Windows Server 2012 R2 was released on Oct 18, 2013. Last Friday was a big day for everyone in the Microsoft community. In future blog posts I'll be going over some of the new features available for Active Directory in 2012 R2. I first want to get to know the features well before I blog about them :)
One area that most Active Directory admins are familiar with is PowerShell. Not everyone is a PowerShell expert, but I'm seeing a lot of folks trying to learn PowerShell, and this is definitely true in the Active Directory community.
Windows 2012 R2 and Windows 8.1 introduced PowerShell version 4. This blog goes over the various versions of PowerShell and what is included for Active Directory in each version.
It is also important to know that you can run various versions of the AD cmdlets against DCs with the Active Directory Web Services running. Ashley McGlone aka GoateePFE has an excellent blog on how to use the PowerShell v 3.0 cmdlets from Windows 7. I'd personally use a Windows 8 or 8.1 admin workstation if possible.
PowerShell was known by the code name "Monad" and first shown off publicly in 2003. It has come a long way since then. In PowerShell version 1.0 there were no native Active Directory cmdlets.
Quest released PowerShell cmdlets that worked in version 1. The Quest cmdlets are still used today and also work in versions 2-4.
Starting with PowerShell version 2, the Microsoft Active Directory team introduced a native AD module. The initial native AD module contains 76 cmdlets and covers many common tasks that AD admins deal with, including object manipulation (users, groups, computers).
For this blog I'm focusing on the ActiveDirectory module and not other modules such as ADDSDeployment, DNS, and GroupPolicy that are also heavily used by AD admins.
Getting the total number of AD cmdlets is a quick one liner:
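An added example, not from the original post: a function that counts the cmdlets in the installed ActiveDirectory module, matches the total against the per-version totals given in this post (76, 135, 147), and groups the cmdlets by feature area. The function name `Get-ADCmdletInventory` and the grouping patterns are assumptions made for illustration, and the ActiveDirectory module (RSAT) must be installed on the workstation.

```powershell
# Added example: Get-ADCmdletInventory is a hypothetical helper name.
# The totals 76 / 135 / 147 are the per-version counts given in this post.
function Get-ADCmdletInventory {
    # The module ships with RSAT / the AD DS role tools; bail out if absent.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning 'ActiveDirectory module not found on this machine.'
        return
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    # The basic count is just: (Get-Command -Module ActiveDirectory).Count
    $cmdlets = @(Get-Command -Module ActiveDirectory -CommandType Cmdlet)

    # Map the total onto the module generations described in this post.
    $generation = switch ($cmdlets.Count) {
        76      { 'PowerShell 2.0 module' }
        135     { 'PowerShell 3.0 module (Windows Server 2012)' }
        147     { 'PowerShell 4.0 module (Windows Server 2012 R2)' }
        default { 'Count does not match a total listed in this post' }
    }

    # Bucket cmdlets by name into the feature areas the post mentions.
    # The patterns are an assumption chosen to match the cmdlet names listed.
    $areas = $cmdlets | Group-Object -Property {
        switch -Regex ($_.Name) {
            'AuthenticationPolicy'                 { 'Authentication policies and silos'; break }
            'ADReplication'                        { 'Replication and topology'; break }
            'CentralAccess|Claim|ResourceProperty' { 'Dynamic Access Control'; break }
            default                                { 'Other' }
        }
    } | Sort-Object Count -Descending | Select-Object Name, Count

    # New-Object (rather than [pscustomobject]) keeps this usable on v2.
    New-Object PSObject -Property @{
        Total      = $cmdlets.Count
        Generation = $generation
        Areas      = $areas
    }
}

$inventory = Get-ADCmdletInventory
if ($inventory) {
    '{0} AD cmdlets: {1}' -f $inventory.Total, $inventory.Generation
    $inventory.Areas | Format-Table -AutoSize
}
```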
The picture below is a snapshot of the different versions and what is included in each version. If anyone wants the slide please let me know and I'll send you the PowerPoint.
[Image: Active Directory PowerShell Modules through the years]
The 76 Active Directory cmdlets introduced in version 2.0 are listed below.
Jeffrey Snover is the inventor of PowerShell (Thanks!). He often says his favorite cmdlet is Get-Help. I agree with that and find it very useful. For Linux types, "man" also works. I use the example switch the most, but you can self-discover and learn more about any of these cmdlets. There is also a lot of great material on the web for learning PowerShell. I recommend the Microsoft Virtual Academy courses on PowerShell.
ACTIVE DIRECTORY POWERSHELL CMDLETS VERSION 2 | 76 TOTAL AD CMDLETS IN v2 |
Add-ADComputerServiceAccount | New-ADGroup |
Add-ADDomainControllerPasswordReplicationPolicy | New-ADObject |
Add-ADFineGrainedPasswordPolicySubject | New-ADOrganizationalUnit |
Add-ADGroupMember | New-ADServiceAccount |
Add-ADPrincipalGroupMembership | New-ADUser |
Clear-ADAccountExpiration | Remove-ADComputer |
Disable-ADAccount | Remove-ADComputerServiceAccount |
Disable-ADOptionalFeature | Remove-ADDomainControllerPasswordReplicationPolicy |
Enable-ADAccount | Remove-ADFineGrainedPasswordPolicy |
Enable-ADOptionalFeature | Remove-ADFineGrainedPasswordPolicySubject |
Get-ADAccountAuthorizationGroup | Remove-ADGroup |
Get-ADAccountResultantPasswordReplicationPolicy | Remove-ADGroupMember |
Get-ADComputer | Remove-ADObject |
Get-ADComputerServiceAccount | Remove-ADOrganizationalUnit |
Get-ADDefaultDomainPasswordPolicy | Remove-ADPrincipalGroupMembership |
Get-ADDomain | Remove-ADServiceAccount |
Get-ADDomainController | Remove-ADUser |
Get-ADDomainControllerPasswordReplicationPolicy | Rename-ADObject |
Get-ADDomainControllerPasswordReplicationPolicyUsage | Reset-ADServiceAccountPassword |
Get-ADFineGrainedPasswordPolicy | Restore-ADObject |
Get-ADFineGrainedPasswordPolicySubject | Search-ADAccount |
Get-ADForest | Set-ADAccountControl |
Get-ADGroup | Set-ADAccountExpiration |
Get-ADGroupMember | Set-ADAccountPassword |
Get-ADObject | Set-ADComputer |
Get-ADOptionalFeature | Set-ADDefaultDomainPasswordPolicy |
Get-ADOrganizationalUnit | Set-ADDomain |
Get-ADPrincipalGroupMembership | Set-ADDomainMode |
Get-ADRootDSE | Set-ADFineGrainedPasswordPolicy |
Get-ADServiceAccount | Set-ADForest |
Get-ADUser | Set-ADForestMode |
Get-ADUserResultantPasswordPolicy | Set-ADGroup |
Install-ADServiceAccount | Set-ADObject |
Move-ADDirectoryServer | Set-ADOrganizationalUnit |
Move-ADDirectoryServerOperationMasterRole | Set-ADServiceAccount |
Move-ADObject | Set-ADUser |
New-ADComputer | Uninstall-ADServiceAccount |
New-ADFineGrainedPasswordPolicy | Unlock-ADAccount |
An additional 59 Active Directory cmdlets were introduced with version 3.0, bringing the total to 135. As you would expect, the new cmdlets in v3 are centered around the new features introduced for Active Directory in Windows Server 2012 such as Dynamic Access Control.
There are also new cmdlets in v3 that can be used for Replication and Topology Management. They are not a complete replacement for the powerful repadmin tool but they are another excellent resource for AD admins.
59 ADDITIONAL AD CMDLETS | POWERSHELL VERSION 3.0 | 135 TOTAL AD CMDLETS IN v3 |
Add-ADCentralAccessPolicyMember | Get-ADResourcePropertyValueType | Remove-ADReplicationSiteLinkBridge |
Add-ADResourcePropertyListMember | Get-ADTrust | Remove-ADReplicationSubnet |
Clear-ADClaimTransformLink | New-ADCentralAccessPolicy | Remove-ADResourceProperty |
Get-ADCentralAccessPolicy | New-ADCentralAccessRule | Remove-ADResourcePropertyList |
Get-ADCentralAccessRule | New-ADClaimTransformPolicy | Remove-ADResourcePropertyListMember |
Get-ADClaimTransformPolicy | New-ADClaimType | Set-ADCentralAccessPolicy |
Get-ADClaimType | New-ADDCCloneConfigFile | Set-ADCentralAccessRule |
Get-ADDCCloningExcludedApplicationList | New-ADReplicationSite | Set-ADClaimTransformLink |
Get-ADReplicationAttributeMetadata | New-ADReplicationSiteLink | Set-ADClaimTransformPolicy |
Get-ADReplicationConnection | New-ADReplicationSiteLinkBridge | Set-ADClaimType |
Get-ADReplicationFailure | New-ADReplicationSubnet | Set-ADReplicationConnection |
Get-ADReplicationPartnerMetadata | New-ADResourceProperty | Set-ADReplicationSite |
Get-ADReplicationQueueOperation | New-ADResourcePropertyList | Set-ADReplicationSiteLink |
Get-ADReplicationSite | Remove-ADCentralAccessPolicy | Set-ADReplicationSiteLinkBridge |
Get-ADReplicationSiteLink | Remove-ADCentralAccessPolicyMember | Set-ADReplicationSubnet |
Get-ADReplicationSiteLinkBridge | Remove-ADCentralAccessRule | Set-ADResourceProperty |
Get-ADReplicationSubnet | Remove-ADClaimTransformPolicy | Set-ADResourcePropertyList |
Get-ADReplicationUpToDatenessVectorTable | Remove-ADClaimType | Sync-ADObject |
Get-ADResourceProperty | Remove-ADReplicationSite | Test-ADServiceAccount |
Get-ADResourcePropertyList | Remove-ADReplicationSiteLink | |
Windows Server 2012 R2 introduced an additional 12 AD cmdlets, bringing the total up to 147 AD cmdlets. The 12 new cmdlets are centered around Authentication Policies and Authentication Policy Silos. If you haven't seen them then open up the AD Admin Center on a 2012 R2 box.
I'm personally still learning about these new features myself. Authentication policies can control which hosts an account can sign into. Windows Server 2012 R2 is also being called the "CloudOS" so many of the new features are based around Azure and the cloud.
12 ADDITIONAL AD CMDLETS | POWERSHELL VERSION 4.0 | 147 TOTAL AD CMDLETS IN v4 |
Get-ADAuthenticationPolicy | New-ADAuthenticationPolicySilo | Set-ADAccountAuthenticationPolicySilo |
Get-ADAuthenticationPolicySilo | Remove-ADAuthenticationPolicy | Set-ADAuthenticationPolicy |
Grant-ADAuthenticationPolicySiloAccess | Remove-ADAuthenticationPolicySilo | Set-ADAuthenticationPolicySilo |
New-ADAuthenticationPolicy | Revoke-ADAuthenticationPolicySiloAccess | Show-ADAuthenticationPolicyExpression |