Microsoft Offical Course 20410C_04

Editor's Notes

• #2: Presentation: 60 minutes Lab: 45 minutes After completing this module, students will be able to: Use command‑line tools for administration. Use Windows PowerShell® for administration. Perform bulk operations with Windows PowerShell. Automate Active Directory® Domain Services (AD DS) administration by using Windows PowerShell. Make sure that students are aware that the Course Companion contains additional module information and resources. Required Materials To teach this module, you need the Microsoft® Office PowerPoint® file 20410C_04.pptx. Important: It is recommended that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of Office PowerPoint, all the features of the slides might not display correctly. Preparation Tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on‑the‑job performance.
• #3: Briefly describe the lessons that are included in this module. Explain that this module focuses on using command‑line tools and Windows PowerShell to perform bulk administration.
• #5: Explain that command‑line tools are useful for bulk operations, like creating 1,000 user accounts at once; and also for any repetitive tasks. Tell the students that the main advantage of using these tools is that they can save the commands that they use and re‑use them later.
• #6: Explain to students that they can use csvde to create or export AD DS objects. However, they cannot use csvde to modify or delete existing objects. Point out that when they export objects without specifying which attributes to include, all attributes are included. They can use the resulting header row to identify the Lightweight Directory Access Protocol (LDAP) names of specific attributes that they want to include in a .csv file. In most organization, csvde is used primarily to export data. Consider performing an export with csvde, and reviewing the contents of the .csv file.
• #7: The key to presenting this topic is to differentiate ldifde from csvde. The major differences are that: Ldifde can modify and remove objects. Far fewer programs and apps can export and import data in LDAP Data Interchange Format (LDIF).
• #8: Describe the DS commands that are available for manipulating AD DS objects. Use the examples on the slide to describe the syntax of the commands. Verify that students understand the format of a distinguished name. If necessary, explain that the format of a distinguished name is based on LDAP. Describe the: Common name: cn Organizational unit: ou Domain component: dc Explain to students that unlike csvde and ldifde, these tools are not designed explicitly for bulk management of objects. Instead, they are used to manipulate individual objects or to perform bulk operations. Consider demonstrating how to use the dsquery command to manage many objects at one time. For example, use the following command to change the department for all users in the IT organizational unit (OU): Dsquery user “OU=IT, DC=Adatum,DC=com” | Dsmod user -dept IT Question What criteria would you use to select between using csvde, ldifde, and the DS commands? Answer If you are using a data source that can export as a .csv file, you most likely will use csvde. However, csvde cannot modify existing objects. You are also likely to use csvde when exporting data from AD DS. If you are using a data source that can export as an LDIF file, then you would most likely use ldifde. You would also use ldifde if you need to remove or modify existing objects. If you are modifying individual objects, then you will most likely use the DS commands if you have chosen not to use graphical tools.
• #9: To help students understand how to use Windows PowerShell to perform AD DS administration, it is critical that they see examples of how the cmdlets are used. Examples are provided on many of the slides in this lesson. It is critical that you describe all of the examples on each slide, including the purpose of each parameter.
• #10: Describe each of the cmdlets on the slide to students. In addition, describe the example of using the New‑ADUser cmdlet. Consider demonstrating the cmdlets. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1. Question Are all cmdlet parameters that you use to manage user accounts the same? Answer No. Many of the parameters are the same or similar, but each cmdlet has its own list of parameters.
• #11: Describe each of the cmdlets on the slide to students. Be sure to explain the difference between the *‑ADGroupMember cmdlets and the *‑ADPrincipalGroupMembership cmdlets. The easiest distinction to make for students is that the *‑ADGroupMember cmdlets are similar to modifying membership in the properties of a group, while the *‑ADPrincipalGroupMembership cmdlets are similar to modifying the Member Of property in the properties of an object, such as a user account. Consider demonstrating how to create a group, and then add group members to it. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
• #12: Describe each of the cmdlets on the slide to students. Relate the use of these cmdlets back to the computer account management information in Module 3. Be sure to mention that the New‑ADComputer cmdlet does not offer the option to delegate permissions to join a computer to the new computer account; if these permissions are necessary, then students need to assign those permissions manually. The AD DS permissions required on the computer account are: Reset Password Validated write to Domain Name System (DNS) host name Validated write to service principal name Write Account Restrictions Consider demonstrating the permissions differences when creating a computer account in Active Directory Users and Computers with delegation, and when using the New‑AdComputer cmdlet. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
• #13: Describe each of the cmdlets on the slide to students. Mention that the default value for the ProtectedFromAccidentalDeletion parameter is $true. Consider doing a demonstration where you: Create a new OU. Attempt to remove the OU, which fails due to protection from accidental deletion. Set ProtectedFromAccidentalDeletion parameter to $false. Again attempt to remove the OU. This time you should be successful. To avoid typing slide examples, you can use the examples in E:\Labfiles\Mod04\Mod04Examples.ps1. Question In the slide example, is the ProtectedFromAccidentalDeletion parameter required? Answer No. The default value is set to $true. The same result occurs if the ProtectedFromAccidentalDeletion parameter is not used.
