Moving from the DS DOS commands to PowerShell V2

In the original implementation of PowerShell, I was very discouraged with the lack of Active Directory support. Sure, you could create user accounts and organizational units, but it was not easy. With PowerShell V2, that all changed with the addition of the Active Directory module. For the Microsoft Exam 70-640, I’m seeing a couple of changes. Under Maintaining the Active Directory Environment, I’m seeing PowerShell listed with no mention of the DS commands that are taught in the instructor-led course 6425B. Here are some tips on how to do the PowerShell equivalent of the DS commands.

 

DSQuery returns objects from Active Directory. With DSQuery you can return information on objects in Active Directory.

DSGet returns specified attributes of an object.

DSMod modifies specified attributes of an object.

DSAdd creates an object in the directory.

DSMove moves an object to a new container or OU.

DSRM removes an object, or multiple objects, from the directory.

 

With PowerShell and the Active Directory module installed, you can do all these things. So why make the change? Well, Microsoft is making the change, given the force that Microsoft is placing behind PowerShell and how frequently it is listed on exam topics.

The first requirement is to install PowerShell V2. V2 is installed by default on Windows 7 and Server 2008 R2. For other systems, it can be downloaded from Microsoft (http://support.microsoft.com/kb/968929). Once you have installed PowerShell V2, you also need to install the Remote Server Administration Tools (RSAT) onto your client:

RSAT for Vista: http://www.microsoft.com/downloads/details.aspx?familyid=9ff6e897-23ce-4a36-b7fc-d52065de9960&displaylang=en

RSAT for Windows 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

 

OK, now that all that work is done, start PowerShell. Type Import-Module ActiveDirectory. This will add 76 new cmdlets specifically for Active Directory into your PowerShell session. These cmdlets have a verb-noun syntax. For the verbs, you have:

Add – Adds an object to another object.

Enable – Enables an object.

Get – Returns an Active Directory object.

Move – Moves an object.

New – Creates an object.

Remove – Removes an object from Active Directory.

Set – Modifies the properties of an object.

For the Noun portion you have a lot more choices.  Here are a few of them:

Computer

Group

OrganizationalUnit

User

The DS commands were designed for command line / batch file management of Active Directory.  For daily use, the GUI is still the best method, unless you have a very specific need.  For example, let’s say you needed to move all the users from 5 different OUs to a single OU.  There are 500 user objects in each OU, but only about 15 of them are in the SalesTeam group.  How would you accomplish that with a GUI?  That is why we still use a shell environment.  For the sake of demonstration, the OU we want the user objects to end up in is called Indianapolis.  It does not matter what OU they reside in.  The group we want to filter on is called SalesTeam_GG.  Here is the PowerShell command that will make this happen:

Get-ADGroupMember -Identity SalesTeam_GG | Move-ADObject -TargetPath "OU=Indianapolis,DC=MCTNET,DC=com"

 

That’s it! PowerShell will first enumerate all the users in Active Directory that are members of the SalesTeam_GG group. Those objects are then piped to the Move-ADObject cmdlet, which moves them to the Indianapolis OU. Try that in a GUI!
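A preview-then-commit version of the same bulk move, as an added example that is not part of the original post. It reuses the post's group and OU names; the log path is a hypothetical location.

```powershell
# Added example: audited, dry-run-first version of the bulk move above.
# Group and OU names come from the post; $LogPath is a hypothetical path.
Import-Module ActiveDirectory

$Group    = 'SalesTeam_GG'
$TargetOU = 'OU=Indianapolis,DC=MCTNET,DC=com'
$LogPath  = 'C:\Temp\SalesTeam_move.csv'

# Fail early if the destination OU does not exist.
Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop | Out-Null

# Get-ADGroupMember returns every member type (users, computers, nested groups).
# Keep only user objects that are not already in or under the target OU.
$Users = Get-ADGroupMember -Identity $Group |
    Where-Object { $_.objectClass -eq 'user' -and
                   $_.DistinguishedName -notlike "*,$TargetOU" }

if (-not $Users) {
    Write-Warning "No user objects to move."
    return
}

# Record each object's original location so the move can be audited or reversed.
$Users |
    Select-Object SamAccountName, DistinguishedName, objectGUID |
    Export-Csv -Path $LogPath -NoTypeInformation

# Dry run: -WhatIf reports what would be moved without changing the directory.
$Users | Move-ADObject -TargetPath $TargetOU -WhatIf

# After reviewing the dry-run output, remove -WhatIf to perform the move:
# $Users | Move-ADObject -TargetPath $TargetOU
```

Moving an account to a different OU changes the Group Policy and delegated permissions that apply to it, so the CSV of original distinguished names doubles as the rollback record.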

How do you know what each of these PowerShell cmdlets can do? Well, first let’s find them. Type Get-Command *-AD* and press Enter. Most of the cmdlets listed here are Active Directory commands. PowerShell also has a very good built-in help structure. Type in Get-Help Get-ADGroupMember -Full. This will give you a description of the cmdlet, its syntax, parameters, and examples on how to use it.

Here is a simple comparison of some of the PowerShell commands vs an equivalent DS command:

| DS Command | PowerShell (not all of them) |
|---|---|
| DSQuery | Get-ADComputer, Get-ADUser, Get-ADGroup, Get-ADGroupMember |
| DSGet | Same as above |
| DSAdd | New-ADComputer, New-ADUser, New-ADGroup, New-ADOrganizationalUnit |
| DSMod | Set-ADComputer, Set-ADUser, Set-ADGroup |
| DSRM | Remove-ADComputer, Remove-ADUser, Remove-ADGroup, Remove-ADOrganizationalUnit |

 

It would be a good idea to review these commands prior to taking the exam just to be safe.

Comments

Unknown said…
It's just a darn shame that these commands don't seem to exist for PowerShell on Windows XP -_-

Lars,

Take a look at Implicit remoting. This will allow your Windows XP client to utilize the Active Directory module on a Windows Server 2008 R2 domain controller.

Jason
