茫茫網海中的冷日
Microsoft Empire : [Repost] How do I issue the command to batch-create several OUs with New-ADOrganizationalUnit?

Poster  Discussion
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15766
[Repost] How do I issue the command to batch-create several OUs with New-ADOrganizationalUnit?

How do I issue the command to batch-create several OUs with New-ADOrganizationalUnit?

Hi everyone, a few questions:

  1. I want to batch-create several OUs with New-ADOrganizationalUnit. How should I issue the command?

  2. I tried the following commands myself. Could some kind soul help me see where the error is!!!

$OU1 = Users
$OU2 = Taiwan
$OU3 = APAC

$path = "OU=$OU1,OU=$OU2,OU=$OU3,dc=GPO,dc=net"
$Password = convertto-securestring 'Password123' -asplaintext -force

$Filepath = "C:\GTO.csv"
$Users = Import-csv $FilePath

Foreach ($user in $Users) {
    New-ADUser -AccountPassword $Password -DisPlayName $User.DisplayName -Enable $True -Name $User.DisplayName -SamAccountName $User.SamAccountName -Path $path -givenname $user.Firstname -surname $user.Lastname -UserPrincipalName $User.UserPrincipalName;
}

The image below shows the corresponding CSV file.


$OU1 = Users
$OU2 = Taiwan
$OU3 = APAC
$path = "OU=$OU1,OU=$OU2,OU=$OU3,dc=GPO,dc=net"

The OUs should be created in this order:

  1. First create ou=APAC,dc=GPO,dc=net
  2. Then create ou=Taiwan,ou=APAC,dc=GPO,dc=net
  3. Finally ou=Users,ou=Taiwan,ou=APAC,dc=GPO,dc=net

Unless the path ou=Taiwan,ou=APAC,dc=GPO,dc=net already exists from the start, creating from ou=Users... will not work. Here is an example for reference:
http://poshcode.org/3699
The example covers two situations: one is creating OUs at the same level, the other is creating OUs one level after another, as in the asker's problem.

As for batch-creating the users, it does not work because the OUs could not be created properly.
Hope this information helps.

Two things to double-check:

  1. Is it $ou1=users or $ou1="Users" ?

$path = "OU=$OU1,OU=$OU2,OU=$OU3,dc=GPO,dc=net"

Written this way, $path will be OU=$OU1,OU=$OU2,OU=$OU3,dc=GPO,dc=net
and not the expected ou=Users,ou=Taiwan,ou=APAC,dc=GPO,dc=net


One more question: I have now finished creating the users, but when I want to create groups, is there a way to do that in batch as well??
After the groups are batch-created, can they also be placed in the OU I want (as in the picture)?

You can refer to New-ADGroup on the Microsoft site:
https://technet.microsoft.com/en-us/library/ee617258.aspx
Next you will probably want to batch-add users to groups; see the documentation for
Add-ADGroupMember or Add-ADPrincipalGroupMembership:
https://technet.microsoft.com/en-us/library/ee617210.aspx
https://technet.microsoft.com/en-us/library/ee617203.aspx


Source: How do I issue the command to batch-create several OUs with New-ADOrganizationalUnit? - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天
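As an added example (not code from the original thread), the following script does what the answer describes: it creates the OU chain from the question parent-first, skips levels that already exist, and then creates the users from the CSV in the leaf OU. It assumes the ActiveDirectory module, the domain GPO.net from the question and a CSV with the columns the question uses; the two function names are my own.

```powershell
# Added example; not code from the original thread. Function names are my own.
Import-Module ActiveDirectory

function Test-ADOrganizationalUnitExists {
    # $true when an OU with this distinguished name exists, $false when the
    # lookup reports "not found"; any other error (permissions, no DC) still throws.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    try {
        $null = Get-ADOrganizationalUnit -Identity $DistinguishedName -ErrorAction Stop
        return $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
}

function New-ADOrganizationalUnitChain {
    # Creates every missing OU in a distinguished name, outermost first.
    # "OU=Users,OU=Taiwan,OU=APAC,DC=GPO,DC=net" creates OU=APAC, then
    # OU=Taiwan under it, then OU=Users under that, and returns the leaf DN.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split only on commas that begin a new RDN, tolerating a space after the comma.
    $rdns     = $DistinguishedName -split ',\s*(?=(?:OU|DC)=)'
    $ouRdns   = @($rdns | Where-Object { $_ -like 'OU=*' })
    $parentDn = @($rdns | Where-Object { $_ -like 'DC=*' }) -join ','

    # A DN lists the leaf first, so walk it backwards: root-most OU first.
    for ($i = $ouRdns.Count - 1; $i -ge 0; $i--) {
        $ouName = $ouRdns[$i].Substring(3)       # drop the "OU=" prefix
        $ouDn   = "$($ouRdns[$i]),$parentDn"
        if (Test-ADOrganizationalUnitExists -DistinguishedName $ouDn) {
            Write-Verbose "Already exists, skipping: $ouDn"
        }
        elseif ($PSCmdlet.ShouldProcess($ouDn, 'Create organizational unit')) {
            New-ADOrganizationalUnit -Name $ouName -Path $parentDn -ProtectedFromAccidentalDeletion $true
        }
        $parentDn = $ouDn                          # the next level nests under this one
    }
    return $parentDn
}

# --- The question's values -------------------------------------------------
# Quoted: a bare word such as  $OU1 = Users  is parsed as a command, not a string.
$OU1 = "Users"; $OU2 = "Taiwan"; $OU3 = "APAC"
$path = New-ADOrganizationalUnitChain -DistinguishedName "OU=$OU1,OU=$OU2,OU=$OU3,DC=GPO,DC=net" -Verbose

# Prompt for the initial password rather than keeping it in the script,
# and make each account change it at first logon.
$initialPassword = Read-Host -Prompt 'Initial password for the new accounts' -AsSecureString

# CSV columns as in the question: DisplayName,SamAccountName,Firstname,Lastname,UserPrincipalName
$users = Import-Csv -Path 'C:\GTO.csv'
foreach ($user in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($user.SamAccountName)'") {
        Write-Warning "Already exists, skipping: $($user.SamAccountName)"
        continue
    }
    New-ADUser -Name $user.DisplayName -DisplayName $user.DisplayName `
        -SamAccountName $user.SamAccountName -UserPrincipalName $user.UserPrincipalName `
        -GivenName $user.Firstname -Surname $user.Lastname -Path $path `
        -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
}
```

Run New-ADOrganizationalUnitChain with -WhatIf first to see which levels would be created before touching the directory.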
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15766
[Repost] New-ADGroup

New-ADGroup


Creates an Active Directory group.

Syntax



New-ADGroup [-Name] <string> [-GroupScope] <System.Nullable[Microsoft.ActiveDirectory.Management.ADGroupScope]>

[-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>]

[-Description <string>] [-DisplayName <string>] [-GroupCategory <System.Nullable[Microsoft.ActiveDirectory.Management.ADGroupCategory]>]

[-HomePage <string>] [-Instance <ADGroup>] [-ManagedBy <ADPrincipal>]

[-OtherAttributes <hashtable>] [-PassThru <switch>] [-Path <string>]

[-SamAccountName <string>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

Parameters: Name, GroupScope, AuthType, Credential, Description, DisplayName, GroupCategory, HomePage, Instance, ManagedBy, OtherAttributes, PassThru, Path, SamAccountName, Server, Confirm, WhatIf

Detailed Description


The New-ADGroup cmdlet creates a new Active Directory group object. Many object properties are defined by setting cmdlet parameters. Properties that cannot be set by cmdlet parameters can be set using the OtherAttributes parameter.

The Name and GroupScope parameters specify the name and scope of the group and are required to create a new group. You can define the new group as a security or distribution group by setting the GroupCategory parameter. The Path parameter specifies the container or organizational unit (OU) for the group.

The following methods explain different ways to create an object by using this cmdlet.
Method 1: Use the New-ADGroup cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.
Method 2: Use a template to create the new object. To do this, create a new group object or retrieve a copy of an existing group object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet.
Method 3: Use the Import-CSV cmdlet with the New-ADGroup cmdlet to create multiple Active Directory group objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADGroup cmdlet to create the group objects.

Parameters

AuthType

Specifies the authentication method to use. Possible values for this parameter include:
Negotiate or 0
Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

The following example shows how to set this parameter to Basic.
-AuthType Basic

The following lists the acceptable values for this parameter:

  • Negotiate

  • Basic

Default Value: Microsoft.ActiveDirectory.Management.AuthType.Negotiate

Data Type: ADAuthType

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Credential


Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.

You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object. The following example shows how to create credentials.
$AdminCredentials = Get-Credential "Domain01\User01"

The following shows how to set the Credential parameter to these credentials.
-Credential $AdminCredentials

If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error.

Default Value:

Data Type: PSCredential

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Description

Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".

The following example shows how to set this parameter to a sample description.
-Description "Description of the object"

Default Value:

Data Type: string

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByPropertyName)   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

DisplayName

Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName".

The following example shows how to set this parameter.
-DisplayName "Sara Davis Laptop"

Default Value:

Data Type: string

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByPropertyName)   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

GroupCategory


Specifies the category of the group. Possible values of this parameter are:
Distribution or 0
Security or 1

This parameter sets the GroupCategory property of the group. This parameter value combined with other group values sets the LDAP Display Name (ldapDisplayName) attribute named "groupType".

The following example shows how to specify that a group is a security group.
-GroupCategory security

Default Value: Security

Data Type: System.Nullable[Microsoft.ActiveDirectory.Management.ADGroupCategory]

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByPropertyName)   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

GroupScope


Specifies the group scope of the group. Possible values of this parameter are:
DomainLocal or 0
Global or 1
Universal or 2

This parameter sets the GroupScope property of a group object to the specified value. The LDAP display name of this property is "groupType".

The following example shows two ways to set this parameter to DomainLocal.
-GroupScope DomainLocal
-GroupScope 0

Default Value:

Data Type: System.Nullable[Microsoft.ActiveDirectory.Management.ADGroupScope]

Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByPropertyName)   pipelineInput
Position?                      3                       position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

HomePage


Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage".

The following example shows how to set this parameter to a URL.
-HomePage "http://employees.contoso.com/sdavis"

Default Value:

Data Type: string

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByPropertyName)   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Instance


Specifies an instance of a group object to use as a template for a new group object.

You can use an instance of an existing group object as a template or you can construct a new group object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create group object templates.

Method 1: Use an existing group object as a template for a new object. Use the Get-ADGroup cmdlet to retrieve a group object then pass this object to the Instance parameter of the New-ADGroup cmdlet to create a new group object. You can override property values of the new object by setting the appropriate parameters.

$groupInstance = Get-ADGroup -Identity "KarenTohReports"
New-ADGroup -Name "Sara Davis Reports" -Instance $groupInstance -GroupScope DomainLocal

Method 2: Create a new ADGroup object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADGroup cmdlet to create the new group object.

$groupTemplate = New-Object Microsoft.ActiveDirectory.Management.ADGroup
$groupTemplate.GroupScope = "DomainLocal"
New-ADGroup -Name "Sara Davis Reports" -Instance $groupTemplate

Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error.

Default Value:

Data Type: ADGroup

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

ManagedBy


Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property.
Distinguished Name
Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
SAM Account Name (sAMAccountName)
Example: saradavis

This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy".

The following example shows how to specify this parameter.
-ManagedBy ContosoAdmins

Default Value:

Data Type: ADPrincipal

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByPropertyName)   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Name

Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name".

The following example shows how to set this parameter to a name string.
-Name "SaraDavis"

Default Value:

Data Type: string

Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByPropertyName)   pipelineInput
Position?                      2                       position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

OtherAttributes


Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema.

Syntax:
To specify a single value for an attribute:
-OtherAttributes @{'AttributeLDAPDisplayName'=value}
To specify multiple values for an attribute
-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...}

You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes:
-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...}

The following examples show how to use this parameter.

To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax:
-OtherAttributes @{'favColors'="pink","purple"}

To set values for favColors and dateOfBirth simultaneously, use the following syntax:
-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"}

Default Value:

Data Type: hashtable

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

PassThru

Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

Default Value:

Data Type: switch

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Path


Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created.

In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated.

In AD DS environments, a default value for Path will be set in the following cases:
- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container.
- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain.

In AD LDS environments, a default value for Path will be set in the following cases:
- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container.
- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
- If none of the previous cases apply, the Path parameter will not take any default value.

The following example shows how to set this parameter to an OU.

-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com"

Note: The Active Directory Provider cmdlets, such as New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty, also contain a Path property. However, for the provider cmdlets, the Path parameter identifies the path of the actual object and not the container as with the Active Directory cmdlets.

Default Value:

Data Type: string

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByPropertyName)   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

SamAccountName


Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the SAM account name is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName".

The following example shows how to specify this parameter.
-SAMAccountName "saradavis"

Note: If the string value provided is not terminated with a '$' character, the system adds one if needed.

Default Value:

Data Type: string

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByPropertyName)   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Server



Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
Fully qualified domain name
Examples: corp.contoso.com
NetBIOS name
Example: CORP

Directory server values:
Fully qualified directory server name
Example: corp-DC12.corp.contoso.com
NetBIOS name
Example: corp-DC12
Fully qualified directory server name and port
Example: corp-DC12.corp.contoso.com:3268

The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
- By using the Server value from objects passed through the pipeline.
- By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
- By using the domain of the computer running PowerShell.

The following example shows how to specify a full qualified domain name as the parameter value.
-Server "corp.contoso.com"

Default Value:

Data Type: string

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Confirm

Prompts you for confirmation before executing the command.

Default Value:

Data Type: SwitchParameter

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               true                    variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength

WhatIf

Describes what would happen if you executed the command without actually executing the command.

Default Value:


Data Type: SwitchParameter

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               true                    variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength

Input Type

None or Microsoft.ActiveDirectory.Management.ADGroup


A group object that is a template for the new group object is received by the Instance parameter.

Return Type

None or Microsoft.ActiveDirectory.Management.ADGroup


Returns the new group object when the PassThru parameter is specified. By default, this cmdlet does not generate any output.

Notes



  • This cmdlet does not work with an Active Directory Snapshot.
  • This cmdlet does not work with a read-only domain controller.


Examples

-------------------------- EXAMPLE 1 --------------------------

Command Prompt: C:\PS>


New-ADGroup -Name "RODC Admins" -SamAccountName RODCAdmins -GroupCategory Security -GroupScope Global -DisplayName "RODC Administrators" -Path "CN=Users,DC=Fabrikam,DC=Com" -Description "Members of this group are RODC Administrators"

Create a new group named 'RODC Admins' in the container 'CN=Users,DC=Fabrikam,DC=Com' and set the GroupCategory, DisplayName, GroupScope, and Description properties on the new object.

-------------------------- EXAMPLE 2 --------------------------

Command Prompt: C:\PS>


Get-ADGroup FabrikamBranch1 -Properties Description | New-ADGroup -Name Branch1Employees -SamAccountName Branch1Employees -GroupCategory Distribution -PassThru

GroupScope : Universal
Name : Branch1Employees
GroupCategory : Distribution
SamAccountName : Branch1Employees
ObjectClass : group
ObjectGUID : 8eebce44-5df7-4bed-a98b-b987a702103e
SID : S-1-5-21-41432690-3719764436-1984117282-1117
DistinguishedName : CN=Branch1Employees,CN=Users,DC=Fabrikam,DC=com

Description

-----------

Create a new group using the property values from a current group.

-------------------------- EXAMPLE 3 --------------------------

Command Prompt: C:\PS>


New-ADGroup -Server localhost:60000 -Path "OU=AccountDeptOU,DC=AppNC" -Name AccountLeads -GroupScope DomainLocal -GroupCategory Distribution

Create a new group named 'AccountLeads' on an AD LDS instance.


Source: Windows Server Commands, References, and Tools : New-ADGroup
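An added example, not part of the TechNet page, that applies Method 3 from the description above: CSV rows are validated and then piped into New-ADGroup, whose Name, SamAccountName, GroupScope, GroupCategory, Path and Description parameters accept pipeline input ByPropertyName, so CSV headers with those exact names bind without a loop. The CSV content, the OU and the group names are constructed assumptions, as is the Test-ADGroupRow function name.

```powershell
# Added example; not part of the TechNet page. File path, OU and group names are assumptions.
Import-Module ActiveDirectory

# Constructed sample file for the walk-through; column headers match New-ADGroup
# parameter names so that pipeline binding ByPropertyName picks them up.
$csvPath = Join-Path $env:TEMP 'groups.csv'
@'
Name,SamAccountName,GroupScope,GroupCategory,Path,Description
TW-Finance-RO,TW-Finance-RO,Global,Security,"OU=Users,OU=Taiwan,OU=APAC,DC=GPO,DC=net",Read-only access to the finance share
TW-Announcements,TW-Announcements,Universal,Distribution,"OU=Users,OU=Taiwan,OU=APAC,DC=GPO,DC=net",Taiwan all-hands mail list
TW-Broken,TW-Broken,Regional,Security,"OU=Users,OU=Taiwan,OU=APAC,DC=GPO,DC=net",Invalid scope on purpose
'@ | Set-Content -Path $csvPath -Encoding UTF8

function Test-ADGroupRow {
    # $true when a row only carries values New-ADGroup accepts; rejecting bad
    # rows up front avoids a half-applied batch that stops at the first error.
    param([Parameter(Mandatory)]$Row)
    $problems = @()
    if ([string]::IsNullOrWhiteSpace($Row.Name)) {
        $problems += 'Name is empty'
    }
    if ($Row.GroupScope -notin @('DomainLocal', 'Global', 'Universal')) {
        $problems += "GroupScope '$($Row.GroupScope)' is not DomainLocal, Global or Universal"
    }
    if ($Row.GroupCategory -notin @('Security', 'Distribution')) {
        $problems += "GroupCategory '$($Row.GroupCategory)' is not Security or Distribution"
    }
    if ($Row.SamAccountName.Length -gt 20) {
        # the 20-character limit for older operating systems from the SamAccountName description
        $problems += 'SamAccountName is longer than 20 characters'
    }
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$($Row.Path)'")) {
        $problems += "Path '$($Row.Path)' does not exist"
    }
    foreach ($p in $problems) { Write-Warning "Skipping row '$($Row.Name)': $p" }
    return ($problems.Count -eq 0)
}

# Validate, drop groups that already exist, then let ByPropertyName binding
# map Name, SamAccountName, GroupScope, GroupCategory, Path and Description.
Import-Csv -Path $csvPath |
    Where-Object { Test-ADGroupRow -Row $_ } |
    Where-Object { -not (Get-ADGroup -Filter "SamAccountName -eq '$($_.SamAccountName)'") } |
    New-ADGroup -PassThru |
    Select-Object Name, GroupScope, GroupCategory, DistinguishedName
```

With the sample file, the third row is rejected by the scope check and the first two groups are created in the OU from the thread; appending -WhatIf to New-ADGroup shows the would-be creations without making them.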
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15766
[Repost] Add-ADGroupMember

Add-ADGroupMember


Adds one or more members to an Active Directory group.

Syntax



Add-ADGroupMember [-Identity] <ADGroup> [-Members] <ADPrincipal[]>

[-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>]

[-Partition <string>] [-PassThru <switch>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

Parameters: Identity, Members, AuthType, Credential, Partition, PassThru, Server, Confirm, WhatIf

Detailed Description


The Add-ADGroupMember cmdlet adds one or more users, groups, service accounts, or computers as new members of an Active Directory group.

The Identity parameter specifies the Active Directory group that receives the new members. You can identify a group by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also specify group object variable, such as $<localGroupObject>, or pass a group object through the pipeline to the Identity parameter. For example, you can use the Get-ADGroup cmdlet to get a group object and then pass the object through the pipeline to the Add-ADGroupMember cmdlet.

The Members parameter specifies the new members to add to a group. You can identify a new member by its distinguished name (DN), GUID, security identifier (SID) or SAM account name. You can also specify user, computer, and group object variables, such as $<localUserObject>. If you are specifying more than one new member, use a comma-separated list. You cannot pass user, computer, or group objects through the pipeline to this cmdlet. To add user, computer, or group objects to a group by using the pipeline, use the Add-ADPrincipalGroupMembership cmdlet.

For AD LDS environments, the Partition parameter must be specified except in the following two conditions:
-The cmdlet is run from an Active Directory provider drive.
-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.

Parameters

AuthType

Specifies the authentication method to use. Possible values for this parameter include:
Negotiate or 0
Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

The following example shows how to set this parameter to Basic.
-AuthType Basic

The following lists the acceptable values for this parameter:

  • Negotiate

  • Basic

Default Value: Microsoft.ActiveDirectory.Management.AuthType.Negotiate

Data Type: ADAuthType

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Credential


Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.

You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object. The following example shows how to create credentials.
$AdminCredentials = Get-Credential "Domain01\User01"

The following shows how to set the Credential parameter to these credentials.
-Credential $AdminCredentials

If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error.

Default Value:

Data Type: PSCredential

Attributes

Name                           Value                   PSMAML Attribute
Required?                      false                   required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         false                   pipelineInput
Position?                      named                   position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Identity


Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute.

Distinguished Name
Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
Security Accounts Manager (SAM) Account Name (sAMAccountName)
Example: saradavisreports

The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

This example shows how to set the parameter to a distinguished name.
-Identity "CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com"

This example shows how to set this parameter to a group object instance named "ADGroupInstance".
-Identity $ADGroupInstance

Default Value:

Data Type: ADGroup

Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength
Accept wildcard characters?    false                   globbing
Accept Pipeline Input?         true (ByValue)          pipelineInput
Position?                      1                       position

Value Attributes

Name                           Value                   PSMAML Attribute
Required?                      true                    required
Variable Length?               false                   variableLength

Members


Specifies a set of user, group, and computer objects in a comma-separated list to add to a group. To identify each object, use one of the following property values. Note: The identifier in parentheses is the LDAP display name.

Distinguished Name
Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
SAM Account Name (sAMAccountName)
Example: saradavis

You can also provide objects to this parameter directly.

The following examples show how to specify this parameter.

This example specifies a user and group to add by specifying the distinguished name and the SAM Account Name properties.
-Members "CN=SaraDavis,CN=employees,CN=Users,DC=contoso,DC=com", "saradavisreports"

This example specifies a user and a group object that are defined in the current Windows PowerShell session as input for the parameter.

-Members $userObject, $groupObject

The objects specified for this parameter are processed as Microsoft.ActiveDirectory.Management.ADPrincipal objects. Derived types, such as the following are also received by this parameter.
Microsoft.ActiveDirectory.Management.ADUser
Microsoft.ActiveDirectory.Management.ADComputer
Microsoft.ActiveDirectory.Management.ADServiceAccount
Microsoft.ActiveDirectory.Management.ADGroup

You cannot pass objects through the pipeline to this parameter.

Default Value:

Data Type: ADPrincipal[]

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             true            variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    2               position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             true            variableLength

Partition


Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.
The following two examples show how to specify a value for this parameter.
-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"

-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"

In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated.

In AD DS environments, a default value for Partition will be set in the following cases:
- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain.

In AD LDS environments, a default value for Partition will be set in the following cases:
- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
- If none of the previous cases apply, the Partition parameter will not take any default value.

Default Value:

Data Type: string

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength

PassThru


Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

Default Value:

Data Type: switch

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength


Server


Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
Fully qualified domain name
Examples: corp.contoso.com
NetBIOS name
Example: CORP

Directory server values:
Fully qualified directory server name
Example: corp-DC12.corp.contoso.com
NetBIOS name
Example: corp-DC12
Fully qualified directory server name and port
Example: corp-DC12.corp.contoso.com:3268

The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
-By using Server value from objects passed through the pipeline.
-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
-By using the domain of the computer running Powershell.

The following example shows how to specify a full qualified domain name as the parameter value.
-Server "corp.contoso.com"

Default Value:

Data Type: string

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength

Confirm

Prompts you for confirmation before executing the command.

Default Value:

Data Type: SwitchParameter

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             true            variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength

WhatIf

Describes what would happen if you executed the command without actually executing the command.

Default Value:

Data Type: SwitchParameter

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             true            variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength

Input Type

Microsoft.ActiveDirectory.Management.ADGroup



A group object is received by the Identity parameter.

Return Type

None or Microsoft.ActiveDirectory.Management.ADGroup


Returns the modified group object when the PassThru parameter is specified. By default, this cmdlet does not generate any output.

Notes


  • This cmdlet does not work with a read-only domain controller.
  • This cmdlet does not work with an Active Directory Snapshot.


Examples

-------------------------- EXAMPLE 1 --------------------------

Command Prompt: C:\PS>


Add-ADGroupMember SvcAccPSOGroup SQL01,SQL02

Adds the user accounts with SamAccountNames SQL01,SQL02 to the group SvcAccPSOGroup.

-------------------------- EXAMPLE 2 --------------------------

Command Prompt: C:\PS>


Add-ADGroupMember

cmdlet Add-ADGroupMember at command pipeline position 1
Supply values for the following parameters:
Identity: RodcAdmins
Members[0]: JohnSmith
Members[1]: JeffPrice
Members[2]:

Description

-----------

Demonstrates default behavior for this cmdlet (no parameters specified). Adds user accounts with SamAccountNames JohnSmith and JeffPrice to the group RodcAdmins.

-------------------------- EXAMPLE 3 --------------------------

Command Prompt: C:\PS>


Get-ADGroup -Server localhost:60000 -SearchBase "OU=AccountDeptOU,DC=AppNC" -filter { name -like "AccountLeads" } | Add-ADGroupMember -Members "CN=SanjayPatel,OU=AccountDeptOU,DC=AppNC"

Gets a group from the Organizational Unit "OU=AccountDeptOU,DC=AppNC" in the AD LDS instance localhost:60000 that has the name "AccountLeads" and then pipes it to Add-ADGroupMember, which then adds the user account with DistinguishedName "CN=SanjayPatel,OU=AccountDeptOU,DC=AppNC" to it.

-------------------------- EXAMPLE 4 --------------------------

Command Prompt: C:\PS>


$user = Get-ADUser "CN=Glen John,OU=UserAccounts,DC=NORTHAMERICA,DC=FABRIKAM,DC=COM" -Server "northamerica.fabrikam.com";
$group = Get-ADGroup "CN=AccountLeads,OU=UserAccounts,DC=EUROPE,DC=FABRIKAM,DC=COM" -Server "europe.fabrikam.com";
Add-ADGroupMember $group -Members $user -Server "europe.fabrikam.com"

Adds the user "CN=Glen John,OU=UserAccounts" from the North America domain to the group "CN=AccountLeads,OU=UserAccounts" in the Europe domain.


Source: Windows Server Commands, References, and Tools : Add-ADGroupMember
Posted by 冷日 (Webmaster)
[Repost] Add-ADPrincipalGroupMembership

Add-ADPrincipalGroupMembership

Adds a member to one or more Active Directory groups.

Syntax



Add-ADPrincipalGroupMembership [-Identity] <ADPrincipal> [-MemberOf] <ADGroup[]>

[-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>]

[-Partition <string>] [-PassThru <switch>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

  • Identity

  • MemberOf

  • AuthType

  • Credential

  • Partition

  • PassThru

  • Server

  • Confirm

  • WhatIf

Detailed Description


The Add-ADPrincipalGroupMembership cmdlet adds a user, group, service account, or computer as a new member to one or more Active Directory groups.

The Identity parameter specifies the new user, computer, or group to add. You can identify the user, group, or computer by its distinguished name (DN), GUID, security identifier (SID), or SAM account name. You can also specify a user, group, or computer object variable, such as $<localGroupObject>, or pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADGroup cmdlet to get a group object and then pass the object through the pipeline to the Add-ADPrincipalGroupMembership cmdlet. Similarly, you can use Get-ADUser or Get-ADComputer to get user and computer objects to pass through the pipeline.

This cmdlet collects all of the user, computer and group objects from the pipeline, and then adds these objects to the specified group by using one Active Directory operation.

The MemberOf parameter specifies the groups that receive the new member. You can identify a group by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also specify group object variable, such as $<localGroupObject>. To specify more than one group, use a comma-separated list. You cannot pass group objects through the pipeline to the MemberOf parameter. To add to a group by passing the group through the pipeline, use the Add-ADGroupMember cmdlet.

For AD LDS environments, the Partition parameter must be specified except in the following two conditions:
-The cmdlet is run from an Active Directory provider drive.
-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.

Parameters

AuthType

Specifies the authentication method to use. Possible values for this parameter include:
Negotiate or 0
Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

The following example shows how to set this parameter to Basic.
-AuthType Basic

The following lists the acceptable values for this parameter:

  • Negotiate

  • Basic

Default Value: Microsoft.ActiveDirectory.Management.AuthType.Negotiate

Data Type: ADAuthType

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength

Credential


Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.

You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object. The following example shows how to create credentials.
$AdminCredentials = Get-Credential "Domain01\User01"

The following shows how to set the Credential parameter to these credentials.
-Credential $AdminCredentials

If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error.

Default Value:

Data Type: PSCredential

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength

Identity


Specifies an Active Directory principal object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.

Distinguished Name
Example: CN=SaraDavis,CN=Users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
SAM Account Name (sAMAccountName)
Example: saradavis

The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

Derived types, such as the following are also accepted:
- Microsoft.ActiveDirectory.Management.ADGroup
- Microsoft.ActiveDirectory.Management.ADUser
- Microsoft.ActiveDirectory.Management.ADComputer
- Microsoft.ActiveDirectory.Management.ADServiceAccount

This example shows how to set the parameter to a distinguished name.
-Identity "CN=saradavis,CN=Users,DC=corp,DC=contoso,DC=com"

This example shows how to set this parameter to a principal object instance named "principalInstance".
-Identity $principalInstance

Default Value:

Data Type: ADPrincipal

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       true (ByValue)  pipelineInput
  Position?                    1               position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength

MemberOf


Specifies the Active Directory groups to add a user, computer, or group to as a member. You can identify a group by providing one of the following values. Note: The identifier in parentheses is the LDAP display name for the attribute.

Distinguished Name
Example: CN=saradavisreports,CN=europe,CN=users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
Security Accounts Manager (SAM) Account Name (sAMAccountName)
Example: saradavisreports

If you are specifying more than one group, use commas to separate the groups in the list.

The following example shows how to specify this parameter by using SAM account name values.
-MemberOf "SaraDavisGroup", "JohnSmithGroup"

Default Value:

Data Type: ADGroup[]

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             true            variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    2               position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             true            variableLength

Partition


Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.
The following two examples show how to specify a value for this parameter.
-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"

-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"

In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated.

In AD DS environments, a default value for Partition will be set in the following cases:
- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
- If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain.

In AD LDS environments, a default value for Partition will be set in the following cases:
- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
- If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
- If none of the previous cases apply, the Partition parameter will not take any default value.

Default Value:

Data Type: string

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength

PassThru

Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

Default Value:

Data Type: switch

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength

Server


Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
Fully qualified domain name
Examples: corp.contoso.com
NetBIOS name
Example: CORP

Directory server values:
Fully qualified directory server name
Example: corp-DC12.corp.contoso.com
NetBIOS name
Example: corp-DC12
Fully qualified directory server name and port
Example: corp-DC12.corp.contoso.com:3268

The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
-By using Server value from objects passed through the pipeline.
-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
-By using the domain of the computer running Powershell.

The following example shows how to specify a full qualified domain name as the parameter value.
-Server "corp.contoso.com"

Default Value:

Data Type: string

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    true            required
  Variable Length?             false           variableLength

Confirm

Prompts you for confirmation before executing the command.

Default Value:


Data Type: SwitchParameter

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             true            variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength

WhatIf

Describes what would happen if you executed the command without actually executing the command.

Default Value:


Data Type: SwitchParameter

Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             true            variableLength
  Accept wildcard characters?  false           globbing
  Accept Pipeline Input?       false           pipelineInput
  Position?                    named           position

Value Attributes

  Name                         Value           PSMAML Attribute
  Required?                    false           required
  Variable Length?             false           variableLength

Input Type

Microsoft.ActiveDirectory.Management.ADPrincipal



A principal object (Microsoft.ActiveDirectory.Management.ADPrincipal) that represents a user, computer or group is received by the Identity parameter. Derived types, such as the following are also received by this parameter.
Microsoft.ActiveDirectory.Management.ADUser
Microsoft.ActiveDirectory.Management.ADComputer
Microsoft.ActiveDirectory.Management.ADServiceAccount
Microsoft.ActiveDirectory.Management.ADGroup

Return Type

None or Microsoft.ActiveDirectory.Management.ADPrincipal


Returns a principal object that represents the modified user, computer or group object when the PassThru parameter is specified. By default, this cmdlet does not generate any output.

Notes


  • This cmdlet does not work with a read-only domain controller.
  • This cmdlet does not work with an Active Directory Snapshot.



Examples

-------------------------- EXAMPLE 1 --------------------------

Command Prompt: C:\PS>


Add-ADPrincipalGroupMembership -Identity SQLAdmin1 -MemberOf DlgtdAdminsPSOGroup

Adds the user with SamAccountName "SQLAdmin1" to the group "DlgtdAdminsPSOGroup".

-------------------------- EXAMPLE 2 --------------------------

Command Prompt: C:\PS>


Get-ADUser -Filter 'Name -like "*SvcAccount*"' | Add-ADPrincipalGroupMembership -MemberOf SvcAccPSOGroup

Gets all users with "SvcAccount" in their name and adds it to the group "SvcAccPSOGroup".

-------------------------- EXAMPLE 3 --------------------------

Command Prompt: C:\PS>


Add-ADPrincipalGroupMembership

cmdlet Add-ADPrincipalGroupMembership at command pipeline position 1
Supply values for the following parameters:
Identity: JeffPrice
MemberOf[0]: RodcAdmins
MemberOf[1]: Allowed RODC Password Replication Group
MemberOf[2]:

Description

-----------

Demonstrates the default behavior of this cmdlet (no parameters specified).

-------------------------- EXAMPLE 4 --------------------------

Command Prompt: C:\PS>


Get-ADUser -Server localhost:60000 -SearchBase "DC=AppNC" -filter { Title -eq "Account Lead" -and Office -eq "Branch1" } |
Add-ADPrincipalGroupMembership -MemberOf "CN=AccountLeads,OU=AccountDeptOU,DC=AppNC"

Adds all employees in "Branch1" in the AD LDS instance "localhost:60000" whose title is "Account Lead" to the group with the DistinguishedName "CN=AccountLeads,OU=AccountDeptOU,DC=AppNC".


Source: Windows Server Commands, References, and Tools : Add-ADPrincipalGroupMembership
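An added example, not part of the reposted TechNet page, that applies Add-ADPrincipalGroupMembership to a CSV of user/group pairs the way the thread's original question asked for: it adds only the memberships that are missing (so re-runs are safe), refuses groups under AdminSDHolder protection (adminCount=1) unless explicitly allowed, and writes a transcript. The CSV path, log path and column names are assumptions.

```powershell
# Added example, not from the TechNet page: bulk group membership from a CSV.
# Assumed CSV layout (constructed sample):
#   SamAccountName,GroupName
#   alice,gBOX
#   alice,gBXO
#   bob,gGXO
param(
    [string]$CsvPath = "C:\members.csv",                                      # assumed path
    [string]$LogPath = "C:\members_$(Get-Date -Format 'yyyyMMdd_HHmmss').log", # assumed path
    [switch]$AllowPrivileged,   # required before touching adminCount=1 groups
    [switch]$DryRun             # report only; passes -WhatIf to the cmdlet
)
Import-Module ActiveDirectory
Start-Transcript -Path $LogPath
try {
    # One directory operation per user: collect every row for the same account.
    foreach ($byUser in (Import-Csv -Path $CsvPath | Group-Object -Property SamAccountName)) {
        $sam    = $byUser.Name
        $wanted = $byUser.Group | ForEach-Object { $_.GroupName.Trim() } | Select-Object -Unique
        try {
            $principal = Get-ADUser -Identity $sam -ErrorAction Stop
        } catch {
            Write-Warning "Skipping '$sam': user not found"
            continue
        }
        # Current memberships, so the script only adds what is missing.
        $current = Get-ADPrincipalGroupMembership -Identity $principal |
            Select-Object -ExpandProperty SamAccountName
        $targets = foreach ($name in $wanted) {
            if ($current -contains $name) { continue }
            try {
                $grp = Get-ADGroup -Identity $name -Properties adminCount -ErrorAction Stop
            } catch {
                Write-Warning "Group '$name' for '$sam' not found, skipped"
                continue
            }
            # adminCount=1 marks groups protected by AdminSDHolder (Domain Admins and
            # the like); such additions must not ride along silently in a bulk import.
            if ($grp.adminCount -eq 1 -and -not $AllowPrivileged) {
                Write-Warning "Refusing to add '$sam' to protected group '$name' (use -AllowPrivileged)"
                continue
            }
            $grp
        }
        if (-not $targets) { Write-Output "$sam : nothing to add"; continue }
        # ADUser and ADGroup objects are accepted directly (derived ADPrincipal types).
        Add-ADPrincipalGroupMembership -Identity $principal -MemberOf $targets -WhatIf:$DryRun
        Write-Output "$sam -> $($targets.SamAccountName -join ', ')"
    }
} finally {
    Stop-Transcript
}
```

Run it once with -DryRun and read the transcript before the real run; every refused or skipped row is in the log.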
Posted by 冷日 (Webmaster)
[Repost] AD Group Batch Insert, 冷日's template
After doing the homework above, what 冷日 ended up doing was:
1. First make a CSV
Template:
OU,OU_FullName,OU_Desc,Group,Group_Desc
AOX,"OU=AOX,OU=theComOU,DC=comName,DC=org,DC=tw",總經理,g0OX,總經理群組
AXO,"OU=AXO,OU=theComOU,DC=comName,DC=org,DC=tw",留職停薪,gAXO,留職停薪群組
BOX,"OU=BOX,OU=theComOU,DC=comName,DC=org,DC=tw",秘書室,gBOX,秘書室群組
BXO,"OU=BXO,OU=theComOU,DC=comName,DC=org,DC=tw",法務部,gBXO,法務部群組
GOX,"OU=GOX,OU=theComOU,DC=comName,DC=org,DC=tw",台南客服,gGOX,台南客服群組
GXO,"OU=GXO,OU=theComOU,DC=comName,DC=org,DC=tw",高雄客服,gGXO,高雄客服群組

2. Write a PowerShell script
Template:
# Loads the AD cmdlets (needed when not started from an AD PowerShell console)
Import-Module ActiveDirectory
# Imports groups and description list from CSV file
$GetOUWithDesc = Import-CSV "OU_Group_Desc_Import_Mapping.csv"

foreach ($item in $GetOUWithDesc) {
    # Map variables from CSV
    $group = $item.'Group'
    $description = $item.'Group_Desc'
    $oupath = $item.'OU_FullName'
    # Creates Active Directory Group
    New-ADGroup -Name $group -GroupScope Global -Description $description -Path $oupath
}

3. Upload the files to the 2012 Server
4. Run the PowerShell script
5. Check in AD, done!
Posted by 冷日 (Webmaster)
[Repost] Advanced Active Directory Replication and Topology Management Using Windows PowerShell (Level 200)

Advanced Active Directory Replication and Topology Management Using Windows PowerShell (Level 200)

Applies To: Windows Server 2012

This topic explains the new AD DS replication and topology management cmdlets in detail and provides additional examples. For an introduction, see Active Directory Replication and Topology Management Using Windows PowerShell.

Introduction

Windows Server 2012 extends the Active Directory module for Windows PowerShell with 25 new cmdlets for managing replication and forest topology. Previously, you could only use the generic *-AdObject nouns or call .NET functions.

Like all Active Directory Windows PowerShell cmdlets, this functionality requires the Active Directory Management Gateway Service to be installed on at least one domain controller (and preferably on all of them).

The following table lists the replication and topology cmdlets added to the Active Directory Windows PowerShell module.

  Cmdlet                                    Description
  Get-ADReplicationAttributeMetadata        Returns the attribute replication metadata of an object
  Get-ADReplicationConnection               Returns domain controller connection object details
  Get-ADReplicationFailure                  Returns the most recent replication failures of a domain controller
  Get-ADReplicationPartnerMetadata          Returns the replication configuration of a domain controller
  Get-ADReplicationQueueOperation           Returns the current pending replication queue
  Get-ADReplicationSite                     Returns site information
  Get-ADReplicationSiteLink                 Returns site link information
  Get-ADReplicationSiteLinkBridge           Returns site link bridge information
  Get-ADReplicationSubnet                   Returns AD subnet information
  Get-ADReplicationUpToDatenessVectorTable  Returns the UTD vector of a domain controller
  Get-ADTrust                               Returns information about inter-domain or inter-forest trusts
  New-ADReplicationSite                     Creates a new site
  New-ADReplicationSiteLink                 Creates a new site link
  New-ADReplicationSiteLinkBridge           Creates a new site link bridge
  New-ADReplicationSubnet                   Creates a new AD subnet
  Remove-ADReplicationSite                  Deletes a site
  Remove-ADReplicationSiteLink              Deletes a site link
  Remove-ADReplicationSiteLinkBridge        Deletes a site link bridge
  Remove-ADReplicationSubnet                Deletes an AD subnet
  Set-ADReplicationConnection               Modifies a connection
  Set-ADReplicationSite                     Modifies a site
  Set-ADReplicationSiteLink                 Modifies a site link
  Set-ADReplicationSiteLinkBridge           Modifies a site link bridge
  Set-ADReplicationSubnet                   Modifies an AD subnet
  Sync-ADObject                             Forces replication of a single object

Most of these cmdlets have their basis in Repadmin.exe. The other (unlisted) cmdlets handle functionality such as Dynamic Access Control and group Managed Service Accounts.

For a complete list of all Active Directory Windows PowerShell cmdlets, run:



Get-command -module ActiveDirectory

For a complete list of the arguments of all Active Directory Windows PowerShell cmdlets, see the help. For example:



Get-help New-ADReplicationSite

Use the Update-Help cmdlet to download and install the help files.

Replication and Metadata

Repadmin.exe validates the health and consistency of Active Directory replication. Repadmin.exe offers simple data management options (for example, some arguments support CSV output), but automation usually requires parsing its text output. The Active Directory module for Windows PowerShell is the first attempt to provide options that give real control over the returned data; previously, you had to write scripts or use third-party tools.

In addition, the following cmdlets implement the new parameter set Target, Scope and EnumerationServer:

  • Get-ADReplicationFailure

  • Get-ADReplicationPartnerMetadata

  • Get-ADReplicationUpToDatenessVectorTable

The Target argument accepts a comma-separated list of strings identifying the target servers, sites, domains or forests named by the Scope argument. It also accepts an asterisk (*), meaning all servers in the specified scope. If no scope is specified, it means all servers in the current user's forest. The Scope argument specifies the scope of the search. The acceptable values are Server, Site, Domain and Forest. The server specified by EnumerationServer enumerates the list of domain controllers specified by Target and Scope. It works the same way as the Server argument and requires that the specified server runs the Active Directory Web Services.

To introduce the new cmdlets, the following example scenarios show functionality that repadmin.exe cannot perform; these instances make the administrative possibilities clear. For specific usage requirements, review the cmdlet help.

Get-ADReplicationAttributeMetadata

This cmdlet is similar to repadmin.exe /showobjmeta. It returns replication metadata, such as the originating domain controller, the version and USN information from when an attribute changed, together with the attribute data. This cmdlet is useful for auditing where and when a change was made.

Unlike Repadmin, Windows PowerShell offers flexible search and output control. For example, you can output the metadata of the Domain Admins object as a sorted, easy-to-read list:



Get-ADReplicationAttributeMetadata -object "cn=domain admins,cn=users,dc=corp,dc=contoso,dc=com" -server dc1.corp.contoso.com -showalllinkedvalues | format-list

Or you can arrange the data into a table, similar to repadmin:



Get-ADReplicationAttributeMetadata -object "cn=domain admins,cn=users,dc=corp,dc=contoso,dc=com" -server dc1.corp.contoso.com -showalllinkedvalues | format-table -wrap

Or you can pipe the output of the Get-Adobject cmdlet with a filter (for example all groups, then combined with a specific date) to get the metadata for an entire object class. The pipeline is the channel used to pass data between multiple cmdlets. To see all groups that were modified for any reason on January 13, 2012:



get-adobject -filter 'objectclass -eq "group"' | Get-ADReplicationAttributeMetadata -server dc1.corp.contoso.com | where-object {$_.lastoriginatingchangetime -like "*1/13/2012*" -and $_.attributename -eq "name"} | format-table object

For more information about Windows PowerShell operations with the pipeline, see Piping and the Pipeline in Windows PowerShell.

Or, to find every group that has Tony Wang as a member, and when the group was last modified:



get-adobject -filter 'objectclass -eq "group"' | Get-ADReplicationAttributeMetadata -server dc1.corp.contoso.com -showalllinkedvalues | where-object {$_.attributevalue -like "*tony wang*"} | format-table object,LastOriginatingChangeTime,version -auto

Or, to find all objects in the domain that were authoritatively restored from a system state backup, based on their artificially high version:



get-adobject -filter 'objectclass -like "*"' | Get-ADReplicationAttributeMetadata -server dc1.corp.contoso.com | where-object {$_.version -gt "100000" -and $_.attributename -eq "name"} | format-table object,LastOriginatingChangeTime

Or, to send all user metadata to a CSV file for later examination in Microsoft Excel:



get-adobject -filter 'objectclass -eq "user"' | Get-ADReplicationAttributeMetadata -server dc1.corp.contoso.com -showalllinkedvalues | export-csv allgroupmetadata.csv

Get-ADReplicationPartnerMetadata

This cmdlet returns information about the replication configuration and state of a domain controller, for monitoring, inventory or troubleshooting. Unlike Repadmin.exe, using Windows PowerShell means you see only the data that matters to you, in the format you want.

For example, the readable replication state of a single domain controller:



Get-ADReplicationPartnerMetadata -target dc1.corp.contoso.com

Or, to view the last inbound replication of a domain controller and its replication partners in table format:



Get-ADReplicationPartnerMetadata -target dc1.corp.contoso.com | format-table lastreplicationattempt,lastreplicationresult,partner -auto

Or, to contact all domain controllers in the forest and show those whose last replication attempt failed for any reason:



Get-ADReplicationPartnerMetadata -target * -scope server | where {$_.lastreplicationresult -ne "0"} | ft server,lastreplicationattempt,lastreplicationresult,partner -auto

Get-ADReplicationFailure

This cmdlet returns information about recent errors during replication. It is similar to Repadmin.exe /showreplsum, but again, using Windows PowerShell allows more control.

For example, you can return the most recent failures of a domain controller and the replication partners it could not contact:



Get-ADReplicationFailure dc1.corp.contoso.com

Or, return a table view of all servers in a specific AD logical site, sorted for easier viewing and containing only the most important data:



Get-ADReplicationFailure -scope site -target default-first-site-name | format-table server,firstfailuretime,failurecount,lasterror,partner -auto

Get-ADReplicationQueueOperation and Get-ADReplicationUpToDatenessVectorTable

These two cmdlets return other aspects of how up to date a domain controller is, including pending replication and version vector information.

Sync-ADObject

This cmdlet is similar to running Repadmin.exe /replsingleobject. It is useful when you make changes that require out-of-band replication, especially when fixing problems.

For example, if someone deleted the President's user account and restored it with the Active Directory Recycle Bin, you probably want to replicate it to all domain controllers immediately. You may also want to do this without forcing replication of all other object changes; after all, that is why replication schedules exist (they keep WAN links from being overloaded).



Get-ADDomainController -filter * | foreach {Sync-ADObject -object "cn=tony wang,cn=users,dc=corp,dc=contoso,dc=com" -source dc1 -destination $_.hostname}

Topology

While Repadmin.exe is good at returning information about replication topology, such as sites, site links, site link bridges and connections, it does not have a complete set of arguments for making changes. In fact, there has never been a scriptable, bundled Windows utility specifically designed for administrators to create and modify AD DS topology. Because Active Directory is now very mature in many customer environments, the need to modify Active Directory logical information in bulk has become important.

For example, with the rapid expansion of new branch offices combined with consolidation of others, you may have hundreds of site changes to process based on physical locations, network changes and new capacity requirements. Rather than making the changes with Dssites.msc and Adsiedit.msc, you can automate them. This is especially convenient when you work from spreadsheet data provided by the network and facilities teams.

The Get-Adreplication* cmdlets return information about the replication topology and are useful when piping output in bulk to the Set-Adreplication* cmdlets. The Get cmdlets do not change data; they only display it or create Windows PowerShell session objects that can be piped to the Set-Adreplication* cmdlets. The New and Remove cmdlets create or remove Active Directory topology objects.

For example, you can create new sites from a CSV file:



import-csv -path C:\newsites.csv | new-adreplicationsite

Or, create a new site link between two existing sites, with a custom replication interval and site cost:



new-adreplicationsitelink -name "chicago<-->waukegan" -sitesincluded chicago,waukegan -cost 50 -replicationfrequencyinminutes 15

Or, find every site link in the forest and set the flag in its Options attribute that enables inter-site change notification, so that replication happens at maximum speed, with compression:



get-adreplicationsitelink -filter * -properties options | foreach-object { set-adobject $_ -replace @{options=($_.options -bor 1)} }

Important

Setting -bor 5 also disables compression on those site links.

Or, find all sites that lack a subnet assignment, so you can reconcile the list against the actual subnets at those locations:



Get-ADReplicationSite -Filter * -Properties subnets | Where-Object { -not $_.subnets } | Format-Table name


Original source: Microsoft TechNet: Advanced Active Directory Replication and Topology Management Using Windows PowerShell (Level 200)
冷日
[Share] 冷日's template for creating OUs and groups at the same time
Since the OUs may also need to be created automatically, 冷日 has updated 冷日's example once more. The procedure is as follows:
1. First make a CSV
Template:
OU,OU_FullName,OU_Desc,Group,Group_Desc
AOX,"OU=AOX,OU=theComOU,DC=comName,DC=org,DC=tw",總經理,g0OX,總經理群組
AXO,"OU=AXO,OU=theComOU,DC=comName,DC=org,DC=tw",留職停薪,gAXO,留職停薪群組
BOX,"OU=BOX,OU=theComOU,DC=comName,DC=org,DC=tw",秘書室,gBOX,秘書室群組
BXO,"OU=BXO,OU=theComOU,DC=comName,DC=org,DC=tw",法務部,gBXO,法務部群組
GOX,"OU=GOX,OU=theComOU,DC=comName,DC=org,DC=tw",台南客服,gGOX,台南客服群組
GXO,"OU=GXO,OU=theComOU,DC=comName,DC=org,DC=tw",高雄客服,gGXO,高雄客服群組

2. Write a PowerShell script
Template:
# Imports OUs, groups and their descriptions from the CSV file
$GetOUWithDesc = Import-Csv "OU_Group_Desc_Import_Mapping.csv"

foreach ($item in $GetOUWithDesc) {
    # Map variables from the CSV columns
    $ou          = $item.'OU'
    $baseou      = "OU=theComOU,DC=comName,DC=org,DC=tw"
    $oudesc      = $item.'OU_Desc'
    $group       = $item.'Group'
    $description = $item.'Group_Desc'
    $oupath      = $item.'OU_FullName'
    # Creates the Active Directory organizational unit
    New-ADOrganizationalUnit -Name $ou -Path $baseou -Description $oudesc
    # Creates the Active Directory group inside the OU just created
    New-ADGroup -Name $group -GroupScope Global -Description $description -Path $oupath
}

3. Upload the files to the 2012 Server
4. Run the PowerShell script
5. Remember to write a log when running it
6. Check the log, then check AD; if anything is missing or wrong, go back and fix it
7. Done
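An added example, not 冷日's script: the same CSV-driven OU and group creation, made idempotent (a re-run skips objects that already exist) and written to a transcript log as step 5 asks. It assumes the CSV columns of the template above, the ActiveDirectory module, and rights to create objects under $BaseOU.

```powershell
Import-Module ActiveDirectory

function New-OUAndGroupFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$BaseOU  = 'OU=theComOU,DC=comName,DC=org,DC=tw',   # same base as the template
        [string]$LogPath = ".\OU_Group_Import_$(Get-Date -Format yyyyMMdd_HHmmss).log"
    )
    Start-Transcript -Path $LogPath -Append | Out-Null
    try {
        # UTF8 matters: the descriptions are Chinese and would otherwise come in as '?'
        foreach ($r in (Import-Csv -Path $CsvPath -Encoding UTF8)) {
            if (-not $r.OU -or -not $r.Group) {
                Write-Warning "Skipping incomplete row: $($r | ConvertTo-Json -Compress)"
                continue
            }
            $ouDN = "OU=$($r.OU),$BaseOU"
            # The CSV also carries OU_FullName; flag rows where it disagrees with $BaseOU
            if ($r.OU_FullName -and $r.OU_FullName -ne $ouDN) {
                Write-Warning "OU_FullName for $($r.OU) is not under $BaseOU; using $ouDN"
            }
            try {
                # Create the OU only when it is not already there (the names in this CSV contain
                # no quotes, so interpolating them into -Filter is safe)
                $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$($r.OU)'" -SearchBase $BaseOU -SearchScope OneLevel
                if ($ou) {
                    Write-Host "OU exists, skipped: $ouDN"
                } elseif ($PSCmdlet.ShouldProcess($ouDN, 'New-ADOrganizationalUnit')) {
                    New-ADOrganizationalUnit -Name $r.OU -Path $BaseOU -Description $r.OU_Desc -ErrorAction Stop
                    Write-Host "OU created: $ouDN"
                } else {
                    # -WhatIf: the OU does not exist yet, so the group lookup below cannot run
                    Write-Host "Group $($r.Group) would be created in $ouDN"
                    continue
                }
                # Same pattern for the group, which lives inside that OU
                $grp = Get-ADGroup -Filter "Name -eq '$($r.Group)'" -SearchBase $ouDN -SearchScope OneLevel
                if ($grp) {
                    Write-Host "Group exists, skipped: $($r.Group)"
                } elseif ($PSCmdlet.ShouldProcess("CN=$($r.Group),$ouDN", 'New-ADGroup')) {
                    New-ADGroup -Name $r.Group -GroupScope Global -Path $ouDN -Description $r.Group_Desc -ErrorAction Stop
                    Write-Host "Group created: $($r.Group) in $ouDN"
                }
            } catch {
                # One bad row must not abort the batch; the transcript keeps the error for step 6
                Write-Error "Row '$($r.OU)': $($_.Exception.Message)"
            }
        }
    } finally {
        Stop-Transcript | Out-Null
    }
}

# Dry run first (nothing is created, the transcript shows what would be), then the real run
New-OUAndGroupFromCsv -CsvPath .\OU_Group_Desc_Import_Mapping.csv -WhatIf
New-OUAndGroupFromCsv -CsvPath .\OU_Group_Desc_Import_Mapping.csv
```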
冷日
[Repost] New-ADOrganizationalUnit

New-ADOrganizationalUnit

Creates a new Active Directory organizational unit.

Syntax



New-ADOrganizationalUnit [-Name] <string> [-AuthType {Negotiate | Basic}]
[-City <string>] [-Country <string>] [-Credential <PSCredential>]
[-Description <string>] [-DisplayName <string>] [-Instance <ADOrganizationalUnit>]
[-ManagedBy <ADPrincipal>] [-OtherAttributes <hashtable>] [-PassThru <switch>]
[-Path <string>] [-PostalCode <string>] [-ProtectedFromAccidentalDeletion <System.Nullable[bool]>]
[-Server <string>] [-State <string>] [-StreetAddress <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

  • Name
  • AuthType
  • City
  • Country
  • Credential
  • Description
  • DisplayName
  • Instance
  • ManagedBy
  • OtherAttributes
  • PassThru
  • Path
  • PostalCode
  • ProtectedFromAccidentalDeletion
  • Server
  • State
  • StreetAddress
  • Confirm
  • WhatIf

Detailed Description


The New-ADOrganizationalUnit cmdlet creates a new Active Directory organizational unit. You can set commonly used organizational unit property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter.

You must set the Name parameter to create a new organizational unit. When you do not specify the Path parameter, the cmdlet creates an organizational unit under the default NC head for the domain.
The following methods explain different ways to create an object by using this cmdlet.
Method 1: Use the New-ADOrganizationalUnit cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.
Method 2: Use a template to create the new object. To do this, create a new organizational unit object or retrieve a copy of an existing organizational unit object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet.
Method 3: Use the Import-CSV cmdlet with the New-ADOrganizationalUnit cmdlet to create multiple Active Directory organizational unit objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADOrganizationalUnit cmdlet to create the organizational unit objects.

Parameters

AuthType

Specifies the authentication method to use. Possible values for this parameter include:
Negotiate or 0
Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

The following example shows how to set this parameter to Basic.
-AuthType Basic

The following lists the acceptable values for this parameter:

  • Negotiate

  • Basic

Default Value: Microsoft.ActiveDirectory.Management.AuthType.Negotiate

Data Type: ADAuthType

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       false                  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

City


Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l".

The following example shows how to set this parameter.
-City "Las Vegas"

Default Value:

Data Type: string

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

Country

Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000.

The following example shows how to set this parameter.
-Country "IN"

Default Value:

Data Type: string


Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

Credential


Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.

You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object. The following example shows how to create credentials.
$AdminCredentials = Get-Credential "Domain01\User01"

The following shows how to set the Credential parameter to these credentials.
-Credential $AdminCredentials

If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error.

Default Value:

Data Type: PSCredential

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       false                  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

Description

Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".

The following example shows how to set this parameter to a sample description.
-Description "Description of the object"

Default Value:

Data Type: string

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

DisplayName


Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName".

The following example shows how to set this parameter.
-DisplayName "Sara Davis Laptop"

Default Value:

Data Type: string

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

Instance


Specifies an instance of an organizational unit object to use as a template for a new organizational unit object.

You can use an instance of an existing organizational unit object as a template or you can construct a new organizational unit object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create organizational unit object templates.

Method 1: Use an existing organizational unit object as a template for a new object. To retrieve an instance of an existing organizational unit object use Get-ADOrganizationalUnit. Then provide this object to the Instance parameter of the New-ADOrganizationalUnit cmdlet to create a new organizational unit object. You can override property values of the new object by setting the appropriate parameters.

$organizationalUnitInstance = Get-ADOrganizationalUnit -Identity accountingAsia
New-ADOrganizationalUnit -Name accountingAustralia -Instance $OrganizationalUnitInstance -Country Australia

Method 2: Create a new ADOrganizationalUnit object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADOrganizationalUnit cmdlet to create the new Active Directory organizational unit object.

$OrganizationalUnitInstance = New-Object Microsoft.ActiveDirectory.Management.ADOrganizationalUnit
$OrganizationalUnitInstance.Country = "Australia"
New-ADOrganizationalUnit -Name accountingAustralia -Instance $OrganizationalUnitInstance

Note: Specified attributes are not validated, so attempting to set attributes that do not exist or cannot be set will raise an error.

Default Value:

Data Type: ADOrganizationalUnit

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       false                  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

ManagedBy


Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property.
Distinguished Name
Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
SAM Account Name (sAMAccountName)
Example: saradavis

This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy".

The following example shows how to specify this parameter.
-ManagedBy ContosoAdmins

Default Value:

Data Type: ADPrincipal

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

Name

Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name".

The following example shows how to set this parameter to a name string.
-Name "SaraDavis"

Default Value:

Data Type: string

Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    2                      position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

OtherAttributes


Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema.

Syntax:
To specify a single value for an attribute:
-OtherAttributes @{'AttributeLDAPDisplayName'=value}
To specify multiple values for an attribute
-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...}

You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes:
-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...}

The following examples show how to use this parameter.

To set the value of a custom attribute called favColors that takes a set of Unicode strings, use the following syntax:
-OtherAttributes @{'favColors'="pink","purple"}

To set values for favColors and dateOfBirth simultaneously, use the following syntax:
-OtherAttributes @{'favColors'="pink","purple"; 'dateOfBirth'=" 01/01/1960"}

Default Value:

Data Type: hashtable

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       false                  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

PassThru

Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

Default Value:

Data Type: switch

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       false                  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

Path


Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created.

In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated.

In AD DS environments, a default value for Path will be set in the following cases:
- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container.
- If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain.

In AD LDS environments, a default value for Path will be set in the following cases:
- If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
- If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container.
- If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
- If none of the previous cases apply, the Path parameter will not take any default value.

The following example shows how to set this parameter to an OU.

-Path "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com"

Note: The Active Directory Provider cmdlets, such as New-Item, Remove-Item, Remove-ItemProperty, Rename-Item and Set-ItemProperty, also have a Path parameter. However, for the provider cmdlets the Path parameter identifies the path of the actual object, not the container as with the Active Directory cmdlets.

Default Value:

Data Type: string

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

PostalCode

Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode".

The following example shows how to set this parameter.
-PostalCode "28712"

Default Value:

Data Type: string

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

ProtectedFromAccidentalDeletion


Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include:
$false or 0
$true or 1

The following example shows how to set this parameter to true.
-ProtectedFromAccidentalDeletion $true

Default Value: $true

Data Type: System.Nullable[bool]

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

Server


Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
Fully qualified domain name
Examples: corp.contoso.com
NetBIOS name
Example: CORP

Directory server values:
Fully qualified directory server name
Example: corp-DC12.corp.contoso.com
NetBIOS name
Example: corp-DC12
Fully qualified directory server name and port
Example: corp-DC12.corp.contoso.com:3268

The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
- By using the Server value from objects passed through the pipeline.
- By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
- By using the domain of the computer running PowerShell.

The following example shows how to specify a full qualified domain name as the parameter value.
-Server "corp.contoso.com"

Default Value:

Data Type: string

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       false                  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

State

Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st".

The following example shows how to set this parameter.
-State "Nevada"

Default Value:

Data Type: string

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

StreetAddress


Specifies the organizational unit's street address. This parameter sets the StreetAddress property of an organizational unit object. The LDAP display name (ldapDisplayName) of this property is "street".

The following example shows how to set this parameter.
-StreetAddress "1200 Main Street"

Default Value:

Data Type: string

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       true (ByPropertyName)  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    true                   required
Variable Length?             false                  variableLength

Confirm

Prompts you for confirmation before executing the command.

Default Value:

Data Type: SwitchParameter

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             true                   variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       false                  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength


WhatIf

Describes what would happen if you executed the command without actually executing the command.

Default Value:

Data Type: SwitchParameter

Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             true                   variableLength
Accept wildcard characters?  false                  globbing
Accept Pipeline Input?       false                  pipelineInput
Position?                    named                  position

Value Attributes
Name                         Value                  PSMAML Attribute
Required?                    false                  required
Variable Length?             false                  variableLength

Input Type

None or Microsoft.ActiveDirectory.Management.ADOrganizationalUnit


An organizational unit object that is a template for the new organizational unit object is received by the Instance parameter.

Return Type

None or Microsoft.ActiveDirectory.Management.ADOrganizationalUnit


Returns the new organizational unit object when the PassThru parameter is specified. By default, this cmdlet does not generate any output.

Notes



  • This cmdlet does not work with an Active Directory Snapshot.
  • This cmdlet does not work with a read-only domain controller.


Examples

-------------------------- EXAMPLE 1 --------------------------

Command Prompt: C:\PS>


New-ADOrganizationalUnit -Name UserAccounts -Path "DC=FABRIKAM,DC=COM"

Creates a new OrganizationalUnit named 'UserAccounts' which is protected from accidental deletion.

-------------------------- EXAMPLE 2 --------------------------

Command Prompt: C:\PS>


New-ADOrganizationalUnit -Name UserAccounts -Path "DC=FABRIKAM,DC=COM" -ProtectedFromAccidentalDeletion $false

Creates a new OrganizationalUnit named 'UserAccounts' which is not protected from deletion.

-------------------------- EXAMPLE 3 --------------------------

Command Prompt: C:\PS>


New-ADOrganizationalUnit -Name UserAccounts -Path "DC=FABRIKAM,DC=COM" -OtherAttributes @{seeAlso="CN=HumanResourceManagers,OU=Groups,OU=Managed,DC=Fabrikam,DC=com";managedBy="CN=TomC,DC=FABRIKAM,DC=COM"}

Creates an OrganizationalUnit named 'UserAccounts' which is protected from accidental deletion, with the properties 'seeAlso' and 'managedBy' set to the specified values.

-------------------------- EXAMPLE 4 --------------------------

Command Prompt: C:\PS>


$ouTemplate = Get-ADOrganizationalUnit "OU=UserAccounts,DC=Fabrikam,DC=com" -properties seeAlso,managedBy; New-ADOrganizationalUnit -name TomCReports -instance $ouTemplate

Uses the data from the OrganizationalUnit 'OU=UserAccounts,DC=Fabrikam,DC=com' as a template for another new OrganizationalUnit.

-------------------------- EXAMPLE 5 --------------------------

Command Prompt: C:\PS>


New-ADOrganizationalUnit -name "Managed" -path "DC=AppNC" -server "FABRIKAM-SRV1:60000"

Creates a new OrganizationalUnit named 'Managed' in an LDS instance.


Original source: Microsoft TechNet: New-ADOrganizationalUnit
冷日
[Share] A few small tips for exporting from AD
Above it says to import OUs and groups into AD, but where does the data come from?
Apart from building the CSV file by hand, the most common source is probably an export from the AD you are migrating away from.

But when you export data from AD you get a pile of ? characters, right!?
That is because our idiot M$ has never truly fallen in love with UTF8!!!

So, when exporting data from AD, PowerShell does have Export-CSV, but you must tell it to use UTF8!
Export-Csv D:\Temp\TestReport.csv -Encoding UTF8 -NoTypeInformation


冷日's way of exporting OUs:
Get-ADOrganizationalUnit -Filter * -Properties Description | Select-Object name,distinguishedname,description | Export-Csv ADOUList.csv -Encoding UTF8 -NoTypeInformation

冷日's way of exporting groups:
Get-ADGroup -Properties * -Filter * | Select-Object name,distinguishedname,description | Export-Csv ADGPList.csv -Encoding UTF8 -NoTypeInformation

If you do not need to export everything (the whole AD root), you can narrow it down with -SearchBase
Example
Get-ADOrganizationalUnit -Filter * -Properties Description -SearchBase 'OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM'
Get-ADGroup -Properties * -Filter * -SearchBase 'OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM'


Reference documents:
M$ TechNet: Get-ADOrganizationalUnit
M$ TechNet: Get-ADGroup
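An added example, not 冷日's code: it exports the OUs under a search base together with the group(s) found in each OU, straight into the column layout that the import template earlier in this thread expects (OU,OU_FullName,OU_Desc,Group,Group_Desc), UTF-8 encoded, and then re-reads the file to catch the '?' problem described above. The search base and output file name are placeholders; the ActiveDirectory module is assumed.

```powershell
Import-Module ActiveDirectory

function Export-OUGroupMapping {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$OutFile
    )
    # Index groups by the DN of their parent container so each OU can look up its own groups
    $groupsByParent = @{}
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties Description |
        ForEach-Object {
            # Parent DN = the group DN with its leading "CN=<name>," removed (escaped commas kept)
            $parent = $_.DistinguishedName -replace '^CN=(?:\\,|[^,])+,', ''
            if (-not $groupsByParent.ContainsKey($parent)) { $groupsByParent[$parent] = @() }
            $groupsByParent[$parent] += $_
        }

    $rows = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope OneLevel -Properties Description |
        ForEach-Object {
            $ou     = $_
            $groups = $groupsByParent[$ou.DistinguishedName]
            # Keep the OU row even when no group lives in it; the Group columns stay blank
            if (-not $groups) { $groups = @($null) }
            foreach ($g in $groups) {
                $groupName = ''
                $groupDesc = ''
                if ($g) { $groupName = $g.Name; $groupDesc = $g.Description }
                [pscustomobject]@{
                    OU          = $ou.Name
                    OU_FullName = $ou.DistinguishedName
                    OU_Desc     = $ou.Description
                    Group       = $groupName
                    Group_Desc  = $groupDesc
                }
            }
        }

    # -Encoding UTF8 is what keeps the Chinese descriptions from turning into '?'
    $rows | Export-Csv -Path $OutFile -Encoding UTF8 -NoTypeInformation

    # Read the file back and warn if any description came back as replacement characters
    $bad = Import-Csv -Path $OutFile -Encoding UTF8 |
        Where-Object { ($_.OU_Desc + $_.Group_Desc) -match '\?{2,}|\uFFFD' }
    if ($bad) { Write-Warning "$(@($bad).Count) row(s) contain replacement characters; check the encoding" }
    return $rows
}

Export-OUGroupMapping -SearchBase 'OU=theComOU,DC=comName,DC=org,DC=tw' -OutFile .\OU_Group_Desc_Import_Mapping.csv
```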