• #14: To help students understand how to use Windows PowerShell to perform bulk operations, it is critical that they see examples of how the cmdlets are used. Examples are provided on many of the slides in this lesson. It is critical that you describe all of the examples on each slide, including the purpose of each parameter.
• #15: Define a bulk operation for students and provide some examples, such as: Moving multiple user accounts to a new OU Changing the department name for a set of user accounts Disabling a set of user accounts
• #16: Preparation Steps Start the 20410C‑LON‑DC1 virtual machine. Demonstration Steps Create a query for all users Sign in to LON‑DC1 as Adatum\Administrator with the password Pa$$w0rd. On LON‑DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center. In Active Directory Administrative Center, in the navigation pane, click Global Search. At the far right of the Global Search pane, click the down arrow that is displayed inside a circle to display Add criteria. Click Add criteria, select the Object type is user/inetOrgPerson/computer/group/organization unit check box, and then click Add. Verify that the criteria that you added is and The object type is: User. Click the Search button. Configure the Company attribute for all users Press Ctrl+A to select all of the user accounts, and then click Properties. In the Multiple Users pane, in the Organization section, select the Company check box. In the Company text box, type A. Datum, and then click OK. Verify that the Company attribute has been modified In the Global Search pane, click Adam Barr, and then click Properties. In the Adam Barr window, verify that the Company is A. Datum. Click Cancel. Close Active Directory Administrative Center. Leave the virtual machine running after you have completed the demonstration.
• #17: There are two slides for this topic. Use this slide to introduce the Filter parameter as a method for performing queries with the Get‑AD* cmdlets. Make note of the operators that can be used. Students might be expecting to use mathematical operators such as the equal sign (=), less than sign (<), and greater than sign (>). Let them know that it is not possible to do so. Also highlight that only ‑like can be used with the asterisk (*) wildcard for matching strings. Question What is the difference between using ‑eq and ‑like when comparing strings? Answer The ‑eq operator is used to find an exact match, meaning that it is not case sensitive. The ‑like operator can be used with the asterisk (*) wildcard to find partial matches.
• #18: This is the second slide for this topic. Use the examples to describe the parameters commonly used with the Get‑ADUser cmdlet. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1.
• #19: Explain to students how they can use the pipe character ( | ) to pass objects to another cmdlet for further processing. Use the examples on the slide to show that they can use either the results of a query or the content of a text file. Stress to students that not just any data can be passed to another cmdlet. The objects being passed to a cmdlet must be of the correct type. For example, they can pass a list of user account objects to the Set‑ADUser cmdlet, but they cannot pass a list of groups to the Set‑ADUser cmdlet. The help documentation for each Set‑AD* cmdlet defines how the identity of the object being modified should be specified. If they are using a list of objects from a text file, this tells them how they need to format the data in the text file. For example, the Set‑ADUser cmdlet allows them to identify user objects by distinguished name, globally unique identifier (GUID), security identifier (SID), or Security Accounts Manager (SAM) account name. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1. Question Which attributes of a user account can you use when creating a query by using the Filter parameter? Answer You can use any user account parameter that you can query. Use the Properties parameter with a value of * (‑Properties *) to identify all properties that can be retrieved.
• #20: Use the slide content to explain the following four key points: The header in the .csv file defines the name of each column. Import‑csv reads the contents of the .csv file. A foreach loop processes each row from the .csv file. The $i represents each row as it is processed. To avoid typing slide examples, you can use examples in E:\Labfiles\Mod04\Mod04Examples.ps1. Question In the foreach loop, how does $i change? Answer The foreach loop processes each row from the .csv file that has been loaded into the $users variable. The loop is performed once for each row from the .csv file. The variable $i represents each row as it is processed.
