CSED 431 Week 11 -- April 12
Assignment 1: 
    #1. Simple File Sharing, versus what else?
    #2: welcome-style v type-your-name
    #3: SID
    #5: viruses & deepfreeze
Folder redirection
Anyone can redirect their My Documents folder under Windows XP, using My Documents => Properties. The actual folder represented by the My Documents icon is given by
    HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
In that Shell Folders key, there are also entries for My Music, My Pictures, etc.
Group Policy folder redirection is just making your Personal folder be a folder on a drive share.
Powershell
http://technet.microsoft.com/en-us/library/ee332545.aspx
new-item (ni)    -type [file|directory]
copy-item (cp, copy)
remove-item (rm, del)
move-item (mv, move)
get-childitem (dir, ls)        -recurse, 
    ls | sort [name|length|lastwritetime| ...]
get-member
variables: begin with $
    $dir = ls
get-executionpolicy, set-executionpolicy
    restricted, allsigned, remotesigned, unrestricted
get-process (ps)
    ps svchost
    ps |get-member
    ps|select-object cpu,name
    ps | where {$_.handles -gt 200 -and $_.name -eq "svchost"}
In the last example, note what where is doing, more or less. We're using a pipe, and each object produced by the ps command is assigned in turn to the special variable $_. We are looking at $_'s .handles and .name properties. If an object doesn't have those properties, there's simply no match.
set-location (cd; chdir)
import-module ActiveDirectory
format-table (FT)
I now have (thanks to Miao) Server 2008 R2s set up for everyone.
What does this do?
    cd AD:
    ls
Is it good for anything?
Getting information about commands:
get-help *-AD*
get-help New-AD*
get-ADdomain
Note the way domains are expressed, eg DC=csed,DC=luc,DC=edu. 
In the examples below, for domain csed2.edu, it is DC=csed2,DC=edu
Listing all OUs:
    get-ADOrganizationalUnit -filter {name -like '*'}
Listing all AD objects:
    get-ADobject -filter {name -like '*'}
get-ADuser
get-ADuser alice
get-ADuser -filter {name -like 'alice' }        # different kind of name!
All users:
    get-ADuser -filter {name -like '*'}
get-ADcomputer: similar; you typically need a -filter.
Listing disabled accounts:
    Search-ADAccount -AccountDisabled | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
Expiring accounts
    Search-ADAccount -AccountExpiring -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
The following example demonstrates how to find all the users whose accounts will expire on the date 10/15/2009:
    Search-ADAccount -PasswordExpiring -DateTime 10/15/2009 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
The following example demonstrates how to find inactive user accounts:
    Search-ADAccount -AccountInactive | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
The following example demonstrates how to find user accounts that have been inactive for 90 days:
    Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
The following example demonstrates how to find user accounts that have been inactive since 1/25/2010:
    Search-ADAccount -AccountInactive -DateTime 01/25/2010 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A
Creating accounts
    New-ADUser -SamAccountName peter -Name "peter two" -AccountPassword (ConvertTo-SecureString -AsPlainText "peter" -Force) -Enabled $true -Path 'OU=labusers,DC=csed2,DC=edu'
We could add -changePasswordAtLogon $false.
set-ADAccountControl peter -passwordNeverExpires $true
(or add that to the new-ADUser line)
Common options:
  - -passwordNeverExpires <bool>
  - -enabled <bool>
  - -passwordNotRequired <bool>
get-ADdefaultDomainPasswordPolicy
get-ADgroup -filter {name -like '*remote*'}
get-ADgroupmember "remote desktop users"
add-ADgroupMember 'remote desktop users' peter
get-ADobject -filter {name -like '*'} -searchbase 'ou=labusers,dc=csed2,dc=edu'
Finally,
remove-ADuser roger
Making a bunch of users
First we make the file, names.csv. (csv = comma-separated values) Note the header line that gives names to the columns:
samAccountName,name,password,ou
roger,"Roger Wilco",roger,labusers
sally,"Sally Swift",sally,labusers
Then we check it:
import-csv names.csv

samAccountName    name           password    ou
--------------    ----           --------    --
roger             Roger Wilco    roger       labusers
sally             Sally Swift    sally       labusers

Now we run a script. The basic format is "import-csv names.csv | foreach { command }", where command is an instance of new-ADuser. Inside of command, $_ is a reference to the current row object, and $_.samAccountName is the first column of the current row object.
Import-CSV names.csv | foreach {New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name -Path "OU=labusers,DC=csed2,DC=edu" -AccountPassword (ConvertTo-SecureString -AsPlainText $_.password -Force) -Enabled $true}
The command itself should be either run as a batch file, or (simpler) created/edited/saved in Notepad, and then copy/pasted into the PowerShell window when you want to run it.
Note the fact that although there's a column in our table for OU, the OU has to be part of a string, and it comes in $_.ou form as an object. I got an error
     "cannot convert 'System.Object[]' to the type 'System.String' required by parameter 'Path'."
or "the object name has bad syntax"
Here is a later version of the command:
Import-CSV names.csv | foreach {New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name -Path "OU=labusers,DC=csed2,DC=edu" -AccountPassword (ConvertTo-SecureString -AsPlainText $_.password -Force) -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true}
Lab
Log into your Windows Server 2008 R2. It should already be a domain controller.
Log into your Windows 7 instance, and have it join the domain. Make a note of any problems you encounter. What is the DNS problem?
Install PowerShell on your Windows server. Go to Server Manager => Features => Add Feature
Create an OU, labusers, using PowerShell. Use new-ADOrganizationalUnit.
Create a .csv file (using notepad) to add at least four users. For each user, specify:
  - samAccountName
  - given name
  - surname
  - (with the above two, you should be able to specify -name "$_.givenname $_.lastname" or -name $_.givenname + " " + $_.lastname, though I did not test this.)
  - expiring in about 120 days
  - password (not the same as the samAccountName!)
  - description (to be used for grade level, eg "eighth")
Make sure your .csv file has a header row!
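
Both string-building problems in these notes (the ou column inside -Path, and the -name expression in the lab list) have the same cause: inside a double-quoted string PowerShell expands $_ but not a property access such as $_.ou, unless it is wrapped in $( ). The script below is an added example, not part of the original notes; the sample rows, the column names givenname/surname/description, the helper name ConvertTo-NewADUserParams and the choice to force a password change at first logon are assumptions made for illustration.

```powershell
# Added example. The CSV rows are constructed sample data, embedded inline.
$rows = @'
samAccountName,givenname,surname,password,ou,description
roger,Roger,Wilco,Tr1cky-Horse-42,labusers,eighth
sally,Sally,Swift,sally,labusers,seventh
'@ | ConvertFrom-Csv

# Hypothetical helper: turns one CSV row into a parameter table for New-ADUser.
function ConvertTo-NewADUserParams {
    param([Parameter(Mandatory=$true)] $Row,
          [string] $DomainDN = 'DC=csed2,DC=edu')

    # Refuse the weak case the lab warns about: password equal to the login name.
    # (-eq on strings is case-insensitive, so "Sally" is caught as well.)
    if ($Row.password -eq $Row.samAccountName) {
        throw "Row '$($Row.samAccountName)': password matches samAccountName"
    }
    @{
        SamAccountName        = $Row.samAccountName
        GivenName             = $Row.givenname
        Surname               = $Row.surname
        # "$Row.givenname" would expand $Row and append the literal ".givenname";
        # $( ) evaluates the property access inside the string.
        Name                  = "$($Row.givenname) $($Row.surname)"
        # The same syntax turns the ou column into the single string -Path requires.
        Path                  = "OU=$($Row.ou),$DomainDN"
        Description           = $Row.description
        AccountExpirationDate = (Get-Date).AddDays(120)
        AccountPassword       = ConvertTo-SecureString -AsPlainText $Row.password -Force
        # The initial password sat in a plain-text file, so make it single-use.
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
}

foreach ($row in $rows) {
    try {
        $params = ConvertTo-NewADUserParams -Row $row
        if (Get-Command New-ADUser -ErrorAction SilentlyContinue) {
            New-ADUser @params -WhatIf    # remove -WhatIf to actually create the account
        } else {
            "{0} -> {1}" -f $params.Name, $params.Path    # no AD module loaded: show the result only
        }
    } catch {
        Write-Warning $_.Exception.Message    # the sally row is rejected here
    }
}
```

With -WhatIf in place the script only reports what it would create, so the CSV can be checked before any account exists.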