PowerShell: migrating a domain, by carlossanchez mikeyoshiominguell

2-6-2015. PowerShell: Migrating a domain. Tutor: Antonio Fernández Rios. Mike Yoshi’o Minguell and Carlos Sánchez. JESUÏTES | JOAN XXIII, ASIX2, course 2014-15

Upload: mike-yoshio-minguell-pont

Post on 06-Nov-2015


DESCRIPTION

Migrating a full Active Directory structure to another server with PowerShell scripts. This project is written in Catalan and English.

TRANSCRIPT


Index
- Project approach
- PowerShell
  - Why?
  - What for?
  - Advantages of scripts
  - Disadvantages of scripts
  - Third-party libraries
- Theoretical commands for the export
  - Exporting CSV files (Explanation, Command, Parameters)
  - Exporting Organizational Units, OU (Explanation, Command, Parameters)
  - Exporting groups GG, GL, GU (Explanation, Command, Parameters)
  - Exporting users (Explanation, Command, Parameters)
- Theoretical commands for the import
  - Importing CSV files (Explanation, Command, Parameters)
  - Importing Organizational Units, OU (Explanation, Command, Parameters)
  - Importing security groups GG, GL, GU (Explanation, Command, Parameters)
  - Importing users (Explanation, Command, Parameters)
- Creating the export scripts
  - Export script for Organizational Units, OU
  - Export script for security groups GG, GL, GU (Exporting GG, Exporting GL, Exporting GU)
  - Export script for users
- Creating the import scripts
  - Import scripts for Organizational Units, OU
  - Import scripts for security groups GG, GL, GU (GG, GL, GU)
  - Import scripts for users
- Practical demonstration of the scripts in use
  - Export
  - Import
- Technical conclusions
- Conclusions and personal opinions
- Webography

Project approach

For this project we were asked to export the structure of a domain controller hosted on a Windows 2008R2 server to a CSV file or similar, using PowerShell scripting, so that the whole extracted structure can be imported into a new server, also Windows 2008R2, where it must be fully functional and exactly the same as the original.

As already mentioned, the source server must have an existing configuration. We work with several Active Directory domains implemented on domain controllers running Windows Server 2008R2 Enterprise. For practice and testing we want the option of copying and pasting complete containers, either within the same domain or into a different one. This lets us keep the original structure safe from any failed exercise or test. From the graphical application UEAD (Usuarios y Equipos de Active Directory, that is, Active Directory Users and Computers) we can only move a container; there is no option to duplicate one.

Although we have already outlined the objective of the project, to state it in more detail: it consists of duplicating a parent container into a destination container, including the main objects that the parent container holds: child containers, security groups and the users they contain.

After studying the different alternatives:
- Copying manually, object by object, from the UEAD application.
- Creating BAT batch files.
- Creating scripts with PowerShell.

we concluded that the best option is to use PowerShell scripts. The reasons for our choice are explained a little further on.

The approach is: first obtain the list of objects in the parent container and, second, create the objects in the destination container from that list, with the necessary adaptations. These are explained later (underlined).

The project is therefore split into two clear phases: the Export and the Import.

The first phase, the Export, consists of obtaining the minimum information needed to carry out an import later. It covers the objects listed below:
- Organizational Units (OU).
- Security groups:
  - Global Groups (GG).
  - Local Groups (GL).
  - Universal Groups (GU).
- Users.

Once the scripts that export this information have been created, we obtain a CSV file containing the extracted information.

The second phase, the Import, works on the CSV file produced by the export, which contains all the information about the structure objects exported from the source domain controller. With this information the structure can be replicated on the new domain controller.

As mentioned before, the replicated information undergoes a small adaptation: an underscore (_) is appended to the name of every User and Security Group. An imported user would look like this, for example: usu1smx_. The trailing underscore makes it clear that this user has been replicated. The reason for these modifications is, first, that if the domain we import the data into is not empty there is no chance of creating any kind of conflict. Second, it simply distinguishes whether an element was imported or created directly on our server.

Main objective: duplicate a parent container into a destination container, either in the same domain or in another one.

Secondary objective: the objects created in the destination container have the same configuration as in the source container:
- Each group will have its original members.
- Each user will be a member of its original groups.

The secondary objective is not strictly essential and can be left as an extension, since these configurations can be made easily from the UEAD application without becoming a very tedious, repetitive task.
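
The import adaptation described above, sketched as an added example (not the project's own scripts): it turns exported rows into an import plan by rebasing each object under the destination container, appending the underscore to users and groups, and ordering OUs parent-first. The container DNs, the CSV column layout and the function names are assumptions; it assumes PowerShell 3.0 or later, and the final dry-run block only runs where the ActiveDirectory module is installed.

```powershell
# Added example, not the project's scripts. DNs, names and the CSV layout are constructed.
$SourceBase = 'OU=Aula,DC=origen,DC=local'    # hypothetical parent container (source)
$DestBase   = 'OU=Copia,DC=desti,DC=local'    # hypothetical destination container

# Constructed sample of an export-phase CSV (one row per OU, group and user).
$exportCsv = @'
ObjectClass,Name,SamAccountName,GroupScope,DistinguishedName
user,usu1smx,usu1smx,,"CN=usu1smx,OU=SMX,OU=Aula,DC=origen,DC=local"
group,GG_SMX,GG_SMX,Global,"CN=GG_SMX,OU=SMX,OU=Aula,DC=origen,DC=local"
organizationalUnit,SMX,,,"OU=SMX,OU=Aula,DC=origen,DC=local"
organizationalUnit,Aula,,,"OU=Aula,DC=origen,DC=local"
user,intrus,intrus,,"CN=intrus,CN=Users,DC=origen,DC=local"
'@

# DN helpers: split only on commas that are not escaped with a backslash.
function Get-ParentDN([string]$DN) { ($DN -split '(?<!\\),', 2)[1] }
function Get-DNDepth([string]$DN)  { @($DN -split '(?<!\\),').Count }
function Test-UnderBase([string]$DN, [string]$Base) {
    $DN -ieq $Base -or $DN.EndsWith(",$Base", [StringComparison]::OrdinalIgnoreCase)
}

function Get-ImportPlan {
    param([object[]]$Rows, [string]$SourceBase, [string]$DestBase)
    $sourceParent = Get-ParentDN $SourceBase
    $rank = @{ organizationalUnit = 0; group = 1; user = 2 }   # creation order
    $Rows |
        Where-Object {
            # Refuse rows that are not inside the parent container being duplicated.
            $inScope = Test-UnderBase $_.DistinguishedName $SourceBase
            if (-not $inScope) { Write-Warning "Skipped (outside $SourceBase): $($_.DistinguishedName)" }
            $inScope
        } |
        Sort-Object { $rank[$_.ObjectClass] }, { Get-DNDepth $_.DistinguishedName } |
        ForEach-Object {
            $isOU = $_.ObjectClass -eq 'organizationalUnit'
            # Only users and security groups receive the trailing underscore.
            $name = if ($isOU) { $_.Name } else { $_.Name + '_' }
            $sam  = if ($isOU) { $null }   else { $_.SamAccountName + '_' }
            if ($_.ObjectClass -eq 'user' -and $sam.Length -gt 20) {
                throw "sAMAccountName '$sam' exceeds the 20-character limit for users"
            }
            # Keep the path relative to the source container, re-root it at the destination.
            $parent   = Get-ParentDN $_.DistinguishedName
            $relative = $parent.Substring(0, $parent.Length - $sourceParent.Length)
            [pscustomobject]@{
                ObjectClass    = $_.ObjectClass
                Name           = $name
                SamAccountName = $sam
                GroupScope     = $_.GroupScope
                Path           = $relative + $DestBase
            }
        }
}

$plan = Get-ImportPlan -Rows ($exportCsv | ConvertFrom-Csv) -SourceBase $SourceBase -DestBase $DestBase
$plan | Format-Table -AutoSize

# Dry run against the destination domain, only where the ActiveDirectory module exists.
# Remove -WhatIf to create the objects. Passwords are not part of the export, so users
# are created disabled and need a password set before they are enabled.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($o in $plan) {
        switch ($o.ObjectClass) {
            'organizationalUnit' {
                New-ADOrganizationalUnit -Name $o.Name -Path $o.Path -WhatIf
            }
            'group' {
                New-ADGroup -Name $o.Name -SamAccountName $o.SamAccountName `
                    -GroupScope $o.GroupScope -GroupCategory Security -Path $o.Path -WhatIf
            }
            'user' {
                New-ADUser -Name $o.Name -SamAccountName $o.SamAccountName `
                    -Path $o.Path -Enabled $false -WhatIf
            }
        }
    }
}
```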

PowerShell

Windows PowerShell is a console interface (CLI) that allows commands to be written and combined by means of instructions (scripts). It is much richer and more interactive than its predecessors, from DOS up to Windows 7. This console interface is designed to be used by system administrators, with the purpose of automating tasks or carrying them out in a more controlled way.

Why?

We use PowerShell because it is the programming platform par excellence on Windows, and because it offers great capabilities compared with others, which let us carry out the tasks we need to perform. In addition, it has very extensive support, whether from official technicians, forums, the community or even libraries made specifically by the company itself or by different users.

What for?

We will use it to create the different scripts that make up the two phases mentioned earlier (Export and Import), and that are responsible for performing all the tasks needed to meet our objectives.

Advantages of scripts

Below we briefly mention some of the most notable advantages of using scripts.

The first, and perhaps the most obvious, is that they can be fully configured, that is, they do exactly what we ask.

They also make tasks that could be much more tedious and heavy more comfortable, such as creating thousands of users, to take a simple case.

Finally, different tasks can be automated so that they run automatically without requiring anyone to be present.

Disadvantages of scripts

Performing the task for the first time, that is, when the script has not yet been created, takes much longer than the following runs, because the script has to be configured.

In addition, if the script is badly configured it will not solve our problem, so we will have to do the task manually or configure the script again.

Third-party libraries

Microsoft is a company known worldwide, so it is no surprise that it has a fairly large community. This community offers help, in this case, through different libraries of pre-written PowerShell commands with their respective explanations and uses for each specific command, created by any user who decided to publish them.

However, we decided to rely only on the official information that Microsoft provides through its official libraries. This does not mean that the community libraries are wrong, but that they take specific approaches that might not interest us or that we did not share.

Theoretical commands for the export:

Below we describe the purely theoretical structure of the commands we will use when exporting information from the domain. Some of the commands we chose may not be the optimal ones, or a better one may exist for the task, but we write this based on our own exploration.

Exporting CSV files:

Explanation:
The Export-CSV cmdlet creates a CSV file of the objects that you submit. Each object is represented as a line or row of the CSV. The row consists of a comma-separated list of the values of object properties. You can use this cmdlet to create spreadsheets and share data with programs that take CSV files as input.

Command:
Parameter Set: Delimiter
Export-Csv [[-Path] ] [[-Delimiter] ] -InputObject [-Append] [-Encoding {Unicode | UTF7 | UTF8 | ASCII | UTF32 | BigEndianUnicode | Default | OEM} ] [-Force] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable ] [-LiteralPath ] [-NoClobber] [-NoTypeInformation] [-Confirm] [-WhatIf] [ ]

Parameter Set: UseCulture
Export-Csv [[-Path] ] -InputObject [-Append] [-Encoding {Unicode | UTF7 | UTF8 | ASCII | UTF32 | BigEndianUnicode | Default | OEM} ] [-Force] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable ] [-LiteralPath ] [-NoClobber] [-NoTypeInformation] [-UseCulture] [-Confirm] [-WhatIf] [ ]

Parameters:
-Append:Adds the CSV output to the end of the specified file. Without this parameter, Export-CSV replaces the file contents without warning. This parameter is introduced in Windows PowerShell 3.0.

-Delimiter:Specifies a delimiter to separate the property values. The default is a comma (,). Enter a character, such as a colon (:). To specify a semicolon (;), enclose it in quotation marks.

-Encoding:Specifies the encoding for the exported CSV file. Valid values are Unicode, UTF7, UTF8, ASCII, UTF32, BigEndianUnicode, Default, and OEM. The default is ASCII.

-Force:Overwrites the file specified in path without prompting.

-InformationAction:This parameter is introduced in Windows PowerShell 3.0.

-InformationVariable:This parameter is introduced in Windows PowerShell 3.0.

-InputObject:Specifies the objects to export as CSV strings. Enter a variable that contains the objects or type a command or expression that gets the objects. You can also pipe objects to Export-CSV.

-NoClobber:Do not overwrite (replace the contents) of an existing file. By default, if a file exists in the specified path, Export-CSV overwrites the file without warning.

-NoTypeInformation:Omits the type information from the CSV file. By default, the first line of the CSV file contains "#TYPE " followed by the fully-qualified name of the type of the object.

-Path:Specifies the path to the CSV output file. This parameter is required.

-UseCulture:Use the list separator for the current culture as the item delimiter. The default is a comma (,). This parameter is very useful in scripts that are being distributed to users worldwide. To find the list separator for a culture, use the following command: (Get-Culture).TextInfo.ListSeparator.

-LiteralPath:Specifies the path to the CSV output file. Unlike Path, the value of the LiteralPath parameter is used exactly as it is typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks tell Windows PowerShell not to interpret any characters as escape sequences.

-Confirm:Prompts you for confirmation before running the cmdlet.

-WhatIf:Shows what would happen if the cmdlet runs. The cmdlet is not run.
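
An added example (not part of the original document) that checks what the -Encoding, -Delimiter, -NoTypeInformation and -NoClobber parameters described above mean for a migration CSV: it exports constructed rows, imports them back and reports every value that changed on the way. The sample names, DNs and function names are assumptions; it needs PowerShell 3.0 or later and no domain.

```powershell
# Added example, not from the original document. Names and DNs are constructed.
# Accented letters are built from code points so the script file's own encoding is irrelevant.
$aGrave = [char]0x00E0
$uAcute = [char]0x00FA
$rows = @(
    [pscustomobject]@{
        Name           = "N${uAcute}ria Vil${aGrave}"
        SamAccountName = 'nvila'
        Path           = 'OU=SMX,OU=Aula,DC=origen,DC=local'   # commas force CSV quoting
    }
    [pscustomobject]@{
        Name           = 'usu1smx'
        SamAccountName = 'usu1smx'
        Path           = 'OU=SMX,OU=Aula,DC=origen,DC=local'
    }
)

function New-TempCsvPath {
    Join-Path ([IO.Path]::GetTempPath()) ('ad-export-{0}.csv' -f [guid]::NewGuid())
}

# Export, import again with the same settings, and return one object per changed value.
function Test-CsvRoundTrip {
    param([object[]]$Rows, [string]$Encoding, [string]$Delimiter = ',')
    $path = New-TempCsvPath
    try {
        $Rows | Export-Csv -Path $path -Encoding $Encoding -Delimiter $Delimiter `
            -NoTypeInformation -NoClobber
        $back = @(Import-Csv -Path $path -Encoding $Encoding -Delimiter $Delimiter)
        for ($i = 0; $i -lt $Rows.Count; $i++) {
            foreach ($p in $Rows[$i].PSObject.Properties.Name) {
                if ($Rows[$i].$p -cne $back[$i].$p) {
                    [pscustomobject]@{
                        Row = $i; Property = $p
                        Exported = $Rows[$i].$p; Imported = $back[$i].$p
                    }
                }
            }
        }
    } finally {
        Remove-Item -LiteralPath $path -ErrorAction SilentlyContinue
    }
}

# Returns $true when -NoClobber refuses to replace an export that already exists.
function Test-NoClobber {
    param([object[]]$Rows)
    $path = New-TempCsvPath
    try {
        $Rows | Export-Csv -Path $path -Encoding UTF8 -NoTypeInformation
        try {
            $Rows | Export-Csv -Path $path -Encoding UTF8 -NoTypeInformation `
                -NoClobber -ErrorAction Stop
            return $false
        } catch {
            return $true
        }
    } finally {
        Remove-Item -LiteralPath $path -ErrorAction SilentlyContinue
    }
}

$asciiDiff = @(Test-CsvRoundTrip -Rows $rows -Encoding ASCII)
$utf8Diff  = @(Test-CsvRoundTrip -Rows $rows -Encoding UTF8 -Delimiter ';')

"ASCII round trip: $($asciiDiff.Count) changed value(s)"
$asciiDiff | Format-Table -AutoSize
"UTF8 round trip with ';' delimiter: $($utf8Diff.Count) changed value(s)"
"-NoClobber protected the existing file: $(Test-NoClobber -Rows $rows)"
```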

Exporting Organizational Units (OU):

Explanation:
The Get-ADOrganizationalUnit cmdlet gets an organizational unit object or performs a search to retrieve multiple organizational units.
The Identity parameter specifies the Active Directory organizational unit to retrieve. You can identify an organizational unit by its distinguished name (DN) or GUID. You can also set the parameter to an organizational unit object variable, such as $ or pass an organizational unit object through the pipeline to the Identity parameter.
To search for and retrieve more than one organizational unit, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter.
This cmdlet retrieves a default set of organizational unit object properties. To retrieve additional properties use the Properties parameter. For more information about how to determine the properties for computer objects, see the Properties parameter description.

Command:
Get-ADOrganizationalUnit -Filter [-ResultPageSize ] [-ResultSetSize ] [-SearchBase ] [-SearchScope { | | }] [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []

Get-ADOrganizationalUnit [-Identity] [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []

Get-ADOrganizationalUnit -LDAPFilter [-ResultPageSize ] [-ResultSetSize ] [-SearchBase ] [-SearchScope { | | }] [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []

Parameters:
- AuthType:Specifies the authentication method to use. Possible values for this parameter include:
  - Negotiate or 0
  - Basic or 1
The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

- Credential:Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object. The following example shows how to create credentials.
$AdminCredentials = Get-Credential "Domain01\User01"

- Filter:Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter.
Syntax:
The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter.
 ::= "{" "}"
 ::= | |
 ::= | "(" ")"
 ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike"
 ::= "-and" | "-or"
 ::= "-not"
 ::= |
 ::=

- Identity:Specifies the identity of an Active Directory organizational unit object. The parameter accepts the following identity formats. The identifier in parentheses is the LDAP display name for the attribute that contains the identity.
  Distinguished Name
  Example: OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com
  GUID (objectGUID)
  Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also get this object through the pipeline or you can set this parameter to an object instance.
This example shows how to set the parameter to a distinguished name.
-Identity "OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com"
This example shows how to set this parameter to an organizational unit object instance named "OUinstance".
-Identity $OUInstance

- LDAPFilter:Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter.
The following example shows how to set this parameter to search for all objects in the organizational unit specified by the SearchBase parameter with a name beginning with "sara".
-LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=NA, DC=fabrikam, DC=com"

- Partition:Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.
The following two examples show how to specify a value for this parameter.
-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"
-Partition "CN=Schema, CN=Configuration, DC=EUROPE, DC=TEST, DC=CONTOSO, DC=COM"
In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated.
In AD DS environments, a default value for Partition will be set in the following cases:
  - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
  - If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
  - If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain.
In AD LDS environments, a default value for Partition will be set in the following cases:
  - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
  - If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
  - If the target AD LDS instance has a default naming context, the default value of Partition will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
  - If none of the previous cases apply, the Partition parameter will not take any default value.

- Properties:Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set.
Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk).
To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute.

- ResultPageSize:Specifies the number of objects to include in one page for an Active Directory Domain Services query. The default is 256 objects per page.

- ResultSetSize:Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. The default is $null.

- SearchBase:Specifies an Active Directory path to search under.
When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive.
When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain.
When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value.

- SearchScope:Specifies the scope of an Active Directory search. Possible values for this parameter are:
  - Base or 0
  - OneLevel or 1
  - Subtree or 2
A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object.

- Server:Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
  Fully qualified domain name
  Examples: corp.contoso.com
  NetBIOS name
  Example: CORP
Directory server values:
  Fully qualified directory server name
  Example: corp-DC12.corp.contoso.com
  NetBIOS name
  Example: corp-DC12
  Fully qualified directory server name and port
  Example: corp-DC12.corp.contoso.com:3268
The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
  - By using Server value from objects passed through the pipeline.
  - By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
  - By using the domain of the computer running PowerShell.

Exporting groups GG, GL, GU:

Explanation:
The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from an Active Directory.
The Identity parameter specifies the Active Directory group to get. You can identify a group by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name, or canonical name. You can also specify group object variable, such as $.
To search for and retrieve more than one group, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter.
This cmdlet gets a default set of group object properties. To get additional properties use the Properties parameter. For more information about how to determine the properties for group objects, see the Properties parameter description.

Command:
Get-ADGroup -Filter [-ResultPageSize ] [-ResultSetSize ] [-SearchBase ] [-SearchScope { | | }] [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []

Parameters:
- AuthType:Specifies the authentication method to use. Possible values for this parameter include:
  - Negotiate or 0
  - Basic or 1
The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

- Credential:Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.

- Filter:Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter.
Syntax:
The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter.
 ::= "{" "}"
 ::= | |
 ::= | "(" ")"
 ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike"
 ::= "-and" | "-or"
 ::= "-not"
 ::= |
 ::=
For a list of supported types for , see about_ActiveDirectory_ObjectModel.

- Identity:Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute.
  Distinguished Name
  Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
  GUID (objectGUID)
  Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
  Security Identifier (objectSid)
  Example: S-1-5-21-3165297888-301567370-576410423-1103
  Security Accounts Manager (SAM) Account Name (sAMAccountName)
  Example: saradavisreports
The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

- LDAPFilter:Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter.

- Partition:Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.

- Properties:Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set.
Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk).
To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute.

- ResultPageSize:Specifies the number of objects to include in one page for an Active Directory Domain Services query. The default is 256 objects per page.

- ResultSetSize:Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects. The default is $null.

- SearchBase:Specifies an Active Directory path to search under.
When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive.
When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain.
When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value.

- SearchScope:Specifies the scope of an Active Directory search. Possible values for this parameter are:
  - Base or 0
  - OneLevel or 1
  - Subtree or 2
A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object.

- Server:Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
  Fully qualified domain name
  Examples: corp.contoso.com
  NetBIOS name
  Example: CORP
Directory server values:
  Fully qualified directory server name
  Example: corp-DC12.corp.contoso.com
  NetBIOS name
  Example: corp-DC12
  Fully qualified directory server name and port
  Example: corp-DC12.corp.contoso.com:3268
The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
  - By using Server value from objects passed through the pipeline.
  - By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
  - By using the domain of the computer running PowerShell.

Exporting users:

Explanation:
The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple user objects.
The Identity parameter specifies the Active Directory user to get. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name or name. You can also set the parameter to a user object variable, such as $ or pass a user object through the pipeline to the Identity parameter.
To search for and retrieve more than one user, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter.

Command:
Get-ADUser -Filter [-ResultPageSize ] [-ResultSetSize ] [-SearchBase ] [-SearchScope { | | }] [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []

Get-ADUser [-Identity] [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []

Get-ADUser -LDAPFilter [-ResultPageSize ] [-ResultSetSize ] [-SearchBase ] [-SearchScope { | | }] [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []

Parameters:
- AuthType:Specifies the authentication method to use. Possible values for this parameter include:
  - Negotiate or 0
  - Basic or 1
The default authentication method is Negotiate. A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

- Credential:Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object The following example shows how to create credentials.$AdminCredentials = Get-Credential "Domain01\User01"

- Filter: Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter.
Syntax:
The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter.
::= "{" "}" ::= | | ::= | "(" ")" ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike" ::= "-and" | "-or" ::= "-not" ::= | ::=
For a list of supported types for , see about_ActiveDirectory_ObjectModel.

- Identity: Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute.
  Distinguished Name. Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
  GUID (objectGUID). Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
  Security Identifier (objectSid). Example: S-1-5-21-3165297888-301567370-576410423-1103
  Security Accounts Manager (SAM) Account Name (sAMAccountName). Example: saradavisreports
The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

- LDAPFilter: Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter.

- Partition: Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.
The following two examples show how to specify a value for this parameter.
-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"
-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"
In many cases, a default value will be used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated.
In AD DS environments, a default value for Partition will be set in the following cases:
  - If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
  - If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
  - If none of the previous cases apply, the default value of Partition will be set to the default partition or naming context of the target domain.

- Properties: Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set.
Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk).
To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute.
To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet.
The following examples show how to retrieve properties for a group where the Administrator's group is used as the sample group object.

- ResultPageSize: Specifies the number of objects to include in one page for an Active Directory Domain Services query. The default is 256 objects per page.

- ResultSetSize: Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $null (null value). You can use Ctrl+c to stop the query and return of objects.
The default is $null.

- SearchBase: Specifies an Active Directory path to search under.
When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive.
When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain.
When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value.

- SearchScope: Specifies the scope of an Active Directory search. Possible values for this parameter are:
  Base or 0
  OneLevel or 1
  Subtree or 2
A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object.

- Server: Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
  Fully qualified domain name. Example: corp.contoso.com
  NetBIOS name. Example: CORP
Directory server values:
  Fully qualified directory server name. Example: corp-DC12.corp.contoso.com
  NetBIOS name. Example: corp-DC12
  Fully qualified directory server name and port. Example: corp-DC12.corp.contoso.com:3268
The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
  - By using Server value from objects passed through the pipeline.
  - By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
  - By using the domain of the computer running PowerShell.
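The Get-ADUser parameters above combined into a scoped export, as an added example that is not one of the project's own scripts. The function names, the `RelativeParent` CSV column and the contoso DNs are assumptions; it needs the ActiveDirectory module and Windows PowerShell 3.0 or later.

```powershell
# Pure helper (hypothetical name): parent container of an object, expressed
# relative to the exported base so the import can re-root it elsewhere.
function Get-RelativeParent {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][string]$SearchBase
    )
    # Drop the first RDN; "\," inside a name is an escaped comma, not a separator.
    $parent = $DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''
    if ($parent -ieq $SearchBase) { return '' }
    $suffix = ',' + $SearchBase
    if (-not $parent.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Object '$DistinguishedName' is not under '$SearchBase'."
    }
    return $parent.Substring(0, $parent.Length - $suffix.Length)
}

function Export-ADUserSubtree {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [string]$Server
    )
    Import-Module ActiveDirectory

    # Request only the attributes the import needs; -Properties * would copy
    # every attribute of every user into a plain-text file.
    $query = @{
        Filter      = '*'
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        Properties  = 'DisplayName', 'Description'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADUser @query |
        Select-Object Name, SamAccountName, GivenName, Surname, DisplayName,
            Description, UserPrincipalName, Enabled,
            @{ Name       = 'RelativeParent'
               Expression = { Get-RelativeParent -DistinguishedName $_.DistinguishedName -SearchBase $SearchBase } } |
        Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
}

# Constructed DNs (contoso is a placeholder domain) to exercise the helper offline.
$base = 'OU=Source,DC=corp,DC=contoso,DC=com'
Get-RelativeParent -DistinguishedName "CN=Davis\, Sara,OU=Europe,$base" -SearchBase $base
Get-RelativeParent -DistinguishedName "CN=Glen John,$base" -SearchBase $base
```

The CSV holds account names and the container layout in clear text, so write it to a location only the migration operators can read.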

Theoretical commands for the import:
Now that all the theory about the export has been explained, it is time to explain the import.

Importing CSV files:
Explanation:
The Import-Csv cmdlet creates table-like custom objects from the items in CSV files. Each column in the CSV file becomes a property of the custom object and the items in rows become the property values. Import-Csv works on any CSV file, including files that are generated by the Export-Csv cmdlet.
You can use the parameters of the Import-Csv cmdlet to specify the column header row and the item delimiter, or direct Import-Csv to use the list separator for the current culture as the item delimiter.

Command:
Parameter Set: Delimiter
Import-Csv [[-Path] ] [[-Delimiter] ] [-Encoding {Unicode | UTF7 | UTF8 | ASCII | UTF32 | BigEndianUnicode | Default | OEM} ] [-Header ] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable ] [-LiteralPath ] [ ]
Parameter Set: UseCulture
Import-Csv [[-Path] ] -UseCulture [-Encoding {Unicode | UTF7 | UTF8 | ASCII | UTF32 | BigEndianUnicode | Default | OEM} ] [-Header ] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable ] [-LiteralPath ] [ ]

Parameters:
-Delimiter: Specifies the delimiter that separates the property values in the CSV file. The default is a comma (,). Enter a character, such as a colon (:). To specify a semicolon (;), enclose it in quotation marks.
If you specify a character other than the actual string delimiter in the file, Import-Csv cannot create objects from the CSV strings. Instead, it returns the strings.

-Encoding: Specifies the type of character encoding that was used in the CSV file. Valid values are Unicode, UTF7, UTF8, ASCII, UTF32, BigEndianUnicode, Default, and OEM. The default is ASCII.
This parameter is introduced in Windows PowerShell 3.0.

-Header: Specifies an alternate column header row for the imported file. The column header determines the names of the properties of the object that Import-Csv creates.
Enter a comma-separated list of the column headers. Enclose each item in quotation marks (single or double). Do not enclose the header string in quotation marks. If you enter fewer column headers than there are columns, the remaining columns will have no header. If you enter more headers than there are columns, the extra headers are ignored.
When using the Header parameter, delete the original header row from the CSV file. Otherwise, Import-Csv creates an extra object from the items in the header row.

-InformationAction: If you specify a character other than the actual string delimiter in the file, Import-Csv cannot create objects from the CSV strings. Instead, it returns the strings.

-Path: Specifies the path to the CSV file to import. You can also pipe a path to Import-Csv.

-UseCulture: Use the list separator for the current culture as the item delimiter. The default is a comma (,).
To find the list separator for a culture, use the following command: (Get-Culture).TextInfo.ListSeparator. If you specify a character other than the delimiter used in the CSV strings, ConvertFrom-CSV cannot create objects from the CSV strings. Instead, it returns the strings.

-LiteralPath: Specifies the path to the CSV file to import. Unlike Path, the value of the LiteralPath parameter is used exactly as it is typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks tell Windows PowerShell not to interpret any characters as escape sequences.

Importing Organizational Units (OU):
Explanation:
The New-ADOrganizationalUnit cmdlet creates a new Active Directory organizational unit. You can set commonly used organizational unit property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter.
You must set the Name parameter to create a new organizational unit. When you do not specify the Path parameter, the cmdlet creates an organizational unit under the default NC head for the domain.
The following methods explain different ways to create an object by using this cmdlet.
Method 1: Use the New-ADOrganizationalUnit cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.
Method 2: Use a template to create the new object. To do this, create a new organizational unit object or retrieve a copy of an existing organizational unit object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet.
Method 3: Use the Import-CSV cmdlet with the New-ADOrganizationalUnit cmdlet to create multiple Active Directory organizational unit objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADOrganizationalUnit cmdlet to create the organizational unit objects.

Command:
New-ADOrganizationalUnit [-Name] [-AuthType { | }] [-City ] [-Country ] [-Credential ] [-Description ] [-DisplayName ] [-Instance ] [-ManagedBy ] [-OtherAttributes ] [-PassThru ] [-Path ] [-PostalCode ] [-ProtectedFromAccidentalDeletion ] [-Server ] [-State ] [-StreetAddress ] [-Confirm] [-WhatIf] []

Parameters:
- Name: Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name".

- AuthType: Specifies the authentication method to use. Possible values for this parameter include:
  Negotiate or 0
  Basic or 1
The default authentication method is Negotiate.
A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

- City: Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l".

- Country: Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000.

- Credential: Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object. The following example shows how to create credentials.
$AdminCredentials = Get-Credential "Domain01\User01"

- Description: Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".

- DisplayName: Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName".

- Instance: Specifies an instance of an organizational unit object to use as a template for a new organizational unit object.
You can use an instance of an existing organizational unit object as a template or you can construct a new organizational unit object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create organizational unit object templates.
Method 1: Use an existing organizational unit object as a template for a new object. To retrieve an instance of an existing organizational unit object use Get-ADOrganizationalUnit. Then provide this object to the Instance parameter of the New-ADOrganizationalUnit cmdlet to create a new organizational unit object. You can override property values of the new object by setting the appropriate parameters.
$organizationalUnitInstance = Get-ADOrganizationalUnit -Identity accountingAsia
New-ADOrganizationalUnit -Name accountingAustralia -Instance $organizationalUnitInstance -Country Australia
Method 2: Create a new ADOrganizationalUnit object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADOrganizationalUnit cmdlet to create the new Active Directory organizational unit object.
$OrganizationalUnitInstance = New-Object Microsoft.ActiveDirectory.Management.ADOrganizationalUnit
# The value is a string and has to be quoted in an assignment.
$OrganizationalUnitInstance.Country = "Australia"
New-ADOrganizationalUnit -Name accountingAustralia -Instance $OrganizationalUnitInstance

- ManagedBy: Specifies the user or group that manages the object by providing one of the following property values.
Note: The identifier in parentheses is the LDAP display name for the property.
  Distinguished Name. Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com
  GUID (objectGUID). Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
  Security Identifier (objectSid). Example: S-1-5-21-3165297888-301567370-576410423-1103
  SAM Account Name (sAMAccountName). Example: saradavis
This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy".
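Method 3 for organizational units, as an added example that is not one of the project's own scripts: the CSV rows are checked, re-rooted under the destination container and ordered parent-first before New-ADOrganizationalUnit runs, because a child OU cannot be created before its parent exists. The function names, the CSV columns (Name, DistinguishedName, Description) and the contoso DNs are assumptions; Windows PowerShell 3.0 or later is assumed.

```powershell
# Pure planning step (hypothetical name): validate rows, re-root each OU under
# the destination and sort so that every parent precedes its children.
function Get-OUImportPlan {
    param(
        [Parameter(Mandatory = $true)][object[]]$Rows,
        [Parameter(Mandatory = $true)][string]$SourceParent,
        [Parameter(Mandatory = $true)][string]$TargetParent
    )
    $first = $Rows | Select-Object -First 1
    foreach ($column in 'Name', 'DistinguishedName') {
        # A wrong -Delimiter leaves one fused column, so required names are missing.
        if (-not ($first.PSObject.Properties.Name -contains $column)) {
            throw "CSV has no '$column' column; check the delimiter and header row."
        }
    }
    $suffix = ',' + $SourceParent
    $plan = foreach ($row in $Rows) {
        $dn = $row.DistinguishedName
        if (-not $dn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            throw "Row '$dn' lies outside '$SourceParent'; refusing to import it."
        }
        $newDn = $dn.Substring(0, $dn.Length - $suffix.Length) + ',' + $TargetParent
        $rdns  = [regex]::Split($newDn, '(?<!\\),')   # split on unescaped commas
        [pscustomobject]@{
            Name        = $row.Name
            Path        = ($rdns | Select-Object -Skip 1) -join ','
            Description = $row.Description
            Depth       = $rdns.Count
        }
    }
    $plan | Sort-Object Depth
}

function Import-OUFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [Parameter(Mandatory = $true)][string]$SourceParent,
        [Parameter(Mandatory = $true)][string]$TargetParent,
        [string]$Server
    )
    Import-Module ActiveDirectory
    $rows = @(Import-Csv -Path $CsvPath)
    $plan = Get-OUImportPlan -Rows $rows -SourceParent $SourceParent -TargetParent $TargetParent
    foreach ($ou in $plan) {
        $params = @{ Name = $ou.Name; Path = $ou.Path; ProtectedFromAccidentalDeletion = $true }
        # Empty CSV cells arrive as '' and are left out rather than passed on.
        if ($ou.Description) { $params.Description = $ou.Description }
        if ($Server)         { $params.Server = $Server }
        # -WhatIf given to this function is handed on, so a dry run changes nothing.
        New-ADOrganizationalUnit @params -WhatIf:$WhatIfPreference
    }
}

# Constructed rows, children listed before their parent on purpose.
$sample = @'
Name,DistinguishedName,Description
Sales,"OU=Sales,OU=Europe,OU=Source,DC=corp,DC=contoso,DC=com",
Europe,"OU=Europe,OU=Source,DC=corp,DC=contoso,DC=com",EMEA staff
Source,"OU=Source,DC=corp,DC=contoso,DC=com",
'@ | ConvertFrom-Csv

Get-OUImportPlan -Rows $sample -SourceParent 'DC=corp,DC=contoso,DC=com' `
    -TargetParent 'OU=Lab,DC=corp,DC=contoso,DC=com' |
    Format-Table Depth, Name, Path -AutoSize
```

Run Import-OUFromCsv with -WhatIf first and compare the listed paths with the intended destination before creating anything.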

Importing Security Groups (GG, GL, GU):
Explanation:
The New-ADGroup cmdlet creates a new Active Directory group object. Many object properties are defined by setting cmdlet parameters. Properties that cannot be set by cmdlet parameters can be set using the OtherAttributes parameter.
The Name and GroupScope parameters specify the name and scope of the group and are required to create a new group. You can define the new group as a security or distribution group by setting the GroupType parameter. The Path parameter specifies the container or organizational unit (OU) for the group.
The following methods explain different ways to create an object by using this cmdlet.
Method 1: Use the New-ADGroup cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.
Method 2: Use a template to create the new object. To do this, create a new group object or retrieve a copy of an existing group object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet.
Method 3: Use the Import-CSV cmdlet with the New-ADGroup cmdlet to create multiple Active Directory group objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADGroup cmdlet to create the group objects.

Command:
New-ADGroup [-Name] [-GroupScope] [-AuthType { | }] [-Credential ] [-Description ] [-DisplayName ] [-GroupCategory ] [-HomePage ] [-Instance ] [-ManagedBy ] [-OtherAttributes ] [-PassThru ] [-Path ] [-SamAccountName ] [-Server ] [-Confirm] [-WhatIf] []

Parameters:
- AuthType: Specifies the authentication method to use. Possible values for this parameter include:
  Negotiate or 0
  Basic or 1
The default authentication method is Negotiate.
A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

- Credential: Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object. The following example shows how to create credentials.
$AdminCredentials = Get-Credential "Domain01\User01"

- Description: Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".

- DisplayName: Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName".

- GroupCategory: Specifies the category of the group. Possible values of this parameter are:
  Distribution or 0
  Security or 1
This parameter sets the GroupCategory property of the group. This parameter value combined with other group values sets the LDAP Display Name (ldapDisplayName) attribute named "groupType".

- GroupScope: Specifies the group scope of the group. Possible values of this parameter are:
  DomainLocal or 0
  Global or 1
  Universal or 2
This parameter sets the GroupScope property of a group object to the specified value. The LDAP display name of this property is "groupType".

- HomePage: Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage".

- Instance: Specifies an instance of a group object to use as a template for a new group object.
You can use an instance of an existing group object as a template or you can construct a new group object by using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create group object templates.
Method 1: Use an existing group object as a template for a new object. Use the Get-ADGroup cmdlet to retrieve a group object then pass this object to the Instance parameter of the New-ADGroup cmdlet to create a new group object. You can override property values of the new object by setting the appropriate parameters.
$groupInstance = Get-ADGroup -Identity "KarenTohReports"
# New-ADGroup takes the scope through -GroupScope (see the command syntax above).
New-ADGroup -Name "Sara Davis Reports" -Instance $groupInstance -GroupScope DomainLocal
Method 2: Create a new ADGroup object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADGroup cmdlet to create the new group object.
$groupTemplate = New-Object Microsoft.ActiveDirectory.Management.ADGroup
$groupTemplate.GroupScope = "DomainLocal"
# Pass the template that was just built, not the variable from Method 1.
New-ADGroup -Name "Sara Davis Reports" -Instance $groupTemplate

- ManagedBy: Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property.
  Distinguished Name. Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com
  GUID (objectGUID). Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
  Security Identifier (objectSid). Example: S-1-5-21-3165297888-301567370-576410423-1103
  SAM Account Name (sAMAccountName). Example: saradavis
This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy".

- Name: Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name".

- OtherAttributes: Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema.
Syntax:
To specify a single value for an attribute:
-OtherAttributes @{'AttributeLDAPDisplayName'=value}
To specify multiple values for an attribute:
-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...}
You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes:
-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...}

- PassThru: Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

- Path: Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created.
In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated.
In AD DS environments, a default value for Path will be set in the following cases:
  - If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
  - If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container.
  - If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain.

- SamAccountName: Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName".

- Server: Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
  Fully qualified domain name. Example: corp.contoso.com
  NetBIOS name. Example: CORP
Directory server values:
  Fully qualified directory server name. Example: corp-DC12.corp.contoso.com
  NetBIOS name. Example: corp-DC12
  Fully qualified directory server name and port. Example: corp-DC12.corp.contoso.com:3268
The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
  - By using Server value from objects passed through the pipeline.
  - By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
  - By using the domain of the computer running PowerShell.

- Confirm: Prompts you for confirmation before executing the command.

- WhatIf: Describes what would happen if you executed the command without actually executing the command.

Importing Users:
Explanation:
The New-ADUser cmdlet creates a new Active Directory user. You can set commonly used user property values by using the cmdlet parameters.
Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter. When using this parameter be sure to place single quotes around the attribute name as in the following example.
New-ADUser -SamAccountName "glenjohn" -GivenName "Glen" -Surname "John" -DisplayName "Glen John" -Path 'CN=Users,DC=fabrikam,DC=local' -OtherAttributes @{'msDS-PhoneticDisplayName'="GlenJohn"}
You must specify the SAMAccountName parameter to create a user.
You can use the New-ADUser cmdlet to create different types of user accounts such as iNetOrgPerson accounts. To do this in AD DS, set the Type parameter to the LDAP display name for the type of account you want to create. This type can be any class in the Active Directory schema that is a subclass of user and that has an object category of person.
The Path parameter specifies the container or organizational unit (OU) for the new user. When you do not specify the Path parameter, the cmdlet creates a user object in the default container for user objects in the domain. Accounts created with the New-ADUser cmdlet will be disabled if no password is provided.
The following methods explain different ways to create an object by using this cmdlet.
Method 1: Use the New-ADUser cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.
Method 2: Use a template to create the new object. To do this, create a new user object or retrieve a copy of an existing user object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet.
Method 3: Use the Import-CSV cmdlet with the New-ADUser cmdlet to create multiple Active Directory user objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADUser cmdlet to create the user objects.

Command:
New-ADUser [-Name] [-AccountExpirationDate ] [-AccountNotDelegated ] [-AccountPassword ] [-AllowReversiblePasswordEncryption ] [-AuthType { | }] [-CannotChangePassword ] [-Certificates ] [-ChangePasswordAtLogon ] [-City ] [-Company ] [-Country ] [-Credential ] [-Department ] [-Description ] [-DisplayName ] [-Division ] [-EmailAddress ] [-EmployeeID ] [-EmployeeNumber ] [-Enabled ] [-Fax ] [-GivenName ] [-HomeDirectory ] [-HomeDrive ] [-HomePage ] [-HomePhone ] [-Initials ] [-Instance ] [-LogonWorkstations ] [-Manager ] [-MobilePhone ] [-Office ] [-OfficePhone ] [-Organization ] [-OtherAttributes ] [-OtherName ] [-PassThru ] [-PasswordNeverExpires ] [-PasswordNotRequired ] [-Path ] [-POBox ] [-PostalCode ] [-ProfilePath ] [-SamAccountName ] [-ScriptPath ] [-Server ] [-ServicePrincipalNames ] [-SmartcardLogonRequired ] [-State ] [-StreetAddress ] [-Surname ] [-Title ] [-TrustedForDelegation ] [-Type ] [-UserPrincipalName ] [-Confirm] [-WhatIf] []
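Method 3 for users, as an added example that is not one of the project's own scripts. Since New-ADUser leaves an account disabled when no password is given, the sketch either creates accounts disabled or sets a random one-time password with a forced change at first logon. The function names and the CSV columns (Name, SamAccountName, GivenName, Surname, DisplayName, UserPrincipalName, RelativeParent) are assumptions; Windows PowerShell 3.0 or later is assumed.

```powershell
# Random initial password from a 64-symbol alphabet (256 % 64 = 0, so the byte
# to symbol mapping has no modulo bias). Retries until upper case, lower case
# and a digit are all present.
function New-InitialPassword {
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $text = -join $(foreach ($b in $bytes) { $alphabet[$b % 64] })
    } until ($text -cmatch '[A-Z]' -and $text -cmatch '[a-z]' -and $text -match '\d')
    return $text
}

function Import-ADUserFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [Parameter(Mandatory = $true)][string]$TargetBase,   # destination container DN
        [switch]$CreateDisabled,
        [string]$Server
    )
    Import-Module ActiveDirectory
    foreach ($row in Import-Csv -Path $CsvPath) {
        if ([string]::IsNullOrWhiteSpace($row.Name) -or
            [string]::IsNullOrWhiteSpace($row.SamAccountName)) {
            Write-Warning 'Skipping a row without Name or SamAccountName.'
            continue
        }
        $params = @{
            Name           = $row.Name
            SamAccountName = $row.SamAccountName
            Path           = if ($row.RelativeParent) { "$($row.RelativeParent),$TargetBase" } else { $TargetBase }
        }
        # Empty CSV cells arrive as '' and are left out rather than passed on.
        foreach ($optional in 'GivenName', 'Surname', 'DisplayName', 'UserPrincipalName') {
            if ($row.$optional) { $params[$optional] = $row.$optional }
        }
        if ($Server) { $params.Server = $Server }

        $initial = $null
        if (-not $CreateDisabled) {
            $initial = New-InitialPassword
            $params.AccountPassword       = ConvertTo-SecureString $initial -AsPlainText -Force
            $params.Enabled               = $true
            $params.ChangePasswordAtLogon = $true
        }
        New-ADUser @params -WhatIf:$WhatIfPreference

        # The password goes to the caller only; nothing here writes it to disk.
        if (-not $WhatIfPreference) {
            [pscustomobject]@{
                SamAccountName  = $row.SamAccountName
                Path            = $params.Path
                InitialPassword = $initial
            }
        }
    }
}

# Offline check of the generator alone (no directory access needed).
(New-InitialPassword).Length
```

Hand the returned InitialPassword values to the account owners over a separate channel and do not store them next to the CSV.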

Parmetres: - AccountExpirationDate:Specifies the expiration date for an account. When you set this parameter to 0, the account never expires. This parameter sets the AccountExpirationDate property of an account object. The LDAP Display name (ldapDisplayName) for this property is accountExpires.Use the DateTime syntax when you specify this parameter. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object."4/17/2006""Monday, April 17, 2006""2:22:45 PM""Monday, April 17, 2006 2:22:45 PM"

- AccountNotDelegated:Specifies whether the security context of the user is delegated to a service. When this parameter is set to true, the security context of the account is not delegated to a service even when the service account is set as trusted for Kerberos delegation. This parameter sets the AccountNotDelegated property for an Active Directory account. This parameter also sets the ADS_UF_NOT_DELEGATED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include$false or 0$true or 1

- AccountPassword:Specifies a new password value for an account. This value is stored as an encrypted string.The following conditions apply based on the manner in which the password parameter is used:$null password is specified - No password is set and the account is disabled unless it is requested to be enabledNo password is specified - No password is set and the account is disabled unless it is requested to be enabledUser password is specified - Password is set and the account is disabled unless it is requested to be enabled.

- AllowReversiblePasswordEncryption:Specifies whether reversible password encryption is allowed for the account. This parameter sets the AllowReversiblePasswordEncryption property of the account. This parameter also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include:
$false or 0
$true or 1

- AuthType:Specifies the authentication method to use. Possible values for this parameter include:
Negotiate or 0
Basic or 1
The default authentication method is Negotiate.
A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

- CannotChangePassword:Specifies whether the account password can be changed. This parameter sets the CannotChangePassword property of an account. Possible values for this parameter include:
$false or 0
$true or 1

- Certificates:Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate".
Syntax:
To add values:
-Certificates @{Add=value1,value2,...}
To remove values:
-Certificates @{Remove=value3,value4,...}
To replace values:
-Certificates @{Replace=value1,value2,...}
To clear all values:
-Certificates $null
You can specify more than one operation by using a list separated by semicolons. For example, use the following syntax to add and remove Certificate values:
-Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...}
The operators will be applied in the following sequence:
..Remove
..Add
..Replace

- ChangePasswordAtLogon:Specifies whether a password must be changed during the next logon attempt. Possible values for this parameter include:
$false or 0
$true or 1
This parameter cannot be set to $true or 1 for an account that also has the PasswordNeverExpires property set to true.

- City:Specifies the user's town or city. This parameter sets the City property of a user. The LDAP display name (ldapDisplayName) of this property is "l".

- Company:Specifies the user's company. This parameter sets the Company property of a user object. The LDAP display name (ldapDisplayName) of this property is "company".

- Country:Specifies the country or region code for the user's language of choice. This parameter sets the Country property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "c". This value is not used by Windows 2000.

- Credential:Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as "User1" or "Domain01\User01" or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object. The following example shows how to create credentials.
$AdminCredentials = Get-Credential "Domain01\User01"

- Department:Specifies the user's department. This parameter sets the Department property of a user. The LDAP Display Name (ldapDisplayName) of this property is "department".

- Description:Specifies a description of the object. This parameter sets the value of the Description property for the object. The LDAP Display Name (ldapDisplayName) for this property is "description".

- DisplayName:Specifies the display name of the object. This parameter sets the DisplayName property of the object. The LDAP Display Name (ldapDisplayName) for this property is "displayName".

- Division:Specifies the user's division. This parameter sets the Division property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "division".

- EmailAddress:Specifies the user's e-mail address. This parameter sets the EmailAddress property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mail".

- EmployeeID:Specifies the user's employee ID. This parameter sets the EmployeeID property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeID".

- EmployeeNumber:Specifies the user's employee number. This parameter sets the EmployeeNumber property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "employeeNumber".

- Enabled:Specifies if an account is enabled. An enabled account requires a password. This parameter sets the Enabled property for an account object. This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the Active Directory User Account Control (UAC) attribute. Possible values for this parameter include:
$false or 0
$true or 1

- Fax:Specifies the user's fax phone number. This parameter sets the Fax property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "facsimileTelephoneNumber".

- GivenName:Specifies the user's given name. This parameter sets the GivenName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "givenName".

- HomeDirectory:Specifies a user's home directory. This parameter sets the HomeDirectory property of a user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDirectory".

- HomeDrive:Specifies a drive that is associated with the UNC path defined by the HomeDirectory property. The drive letter is specified as ":" where indicates the letter of the drive to associate. The must be a single, uppercase letter and the colon is required. This parameter sets the HomeDrive property of the user object. The LDAP Display Name (ldapDisplayName) for this property is "homeDrive".

- HomePage:Specifies the URL of the home page of the object. This parameter sets the homePage property of an Active Directory object. The LDAP Display Name (ldapDisplayName) for this property is "wWWHomePage".

- HomePhone:Specifies the user's home telephone number. This parameter sets the HomePhone property of a user. The LDAP Display Name (ldapDisplayName) of this property is "homePhone".

- Initials:Specifies the initials that represent part of a user's name. You can use this value for the user's middle initial. This parameter sets the Initials property of a user. The LDAP Display Name (ldapDisplayName) of this property is "initials".

- Instance:Specifies an instance of a user object to use as a template for a new user object.
You can use an instance of an existing user object as a template or you can construct a new user object for template use. You can construct a new user object using the Windows PowerShell command line or by using a script. The following examples show how to use these two methods to create user object templates.
Method 1: Use an existing user object as a template for a new object. To retrieve an instance of an existing user object, use a cmdlet such as Get-ADUser. Then provide this object to the Instance parameter of the New-ADUser cmdlet to create a new user object. You can override property values of the new object by setting the appropriate parameters.
$userInstance = Get-ADUser -Identity "saraDavis"
New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance -DisplayName "EllenAdams"
Method 2: Create a new ADUser object and set the property values by using the Windows PowerShell command line interface. Then pass this object to the Instance parameter of the New-ADUser cmdlet to create the new Active Directory user object.
$userInstance = new-object Microsoft.ActiveDirectory.Management.ADUser
$userInstance.DisplayName = "Ellen Adams"
New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance

- LogonWorkstations:Specifies the computers that the user can access. To specify more than one computer, create a single comma-separated list. You can identify a computer by using the Security Accounts Manager (SAM) account name (sAMAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of the computer.
The LDAP display name (ldapDisplayName) for this property is "userWorkStations".

- Manager:Specifies the user's manager. This parameter sets the Manager property of a user. This parameter is set by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property.
Distinguished Name
Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
SAM Account Name (sAMAccountName)
Example: saradavis
The LDAP Display Name (ldapDisplayName) of this property is "manager".

- MobilePhone:Specifies the user's mobile phone number. This parameter sets the MobilePhone property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "mobile".

- Name:Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is "name".

- Office:Specifies the location of the user's office or place of business. This parameter sets the Office property of a user object. The LDAP display name (ldapDisplayName) of this property is "office".

- OfficePhone:Specifies the user's office telephone number. This parameter sets the OfficePhone property of a user object. The LDAP display name (ldapDisplayName) of this property is "telephoneNumber".

- Organization:Specifies the user's organization. This parameter sets the Organization property of a user object. The LDAP display name (ldapDisplayName) of this property is "o".

- OtherAttributes:Specifies object attribute values for attributes that are not represented by cmdlet parameters. You can set one or more parameters at the same time with this parameter. If an attribute takes more than one value, you can assign multiple values. To identify an attribute, specify the LDAPDisplayName (ldapDisplayName) defined for it in the Active Directory schema.
Syntax:
To specify a single value for an attribute:
-OtherAttributes @{'AttributeLDAPDisplayName'=value}
To specify multiple values for an attribute:
-OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...}
You can specify values for more than one attribute by using semicolons to separate attributes. The following syntax shows how to set values for multiple attributes:
-OtherAttributes @{'Attribute1LDAPDisplayName'=value; 'Attribute2LDAPDisplayName'=value1,value2;...}.

- OtherName:Specifies a name in addition to a user's given name and surname, such as the user's middle name. This parameter sets the OtherName property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "middleName".

- PassThru:Returns the new or modified object. By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

- PasswordNeverExpires:Specifies whether the password of an account can expire. This parameter sets the PasswordNeverExpires property of an account object. This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the Active Directory User Account Control attribute. Possible values for this parameter include:
$false or 0
$true or 1

- PasswordNotRequired:Specifies whether the account requires a password. A password is not required for a new account. This parameter sets the PasswordNotRequired property of an account object.

- Path:Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created.
In many cases, a default value will be used for the Path parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules will be evaluated.
In AD DS environments, a default value for Path will be set in the following cases:
  - If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
  - If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container.
  - If none of the previous cases apply, the default value of Path will be set to the default partition or naming context of the target domain.
In AD LDS environments, a default value for Path will be set in the following cases:
  - If the cmdlet is run from an Active Directory PowerShell provider drive, the parameter is set to the current path of the provider drive.
  - If the cmdlet has a default path, this will be used. For example: in New-ADUser, the Path parameter would default to the Users container.
  - If the target AD LDS instance has a default naming context, the default value of Path will be set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
  - If none of the previous cases apply, the Path parameter will not take any default value.

- POBox:Specifies the user's post office box number. This parameter sets the POBox property of a user object. The LDAP Display Name (ldapDisplayName) of this property is "postOfficeBox".

- PostalCode:Specifies the user's postal code or zip code. This parameter sets the PostalCode property of a user. The LDAP Display Name (ldapDisplayName) of this property is "postalCode".

- ProfilePath:Specifies a path to the user's profile. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ProfilePath property of the user object. The LDAP display name (ldapDisplayName) for this property is "profilePath".

- SamAccountName:Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is "sAMAccountName".

- ScriptPath:Specifies a path to the user's log on script. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ScriptPath property of the user. The LDAP display name (ldapDisplayName) for this property is "scriptPath".

- Server:Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
  Fully qualified domain name
  Examples: corp.contoso.com
  NetBIOS name
  Example: CORP
Directory server values:
  Fully qualified directory server name
  Example: corp-DC12.corp.contoso.com
  NetBIOS name
  Example: corp-DC12
  Fully qualified directory server name and port
  Example: corp-DC12.corp.contoso.com:3268
The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
  - By using Server value from objects passed through the pipeline.
  - By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
  - By using the domain of the computer running PowerShell.

- ServicePrincipalNames:Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add, remove, replace or clear service principal name values.
Syntax:
To add values:
-ServicePrincipalNames @{Add=value1,value2,...}
To remove values:
-ServicePrincipalNames @{Remove=value3,value4,...}
To replace values:
-ServicePrincipalNames @{Replace=value1,value2,...}
To clear all values:
-ServicePrincipalNames $null
You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names.
@{Add=value1,value2,...};@{Remove=value3,value4,...}
The operators will be applied in the following sequence:
..Remove
..Add
..Replace

- SmartcardLogonRequired:Specifies whether a smart card is required to logon. This parameter sets the SmartCardLoginRequired property for a user. This parameter also sets the ADS_UF_SMARTCARD_REQUIRED flag of the Active Directory User Account Control attribute. Possible values for this parameter are:
$false or 0
$true or 1

- State:Specifies the user's or Organizational Unit's state or province. This parameter sets the State property of a User or Organizational Unit object. The LDAP display name (ldapDisplayName) of this property is "st".

- StreetAddress:Specifies the user's street address. This parameter sets the StreetAddress property of a user object. The LDAP display name (ldapDisplayName) of this property is "streetAddress".

- Surname:Specifies the user's last name or surname. This parameter sets the Surname property of a user object. The LDAP display name (ldapDisplayName) of this property is "sn".

- Title:Specifies the user's title. This parameter sets the Title property of a user object. The LDAP display name (ldapDisplayName) of this property is "title".

- TrustedForDelegation:Specifies whether an account is trusted for Kerberos delegation. A service that runs under an account that is trusted for Kerberos delegation can assume the identity of a client requesting the service. This parameter sets the TrustedForDelegation property of an account object. This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the Active Directory User Account Control attribute. Possible values for this parameter are:
$false or 0
$true or 1

- Type:Specifies the type of object to create. Set the Type parameter to the LDAP display name of the Active Directory Schema Class that represents the type of object that you want to create. The selected type must be a subclass of the User schema class. If this parameter is not specified it will default to "User".

- UserPrincipalName:Each user account has a user principal name (UPN) in the format @. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box.

- Confirm:Prompts you for confirmation before executing the command.

- WhatIf:Describes what would happen if you executed the command without actually executing the command.
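
Method 3 binds each CSV column to the New-ADUser parameter of the same name, so the file decides what is set, including AccountPassword, AllowReversiblePasswordEncryption, PasswordNotRequired and TrustedForDelegation. The following is an added example, not part of the original project: it accepts only an allow-list of columns, generates the initial password itself as a SecureString and pins the sensitive flags. The CSV layout, the file name and $TargetBase are assumptions.

```powershell
# Added example, not from the original project.
# Assumed ';'-delimited CSV header: Name;SamAccountName;GivenName;Surname;Path
Import-Module ActiveDirectory

$CsvPath        = 'C:\Data\Users.csv'              # hypothetical file name
$TargetBase     = 'OU=ou93265,DC=example,DC=test'  # hypothetical destination container
$AllowedColumns = 'Name', 'SamAccountName', 'GivenName', 'Surname', 'Path'

function Get-RandomIndex([int]$Max) {
    # Uniform index in [0, $Max) for $Max <= 256, taken from the OS CSPRNG.
    # Rejection sampling avoids modulo bias.
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Max
}

function New-RandomSecurePassword([int]$Length = 24) {
    # Random initial password containing upper, lower, digit and symbol characters.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@_'
    do {
        $chars = 1..$Length | ForEach-Object { $alphabet[(Get-RandomIndex $alphabet.Length)] }
        $plain = -join $chars
    } until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and
             $plain -match '[0-9]' -and $plain -match '[^A-Za-z0-9]')
    # -AccountPassword takes a SecureString, not the plain text a CSV would supply.
    ConvertTo-SecureString -String $plain -AsPlainText -Force
}

$rows = @(Import-Csv -Path $CsvPath -Delimiter ';')
if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }

# Reject the file if it carries any column outside the allow-list, for example
# AccountPassword, AllowReversiblePasswordEncryption or TrustedForDelegation.
$columns    = @($rows[0].PSObject.Properties | ForEach-Object { $_.Name })
$unexpected = @($columns | Where-Object { $AllowedColumns -notcontains $_ })
if ($unexpected.Count -gt 0) { throw "Unexpected CSV columns: $($unexpected -join ', ')" }

foreach ($row in $rows) {
    $sam = $row.SamAccountName
    if ([string]::IsNullOrEmpty($row.Name) -or [string]::IsNullOrEmpty($sam) -or $sam.Length -gt 20) {
        Write-Warning "Skipping row with missing Name or invalid SamAccountName: '$sam'"
        continue
    }
    # Only create objects inside the intended destination container.
    $underTarget = $row.Path -and ($row.Path -eq $TargetBase -or
        $row.Path.EndsWith(",$TargetBase", [System.StringComparison]::OrdinalIgnoreCase))
    if (-not $underTarget) {
        Write-Warning "Skipping '$sam': Path is outside $TargetBase"
        continue
    }
    $params = @{
        Name                              = $row.Name
        SamAccountName                    = $sam
        Path                              = $row.Path
        AccountPassword                   = New-RandomSecurePassword
        Enabled                           = $false   # enable after a controlled password reset
        ChangePasswordAtLogon             = $true
        PasswordNeverExpires              = $false
        PasswordNotRequired               = $false
        AllowReversiblePasswordEncryption = $false
        TrustedForDelegation              = $false
    }
    foreach ($opt in 'GivenName', 'Surname') {
        if (-not [string]::IsNullOrEmpty($row.$opt)) { $params[$opt] = $row.$opt }
    }
    New-ADUser @params -WhatIf   # remove -WhatIf once the dry run looks right
}
```

The generated password is never written anywhere, so each account stays disabled until an administrator resets its password and enables it.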

Creating the export scripts.
Now that the theory is understood and we have a clearer idea of what the project requires, it is time to start writing the scripts that will export the structure of our source domain controller.
To write them we rely on the commands explained in the previous sections, but without using all of their parameters, only those we highlighted with a blue background.

Export script for the Organizational Units (OU):
Get-ADOrganizationalUnit -Searchbase "OU=ou93265, dc=losmaic, dc=com" -filter * | Select-Object -Property Name, DistinguishedName | export-csv -Delimiter ";" -path "C:\Data\Domini1.csv"

Get-ADOrganizationalUnit -Searchbase "OU=ougs, OU=ou93265, DC=losmaic, DC=com" -filter * | Select-Object -Property Name, DistinguishedName | export-csv -Delimiter ";" -path "C:\Data\Domini2.csv"

Get-ADOrganizationalUnit -Searchbase "OU=ougm, OU=ou93265, DC=losmaic, DC=com" -filter * | Select-Object -Property Name, DistinguishedName | export-csv -Delimiter ";" -path "C:\Data\Domini3.csv"

The first script obtains the structure of Organizational Units (OU). For this we use the Get-ADOrganizationalUnit command which, as mentioned in the theory part, retrieves an object from Active Directory (AD), in this case, as its name indicates, an Organizational Unit (OU).
Next, we are clear about several of the options we will need. The first is the path from which to start retrieving AD objects, which we set with the command's Searchbase parameter; it says where in the domain the search starts. Note that it differs in each part of the script, because we want to search in three specific places: the parent OU "OU=ou93265, dc=losmaic, dc=com" and its two direct child OUs, "OU=ougs, OU=ou93265, DC=losmaic, DC=com" and "OU=ougm, OU=ou93265, DC=losmaic, DC=com".
The next thing we need is the filter. Since in this case we do not need any particular kind of OU but want all of them, we use the Filter parameter followed by the * sign, which means it takes any OU it finds without discrimination.
Once these two parameters are set, note the use of a pipeline (|); this ends the first part of our command. What we have so far already returns all the information for all the Organizational Units.
But since we do not want all of it, only certain properties, we apply Select-Object -Property and tell it to take Name and DistinguishedName, the two fields of information we will need for the later import.
Finally, with the desired information in hand, all that remains is Export-CSV, which exports the information to the CSV file. We also adjust it: the delimiter, with -Delimiter ";" setting ; as the separator, and lastly the mandatory parameter, -path, giving the location where we want the resulting CSV files saved. In these cases it is C:\Data\NomdelCSV.csv.
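
Get-ADOrganizationalUnit searches the whole subtree under the search base by default, so the first command above already returns the OUs that the second and third commands export again. The following added example (not the project's script) exports once and adds ParentDN and Depth columns, sorted so that an import can create parents before children; the output file name and the two extra columns are assumptions.

```powershell
# Added example, not from the original project.
Import-Module ActiveDirectory

$SourceBase = 'OU=ou93265,DC=losmaic,DC=com'   # search base used on the page
$OutFile    = 'C:\Data\Domini_OUs.csv'         # hypothetical output file

function Split-DistinguishedName([string]$DN) {
    # Split into RDNs on commas that are not preceded by a backslash, so an
    # escaped comma inside an OU name stays in its RDN. An escaped backslash
    # directly before a separator comma is not handled.
    [regex]::Split($DN, '(?<!\\),') | ForEach-Object { $_.Trim() }
}

function Get-ParentDN([string]$DN) {
    # Everything after the first RDN; this is the value an import passes as the parent path.
    $rdns = @(Split-DistinguishedName $DN)
    if ($rdns.Count -lt 2) { return '' }
    $rdns[1..($rdns.Count - 1)] -join ','
}

function Get-DNDepth([string]$DN) {
    # Number of RDNs; a parent always has a smaller depth than its children.
    @(Split-DistinguishedName $DN).Count
}

Get-ADOrganizationalUnit -SearchBase $SourceBase -SearchScope Subtree -Filter * |
    Select-Object -Property Name, DistinguishedName,
        @{ Name = 'ParentDN'; Expression = { Get-ParentDN $_.DistinguishedName } },
        @{ Name = 'Depth';    Expression = { Get-DNDepth  $_.DistinguishedName } } |
    Sort-Object -Property Depth, DistinguishedName |
    Export-Csv -Delimiter ';' -NoTypeInformation -Encoding UTF8 -Path $OutFile
```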

Export script for Security Groups GG, GL, GU:
Exporting GG:
Get-ADGroup -SearchScope OneLevel -Searchbase "OU=ou93265,dc=losmaic,dc=com" -filter {GroupScope -eq "Global"} | Select-Object -Property Name | Export-csv -Delimiter ";" -path C:\Data\Exported_GG_raiz.csv

Get-ADGroup -SearchScope OneLevel -Searchbase "OU=ougm,OU=ou93265,dc=losmaic,dc=com" -filter {GroupScope -eq "Global"} | Select-Object -Property Name | Export-csv -Delimiter ";" -path C:\Data\Exported_GG_GM.csv

Get-ADGroup -SearchScope OneLevel -Searchbase "OU=ousmx,OU=ougm,OU=ou93265,dc=losmaic,dc=com" -filter {GroupScope -eq "Global"} | Select-Object -Property Name | Export-csv -Delimiter ";" -path C:\Data\Exported_GG_SMX.csv

Get-ADGroup -SearchScope OneLevel -Searchbase "OU=ousmx2,OU=ougm,OU=ou93265,dc=losmaic,dc=com" -filter {GroupScope -eq "Global"} | Select-Object -Property Name | Export-csv -Delimiter ";" -path C:\Data\Exported_GG_SMX2.csv

Get-ADGroup -SearchScope OneLevel -SearchBase "OU=ougs,OU=ou93265,DC=losmaic,DC=com" -filter {GroupScope -eq "Global"} | Select-Object -Property Name | Export-csv -Delimiter ";" -path C:\Data\Exported_GG_GS.csv

Get-ADGroup -SearchScope OneLevel -SearchBase "OU=ouasix1,OU=ougs,OU=ou93265,DC=losmaic,DC=com" -filter {GroupScope -eq "Global"} | Select-Object -Property Name | Export-csv -Delimiter ";" -path C:\Data\Exported_GG_ASIX.csv

Get-ADGroup -SearchScope OneLevel -SearchBase "OU=ouasix2,OU=ougs,OU=ou93265,DC=losmaic,DC=com" -filter {GroupScope -eq "Global"} | Select-Object -Property Name | Export-csv -Delimiter ";" -path C:\Data\Exported_GG_ASIX2.csv

Get-ADGroup -SearchScope OneLevel -SearchBase "OU=oudaw1,OU=ougs,OU=ou93265,DC=losmaic,DC=com" -filter {GroupScope -eq "Global"} | Select-Object -Property Name | Export-csv -Delimiter ";" -path C:\Data\Exported_GG_DAW1.csv

Get-ADGroup -SearchScope OneLevel -SearchBase "OU=oudaw2,OU=ougs,OU=ou93265,DC=losmaic,DC=com" -filter {GroupScope -eq "Global"} | Select-Object -Property Name | Export-csv -Delimiter ";" -path C:\Data\Exported_GG_DAW2.csv

Continuing in order, the next step is exporting the Security Groups: Global, Local and Universal. Pay attention, because the group export is explained only here: the only difference between them is the setting of the parameter {GroupScope -eq "Global"}, where we set the value for the group we want, choosing among [Global, DomainLocal or Universal]. Leaving that aside, since it is explained further on, let us start the explanation of the group export.
To begin, the command in this case is Get-ADGroup, which retrieves an Active Directory object that, as its name indicates, is a group.
The next step is to indicate at how many levels we want it to collect groups. We do this with SearchScope, to which we give the option OneLevel; this tells it to take only the groups at the level we set in the next parameter, SearchBase, which says where to start searching for these groups.
To sum up, with the script above configured as it is, we are telling it to take the groups