40 CHAPTER 1 • USING POWERSHELL WITH ACTIVE DIRECTORY
Use the Active Directory Services Interface
Prior to Windows Server 2008 R2, if you wanted to manage Active Directory with PowerShell, you were limited to using the Active Directory Services Interface (ADSI). ADSI is a set of Common Object Model (COM) interfaces that allow you to programmatically work with directory services such as Active Directory. ADSI is very flexible, and once you get the hang of it, it's actually quite easy to work with. However, there is a learning curve involved, and sometimes your results can be inconsistent depending on the environment you're working in.
In Windows Server 2008 R2, you're provided with the Active Directory module, which simplifies a lot of tasks for which you previously needed ADSI. Even though there are many new Active Directory cmdlets, ADSI will still be needed for the more complex tasks that you'll want to perform. Therefore, a solid understanding of how to work with ADSI is necessary.
When you work with ADSI to manage objects in Active Directory, you’ll be doing
one of the following things: reading an object, updating an object, creating an
object, or deleting an object. All of ADSI’s functionality revolves around these
operations.
Retrieve an Object
The first step in any ADSI task is to bind to the object that you're working with. For example, if you want to read a user's logon name, you first need to bind to the user's object. You can use ADSI to bind to an object using the following PowerShell command:
$user = [ADSI]"LDAP://cn=Nora Shea,cn=users,dc=contoso,dc=com"
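The same bind, expanded into an added example that is not the book's code: it confirms the object exists before any attribute is read, reads the logon name the text refers to, and shows how the case-sensitive provider prefix fails. The distinguished name is the book's sample; the example assumes a domain-joined machine with read access to that object.

```powershell
# Added example, not from the book: bind to the sample user from the text,
# confirm the bind before touching attributes, then read a few of them.

$dn = 'LDAP://cn=Nora Shea,cn=users,dc=contoso,dc=com'   # book's sample DN; adjust for your domain

# [ADSI] does not contact the directory until a property is accessed, so a bad
# path is not reported at assignment time. Exists() forces a round trip and
# returns $false (instead of throwing) when the object is simply not found.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($dn)) {
    throw "No object found at $dn"
}

$user = [ADSI]$dn

# The type adapter hands back a DirectoryEntry, so the usual DirectoryEntry
# members are available alongside the Active Directory attributes of the object.
$user.GetType().FullName                     # System.DirectoryServices.DirectoryEntry
$user.SchemaClassName                        # user
$user.sAMAccountName                         # the logon name the text wants to read
$user.Properties['userPrincipalName'].Value

# The provider prefix is case sensitive. A malformed path such as the lowercase
# form is a bind error, not a "not found", so Exists() rethrows it.
try {
    $null = [System.DirectoryServices.DirectoryEntry]::Exists($dn.Replace('LDAP://', 'ldap://'))
} catch {
    "Lowercase provider rejected: $($_.Exception.Message)"
}
```

Checking with Exists() first keeps the failure mode explicit: a mistyped distinguished name yields a clear message at the point of binding rather than an opaque COM error on the first property read further down a script.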
In this example, the $user variable is being populated with Nora Shea's user object. In this command, the distinguished name of Nora's user object (cn=Nora Shea,cn=users,dc=contoso,dc=com) is used to identify which object to retrieve. By specifying LDAP:// at the beginning of the path, you tell ADSI that the provider is an LDAP-capable directory service such as Active Directory. It's important to note that this provider name is case sensitive. If you used ldap:// instead of LDAP://, you would get an error. The [ADSI] statement at the beginning of the command is called a type adapter. Its purpose is to ensure that the object retrieved conforms to a specific object type, which ensures consistency across the objects you work with. By specifying ADSI as the type adapter, you're telling PowerShell that the object is a System.DirectoryServices.DirectoryEntry object. This means the object will have the properties and methods that all DirectoryEntry objects have. In