powershell manage domain users,Using PowerShell to Manage AD and AD Users

In the domain environment, often need to use the command line management domain users, then you can use the Active Directory command line tools Dsquery.exe, or CSVE, and Ldifde, in fact, the use of Windows Powershell to manage the operation is quite convenient.

The following to create a user example: Create a domain user The most basic Windows Powershell script looks like this:

$objUser=$objU.Create(“user”,”CN=Mary North”)

The above code lists the four basic steps for creating a user using Active Directory using Windows Powershell.
The details will be described below.

Connect to the Active Directory container

To create an object like this, it is actually going to create an object for the object’s container. So the first need for the container, the implementation of a certain operation, that is, “method.” The first step is to connect to the container, and Windows Powershell can use the Active Directory service interface type adapter to cut into the Active Directory object. To connect to an Active Directory object, you must submit an LDAP query string, that is, the LDAP: // protocol identifier followed by the object’s DN. So the first line of code should look like this:


Windows Powershell needs to use the ADSI type adapter to create objects that represent the People OU and assign it to the component. A variable named objOU reflects the identification of a variable type, starting with obj just a programming standard, but the actual variable can use any name.

Call the Create method

At this point, the variable $ objOU can represent the People OU. You can then use the container’s create method to let the container create the object. The Create method needs to provide two parameters: the object class and the object RDN. The object’s RDN refers to the name of the object under the parent container, and most object classes use the “CN = object name” format as its own RDN. However, the RDN of the OU is in the format “OU = organizational unit name”, and the domain’s RDN is “DN = domain name”. So the following code can use the “CN = Mary North” RDN to create user objects:

$objUser=$objU.Create(“user”,”CN=Mary North”)

The resulting object result is assigned to the variable $objUser and uses the variable to represent the object to be created for subsequent operations.

Fill in the user attributes

It is important to note that a new object and its changes are not saved until the changes are merged, and the changes can not be successfully merged before filling in all the necessary attributes. User object must be comfortable including windows 2000 before the login name. The LDAP name of the attribute is sAMAccountName, so the next line of code needs to assign sAMAccountName to the object, and you need to use the Put method. Put is the standard method for writing properties to an object, and Get is the standard method for retrieving object properties. The code here should look like this:

$odjUser.Put=(“sAMAccountName”,”Mary North”)

For user objects, there are other mandatory attributes, including the object’s security identifier (SID), but these objects will be automatically created when Active Directory is created when the new user is submitted to the directory.

Using the SetInfo method to merge changes

To merge changes, use the SetInfo method of the Active Directory object. The code here should look like this:


Fill in other user attributes

The above command creates a user that only contains the mandatory sAMAccountName attribute. When creating a user object, you also need to fill in other user attributes. Previously, the use of the user object Put method to write attributes, so here only need to repeatedly call the method, specify the need to add each attribute can be:

$odjUser.Put=(“sAMAccountName”, ”$samAccountName”)
$odjUser.Put=(“displayName”, ”$displayname”)
$odjUser.Put=(“sn”, “$sn”)

What is the user’s password? You can not set the user password using the Put method. Instead, you should use the SetPassword method, for example:


However, the SetPassword method can only be used after creating a user and calling the SetInfo () method, which means that in fact, we are the preferred to create a good account and then set a password for it. This is not a Windows Powershell bug or limitation, but the actual requirements for Kerberos and LDAP. However, security is not compromised because the account created is disabled.
So the status of the account is actually a flag (flag), can not be directly used Put command settings. The following commands are required:


The post Use powershell to manage domain users appeared first on Penetration Testing. http://ift.tt/2rL48KJ http://ift.tt/2aM8QhC


Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s