporting on AD objects, and more. Read more from CoreView on this topic.
“Multiple cmdlets can be combined into powerful scripts that can save administrators time, reduce errors, maintain security, and increase customer satisfaction,” said CoreView.
However, building PowerShell scripts to automate AD tasks must be done with “extreme care”.
“It’s all too easy to mess up your AD environment beyond recognition if you aren’t careful. Every script should be reviewed and tested before deployment in the production environment,” warned the team.
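The account-creation command above, turned into a bulk script that can be rehearsed before it changes anything. This is an added example, not CoreView's code: the CSV columns and the New-RandomPassword helper are hypothetical, the sample rows are constructed, and the OU, server and domain defaults reuse the article's placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Defaults reuse the article's placeholder OU, server and domain.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Path = 'CN=Users,DC=Domain,DC=com',
    [string]$Server = 'controller.domain.com',
    [string]$UpnSuffix = 'domain.com'
)
# Constructed sample rows; in practice use Import-Csv on an HR export.
$people = @'
GivenName,Surname
Ada,Example
Grace,O'Sample
'@ | ConvertFrom-Csv

function New-RandomPassword {
    # Hypothetical helper: per-user random password, so no shared default ends up
    # in the script. 64 symbols divide 256 evenly, so the modulo adds no bias.
    param([int]$Length = 20)
    $chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+-=_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = [byte[]]::new($Length)
    do {
        $rng.GetBytes($bytes)
        $plain = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    } until ($plain -cmatch '[a-z]' -and $plain -cmatch '[A-Z]' -and $plain -match '\d')
    $rng.Dispose()
    ConvertTo-SecureString -String $plain -AsPlainText -Force
}

foreach ($p in $people) {
    # Derive the logon name and strip characters that could break the -Filter string.
    $sam = ("$($p.GivenName).$($p.Surname)".ToLower() -replace '[^a-z0-9.]', '')
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }  # sAMAccountName limit
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -Server $Server) {
        Write-Warning "Account '$sam' already exists, skipping"
        continue
    }
    $params = @{
        Name = "$($p.GivenName) $($p.Surname)"; DisplayName = "$($p.GivenName) $($p.Surname)"
        GivenName = $p.GivenName; Surname = $p.Surname
        SamAccountName = $sam; UserPrincipalName = "$sam@$UpnSuffix"
        Path = $Path; Server = $Server
        AccountPassword = (New-RandomPassword)
        ChangePasswordAtLogon = $true; Enabled = $true
    }
    # The script's -WhatIf switch flows through to New-ADUser as a dry run.
    New-ADUser @params
}
```

Run it with -WhatIf against a test domain first; the random password is never displayed, so the first real password is issued through the Set-ADAccountPassword reset once the user's identity has been verified.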
The team pointed out that CoreView has been built to help solve these challenges with AD and the chaos that can ensue when M365 is not well managed. Teams with a single M365 tenant especially can find themselves having to make trade-offs against complex admin requirements.
“CoreView has identified numerous AD tasks that can be automated and has done the scripting and testing for you,” the CoreView team explained, adding that its platform can also provide advanced reports to deliver full visibility and improved control.