• #21: Preparation Steps For this demonstration, you need the 20410C‑LON‑DC1 virtual machine. It should already be running after the preceding demonstration. Demonstration Steps Configure a department for users On LON‑DC1, on the taskbar, click the Windows PowerShell icon. At the Windows PowerShell prompt, type the following command, and then press Enter: Get‑ADUser ‑Filter * ‑SearchBase “ou=Research,dc=adatum,dc=com” Type the following command, and then press Enter: Get‑ADUser ‑Filter * ‑SearchBase “ou=Research,dc=adatum,dc=com” | Set‑ADUser ‑Department Research Type the following command, and then press Enter: Get‑ADUser ‑Filter ‘department ‑eq “Research”’ | Format‑Table DistinguishedName,Department Type the following command, and then press Enter: Get‑ADUser ‑Filter ‘department ‑eq “Research”’ ‑Properties Department | Format‑Table DistinguishedName,Department Create an OU At the Windows PowerShell prompt, type the following command, and then press Enter: New‑ADOrganizationalUnit LondonBranch ‑Path “dc=adatum,dc=com”
• #22: (Continued) Run a script to create new user accounts On the taskbar, click the File Explorer icon. In File Explorer, expand drive E, expand Labfiles, and then click Mod04. Double‑click DemoUsers.csv. In the How do you want to open this type of file (.csv)? message, click Notepad. In Notepad, review the contents of the .csv file, and read the header row. Close Notepad. In File Explorer, right‑click DemoUsers.ps1, and then click Edit. In Windows PowerShell Integrated Scripting Environment (ISE), review the contents of the script. Note that the script: Refers to the location of the .csv file. Uses a foreach loop to process the .csv file contents. Refers to the columns defined by the header in the .csv file. Close Windows PowerShell ISE. At the Windows PowerShell prompt, type cd E:\Labfiles\Mod04, and then press Enter. Type .\DemoUsers.ps1, and then press Enter. Close Windows PowerShell. Verify that new user accounts were created In Server Manager, click Tools, and then click Active Directory Administrative Center. In Active Directory Administrative Center, in the navigation pane, go to Adatum (local)>LondonBranch. Verify that the user accounts were created. Note that the accounts are disabled, because no password was set during creation. Close Active Directory Administrative Center. After you complete the demonstration, revert the virtual machine.
• #23: Before the students begin the lab, read the lab scenario and display the next slide. Before each exercise, read the scenario associated with the exercise to the class. The scenarios give context to the lab and exercises, and help to facilitate the discussion at the end of the lab. Remind students to complete the discussion questions after the last lab exercise. Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell A. Datum Corporation has a number of scripts that have been used in the past to create user accounts by using command‑line tools. It has been mandated that all future scripting will be done by using Windows PowerShell. As the first step in creating scripts, you need to identify the syntax required to manage AD DS objects in Windows PowerShell. Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk You have been given a .csv file that contains a large list of new users for the branch office. It would be inefficient to create these users individually with graphical tools. Instead, you will use a Windows PowerShell script to create the users. A colleague that is experienced with scripting has provided you with a script that she created. You need to modify the script to match the format of your .csv file. Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk You have received a request to update all user accounts in the new branch office OU with the correct address of the new building. You have also been asked to ensure that all of the new user accounts in the branch office are configured to force users to change their passwords the next time they sign in.
• #25: Lab Review Questions Question By default, are new user accounts enabled or disabled when you create them by using the New‑ADUser cmdlet? Answer By default, new user accounts are disabled when you create them by using the New‑ADUser cmdlet. Question What file extension do Windows PowerShell scripts use? Answer Windows PowerShell scripts use the .ps1 file extension.
• #26: Module Review Questions Point students to the appropriate section in the course so that they are able to answer the questions that this section presents. Question A colleague is creating a Windows PowerShell script that creates user accounts from data in a .csv file. However, his script is experiencing errors when attempting to set a default password. Why might this be happening? Answer The most common source of errors received when setting passwords during user account creation is the format of the variable containing the password. The variable containing a user password must be a secure string. After importing default passwords from the .csv file, your colleague must convert the value to a secure string so that it is encrypted in memory. Another common problem is trying to use passwords that do not meet complexity requirements. If you try to create a user account with the New‑ADUser cmdlets and use a password that does not meet complexity requirements, the user account is created but the password is not set, causing the user account to be disabled. Question You are an administrator for a school district that creates 20,000 new user accounts for students each year. The administration system for students can generate a list of the new students and then export it as a .csv file. After the data has been exported to a .csv file, what information do you need to work with the data in a script? Answer To work with a .csv file, you need to know the name and location of the .csv file. This information allows you to import the .csv file into a variable. You also need to know the name of each column in the .csv file. If there is no header row with column names, then you need to create one. Question The Research department in your organization has been renamed “Research and Development.” You need to update the Department property of users in the Research department to reflect this change. You have created a query for user accounts with the department property set to Research, by using the Get‑ADUser cmdlet and the ‑Filter parameter. What is the next step to update the department property to Research and Development? Answer You need to pipe the output from the query to the Set‑ADUser cmdlet. The Set‑ADUser cmdlet modified the department property of the user accounts.
• #27: Tools