Managing an on-premises Active Directory Domain Services infrastructure through the Graphical User Interface (GUI) can get daunting. And boring. Luckily, for most repetitive tasks you can resort to the command line, or in more recent versions of Windows Server to PowerShell.
Windows Server 2012 already comes equipped with PowerShell Cmdlets to manage your Active Directory topology and objects and to deploy Active Directory Domain Services.
Windows Server 2012 R2 introduces twelve new PowerShell Cmdlets in addition to this extensive collection:
- Get-ADAuthenticationPolicy
- Get-ADAuthenticationPolicySilo
- Grant-ADAuthenticationPolicySiloAccess
- New-ADAuthenticationPolicy
- New-ADAuthenticationPolicySilo
- Remove-ADAuthenticationPolicy
- Remove-ADAuthenticationPolicySilo
- Revoke-ADAuthenticationPolicySiloAccess
- Set-ADAccountAuthenticationPolicySilo
- Set-ADAuthenticationPolicy
- Set-ADAuthenticationPolicySilo
- Show-ADAuthenticationPolicyExpression
Note:
You can observe these additions yourself by running the Get-Command -Module ActiveDirectory and Get-Command -Module ADDSDeployment PowerShell one-liners in Windows Server 2012 R2 and comparing their output with the output in previous versions of Windows Server.
The names of these PowerShell Cmdlets might already give away that these are all related to the Authentication Policies and Authentication Policy Silos, discussed in detail yesterday.
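The following sketch shows how several of the cmdlets listed above fit together. It is an added example, not code from the original post. The policy, silo and account names are hypothetical placeholders, and it assumes a domain that already meets the requirements for Authentication Policies.

```powershell
# Added example. Every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$policyName = 'Tier0-Policy'           # hypothetical policy name
$siloName   = 'Tier0-Silo'             # hypothetical silo name
$accounts   = 'adm-alice', 'PAW01$'    # hypothetical admin user and admin workstation

# 1. Create the policy with a 2-hour TGT lifetime for users.
#    -Enforce is omitted, so the policy is not enforced yet (audit mode).
New-ADAuthenticationPolicy -Name $policyName `
    -Description 'Tier 0 admins: 2-hour TGT' `
    -UserTGTLifetimeMins 120 `
    -ProtectedFromAccidentalDeletion $true

# 2. Create the silo and attach the policy for users, computers and services.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName `
    -ProtectedFromAccidentalDeletion $true

foreach ($account in $accounts) {
    # 3. Permit the account to be a member of the silo ...
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $account
    # 4. ... and assign the silo on the account itself. Both halves are needed.
    Set-ADAccountAuthenticationPolicySilo -Identity $account `
        -AuthenticationPolicySilo $siloName
}

# 5. Verify what was created and which accounts point at the silo.
Get-ADAuthenticationPolicy -Identity $policyName |
    Format-List Name, Enforce, UserTGTLifetimeMins
Get-ADAuthenticationPolicySilo -Identity $siloName |
    Format-List Name, Enforce, Members
foreach ($account in $accounts) {
    Get-ADObject -Filter "sAMAccountName -eq '$account'" `
        -Properties 'msDS-AssignedAuthNPolicySilo' |
        Select-Object Name, 'msDS-AssignedAuthNPolicySilo'
}
```

Leaving the policy and silo unenforced at first lets you review the effect on the listed accounts before switching to enforcement with Set-ADAuthenticationPolicy and Set-ADAuthenticationPolicySilo.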
Note:
If you’re expecting PowerShell Cmdlets for the Protected Users feature, which is also new in Active Directory Domain Services in Windows Server 2012 R2, don’t get your hopes up. After you’ve met the requirements for this feature, you can add a user object to the Protected Users group with this PowerShell one-liner:
Add-ADPrincipalGroupMembership -Identity:"CN=Administrator,CN=Users,DC=domain,DC=tld" -MemberOf:"CN=Protected Users,CN=Users,DC=domain,DC=tld"
Requirements
To gain access to the PowerShell commands, you need to do one of the following:
- Implement a Windows Server 2012 R2-based Domain Controller with the Active Directory Module for Windows PowerShell feature installed. (It is installed by default when you install the Active Directory Domain Services role.)
- Implement a Windows Server 2012 R2-based member server with the Active Directory Module for Windows PowerShell feature installed. This feature is buried deep in the Remote Server Administration Tools, then Role Administration Tools and AD DS and AD LDS Tools. Alternatively you can use the following PowerShell one-liner: Add-WindowsFeature RSAT-AD-PowerShell after you’ve installed the RSAT.
- Implement a Windows 8.1-based domain-joined workstation with the Remote Server Administration Tools (RSAT) package installed and Active Directory Module for Windows PowerShell feature installed. This feature is buried deep in the Remote Server Administration Tools, then Role Administration Tools and AD DS and AD LDS Tools. Alternatively you can use the following PowerShell one-liner: Add-WindowsFeature RSAT-AD-PowerShell after you’ve installed the RSAT.
To point the PowerShell commands to a Domain Controller, this Domain Controller needs to run the Active Directory Web Services (ADWS). This functionality is available on both Server Core and Full Installations of Windows Server 2008 R2. For Windows Server 2003 and full installations of Windows Server 2008, the Active Directory Management Gateway Service (Active Directory Web Service for Windows Server 2003 and Windows Server 2008) can be installed.
Concluding
All the new functionality in Windows Server 2012 R2 Active Directory Domain Services can be managed through PowerShell.
The PowerShell History Viewer, which has been available in the Active Directory Administrative Center (dsac.exe) since Windows Server 2012, is a great help in discovering the new PowerShell Cmdlets.
Related blogposts
New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets
New features in AD DS in Windows Server 2012, Part 5- PowerShell History Viewer
New features in AD DS in Windows Server 2012 R2, Part 2: Protected Users
New features in AD DS in Windows Server 2012 R2, Part 3: Authentication Policies and Authentication Policy Silos
Further reading
Active Directory Powershell Cmdlets in 2012 R2
Weekend Scripter: Authentication Silos Part 1
How to Install the Active Directory Module for Windows PowerShell
Deploying Active Directory Domain Services on Windows Server 2012 R2