Active Directory with PowerShell

Managing computer accounts

In previous sections, we have seen several operational tasks that can be performed on user accounts in Active Directory using PowerShell. This section focuses on performing similar operations on computer objects.

Managing computer objects is not much different from managing user objects. All you need to do is to use the correct cmdlets and the rest of the process remains the same.

The following topics are covered as a part of managing computer accounts using PowerShell. Let's go through these one by one and understand how we can accomplish them:

  • Creating computer accounts
  • Modifying computer properties
  • Enabling or disabling computer accounts
  • Deleting computer accounts

Creating computer accounts

Most system administrators do not create computer accounts manually in Active Directory. Instead, they join computers to the domain and the account gets created automatically. After automatic object creation, the administrator moves the computer accounts from the default container to the desired OU.

Well, this might look quite simple, so why is there a need to create a computer account manually? The aforementioned approach works for small organizations where one set of system administrators manages everything and holds all privileges. In large organizations, however, this is not feasible for various reasons. There, desktop/server builds happen in an automated way using deployment solutions such as Windows Deployment Services (WDS), where the build process looks for an existing computer account in AD in order to join the server/desktop to the domain. This process is called prestaging of computer accounts, and it has a good set of advantages, such as choosing the OU where you want to place the computer, its group membership, and so on.

So, let's now look at a few examples of creating a computer account. Active Directory provides a cmdlet called New-ADComputer to facilitate the computer account creation.

The following command will create a computer account with the name SRVMEM2 in the default computers container:

New-ADComputer -Name SRVMEM2 -PassThru

To create a computer account in a particular Organizational Unit in Active Directory, use the following command:

New-ADComputer -Name SRVMEM2 -Path "OU=Computers,OU=PROD,DC=techibee,DC=AD" -PassThru

Ensure that the OU mentioned in the preceding command exists prior to the computer account creation; if not, the command execution fails.

If you just want to create the computer account but keep it in a disabled state, the following command helps:

New-ADComputer -Name SRVMEM2 -Path "OU=Computers,OU=PROD,DC=techibee,DC=AD" -Enabled $false -PassThru

Note

Notice the -Enabled parameter in the preceding command; setting it to $false is what leaves the computer account disabled.

To see the list of other options for this cmdlet and some examples, read its complete help content. This can be done using the following command:

Get-Help New-ADComputer -Full
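The commands above create one account at a time. Prestaging is usually done for a batch of machines, and the book points out that New-ADComputer fails when the target OU does not exist. The following script is an added example (not from the book) that checks the OU first, skips names that already exist, and creates the rest in a disabled state; the computer names, the OU path and the description text are constructed sample values:

```powershell
# Added example: prestage a batch of computer accounts in a target OU, disabled,
# skipping any name that is already present in the directory.
Import-Module ActiveDirectory

$targetOu = "OU=Computers,OU=PROD,DC=techibee,DC=AD"   # sample OU from the chapter
$names    = @("SRVMEM2", "SRVMEM3", "SRVMEM4")         # constructed sample names

# New-ADComputer fails if the OU is missing, so verify it before creating anything.
try {
    $null = Get-ADOrganizationalUnit -Identity $targetOu -ErrorAction Stop
} catch {
    throw "Target OU '$targetOu' was not found; create it before prestaging accounts."
}

foreach ($name in $names) {
    # Get-ADComputer -Identity throws when the object is missing; a filter returns $null instead.
    $existing = Get-ADComputer -Filter "Name -eq '$name'"
    if ($existing) {
        Write-Warning "Computer account '$name' already exists at $($existing.DistinguishedName); skipping."
        continue
    }

    # Create the account disabled; the build process enables it when the machine joins.
    New-ADComputer -Name $name `
                   -Path $targetOu `
                   -Enabled $false `
                   -Description "Prestaged for automated build" `
                   -PassThru |
        Select-Object Name, DistinguishedName, Enabled
}
```

Keeping prestaged accounts disabled until the build actually joins the machine means an unused account cannot be claimed by a stray device in the meantime, which is why the -Enabled $false form from the text is used here rather than the default.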

Modifying computer accounts

Computer account attributes often need to be modified. For example, because many computer accounts are created before the computers are actually assigned to users, attributes such as description, department, and location cannot be configured at the time an account is created. In addition, the ownership of a computer can be transferred to a new user or department, or a computer might be physically moved to a new location. In such circumstances, the computer account attributes need to be modified.

Let's see the PowerShell way of doing this using various cmdlets available for computer objects.

Setting the description for a computer account

Active Directory PowerShell module has the Set-ADComputer cmdlet for modifying computer account properties in Active Directory. Remember the Set-ADUser cmdlet we used for modifying user object properties? It is similar to that but for computer accounts.

To update the description of a single computer, you can use the following command. This example updates the description of the SRVMEM1 computer object:

Set-ADComputer -Identity SRVMEM1 -Description "Member Server"

The Set-ADComputer cmdlet has the ability to set values for the majority of object attributes. To see the list of attributes it can set, check its help content using the following command:

Get-Help Set-ADComputer -Full

You can use the Get-ADComputer command to check if the description is set as shown in the following screenshot:

[Screenshot: Setting the description for a computer account]
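Get-ADComputer returns only a small default set of attributes, so the description will not appear unless you ask for it. The following added example (not from the book) sets the description together with two other attributes the text mentions, location and department, and then reads them back to confirm the change; the attribute values are constructed:

```powershell
# Added example: set several attributes on one computer account, then verify them.
Import-Module ActiveDirectory

$computer = "SRVMEM1"   # computer account used in the chapter

# Description and Location are named parameters of Set-ADComputer.
# 'department' has no named parameter, so it is written through -Replace.
Set-ADComputer -Identity $computer `
               -Description "Member Server" `
               -Location "Datacenter 1, Rack 12" `
               -Replace @{ department = "Finance" }

# Read the attributes back; -Properties is required for anything outside the default set.
Get-ADComputer -Identity $computer -Properties Description, Location, department |
    Select-Object Name, Description, Location, department
```

Reading the object back after a change is a cheap habit that catches typos in attribute names or values before a later report or script depends on them.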

Moving computer accounts to a different OU

Sometimes you might need to move computer accounts to different OUs: a user may change location, server accounts may need to be segregated according to their roles, or you might want to move computer accounts from the default container to the OUs for their respective office locations.

Let's see a few of the examples related to computer account movements across Organizational Units. As we have done for user accounts, here too we can make use of the Move-ADObject cmdlet to move computer accounts from one OU to another. The following command moves the SRVMEM1 computer account from the default computer container to Computers OU inside PROD OU:

Move-ADObject -Identity "CN=SRVMEM1,CN=Computers,DC=techibee,DC=ad" -TargetPath "OU=Computers,OU=PROD,DC=techibee,DC=ad" -PassThru

Since it is not always practical to supply the full DN of the object we want to move, we can instead use the Get-ADComputer or Search-ADAccount cmdlet to find it by name or some other property and then pass the output to the Move-ADObject cmdlet. The following example demonstrates this:

Get-ADComputer -Filter "name -eq 'SRVMEM1'" | Move-ADObject -TargetPath "OU=Computers,OU=PROD,DC=techibee,DC=ad" -PassThru

Similarly, we search for a string in the description of the computer objects and move them to the designated OU using the following command:

Get-ADComputer -Filter "description -like '*server*'" | Move-ADObject -TargetPath "OU=Computers,OU=PROD,DC=techibee,DC=ad" -PassThru

This command will look for computer accounts that have the string server in their description and will move them to the designated OU. Similarly, you can search based on any other criteria and move them to different OUs, as shown in the preceding command.
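The description-based move above depends on administrators having filled in the description consistently. A more reliable attribute for segregating by role is OperatingSystem, which the machine itself populates when it joins. The following added example (not from the book) moves accounts out of the default Computers container into a Servers or Workstations OU based on that attribute, leaves accounts with no operating system recorded (typically prestaged, not yet joined) where they are, and supports -WhatIf so the plan can be previewed; the Servers and Workstations OU paths are constructed:

```powershell
# Added example: move computer accounts into role-based OUs by OperatingSystem,
# with -WhatIf support so the moves can be reviewed before they happen.
Import-Module ActiveDirectory

function Move-ComputersByRole {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase    = "CN=Computers,DC=techibee,DC=ad",               # default container
        [string]$ServerOu      = "OU=Servers,OU=PROD,DC=techibee,DC=ad",         # constructed OU
        [string]$WorkstationOu = "OU=Workstations,OU=PROD,DC=techibee,DC=ad"     # constructed OU
    )

    # OperatingSystem is not in the default attribute set, so request it explicitly.
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope OneLevel `
                                -Properties OperatingSystem

    foreach ($c in $computers) {
        if ([string]::IsNullOrEmpty($c.OperatingSystem)) {
            # Prestaged or never-joined accounts have no OS yet; do not guess their role.
            Write-Verbose "Skipping $($c.Name): no operating system recorded"
            continue
        }

        $target = if ($c.OperatingSystem -like "*Server*") { $ServerOu } else { $WorkstationOu }

        # ShouldProcess honours -WhatIf and -Confirm passed to this function.
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Move to $target")) {
            $c | Move-ADObject -TargetPath $target -PassThru |
                Select-Object Name, DistinguishedName
        }
    }
}

# Preview the moves first; rerun without -WhatIf to apply them.
Move-ComputersByRole -WhatIf -Verbose
```

Because the OU determines which Group Policy a machine receives, a mistaken bulk move can change security settings on every affected computer at once; previewing with -WhatIf before applying is the check a practitioner would want here.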

Enabling or disabling computer accounts

As a system administrator, you are required to keep your Active Directory database clean, tidy, and minimal in size. You must also adhere to the security policies of the organization, which often means reconciling computer account data monthly, quarterly, and annually in accordance with those policies.

The cmdlet we use here is not specific to computer objects; it can also be used for any Active Directory user, computer, or service accounts.

Use the following command to enable a particular computer:

Get-ADComputer -Identity COMP1 | Enable-ADAccount

To enable multiple computer accounts, you can use filters in conjunction with the Get-ADComputer or Search-ADAccount cmdlets. The following command will search for computer accounts inside the given OU and it will enable all of them:

Get-ADComputer -Filter "*" -SearchBase "OU=Computers,OU=PROD,DC=techibee,DC=ad" | Enable-ADAccount -PassThru

Similarly, to disable computer accounts, just replace Enable-ADAccount with the Disable-ADAccount cmdlet. The following command disables all of the computers inside the given OU:

Get-ADComputer -Filter "*" -SearchBase "OU=Computers,OU=PROD,DC=techibee,DC=ad" | Disable-ADAccount -PassThru
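Disabling every computer in an OU is rarely what the periodic reconciliation mentioned above actually calls for; the usual target is accounts whose computers have stopped logging on, since an unused but still-enabled computer account is a credential that nobody is watching. The following added example (not from the book) uses Search-ADAccount to find computer accounts inactive for 90 days within the chapter's OU, reports them, and stamps and disables each one, with -WhatIf in place so the first run only shows what would change; the inactivity threshold and the description stamp are constructed choices:

```powershell
# Added example: report computer accounts inactive for N days and disable them,
# recording the reason in the description so the change is traceable later.
Import-Module ActiveDirectory

$inactiveDays = 90
$searchBase   = "OU=Computers,OU=PROD,DC=techibee,DC=ad"   # OU used in the chapter
$stamp        = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive more than $inactiveDays days"

# -ComputersOnly restricts the search to computer objects; -AccountInactive uses lastLogonTimestamp.
$stale = Search-ADAccount -AccountInactive `
                          -TimeSpan ([TimeSpan]::FromDays($inactiveDays)) `
                          -ComputersOnly `
                          -SearchBase $searchBase |
         Where-Object { $_.Enabled }   # accounts already disabled need no action

# Report before acting. lastLogonTimestamp replicates with a delay of up to about two weeks,
# so LastLogonDate is approximate; review the list rather than trusting it blindly.
$stale | Select-Object Name, LastLogonDate, DistinguishedName | Format-Table -AutoSize

foreach ($acct in $stale) {
    # Remove -WhatIf from both lines once the report has been reviewed.
    Set-ADComputer -Identity $acct.DistinguishedName -Description $stamp -WhatIf
    Disable-ADAccount -Identity $acct.DistinguishedName -WhatIf
}
```

Writing the date and reason into the description before disabling gives the next person who looks at the account enough context to decide whether it can be re-enabled or deleted, which is what makes the quarterly or annual reconciliation repeatable.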

Explore more by referring to the help content of these cmdlets. For example, to see the help of the Get-ADComputer cmdlet, you can use the following command:

Get-Help Get-ADComputer -Detailed

You can read the help content from TechNet site as well (http://technet.microsoft.com/en-us/library/ee617192.aspx).