http://www.manning.com/siddaway3/

The chapter covers Fine Grained Password Policies

Chapter 8 – creating Group Policies

details from http://www.manning.com/siddaway3/

The get 50% off today using code dotd0227cc. The offer is good for today only

The same code can be used for 50% off PowerShell in Practice

PS> Get-Help Get-ADUser -Parameter *Filter*

-Filter <String>
    Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression
    Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types  received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see  about_ActiveDirectory_Filter.

-LDAPFilter <String>
    Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run  your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For  more information, see the Filter parameter description and the about_ActiveDirectory_Filter.

This means you have two ways to approach a problem. Lets think about finding a single user:

Get-ADUser -LDAPFilter "(samAccountName=Richard)"

Get-ADUser -Filter {samAccountName -eq ‘Richard’}

The LDAPFilter uses LDAP query syntax – attribute and value.  Filter uses PowerShell syntax. You could think of the –Filter as a condensed version of

Get-ADUser -Filter * | where samAccountName -eq ‘Richard’

Use the –Filter parameter because its less typing and you filter early – especially important if querying across a network.

You can use multiple attributes in the filters  – & implies AND in the LDAP filter

Get-ADUser -LDAPFilter "(&(givenname=Bill)(sn=Green))"

Get-ADUser -Filter {GivenName -eq ‘Bill’ -and Surname -eq ‘Green’}

The LDAP filter HAS to use the correct attribute name but Filter uses the property name returned by Get-ADUser.

LDAP filters can get very complicated very quickly. For instance if you want to find the disabled user accounts

Get-ADUser -LDAPFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))"

Get-ADUser -Filter {Enabled -eq $false}

Alternatively,and in my opinion, its simpler to use Search-ADaccount

Search-ADAccount -AccountDisabled –UsersOnly

Which one should you use?  The one that best solves your problem. I mix & match to suit the search I’m performing

it assumes no knowledge of AD and shows how to perform the common management tasks from the GUI (AD Administrative Center & the venerable AD Users & Computers) as well as PowerShell (using the Microsoft cmdlets). 

Chapters 1-7 are currently available from www.manning.com\siddaway3 with more to come soon

I’ve covered configuring a server before but to recap:

• Rename the machine – use Rename-Computer
• Set Network – use Set-NetIPInterface (address) & et-DnsClientServerAddress( dns address) & Rename-netAdapter
• Join to domain – use Add-Computer

To create the domain controller use the ADDSDeployment module. You’ll only find this on servers where you’ve installed the AD Domain Services feature which you do like this:

Install-WindowsFeature -Name AD-Domain-Services -Confirm:$false

Import the module

Import-Module ADDSDeployment
Get-Command -Module ADDSDeployment

Create the Domain Controller. This is the equivalent of running DCPROMO in earlier versions. Even better you don’t need the answer file. Everything is a parameter on the cmdlet.

Install-ADDSDomain Controller -DomainName "manticore.org" -InstallDns -Credential (Get-Credential manticore\richard) -ApplicationPartitionsToReplicate *

Thats it!  Just wait for replication to happen.

You can also demote a domain controller

$cred = Get-Credential
Uninstall-ADDSDomainController -Credential $cred -RemoveApplicationPartitions -Confirm:$false

Restart the machine and uninstall AD & DNS

Uninstall-WindowsFeature -Name AD-Domain-Services, DNS -Confirm:$false
Restart-Computer -ComputerName dc02

Leave the domain

$cred = Get-Credential manticore\richard
Remove-Computer -UnjoinDomainCredential $cred -Workgroup Test

Trash the VM.

And best of all it works over remoting.  You will need to recreate the session for restarts & changes but it is really easy.

Server Core is now a much friendlier option.

https://skydrive.live.com/?cid=43cfa46a74cf3e96#cid=43CFA46A74CF3E96&id=43CFA46A74CF3E96%2140563

http://msmvps.com/blogs/richardsiddaway/archive/2013/01/16/uk-powershell-group-29-january-2013.aspx

When: Tuesday, Jan 29, 2013 7:30 PM (GMT)

Where: virtual

*~*~*~*~*~*~*~*~*~*

Active Directory is one of the commonest automation targets for administrators. This session will covert the basics of automating your AD admin – scripts and the Microsoft cmdlets. The new features in PowerShell for Windows 2012 AD will also be covered

Notes

Richard Siddaway has invited you to attend an online meeting using Live Meeting.
Join the meeting.
Audio Information
Computer Audio
To use computer audio, you need speakers and microphone, or a headset.
First Time Users:
To save time before the meeting, check your system to make sure it is ready to use Microsoft Office Live Meeting.
Troubleshooting
Unable to join the meeting? Follow these steps:

1. Copy this address and paste it into your web browser:
   https://www.livemeeting.com/cc/usergroups/join
2. Copy and paste the required information:
   Meeting ID: RCRWH3
   Entry Code: 5p7$}S_!h
   Location: https://www.livemeeting.com/cc/usergroups

If you still cannot enter the meeting, contact support

Notice
Microsoft Office Live Meeting can be used to record meetings. By participating in this meeting, you agree that your communications may be monitored or recorded at any time during the meeting.