Managing Computer Accounts - Windows PowerShell for Administration: The Personal Trainer (2015)

Chapter 9. Managing Computer Accounts

Computers have attributes that you can manage, including names and group memberships. You can add computer accounts to any container or organizational unit (OU) in Active Directory. However, the best containers to use are Computers, Domain Controllers, and any OUs that you’ve created. The standard Windows tool for working with computer accounts is Active Directory Users And Computers. In Windows PowerShell, you have many commands, each with a specific use. Whether you are logged on to a Windows desktop or Windows Server, you can use the techniques discussed in this section to manage computers.

Commands for Managing Computers

Commands you’ll use to manage computers in Windows PowerShell include:

· Add-Computer Adds computers to a domain or workgroup. You can specify computers by their NetBIOS name, IP address, or fully qualified domain name. To join a domain, you must specify the name of the domain to join. In domains, if a computer doesn’t have a domain account, this command also creates the domain account for the computer. A restart is required to complete the join operation. To get the results of the command, use the –Verbose and –PassThru parameters.

Add-Computer [-OUPath ADPath] [-Server Domain\ComputerName]
[[-ComputerName] ComputerNames] [-DomainName] DomainName
[-Unsecure] [-PassThru] [-Reboot] [[-Credential] CredentialObject]

Add-Computer [[-ComputerName] ComputerNames] [-WorkGroupName] Name
[-PassThru] [-Reboot] [[-Credential] CredentialObject]

· Remove-Computer Removes local and remote computers from their current workgroup or domain. When you remove a computer from a domain, Remove-Computer also disables the computer’s domain account. A restart is required to complete the unjoin operation. For domain computers, you must provide authentication credentials.

Remove-Computer [[-ComputerName] ComputerNames]
[-PassThru] [-Reboot] [[-Credential] CredentialObject]

· Rename-Computer Renames computers in workgroups and domains. When you rename a computer in a domain, Rename-Computer also changes the name in the computer’s domain account. You cannot use Rename-Computer to rename domain controllers. For remote computers, you must provide authentication credentials.

Rename-Computer [[-ComputerName] ComputerName] [-NewComputerName] NewComputerName
[-Credential CredentialObject] [-Reboot]

· Restart-Computer Restarts the operating system on local and remote computers. Use the –Force parameter to force an immediate restart of the computers.

Restart-Computer [[-ComputerName] ComputerNames] [-AsJob]
[-Authentication AuthType] [[-Credential] CredentialObject]
[-Force] [-Impersonation ImpType] [-ThrottleLimit Limit]

· Stop-Computer Shuts down local or remote computers. The –AsJob parameter runs the command as a background job, providing the computers are configured for remoting.

Stop-Computer [[-ComputerName] ComputerNames] [-AsJob]
[-Authentication AuthType] [[-Credential] CredentialObject]
[-Force] [-Impersonation ImpType] [-ThrottleLimit Limit]

· Test-Connection Sends Internet Control Message Protocol (ICMP) echo request packets (pings) to one or more remote computers, and returns the responses. As long as ICMP is not blocked by a firewall, this can help you determine whether a computer can be contacted across an IP network. You can specify both the sending and receiving computers. You also can set a time-out and the number of pings.

Test-Connection [-Count NumPings] [-Delay DelayBetweenPings]
[-TimeToLive MaxTime] [[-Source] SourceComputers]
[-Destination] DestinationComputers [-AsJob]
[-Authentication AuthType] [-BufferSize Size]
[-Credential CredentialObject] [-Impersonation ImpType]
[-ThrottleLimit Limit]

You’ll usually want to run these commands at an elevated, administrator PowerShell prompt. Regardless, you also might need to provide the appropriate credentials, and you can do this as shown in the following example:

$cred = get-credential
add-computer –domainname imaginedlands –credential $cred

When you use Get-Credential, PowerShell prompts you for a user name and password and then stores the credentials provided in the $cred variable. These credentials are then used for authentication.

When you test a connection to a computer, restart a computer, or stop a computer, note the following:

· The –Authentication parameter sets the authentication level for the WMI connection to the computer. The default value is Packet. Valid values are Unchanged (the authentication level is the same as the previous command), Default (Windows Authentication), None (no COM authentication), Connect (Connect-level COM authentication), Call (Call-level COM authentication), Packet (Packet-level COM authentication), PacketIntegrity (Packet Integrity–level COM authentication), and PacketPrivacy (Packet Privacy–level COM authentication).

· The –Impersonation parameter sets the impersonation level to use when establishing the WMI connection. The default value is Impersonate. Valid values are Default (default impersonation), Anonymous (hides the identity of the caller), Identify (allows objects to query the credentials of the caller), and Impersonate (allows objects to use the credentials of the caller).

As you can see, the default authentication technique is to use Packet-level COM authentication, and the default impersonation technique is to use the credentials of the caller. Most of the time, these are what you’ll want to use. Occasionally, you might want to use Windows Authentication rather than COM authentication. To do this, set the –Authentication parameter to Default.

Test-Connection is the PowerShell equivalent of Ping. With Test-Connection, you can determine whether you can connect to a computer by its name or IP address. To test the IPv4 address 192.168.10.55, you use the following command:

test-connection 192.168.10.55

To test the IPv6 address FEC0::02BC:FF:BECB:FE4F:961D, you use the following command:

test-connection FEC0::02BC:FF:BECB:FE4F:961D

If you receive a successful reply from Test-Connection, Test-Connection was able to connect to the computer. If you receive a time-out or “Unable to Connect” error, Test-Connection was unable to connect to the computer either because the computer was disconnected from the network, the computer was shut down, or the connection was blocked by a firewall.

Renaming Computer Accounts

Using Rename-Computer, you can easily rename workstations and member servers. If the workstation or member server is joined to a domain, the computer’s account is renamed as well. You should not, however, use Rename-Computer to rename domain controllers, servers running Certificate Services, or servers running any other services that require a specific, fixed server name.

You can rename a workstation or member server using the following command syntax:

rename-computer –ComputerName ComputerName –NewComputerName NewName -reboot

where ComputerName is the current name of the computer, and NewName is the new name for the computer. If you are renaming the local computer, you omit the –ComputerName parameter as shown in the following example:

rename-computer –NewComputerName TechPC12 -reboot

Here, you rename the local computer TechPC12. Because a reboot is required to complete the renaming, you specify that you want to reboot the computer after renaming it. If you need to specify credentials to rename a computer, you can do so as shown in the following example:

$cred = get-credential
rename-computer –NewComputerName TechPC12 –credential $cred –reboot

Joining Computers to a Domain

Any authenticated user can join a computer to a domain using Add-Computer. If the related computer account hasn’t been created, running Add-Computer also creates the computer account. When a computer joins a domain, the computer establishes a trust relationship with the domain. The computer’s security identifier is changed to match that of the related computer account in Active Directory, and the computer is made a member of the appropriate groups in Active Directory. Typically, this means the computer is made a member of the Domain Computers group. If the computer is later made a domain controller, the computer will be made a member of the Domain Controllers group instead.

REAL WORLD Before trying to join a computer to a domain, you should verify the computer’s network configuration. If the network configuration is not correct, you will need to modify the settings before attempting to join the computer to the domain. Additionally, if the computer account was created previously, only a user specifically delegated permission or an administrator can join the computer to a domain. Users must also have local administrator permissions on the local computer.

When logged on to the computer you want to join to a domain, you can use Add-Computer to simultaneously join a computer to a domain and create a computer account in the domain with the following command syntax:

add-computer –DomainName DomainName –reboot

where DomainName is the name of the Active Directory domain to join. Because you must reboot the computer to complete the join operation, you typically will want to include the –Reboot parameter. This isn’t required, however. If you don’t specify the organizational unit to use, the default organizational unit is used. Consider the following example:

$cred = get-credential
add-computer –domainname imaginedlands –credential $cred –reboot

Here, you join the local computer to the imaginedlands.com domain and create the related computer account in the default Computers container. If the computer’s name is TechPC85, the full path to this computer object is CN=TechPC85,CN=Computers,DC=imaginedlands,DC=com.

TIP Add the –PassThru and –Verbose parameters to get detailed results. Additionally, when you join a computer to a domain, you can specify the domain controller to use with the –Server parameter. Specify the server name in Domain\ComputerName format, such as imaginedlands\DcServer14. If you don’t specify the domain controller to use, any available domain controller is used.

Additionally, you can use the –OUPath parameter to specify the distinguished name of the OU into which the computer account should be placed. Consider the following example:

$cred = get-credential
add-computer –domainname imaginedlands –oupath "ou=engineering,dc=imaginedlands,dc=com" –credential $cred -reboot

Here, you join the local computer to the imaginedlands.com domain and create the related computer account in the Engineering OU. If the computer’s name is TechPC85, the full path to this computer object is CN=TechPC85,OU=Engineering,DC=imaginedlands,DC=com.

When running Add-Computer from another computer and connecting to the computer you want to join to a domain, you use the following command syntax:

add-computer –DomainName DomainName –computername ComputerNames -reboot

where DomainName is the name of the Active Directory domain to join and ComputerNames is a comma-separated list of computers joining the domain. As before, this command creates the related computer account if necessary and you optionally can use the –OUPath parameter to specify the distinguished name of the OU into which the computer account should be placed.

Consider the following example:

$cred = get-credential
add-computer –domainname imaginedlands –computername EngPC14, EngPC17 –oupath "ou=engineering,dc=imaginedlands,dc=com" –credential $cred -reboot

Here, you join EngPC14 and EngPC17 to the imaginedlands.com domain and create the related computer accounts in the Engineering OU. The OU’s distinguished name is quoted because it contains commas; left unquoted, PowerShell would split it into separate values.

You can read the list of computers to join to a domain from a file as well. Here is an example:

add-computer –domainname imaginedlands –computername (get-content c:\data\clist.txt)

Here, you add the computers listed in the C:\Data\CList.txt file to the imaginedlands.com domain. If you are joining the local computer as well as other computers, you can type “.” or “localhost” as the computer name.
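Putting the pieces of this section together, the following script is an added example (not from the book) that joins every computer listed in a file to the domain, places the accounts in a specific OU, and reports the result per computer. It assumes Windows PowerShell 3.0 or later (where Add-Computer -PassThru returns an object with a HasSucceeded property), WinRM access to the targets, and that C:\Data\CList.txt holds one computer name per line; the domain and OU names are the chapter’s fictional imaginedlands.com values.

```powershell
# Added example: bulk domain join from a list file with per-computer reporting.
# Assumes Windows PowerShell 3.0+, WinRM access to each target, and a list file
# with one computer name per line (blank lines and lines starting with # are ignored).
param(
    [string]$ListPath   = 'C:\Data\CList.txt',
    [string]$DomainName = 'imaginedlands.com',
    [string]$OUPath     = 'OU=Engineering,DC=imaginedlands,DC=com'
)

$cred = Get-Credential -Message 'Account delegated to join computers to the domain'

# Read the list once: trim whitespace, drop blanks and comments, remove duplicates.
$computers = Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Select-Object -Unique

$results = foreach ($name in $computers) {
    # Skip hosts that do not answer a ping; Add-Computer would otherwise wait on them.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]@{ ComputerName = $name; HasSucceeded = $false; Note = 'Unreachable, skipped' }
        continue
    }
    try {
        # $OUPath is passed as a single quoted string; an unquoted DN would be split at its commas.
        $info = Add-Computer -ComputerName $name -DomainName $DomainName -OUPath $OUPath `
                             -Credential $cred -PassThru -ErrorAction Stop
        [pscustomobject]@{ ComputerName = $name; HasSucceeded = $info.HasSucceeded; Note = 'Restart required to complete the join' }
    }
    catch {
        # Typical causes: insufficient delegation on the OU, wrong credentials, name already in use.
        [pscustomobject]@{ ComputerName = $name; HasSucceeded = $false; Note = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

The join is deliberately performed without the restart parameter so that the report can be reviewed before the computers are restarted with Restart-Computer.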

Adding Computers to a Workgroup

In addition to using Add-Computer to add computers to domains, you can use Add-Computer to add computers to workgroups. To add the local computer to a specified workgroup, use the following syntax:

add-computer –WorkgroupName WorkgroupName –reboot

where WorkgroupName is the name of the workgroup to join. Because you must reboot the computer to complete the join operation, you typically will want to include the –Reboot parameter. This isn’t required, however.

Consider the following example:

$cred = get-credential
add-computer –workgroupname testing –credential $cred –reboot

Here, you join the local computer to the Testing workgroup. Add the –PassThru and –Verbose parameters to get detailed results.

When running Add-Computer from another computer and connecting to the computer you want to join to a workgroup, you use the following command syntax:

add-computer –WorkgroupName WorkgroupName –computername ComputerNames -reboot

where WorkgroupName is the name of the workgroup to join, and ComputerNames is a comma-separated list of computers joining the workgroup.

Consider the following example:

$cred = get-credential
add-computer –workgroupname testing –computername TestPC11, TestPC12 –credential $cred -reboot

Here, you join TestPC11 and TestPC12 to the Testing workgroup.

You can read the list of computers to join to a workgroup from a file as well. Here is an example:

add-computer –workgroupname testing –computername (get-content c:\data\clist.txt)

Here, you add the computers listed in the C:\Data\CList.txt file to the Testing workgroup. If you are joining the local computer as well as other computers, you can type “.” or “localhost” as the computer name.

Removing Computers from Domains and Workgroups

Only authorized users can remove a computer from a domain or workgroup. Removing a computer from a domain disables the computer account in the domain and breaks the trust relationship between the computer and the domain. The computer’s security identifier is changed to match that of a computer in a workgroup. The computer then joins the default workgroup, called Workgroup.

You remove computers from a domain or workgroup using Remove-Computer. Consider the following example:

$cred = get-credential
remove-computer –credential $cred –reboot

Here, you remove the local computer from its current domain or workgroup and make it a member of the default workgroup, Workgroup.

When running Remove-Computer from another computer and connecting to the computer you want to manage, you use the following command syntax:

remove-computer –computername ComputerNames -reboot

where ComputerNames is a comma-separated list of computers to remove from domains or workgroups.

Consider the following example:

$cred = get-credential
remove-computer –computername TestPC11, TestPC12 –credential $cred -reboot

Here, you remove TestPC11 and TestPC12 from their current domain or workgroup and make them members of the default workgroup, Workgroup.

Managing the Restart and Shutdown of Computers

You’ll often find that you need to shut down or restart systems. One way to do this is to run Stop-Computer or Restart-Computer at the PowerShell prompt, which you can use to work with both local and remote systems. Another way to manage system shutdown or restart is to schedule a shutdown. Here, you can use the Schtasks utility to specify when shutdown should be run, or you can create a script with a list of shutdown commands for individual systems.

Although Windows systems usually start up and shut down without problems, they can occasionally stop responding during these processes. If this happens, try to determine the cause. Some of the reasons systems might stop responding include the following:

· The system is attempting to execute or is running a startup or shutdown script that has not completed or is itself not responding (and in this case, the system might be waiting for the script to time out).

· A startup initialization file or service might be the cause of the problem and, if so, you might need to troubleshoot startup items using the System Configuration (Msconfig) utility. Disabling a service, startup item, or entry in a startup initialization file might also solve the problem.

· The system might have an antivirus program that is causing the problem. In some cases, the antivirus program might try to scan the floppy disk drive when you try to shut down the system. To resolve this, configure the antivirus software so that it doesn’t scan the floppy drive or other drives with removable media on shutdown. You can also try temporarily disabling or turning off the antivirus program.

· Improperly configured sound devices can cause startup and shutdown problems. To determine what the possible source is, examine each of these devices in turn. Turn off sound devices and then restart the computer. If the problem clears up, you have to install new drivers for the sound devices you are using, or you might have a corrupted Start Windows or Exit Windows sound file.

· Improperly configured network cards can cause startup and shutdown problems. Try turning off the network adapter and restarting. If that works, you might need to remove and then reinstall the adapter’s driver or obtain a new driver from the manufacturer.

· Improperly configured video adapter drivers can cause startup and shutdown problems. From another computer, remotely log on and try to roll back the current video drivers to a previous version. If that’s not possible, try uninstalling and then reinstalling the video drivers.

When logged on to the computer you want to restart or shut down, you can type restart-computer or stop-computer to restart or shut down the computer, respectively. To force an immediate restart or shutdown, add the –Force parameter.

When running Restart-Computer or Stop-Computer from another computer and connecting to the computer you want to restart or stop, you use the following command syntax:

restart-computer –computername ComputerNames

or

stop-computer –computername ComputerNames

where ComputerNames is a comma-separated list of computers to restart or stop. As before, you can use the –Force parameter to force a restart or shutdown. You also might need to specify credentials. You can do that as shown in this example:

$cred = get-credential
stop-computer –computername TestPC11, TestPC12 –credential $cred

Here, you shut down TestPC11 and TestPC12 using specific credentials.

You can read the list of computers to restart or shut down from a file as well. Here is an example:

$cred = get-credential
restart-computer –computername (get-content c:\data\clist.txt) –credential $cred -force

Here, you restart the computers listed in the C:\Data\CList.txt file using specific credentials.
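The following script is an added example (not from the book) that combines the list-driven restart shown here with the connectivity check and the WMI authentication levels discussed earlier in the chapter: it pings each listed computer first, restarts only the ones that answer, requests PacketPrivacy (authenticated and encrypted) DCOM traffic instead of the Packet default, and waits until remote PowerShell is available again on each computer. It assumes Windows PowerShell 3.0 or later (for -Wait, -For and -Timeout), that the supplied account is an administrator on the targets, and that C:\Data\CList.txt holds one computer name per line.

```powershell
# Added example: restart listed computers that are reachable, with encrypted DCOM
# authentication, and wait for each one to come back. Assumes Windows PowerShell 3.0+
# and a list file with one computer name per line (blank lines and # comments ignored).
param(
    [string]$ListPath       = 'C:\Data\CList.txt',
    [int]$TimeoutSeconds    = 600
)

$cred = Get-Credential -Message 'Account with administrator rights on the target computers'

$computers = Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Select-Object -Unique

# Sort the list into reachable and unreachable computers before changing anything.
$reachable   = @()
$unreachable = @()
foreach ($name in $computers) {
    if (Test-Connection -ComputerName $name -Count 2 -Quiet) { $reachable += $name }
    else { $unreachable += $name }
}

if ($unreachable) {
    # A failed ping means the computer is off, disconnected, or ICMP is filtered;
    # either way a remote restart would fail, so report it instead of attempting it.
    Write-Warning ("Not reachable, skipped: {0}" -f ($unreachable -join ', '))
}

if ($reachable) {
    # PacketPrivacy authenticates and encrypts every DCOM packet; the cmdlet default,
    # Packet, authenticates but does not encrypt. Impersonate is the default impersonation
    # level and is stated here only to make the chosen levels explicit.
    # -Wait -For PowerShell returns only when remote PowerShell answers again on every
    # computer, or when the timeout expires, polling every 10 seconds.
    Restart-Computer -ComputerName $reachable -Credential $cred -Force `
        -Authentication PacketPrivacy -Impersonation Impersonate `
        -Wait -For PowerShell -Timeout $TimeoutSeconds -Delay 10
}
```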