September 1, 2015

PowerShell - Active Directory - Windows 2003/2003R2/2008

Hello. Today I will cover an interesting topic. I asked myself how to manage Active Directory using PowerShell when the AD role is installed on Windows Server 2003 (2003 R2) or even 2008 (any Service Pack, but not R2).

You have to install Active Directory Web Services (ADWS; on Windows Server 2003/2008 it ships as the Active Directory Management Gateway Service, KB968934) to manage AD with PowerShell in this case. Here the challenge comes up. An important hotfix (KB969166) is required, but it is not available for download. As a result it is not possible to deploy ADWS, and you get the following error message in KB968934.log during installation:

FileVersion of C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\\System.DirectoryServices.AccountManagement.dll is Less Than 3.5.30729.4126

If you go to the "C:\WINDOWS\Assembly" folder in Explorer you will see that it is not possible to locate the GAC_MSIL folder (Explorer shows the assembly cache view instead of the real folder tree). That is another story, and I will describe the workaround a bit later. Let's check the System.DirectoryServices.AccountManagement.dll version. It shows 3.5.30729.1. This component was installed by the required .NET Framework 3.5 SP1.

The workaround is to get access to the GAC_MSIL folder and replace the System.DirectoryServices.AccountManagement.dll file with a newer version so the installation can complete. Obviously this is not a supported way, but it works. The supported and much easier way I will show at the end of this post.

To show the folder structure under the C:\WINDOWS\Assembly path you have to do the following steps:
Go to the %windir%\assembly folder in CMD.
Type "attrib -r -h -s desktop.ini"
Then "ren desktop.ini desktop.bak" (to revert the change run "ren desktop.bak desktop.ini")
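The same steps as a script, added here as an example and not part of the original post: it hides desktop.ini so the real GAC_MSIL tree can be browsed, checks the file version of System.DirectoryServices.AccountManagement.dll against the 3.5.30729.4126 minimum quoted in KB968934.log, optionally performs the (unsupported) DLL swap, and always puts desktop.ini back. The $NewerDll path is an assumption (a newer copy of the DLL, for example one taken from a newer Windows installation); leave it $null to only check. Run it as an administrator on the domain controller.

```powershell
# Added example, not from the original post. $NewerDll is an assumed path to a newer
# copy of the DLL; leave $null to only report the installed version.
$NewerDll     = $null
$AssemblyRoot = Join-Path $env:windir 'assembly'
$DesktopIni   = Join-Path $AssemblyRoot 'desktop.ini'
$Minimum      = [Version]'3.5.30729.4126'   # threshold quoted in KB968934.log

# 1. Temporarily remove desktop.ini so the assembly folder shows its real tree
if (Test-Path $DesktopIni) {
    attrib -r -h -s $DesktopIni
    Rename-Item $DesktopIni 'desktop.bak'
}

try {
    # 2. Locate the DLL; the version-named subfolder under GAC_MSIL varies, so search for it
    $dll = Get-ChildItem -Path (Join-Path $AssemblyRoot 'GAC_MSIL') -Recurse `
               -Filter 'System.DirectoryServices.AccountManagement.dll' `
               -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $dll) {
        throw 'System.DirectoryServices.AccountManagement.dll not found in GAC_MSIL (is .NET 3.5 SP1 installed?)'
    }

    # FileVersion strings often carry text such as "built by: SP", so use the numeric parts
    $vi = $dll.VersionInfo
    $installed = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart,
                                                          $vi.FileBuildPart, $vi.FilePrivatePart
    Write-Host ("Installed: {0}  Required: >= {1}" -f $installed, $Minimum)

    if ($installed -ge $Minimum) {
        Write-Host 'Version is sufficient; the ADWS installer check should pass.'
    }
    elseif ($NewerDll -and (Test-Path $NewerDll)) {
        # 3. Unsupported workaround from the post: back up the original, then copy the newer DLL in
        Copy-Item $dll.FullName ($dll.FullName + '.bak') -Force
        Copy-Item $NewerDll $dll.FullName -Force
        Write-Host ("Replaced with file version {0}" -f (Get-Item $dll.FullName).VersionInfo.FileVersion)
    }
    else {
        Write-Warning 'Version too old: install KB969166 (supported) or set $NewerDll to replace the file.'
    }
}
finally {
    # 4. Restore desktop.ini and its attributes so the folder shows its normal shell view again
    $bak = Join-Path $AssemblyRoot 'desktop.bak'
    if (Test-Path $bak) {
        Rename-Item $bak 'desktop.ini'
        attrib +r +h +s $DesktopIni
    }
}
```

The backup copy (.bak next to the original) is what lets you undo the swap if ADWS later misbehaves; keep it until the supported hotfix is applied.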

Once you can reach the DLL you can simply replace it with any newer version. I took it from my Windows 8.1 workstation (3.5.30729.70903). Then the ADWS installation completed successfully, and you can run the Active Directory PowerShell module against this domain from any domain-joined workstation that has RSAT installed.

I was really surprised when I downloaded the Quest PowerShell module and could successfully run scripts against the same Active Directory without ADWS installed. One more great note: I was able to install the Dell (Quest) AD PowerShell module even on Windows Server 2003.

Here is the PowerShell script that I actually wanted to run against the Windows Server 2003 Domain Controller:

```powershell
# Membership report for mail-enabled AD groups, using the Quest (Dell) AD cmdlets
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Only groups that have a mail attribute; -SizeLimit 0 lifts the cmdlets' default 1000-object cap
$Groups = Get-QADGroup -SizeLimit 0 | Where-Object { $_.Mail }

$Report = foreach ($Group in $Groups) {
    # Direct members only; entries without a UPN (nested groups, contacts) are skipped
    $members = Get-QADGroupMember -Identity $Group -SizeLimit 0 |
        Where-Object { $_.UserPrincipalName } |
        Select-Object -ExpandProperty UserPrincipalName
    foreach ($member in $members) {
        "" | Select-Object @{Name = "Group"; Expression = { $Group.Mail }},
                           @{Name = "Member"; Expression = { $member }}
    }
}

$Report | Export-Csv GroupsAndMembers.csv -NoTypeInformation
```

It queries only the AD groups that have a mail attribute and produces a membership report (group mail address, member UPN). The results are exported to a CSV file.
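Once ADWS is in place, the same report can be built with the RSAT ActiveDirectory module instead of the Quest cmdlets. The following is an added example, not code from the original post: it first confirms that the management gateway is actually listening on TCP 9389 (the port ADWS uses), because the AD module fails in confusing ways when it is not, and then produces the same group-to-UPN CSV. The domain controller name is an assumption.

```powershell
# Added example, not from the original post. $DomainController is an assumed DC name.
param(
    [string]$DomainController = 'dc01.corp.example'
)

function Test-AdwsPort {
    # ADWS (and the Management Gateway on 2003/2008) listens on TCP 9389; without it the
    # ActiveDirectory module cannot talk to the DC at all.
    param([string]$ComputerName, [int]$Port = 9389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch {
        return $false
    }
    finally {
        $client.Close()
    }
}

if (-not (Test-AdwsPort -ComputerName $DomainController)) {
    throw "ADWS (TCP 9389) is not reachable on $DomainController; install ADWS/ADMGS there or use the Quest cmdlets instead."
}

Import-Module ActiveDirectory

# Only groups with a mail attribute, read from the DC we just checked
$Groups = Get-ADGroup -Server $DomainController -Filter 'mail -like "*"' -Properties mail

$Report = foreach ($Group in $Groups) {
    # Direct members only (add -Recursive to Get-ADGroupMember to expand nested groups)
    Get-ADGroupMember -Server $DomainController -Identity $Group |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $upn = (Get-ADUser -Server $DomainController -Identity $_.DistinguishedName).UserPrincipalName
            if ($upn) {
                "" | Select-Object @{Name = 'Group'; Expression = { $Group.mail }},
                                   @{Name = 'Member'; Expression = { $upn }}
            }
        }
}

$Report | Export-Csv GroupsAndMembers-ADModule.csv -NoTypeInformation
```

The port check is the quickest way to tell the two situations apart: the Quest cmdlets talk LDAP directly and work against a bare 2003 DC, while anything based on the ActiveDirectory module needs 9389 open on the DC you target with -Server.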

9/9/2015 Update. KB969166 can be downloaded here. By the way, the Quest PowerShell tools can be virtualized as a portable app via Cameyo; I have it portable at 52 MB in size.
