  • CyberBrew Team

Active Directory and WMI Scripting with PowerShell

Updated: May 16




In this guide, we will delve into the intricacies of managing Active Directory (AD) and employing Windows Management Instrumentation (WMI) through PowerShell. This guide is tailored for advanced users who are already familiar with basic PowerShell commands and the fundamental concepts of Active Directory and WMI. Our focus will be on leveraging PowerShell to automate tasks related to querying and managing Active Directory, Group Policy Objects (GPOs), Local Users and Groups, and AD permissions.


What You Will Learn

  • Active Directory Management: How to interact with AD using PowerShell for various administrative tasks.

  • WMI Scripting: Techniques to leverage WMI for querying and managing system components.

  • Group Policy and Local Users Management: Managing GPOs and local system users/groups through scripts.

  • Security and Permissions: Handling AD security settings and permissions programmatically.


Prerequisites

  • Knowledge of PowerShell: Basic understanding of PowerShell scripting.

  • Familiarity with Active Directory and WMI: Understanding of AD architecture and WMI framework.

  • Environment: Access to a Windows Server with AD DS and PowerShell.


Part 1: Managing Active Directory with PowerShell

Active Directory is a directory service developed by Microsoft for Windows domain networks. It is used for organizing your company’s hierarchy, or "directory," of users, computers, and other resources into a secure, manageable, and structured data store.


1.1 Querying Active Directory


Get-ADUser: This command is used to fetch details about AD users.

# Fetch all properties of a specific user
Get-ADUser -Identity 'JohnDoe' -Properties *

Get-ADComputer: This command retrieves information about AD-joined computers.

# List all computers in AD with their operating system
Get-ADComputer -Filter * -Properties OperatingSystem | Select-Object Name, OperatingSystem

1.2 Managing Organizational Units and Groups


New-ADOrganizationalUnit and New-ADGroup are used to create new OUs and groups.

# Create a new organizational unit
New-ADOrganizationalUnit -Name 'HRDept' -Path 'DC=example,DC=com'
# Create a new group in the HRDept OU
New-ADGroup -Name 'HRManagers' -GroupScope Global -Path 'OU=HRDept,DC=example,DC=com'

1.3 Modifying Active Directory Objects


Set-ADUser and Set-ADComputer are commonly used to modify properties of AD objects.

# Change a user's office phone number
Set-ADUser -Identity 'JohnDoe' -OfficePhone '+1234567890'
# Move a computer to a different OU
Get-ADComputer -Identity 'Comp01' | Move-ADObject -TargetPath 'OU=ITDept,DC=example,DC=com'

Part 2: Leveraging WMI with PowerShell

Windows Management Instrumentation (WMI) is a subsystem of PowerShell that provides administrative information about a computer system.


2.1 Basic WMI Queries

Get-WmiObject: This cmdlet is used to retrieve management information from local and remote computers.

# List all services on the computer 
Get-WmiObject -Class Win32_Service | Select-Object Name, State, StartMode

2.2 Managing System Hardware

# Get processor information
Get-WmiObject -Class Win32_Processor | Select-Object Name, NumberOfCores, MaxClockSpeed

2.3 Advanced WMI Queries

Combining WMI with PowerShell scripting allows for more complex data queries and operations.

# Find users currently logged on the system 
Get-WmiObject -Class Win32_ComputerSystem | Select-Object Username
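
The Win32_Service query from 2.1, run against remote computers and used as a service-account audit. This is an added example, not code from the original guide: it uses Get-CimInstance (Get-WmiObject is not available in PowerShell 7), the computer names are constructed placeholders, and it assumes WinRM is enabled on the targets.

```powershell
# Added example: list auto-start services that run under non-built-in accounts.
# Computer names are constructed placeholders; replace them with real hosts.
$computers = 'Comp01', 'Comp02'

# Built-in service identities. Anything else is a user or managed service
# account whose privileges and password handling deserve a review.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

$results = foreach ($name in $computers) {
    try {
        # CIM sessions use WS-Man (WinRM) by default, not DCOM
        $session = New-CimSession -ComputerName $name -ErrorAction Stop
    }
    catch {
        # An unreachable host should not abort the whole audit
        Write-Warning "Skipping ${name}: $($_.Exception.Message)"
        continue
    }

    try {
        # The WQL filter runs on the target, so only auto-start services come back
        Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "StartMode = 'Auto'" |
            Where-Object {
                $_.StartName -and
                $_.StartName -notin $builtIn -and
                $_.StartName -notlike 'NT SERVICE\*'   # per-service virtual accounts
            } |
            Select-Object PSComputerName, Name, State, StartName, PathName
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

$results | Sort-Object PSComputerName, Name | Format-Table -AutoSize -Wrap
```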

Part 3: Managing Group Policy Objects and Local Users

Group Policy Objects (GPOs) are a critical part of AD management, allowing centralized management of operating system and application settings.


3.1 Creating and Managing GPOs

New-GPO and Set-GPPermission: These cmdlets are used to create GPOs and manage their permissions.

# Create a new GPO
$gpo = New-GPO -Name 'SecurityPolicy'
# Grant edit settings permission to a security group (-TargetType is mandatory)
Set-GPPermission -Name 'SecurityPolicy' -TargetName 'SecurityTeam' -TargetType Group -PermissionLevel GpoEdit

3.2 Managing Local Users and Groups

PowerShell provides direct commands to interact with local user accounts and groups.

# Add a new local user
# (sample password only; in a real script, read it with Read-Host -AsSecureString instead of embedding it)
New-LocalUser -Name 'LocalAdmin' -Password (ConvertTo-SecureString -AsPlainText "Passw0rd!" -Force)
# Add user to local administrators group
Add-LocalGroupMember -Group "Administrators" -Member 'LocalAdmin'

Part 4: Handling Active Directory Permissions

Handling permissions in AD is crucial for maintaining security and compliance.


4.1 Setting Access Control


Get-ACL and Set-ACL are used to get and set security permissions.

# The AD: drive is provided by the ActiveDirectory module
Import-Module ActiveDirectory
# Get ACL of an OU
$acl = Get-ACL -Path "AD:\OU=HRDept,DC=example,DC=com"
# Modify and set ACL
Set-ACL -Path "AD:\OU=HRDept,DC=example,DC=com" -AclObject $acl

4.2 Automating Permission Assignments

Scripting can automate the assignment of permissions to reduce manual errors and ensure consistency.


# Script to automate permissions
$users = Get-ADUser -Filter *
foreach ($user in $users) {
    # Process each user
    # Example: Modify user permissions
}
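
Before automating permission changes, it helps to know what is already delegated. The following is an added example, not code from the original guide: it reads the ACL of every OU through the AD: drive shown in 4.1 and reports explicit Allow entries that grant control of the ACL itself. The EXAMPLE NetBIOS domain name and the list of expected principals are assumptions chosen to match the guide's example.com domain.

```powershell
# Added example: report explicit ACEs on OUs that grant WriteDacl/WriteOwner
# (and therefore GenericAll) to principals outside an expected list.
Import-Module ActiveDirectory                      # also provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices    # ActiveDirectoryRights enum

# WriteDacl and WriteOwner let a principal rewrite the ACL itself.
# GenericAll contains both bits, so this mask matches it as well.
$riskyMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)

# Assumption: principals expected to hold these rights in the example.com domain
$expected = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    'EXAMPLE\Domain Admins'
    'EXAMPLE\Enterprise Admins'
)

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        $grantsControl = ([int]$ace.ActiveDirectoryRights -band $riskyMask) -ne 0

        # Only explicit Allow ACEs: inherited ones are reported where they are defined
        if ($ace.AccessControlType -eq 'Allow' -and
            -not $ace.IsInherited -and
            $grantsControl -and
            $ace.IdentityReference.Value -notin $expected) {

            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                AppliesTo = $ace.InheritanceType
            }
        }
    }
}

$findings | Sort-Object OU, Principal | Format-Table -AutoSize -Wrap
```

The script only reads ACLs; any entry it lists should be compared against the documented delegation model before Set-ACL is used to change anything.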


Interview Practice: Questions and Answers


Question 1: PowerShell Script to Report All AD Users with 'User must change password at next logon' Set


Answer:

To identify Active Directory users who must change their password at their next logon, you can use the Get-ADUser cmdlet combined with a filter. Here's a PowerShell script that accomplishes this:

# Get all users who must change their password at next logon
# (the AD filter cannot compare against $null; the flag is stored as pwdLastSet = 0,
#  which the module surfaces as an empty PasswordLastSet)
Get-ADUser -Filter {PasswordNeverExpires -eq $false -and pwdLastSet -eq 0} -Properties PasswordLastSet, PasswordNeverExpires | Select-Object Name, SamAccountName

This script selects users whose PasswordLastSet attribute is null (stored in the directory as pwdLastSet = 0) and whose PasswordNeverExpires is false, indicating that they must change their password upon next login. The output includes the user's name and their SAM account name.


Question 2: Can you demonstrate a WMI query to list all installed software on a network computer?


Answer:

To list all software installed on a network computer using WMI, you can utilize the Win32_Product class. Here is how you can do it with PowerShell:

# Get a list of all installed software on a local computer 
Get-WmiObject -Class Win32_Product | Select-Object Name, Version, Vendor

This command retrieves information about each installed application, including its name, version, and vendor. Note, however, that using Win32_Product can be slow and might trigger a consistency check of the installed packages, potentially impacting performance. An alternative, more efficient method is querying the registry:


# Alternative method using registry (faster and non-intrusive) 
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher

This alternative method accesses the uninstallation registry key to fetch details about installed software, which is much faster and does not impact the system.
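
The registry approach extended to a network computer and to both machine-wide uninstall keys, since the Wow6432Node path above lists only 32-bit applications on a 64-bit system. This is an added example, not code from the original answer: Get-InstalledSoftware is a hypothetical helper name, 'Comp01' is the sample computer used earlier in the guide, and PowerShell remoting (WinRM) is assumed to be enabled on the target.

```powershell
# Added example: registry-based software inventory for one or more remote computers.
function Get-InstalledSoftware {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Native view plus the 32-bit view on 64-bit Windows.
        # Per-user installs under HKCU are not covered.
        $keys = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )

        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |      # skip entries with no display name
            ForEach-Object {
                [pscustomobject]@{
                    Name      = $_.DisplayName
                    Version   = $_.DisplayVersion
                    Publisher = $_.Publisher
                    View      = if ($_.PSPath -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                }
            }
    } | Select-Object PSComputerName, Name, Version, Publisher, View
}

Get-InstalledSoftware -ComputerName 'Comp01' |
    Sort-Object PSComputerName, Name |
    Format-Table -AutoSize -Wrap
```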


Question 3: What PowerShell commands are crucial for troubleshooting group policy application issues?

Answer:


Troubleshooting Group Policy issues often involves understanding which policies are applied to a specific user or computer and diagnosing why certain policies might not be applying as expected. Here are some crucial PowerShell commands:


# Get Resultant Set of Policy (RSoP) information for the current user
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\GPReports\UserReport.html -User $env:USERNAME
# Get all GPOs applied to the local computer with their status
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\GPReports\ComputerReport.html -Computer $env:COMPUTERNAME

These commands generate HTML reports that provide detailed information about which Group Policy Objects are applied and include any errors or issues that might have occurred during the processing of GPOs. These reports are instrumental in diagnosing problems with GPO application.

By mastering these commands and scripts, you will enhance your ability to manage and troubleshoot Active Directory and system configurations effectively in a professional environment.


Conclusion

This guide has walked through the detailed steps of managing Active Directory and using WMI scripting through PowerShell, covering the essentials needed to proficiently handle tasks in a complex enterprise environment. With this knowledge, you are well-equipped to automate and streamline your Windows network administration tasks.

