Expiring Group Membership
As a systems administrator working with Active Directory your probably proficient in granting access to
Two strong points of PowerShell are the ability to work with Pipelines and Objects. PowerShell is built on top of .NET and has the ability to work with .NET objects as well as sending and receiving information from the pipeline.
To developers, asking them to go from an object based language to one that parses text for input/output would get you laughed at. That is exactly why when Microsoft decided to write a new console and scripting language they decided to work with objects instead of text parsing.
Those familiar with administrating Unix operating systems are aware of programs like grep, sed, and awk. Those three programs allow the administrator to take text as input, manipulate the text, and output commands for the next program.
Windows is an operating system built around Application Programming Interfaces (API) which allow sophisticated interactions with the underlying OS. Those APIs return objects. Objects contain attributes which house information about that specific object as well as methods, or little functions that can be performed on the object. There are many other properties that apply to objects but those are the important ones.
PowerShell, through cmdlets, allow access to the Windows API, surfacing information about processes, services, files, and more. These types of objects come with rich information and allow you to interact with them in a safe way.
To find out what type of object you’re working with in PowerShell pipe any ‘Get’ command to the cmdlet Get-Member.
Get-Process -Name Powershell.exe | Get-Member
You’ll notice some interesting information on the console. First, you see the type of object sent to Get-Member. The process object is part of the System.Diagnostic object library is referred to by System.Diagnostic.Process. The name is long to make sure that there aren’t type name collisions if there are two completely different types of process objects on a computer.
Next you get the name of the property, property type in member type, and definition. The property name is how you access the information inside of the object. To list the Name,Threads,ID, and HandleCount you can use select-object.
Get-Process -Name Powershell | Select-Object -Property Name,Threads,ID,HandleCount
The pipeline is really a important concept. The idea is that you have small programs that do one thing for you. Get-Process retrieves processes. Set-ADUser will manipulate a user in Active Directory. Cmdlets work best when strung together, one outputting objects, another taking objects as inputs. Consider the following:
Get-ADUser -Identity NGetchell | Set-ADUser -Title "Automation Wizard"
Get-ADUser goes out and finds my user account. It then pushes the Microsoft.ActiveDirectory.Management.ADUser object into Set-ADUser. Set-ADUser will now set the title of the incoming object to ‘Automation Wizard’. In this scenario only one user object was manipulated. Image your 1,000+ employee company has been purchased. You’ve been tasked with changing the Company field in AD for each employee.
Get-ADUser -filter * | Set-ADUser -Company 'Getchell.org'
You can now go home early since you completed hours of manual work in seconds. You earned it.