Windows PowerShell: automating user provisioning, part 2

Windows Server R2 servers ship with the Windows Remote Management (WinRM) service enabled by default, which lets administrators use PowerShell remoting to manage them. By default, however, remoting requires mutual authentication: the client must be able to verify the identity of the server as well as prove its own. That is no problem when both computers are members of the same domain, because Kerberos provides it, but in our case the target is a new server that is not yet domain-joined, and we need to remote into it to carry out the initial configuration.

For a complete explanation and demonstration of remoting to non-domain computers, see the previous article, Remote Management with PowerShell — Part 2. The script in this article adds the new server to the TrustedHosts list on the computer running the script, which tells the WinRM client to skip verification of that server's identity so that the connection can be made and provisioning can begin. Be clear about what that trade-off means: the client will send credentials (NTLM) to whatever answers at that address, so the entry should be as narrow as possible (a single address, never *) and should not outlive the provisioning run.

Nothing is in the TrustedHosts list by default. The script adds the new server's DHCP-assigned IP address to the list and removes it again once it is done, leaving the list empty as it was. Running the following command confirms that no computer is trusted by default:

See the following code: for demonstration purposes the script adds just one role; in a production environment you will probably want to add several. Our next step is to examine the code that makes the new server join the abc.

Server where the code is executed locally. For a more detailed explanation and demonstration of Windows PowerShell remoting options, see the article Remote Management with PowerShell — Part 1. One point that catches people out: a variable defined on the local computer is not visible inside the script block you pass to the -ScriptBlock parameter of the Invoke-Command cmdlet, because that block runs in a separate runspace on the remote computer. Either pass the values in explicitly with -ArgumentList (and a param() block inside the script block) or reference them with the $using: scope modifier.
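The steps described so far (add the server to TrustedHosts, open a session, install a role, join the domain, restore TrustedHosts) as one complete, added example. This is not the article's own script, which the extract does not include. It assumes you run it elevated on a management workstation, that the new server is a workgroup machine answering WinRM over HTTP (port 5985) with a local administrator account, and that the role name, domain name and OU are placeholders you replace with your own:

```powershell
# Added example, not the article's script. Assumptions: elevated session on the
# management workstation; new server reachable over WinRM/HTTP with a local admin
# account; $RoleName, $DomainName and $OUPath are placeholders.
param(
    [Parameter(Mandatory)] [string] $NewServerIp,     # DHCP address of the new server
    [Parameter(Mandatory)] [string] $DomainName,      # domain to join (placeholder)
    [string] $OUPath   = '',                          # optional target OU, as a DN
    [string] $RoleName = 'Web-Server'                 # one role, as in the article
)

$trustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'

# Remember what the list held before so it can be restored exactly, instead of
# assuming it was empty and wiping someone else's entries at the end.
$originalTrustedHosts = (Get-Item $trustedHostsPath).Value
if (-not $originalTrustedHosts) { $originalTrustedHosts = '' }

# Add only this one address. Never use '*': an entry here makes the client skip
# verification of the server's identity, so credentials go to whatever answers.
if ($originalTrustedHosts -eq '') {
    Set-Item $trustedHostsPath -Value $NewServerIp -Force
} else {
    Set-Item $trustedHostsPath -Value $NewServerIp -Concatenate -Force
}

$localAdmin  = Get-Credential -Message "Local administrator on $NewServerIp"
$domainAdmin = Get-Credential -Message "Account permitted to join computers to $DomainName"
$session     = $null

try {
    # Talk to the WinRM service first; this fails fast if no listener is there.
    $null = Test-WSMan -ComputerName $NewServerIp -Credential $localAdmin `
                       -Authentication Negotiate -ErrorAction Stop

    $session = New-PSSession -ComputerName $NewServerIp -Credential $localAdmin -ErrorAction Stop

    # Local variables are not visible inside -ScriptBlock.
    # Option 1: -ArgumentList on this side, param() on the remote side.
    $result = Invoke-Command -Session $session -ArgumentList $RoleName -ScriptBlock {
        param([string] $Role)
        if (-not (Get-WindowsFeature -Name $Role).Installed) {
            Install-WindowsFeature -Name $Role -IncludeManagementTools | Out-Null
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Role      = $Role
            Installed = (Get-WindowsFeature -Name $Role).Installed
        }
    }
    $result | Format-Table -AutoSize

    # Option 2: the $using: scope modifier ships the local value with the block.
    # The join only takes effect after a reboot, so -Restart is passed too; the
    # session drops as the server goes down, which is expected here.
    Invoke-Command -Session $session -ScriptBlock {
        $joinParams = @{
            DomainName = $using:DomainName
            Credential = $using:domainAdmin
            Force      = $true
            Restart    = $true
        }
        if ($using:OUPath -ne '') { $joinParams['OUPath'] = $using:OUPath }
        Add-Computer @joinParams
    }
}
finally {
    if ($session) { Remove-PSSession $session -ErrorAction SilentlyContinue }
    # Put TrustedHosts back exactly as it was, whether or not provisioning succeeded.
    Set-Item $trustedHostsPath -Value $originalTrustedHosts -Force
}
```

Once the server has joined the domain, later remoting to it authenticates with Kerberos and needs no TrustedHosts entry at all. If you have to manage workgroup servers routinely, an HTTPS listener with a certificate the client trusts restores server authentication and is a better long-term option than TrustedHosts.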

See the code below: the preceding code is the last key part needed to complete the script before it is fully tested. The final update looks like this: after all this work, the final step is to test the script and confirm that it performs as expected. You will need to supply your own parameter values to run the script; the following values are defined for our test:

I have now updated it. Once again, many thanks for pointing this out. Really appreciate it!


I just thought that I had to make a blog response to a fairly nice but slightly missing-the-point article in TechNet Magazine. There are two things which lack consideration: multi-site as the first point, and the other is a lack of consideration for mature environments. You need to have some logic to first resolve where the users are going to be created. For example, use the logic, whatever it happens to be, to determine which home folder server to use.

Then you need to resolve which site the home folder server is in, or directly ask the home folder server for its secure channel using NLTEST.

The secure channel will be an ideal DC to provision the user to. When provisioning the Exchange mailbox you will step into a similar issue to the one above, although this one is easily solvable. You need to establish which site the mailbox resides in before you create the account. If Exchange and the account are in the same domain but different sites, then you will face replication issues, i.e. the user account might not have been synchronized to the DC which Exchange is talking to. The latter switch is for specifying the DC for the account domain if Exchange is running in a resource forest.
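An added illustration of the approach this response describes (not the commenter's code, and not from the article): ask the home folder server which DC it holds its secure channel with using nltest, fall back to a writable DC in the server's own site, and then create the account and mailbox against that one DC so Exchange does not look up an account that has not replicated yet. It assumes the ActiveDirectory module and the Exchange cmdlets are loaded in the session; the home folder server, domain, share and database names are placeholders:

```powershell
# Added example, not from the article or the comment. Assumptions: ActiveDirectory
# module and Exchange management cmdlets available; names below are placeholders.

function Get-SecureChannelDC {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # home folder server
        [Parameter(Mandatory)] [string] $Domain          # its account domain
    )
    # "nltest /server:<host> /sc_query:<domain>" reports the DC <host> currently has
    # its secure channel with, on a line such as "Trusted DC Name \\dc1.abc.example".
    $output = & nltest "/server:$ComputerName" "/sc_query:$Domain" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "nltest /sc_query failed for $ComputerName`: $($output -join ' ')"
    }
    foreach ($line in $output) {
        if ($line -match '^Trusted DC Name\s+\\\\(\S+)') { return $Matches[1] }
    }
    throw "No 'Trusted DC Name' line in nltest output for $ComputerName"
}

function Get-SiteDC {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # Fallback: resolve the server's AD site, then pick any writable DC in that site.
    $output = & nltest "/server:$ComputerName" /dsgetsite 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "nltest /dsgetsite failed for $ComputerName`: $($output -join ' ')"
    }
    $site = ($output | Where-Object { $_ -and $_ -notmatch 'completed successfully' } |
             Select-Object -First 1).Trim()
    $dc = Get-ADDomainController -Discover -SiteName $site -Writable
    return $dc.HostName[0]
}

function New-ProvisionedUser {
    param(
        [Parameter(Mandatory)] [string]       $SamAccountName,
        [Parameter(Mandatory)] [string]       $HomeFolderServer,
        [Parameter(Mandatory)] [string]       $AccountDomain,
        [Parameter(Mandatory)] [string]       $MailboxDatabase,
        [Parameter(Mandatory)] [securestring] $Password
    )
    try   { $dc = Get-SecureChannelDC -ComputerName $HomeFolderServer -Domain $AccountDomain }
    catch { Write-Warning $_; $dc = Get-SiteDC -ComputerName $HomeFolderServer }

    # Create the account on the DC closest to the home folder server ...
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -AccountPassword $Password -Enabled $true `
        -HomeDirectory "\\$HomeFolderServer\Users`$\$SamAccountName" -HomeDrive 'H:' `
        -Server $dc

    # ... and point Exchange at the same DC. (In a resource forest the account-domain
    # DC is given separately, via -LinkedDomainController on New-Mailbox.)
    Enable-Mailbox -Identity $SamAccountName -Database $MailboxDatabase -DomainController $dc

    return $dc
}

# Usage (placeholder values):
# $pw = Read-Host -AsSecureString 'Initial password'
# New-ProvisionedUser -SamAccountName 'jdoe' -HomeFolderServer 'fs01' `
#     -AccountDomain 'abc' -MailboxDatabase 'DB01' -Password $pw
```

The nltest calls need RPC access to the home folder server and an account that is allowed to query it; if either is missing, the function falls through to site-based discovery with a warning rather than silently provisioning against an arbitrary DC.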
