Raj001

Reputation: 1

Powershell commands for on premise active directory

I want to run PowerShell commands to access on-premise directory data (view/update). I do not own the IT support systems in my project, so I cannot directly access the Windows server where the on-premise AD is hosted. As a developer, what access do I need to run the PowerShell commands, and where should I run them? Can I run them on my own machine by accessing the Windows server?

Upvotes: 0

Views: 7643

Answers (4)

postanote

Reputation: 16106

Ditto to what mak47 said!!!

You must have the rights and privileges to do this.

Unless you are only reading ADDS, you really should not be poking at it.

Never, ever run destructive code:

  • new
  • create
  • add
  • update
  • modify
  • delete
  • rename
  • move

etc., on a target (host, files, AD, Exchange, et al.) without checking yourself first. Master -WhatIf, -Confirm, and detailed error handling.

If you are not allowed to install RSAT, then you can use PowerShell implicit remoting to proxy the ADDS cmdlets to your workstation, if PowerShell Remoting is enabled in your environment. Though note, the cmdlets are only available per PowerShell session. So, put the below in your PowerShell profile, or create a script with the below that you can dot-source for use.

# Open a remoting session to a host that has the ADDS cmdlets installed (replace 'vmhost').
$ADSession = New-PSSession -ComputerName vmhost -Credential (Get-Credential)
# Load the ActiveDirectory module inside the remote session.
Invoke-Command -Session $ADSession -ScriptBlock { Import-Module -Name ActiveDirectory }
# Proxy the module's cmdlets into the local session (implicit remoting); they last only as long as $ADSession.
Import-PSSession -Session $ADSession -Module ActiveDirectory

See details here:

https://devblogs.microsoft.com/scripting/an-introduction-to-powershell-remoting-part-four-sessions-and-implicit-remoting

https://mikefrobbins.com/2015/08/05/using-powershell-for-remote-server-administration-in-windows-10-rtm-without-the-rsat-tools

Of course, the above is not limited to ADDS: you can do this for Exchange, SQL, SharePoint, etc., to proxy those cmdlets to your workstation.

You can also work with ADDS objects without RSAT at all via ADSI, which is the way it was done before Monad/PowerShell ever existed, via VBScript and WMI (WMIC.exe).

Working with Active Directory using PowerShell ADSI adapter

https://social.technet.microsoft.com/wiki/contents/articles/4231.working-with-active-directory-using-powershell-adsi-adapter.aspx

# Searching for an object in Active Directory.
# SearchRoot must be a container above the object you want; the filter is only matched below it.
$Searcher            = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.Filter     = '(&(objectCategory=person)(anr=gusev))'
$Searcher.SearchRoot = [ADSI]'LDAP://OU=Laptops,OU=Computers,DC=contoso,DC=com'
$Searcher.FindAll()   # returns SearchResult objects; use .Properties or .GetDirectoryEntry() on each

# Setting the "Password never expires" attribute on the user object.
# 65536 (0x10000) is the ADS_UF_DONT_EXPIRE_PASSWD flag in userAccountControl.
# ADSI has no -WhatIf, so read the current value and confirm the DN before calling SetInfo().
$User = [ADSI]"LDAP://cn=Gusev,ou=Users,ou=Lab,dc=contoso,dc=com"
$UAC  = $User.UserAccountControl[0] -bor 65536   # OR the flag in, keep all other flags
$User.Put("userAccountControl",$UAC)
$User.SetInfo()                                   # nothing is written until SetInfo()

Use tools that will write the AD PowerShell for you, that you can copy and use as generated or paste in the ISE or VSCode to tweak as needed.

See details here:

Introduction to Active Directory Administrative Center ...

https://www.petri.com/use-active-directory-administrative-center-create-powershell-commands

• Active Directory Administrative Center: Getting Started

https://technet.microsoft.com/en-us/library/dd560651(v=ws.10).aspx

• Active Directory Administrative Center

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center

Upvotes: 0
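As an added example that is not part of the answer above, the following script puts the two pieces of advice together: it proxies the ActiveDirectory cmdlets from a jump host with implicit remoting, reads first, dry-runs the write with -WhatIf, and only performs the real write behind -Confirm with a captured rollback value. The host name 'jumphost01', the sAMAccountName 'jdoe' and the Department value are placeholders I chose; PowerShell Remoting must be enabled and the credential needs at least read rights on the domain.

```powershell
# Added example (not from the original answer): proxy the ActiveDirectory cmdlets
# from a jump host and make a guarded, reversible change.
# Assumptions: 'jumphost01' has the ADDS cmdlets installed, WinRM is enabled,
# and the credential entered has at least read access to the domain.

$ErrorActionPreference = 'Stop'

$JumpHost = 'jumphost01'                                   # assumed host name
$Cred     = Get-Credential -Message "Account with AD rights on $JumpHost"

# 1. Build the session and proxy the module with a prefix, so the proxied
#    cmdlets (Get-RemoteADUser, Set-RemoteADUser, ...) cannot be confused
#    with a locally installed ActiveDirectory module.
$ADSession = New-PSSession -ComputerName $JumpHost -Credential $Cred
Invoke-Command -Session $ADSession -ScriptBlock { Import-Module ActiveDirectory }
$Proxy = Import-PSSession -Session $ADSession -Module ActiveDirectory `
                          -Prefix Remote -AllowClobber

# 2. Read first. Ask only for the attributes you need; '-Properties *' pulls
#    every attribute across the wire and is slow on a large directory.
$Sam  = 'jdoe'                                             # assumed sAMAccountName
$User = Get-RemoteADUser -Identity $Sam -Properties Department, Description
"{0}: Department='{1}' Description='{2}'" -f $User.SamAccountName, $User.Department, $User.Description

# 3. Dry-run the write. -WhatIf reports what WOULD change and touches nothing.
Set-RemoteADUser -Identity $Sam -Department 'Engineering' -WhatIf

# 4. The real write runs only when explicitly enabled, prompts via -Confirm,
#    and keeps the previous value so the change can be undone.
$DoIt = $false                                              # flip to $true on purpose
if ($DoIt) {
    $Before = $User.Department
    try {
        Set-RemoteADUser -Identity $Sam -Department 'Engineering' -Confirm
        $After = (Get-RemoteADUser -Identity $Sam -Properties Department).Department
        "Changed Department '$Before' -> '$After' (rollback: Set-RemoteADUser -Identity $Sam -Department '$Before')"
    }
    catch {
        # Over implicit remoting the error arrives deserialized, so match on the
        # record rather than on the original exception type.
        Write-Warning ("AD write failed ({0}): {1}" -f $_.FullyQualifiedErrorId, $_.Exception.Message)
    }
}

# 5. Clean up: the proxied cmdlets live only as long as the session.
Remove-Module -ModuleInfo $Proxy
Remove-PSSession $ADSession
```

An "insufficient access rights" failure at step 4 is the directory telling you that the account lacks a delegation on that object; the fix is to request the delegation, not to retry with a more privileged credential.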

Zachary Fischer

Reputation: 391

There are several ways of doing this, but the most common is to use Microsoft's modules for Active Directory PowerShell. Here is information on the AD modules from Microsoft: Active Directory Module

You would install RSAT (Remote Server Administration Tools) on your machine. This will allow you to run all of the built-in PowerShell commands that are usually used on servers.

As far as access and where to run the commands, that is a very complicated topic. Active Directory has a granular permission system that can be configured and this will all depend on what the tool you are writing does.

When you install RSAT you can use "Active Directory Users and Computers". This tool will give you a GUI to explore the domain within the permissions your domain account has. Most of the time I find that you will be able to view a lot of the data and you would be able to use the "Get-" commands with a normal domain logon, which is a good place to start; from there you can request additional permissions from a domain admin as needed.

I highly suggest that you find time to work with someone who knows AD inside and out. Always learn how to do the activity in the GUI before trying to code anything. From a development standpoint, AD dev-ops is the same as writing code in production: it's dangerous and should really only be done by someone with expertise as both a developer and a domain administrator.

Upvotes: 0

Santiago Squarzon

Reputation: 60728

You'll need RSAT installed on your personal computer if you're gonna work there: https://learn.microsoft.com/en-US/troubleshoot/windows-server/system-management-components/remote-server-administration-tools.

Once you have RSAT you'll have the ActiveDirectory PS module available to you.

As a developer what access do i need to run the powershell commands and where should I run them

Depends on the actions you wanna perform, if you're not gonna perform any changes on AD then read access.

Upvotes: 1
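Both answers above come down to the same two steps: install RSAT on the workstation, then find out whether your ordinary domain account is limited to reading. The script below is an added example, not code from either answer: it installs the ActiveDirectory module through Windows Features on Demand, confirms the module loads, and then reads the ACL of one OU to show which entries apply to the SIDs in your own logon token. The OU distinguished name is a placeholder I chose; the install step needs an elevated shell on a domain-joined Windows 10 (1809 or later) or Windows 11 client.

```powershell
# Added example (not from either answer): install the AD RSAT tools on a
# workstation, then inspect what the logged-on account is allowed to do on one OU.
# Assumptions: domain-joined Windows 10/11 client, elevated shell for step 1,
# and a placeholder OU DN of OU=Lab,DC=contoso,DC=com.

# 1. Install the ActiveDirectory PowerShell module (Features on Demand).
$Cap = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
if ((Get-WindowsCapability -Online -Name $Cap).State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $Cap | Out-Null
}
Import-Module ActiveDirectory

# 2. Read access with a plain domain account is the normal baseline.
$Me = Get-ADUser -Identity $env:USERNAME -Properties MemberOf
"Logged on as $($Me.DistinguishedName)"

# 3. Collect the SIDs in my token (user plus every group, nested ones included);
#    the OU's ACL is expressed in terms of these.
$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids   = @($Identity.Groups) + $Identity.User

# 4. Pull the OU's security descriptor through the AD: drive that the module
#    provides and keep only the ACEs that name one of my SIDs.
$OU   = 'OU=Lab,DC=contoso,DC=com'                    # placeholder DN
$Acl  = Get-Acl -Path "AD:\$OU"
$Mine = $Acl.Access | Where-Object {
    $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
           catch { $null }
    $sid -and ($MySids -contains $sid)
}

$Mine |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, ObjectType |
    Format-Table -AutoSize

# 5. Decide. This checks explicit Allow entries only (Deny entries and
#    per-attribute ObjectType scoping are not evaluated), so it is a quick
#    indicator, not a full effective-permissions calculation.
$WriteMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::CreateChild   -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
$CanWrite = $Mine | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights -band $WriteMask) -ne 0)
}
if ($CanWrite) { 'Some write right is granted on this OU; use -WhatIf before any change.' }
else           { 'Read-only on this OU for this account; ask the domain owners for a delegation.' }
```

If the listing shows nothing beyond read entries for Authenticated Users or Domain Users, the Set-/New-/Remove-AD* cmdlets will fail with an insufficient-rights error on that OU, which answers the "what access do I need" half of the question before any code is written.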

user15357112

There are a few concerns with this, the first being the demarcation between the development team and the infrastructure team.

Unless you know exactly what you're doing, you shouldn't really be poking around inside AD with write permissions at least and I don't get the impression that's the case otherwise you probably wouldn't be asking!

Rather than trying to circumvent whatever is preventing you from accessing AD directly, speak to the person responsible for your AD domain and they can give you the domain details to join.

Upvotes: 2
