CSED 431 Week 11 -- April 12
Assignment 1:
#1. Simple File Sharing, versus what else?
#2: welcome-style v type-your-name
#3: SID
#5: viruses & deepfreeze
Folder redirection
Anyone can redirect their My Documents under Windows XP, using My Documents => Properties. The actual folder represented by the My Documents icon is
HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
In that Shell Folders key, there are also entries for My Music, My Pictures, etc.
Group Policy folder redirection is just making your Personal folder be a folder on a drive share.
Powershell
http://technet.microsoft.com/en-us/library/ee332545.aspx
new-item (ni) -type [file|directory]
copy-item (cp, copy)
remove-item (rm, del)
move-item (mv, move)
get-childitem (dir, ls) -recurse
ls | sort [name|length|lastwritetime| ...]
get-member
variables: begin with $
$dir = ls
get-executionpolicy, set-executionpolicy
restricted, allsigned, remotesigned, unrestricted
get-process (ps)
ps svchost
ps |get-member
ps|select-object cpu,name
ps | where {$_.handles -gt 200 -and $_.name -eq "svchost"}
In the last example, note (roughly) what where is doing. We're using a pipe, and each object produced by the ps command is assigned in turn to the special variable $_. We are looking at $_'s .handles and .name attributes. If an object doesn't have those attributes, then there's simply no match.
set-location (cd; chdir)
import-module ActiveDirectory
format-table (FT)
I now have (thanks to Miao) Server 2008 R2's set up for everyone.
What does this do?
cd AD:
ls
Is it good for anything?
Getting information about commands:
get-help *-AD*
get-help New-AD*
get-ADdomain
Note the way domains are expressed, eg DC=csed,DC=luc,DC=edu.
In the examples below, for domain csed2.edu, it is DC=csed2,DC=edu
Listing all OUs:
get-ADOrganizationalUnit -filter {name -like '*'}
Listing all AD objects:
get-ADobject -filter {name -like '*'}
get-ADuser
get-ADuser alice
get-ADuser -filter {name -like 'alice' }    # different kind of name!
All users:
get-ADuser -filter {name -like '*'}
get-ADcomputer: similar; you typically need a -filter.
Listing disabled accounts:
Search-ADAccount -AccountDisabled | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
Expiring accounts
Search-ADAccount -AccountExpiring -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
The following example demonstrates how to find all the users
whose accounts will expire on the date 10/15/2009:
Search-ADAccount -PasswordExpiring -DateTime 10/15/2009 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
The following example demonstrates how to find inactive user accounts:
Search-ADAccount -AccountInactive | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
The following example demonstrates how to find user accounts that have
been inactive for 90 days:
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
The following example demonstrates how to find user accounts that have
been inactive since 1/25/2010:
Search-ADAccount -AccountInactive -DateTime 01/25/2010 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
Creating accounts
New-ADUser -SamAccountName peter -Name "peter two" -AccountPassword (ConvertTo-SecureString -AsPlainText "peter" -Force) -Enabled $true -Path 'OU=labusers,DC=csed2,DC=edu'
We could add -changePasswordAtLogon $false.
set-ADAccountControl peter -passwordNeverExpires $true
(or add that to the new-ADUser line)
Common options:
- -passwordNeverExpires <bool>
- -enabled <bool>
- -passwordNotRequired <bool>
get-ADdefaultDomainPasswordPolicy
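Accounts created with options such as -passwordNeverExpires are worth reviewing afterwards. The following is an added example, not part of the original notes: it reports users with those options set, plus disabled and inactive accounts. Get-AccountFinding is a hypothetical helper name, the fallback user objects are constructed sample data, and the OU is the labusers OU used in these notes.

```powershell
# Added example. Flags user objects whose settings weaken password policy
# or that look abandoned. Get-AccountFinding is a hypothetical helper name.
function Get-AccountFinding {
    param([Parameter(ValueFromPipeline = $true)]$User, [int]$StaleDays = 90)
    process {
        $reasons = @()
        if ($User.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }
        if ($User.PasswordNotRequired)  { $reasons += 'PasswordNotRequired' }
        if (-not $User.Enabled)         { $reasons += 'Disabled' }
        # LastLogonDate is empty for accounts that have never logged on.
        if (-not $User.LastLogonDate) {
            $reasons += 'NeverLoggedOn'
        } elseif ($User.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
            $reasons += "Inactive>${StaleDays}d"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                SamAccountName = $User.SamAccountName
                Findings       = $reasons -join ','
            }
        }
    }
}

if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    # Live data (after import-module ActiveDirectory): request the extra
    # properties explicitly, because Get-ADUser omits them by default.
    $users = Get-ADUser -Filter {name -like '*'} -SearchBase 'OU=labusers,DC=csed2,DC=edu' `
        -Properties PasswordNeverExpires, PasswordNotRequired, LastLogonDate
} else {
    # Constructed sample objects so the function can be tried without a domain.
    $users = @(
        New-Object PSObject -Property @{ SamAccountName = 'peter'; Enabled = $true
            PasswordNeverExpires = $true; PasswordNotRequired = $false; LastLogonDate = (Get-Date) }
        New-Object PSObject -Property @{ SamAccountName = 'sally'; Enabled = $true
            PasswordNeverExpires = $false; PasswordNotRequired = $false; LastLogonDate = (Get-Date).AddDays(-200) }
        New-Object PSObject -Property @{ SamAccountName = 'alice'; Enabled = $true
            PasswordNeverExpires = $false; PasswordNotRequired = $false; LastLogonDate = (Get-Date) }
    )
}
$users | Get-AccountFinding | Format-Table SamAccountName, Findings -AutoSize
```

With the constructed data, peter is reported for PasswordNeverExpires, sally for inactivity, and alice produces no row.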
get-ADgroup -filter {name -like '*remote*'}
get-ADgroupmember "remote desktop users"
add-ADgroupMember 'remote desktop users' peter
get-ADobject -filter {name -like '*'} -searchbase 'ou=labusers,dc=csed2,dc=edu'
Finally,
remove-ADuser roger
making a bunch of users
First we make the file, names.csv. (csv = comma-separated values) Note the header line that gives names to the columns:
samAccountName,name,password,ou
roger,"Roger Wilco",roger,labusers
sally,"Sally Swift",sally,labusers
Then we check it:
import-csv names.csv
samAccountName name        password ou
-------------- ----        -------- --
roger          Roger Wilco roger    labusers
sally          Sally Swift sally    labusers
Now we run a script. The basic format is "import-csv names.csv | foreach { command }", where command is an instance of new-ADuser. Inside of command, $_ is a reference to the current row object, and $_.samAccountName is the first column of the current row object.
Import-CSV names.csv | foreach {New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name -Path "OU=labusers,DC=csed2,DC=edu" -AccountPassword (ConvertTo-SecureString -AsPlainText $_.password -Force) -Enabled $true}
The command itself should be either run as a batch file, or (simpler)
created/edited/saved in notepad, and then copy/pasted into the
powershell window when you want to run it.
Note the fact that although there's a column in our table for OU, the OU has to be part of a string, and it comes in $_.ou form as an object. I got an error
"cannot convert 'System.Object[]' to the type 'System.String' required by parameter 'Path'."
or "the object name has bad syntax"
Here is a later version of the command:
Import-CSV names.csv | foreach {New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name -Path "OU=labusers,DC=csed2,DC=edu" -AccountPassword (ConvertTo-SecureString -AsPlainText $_.password -Force) -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true}
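The following added example (not from the original notes) extends the import command above: it builds -Path from the CSV's ou column using a $( ) subexpression inside the string, and it skips rows with empty columns or a password equal to the account name. ConvertTo-NewUserParams is a hypothetical helper name and the sample rows are constructed; the domain DC=csed2,DC=edu is the one used in these notes.

```powershell
# Added example: constructed sample rows in the same format as names.csv above.
$csv = @'
samAccountName,name,password,ou
roger,"Roger Wilco",roger,labusers
sally,"Sally Swift",Tr4il-Mix-2010,labusers
,"No Account",Whatever-99,labusers
'@

# Hypothetical helper: validate one CSV row and return a parameter table
# for New-ADUser, or $null (with a warning) if the row should be skipped.
function ConvertTo-NewUserParams {
    param($Row, [string]$DomainDN = 'DC=csed2,DC=edu')

    foreach ($col in 'samAccountName', 'name', 'password', 'ou') {
        if ([string]::IsNullOrEmpty($Row.$col)) {
            Write-Warning "Skipping row: column '$col' is empty"
            return $null
        }
    }
    if ($Row.password -eq $Row.samAccountName) {   # -eq ignores case
        Write-Warning "Skipping $($Row.samAccountName): password equals account name"
        return $null
    }
    @{
        SamAccountName  = $Row.samAccountName
        Name            = $Row.name
        # $($Row.ou) expands the property inside the string; "$Row.ou" would not.
        Path            = "OU=$($Row.ou),$DomainDN"
        AccountPassword = ConvertTo-SecureString -AsPlainText $Row.password -Force
        Enabled         = $true
    }
}

# Use the real cmdlet only if the ActiveDirectory module is loaded.
$haveAD = [bool](Get-Command New-ADUser -ErrorAction SilentlyContinue)
$csv | ConvertFrom-Csv | ForEach-Object {
    $params = ConvertTo-NewUserParams -Row $_
    if ($null -eq $params) { return }      # skip this row, continue with the next
    if ($haveAD) {
        New-ADUser @params -WhatIf         # remove -WhatIf to actually create the account
    } else {
        "Would create $($params.SamAccountName) in $($params.Path)"
    }
}
```

With the constructed rows, roger is skipped because the password matches the account name, the third row is skipped for its empty samAccountName, and only sally is passed to New-ADUser.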
Lab
Log into your windows server 2008 R2. It should already be a domain controller.
Log into your windows 7 instance, and have it join the domain. Make
a note of any problems you encounter. What is the DNS problem?
Install PowerShell on your windows server. Go to Server Manager => Features => Add Feature
Create an OU, labusers, using powershell. Use new-ADOrganizationalUnit
Create a .csv file (using notepad) to add at least four users. For each user, specify:
- samAccountName
- given name
- surname
- (with the above two, you should be able to specify -name "$($_.givenname) $($_.lastname)" or -name ($_.givenname + " " + $_.lastname), though I did not test this.)
- expiring in about 120 days
- password (not the same as the samAccountName!)
- description (to be used for grade level, eg "eighth")
Make sure your .csv file has a header row!