Duplicate AD Object Without "Active Directory" PS Tools

    Question

  • Hello All,

    I need to know of a simple way to duplicate an Active Directory object (in this case a pkiCertificateTemplate), in as few lines of code as possible.  "Lain Robertson" posted a very elegant solution, but it won't work in cases where the "AD PS Tools" are not present on the server.  To my understanding, this PS add-in is not available on Windows 2008 and 2008 R2.  Does anyone know of a simple way to do this?  Below is the script and the reference page.

    Param(
      [parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, mandatory = $true)] $Name,
      [parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, mandatory = $true)] $NewName
    )
    
    try {
      Import-Module -Name ActiveDirectory -Verbose:$false;
    
      $oRootDSE = Get-ADRootDSE;
      Write-Verbose -Message ("Connected to domain controller: "+ $oRootDSE.dnsHostName);
    
    
      try {
        # Pull the template attributes from the schema definition.
        $templateAttributes = (Get-ADObject -Identity ("CN=PKI-Certificate-Template,"+ $oRootDSE.schemaNamingContext) -Properties *).systemMayContain;
        Write-Verbose -Message (("Schema_attributes: "+ [System.String]$templateAttributes) -replace " ", "`n  " -replace "_", " ");
    
        # Include the revision attribute.
        $templateAttributes.Add("revision") | Out-Null;
    
        # Attempt to grab the original template.
        $originalCertificate = Get-ADObject -Identity ("CN=" + $Name + ",CN=Certificate Templates,CN=Public Key Services,CN=Services," + $oRootDSE.configurationNamingContext) -Properties $templateAttributes -Server $oRootDSE.dnsHostName;
        Write-Verbose -Message ("Found template: "+ $originalCertificate.distinguishedName);
    
        # Rename the display name prior to calling New-ADObject, as it's understandably not included in its renaming process.
        $originalCertificate.displayName = $NewName;
    
        # Ensure that msPKI-Cert-Template-OID is unique.
        do {
          $secondLast = (Get-Random).ToString();
          $Last = (Get-Random).ToString();
          $newOID = ($originalCertificate."msPKI-Cert-Template-OID" -replace "(\.[0-9]*){2}$", "") + "." + $secondLast + "." + $Last;
        } while ((Get-ADObject -Filter { msPKI-Cert-Template-OID -eq $newOID } -SearchBase ("CN=Certificate Templates,CN=Public Key Services,CN=Services,"+ $oRootDSE.configurationNamingContext ) -SearchScope OneLevel) -ne $null);
    
        # Assign the new msPKI-Cert-Template-OID value.
        $originalCertificate."msPKI-Cert-Template-OID" = $newOID;
    
        # Call New-ADObject to create the new template.
        New-ADObject -Name $NewName -Type ($originalCertificate.objectClass) -Instance $originalCertificate -Path ($originalCertificate.DistinguishedName.Substring($originalCertificate.DistinguishedName.IndexOf(",")+1));
        Write-Verbose -Message ("Template "+ $Name +" successfully duplicated using the new name of "+ $NewName +".");
    
      } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Error -Message ("Failed to find a template named "+ $Name);
        exit;
      } catch [System.UnauthorizedAccessException] {
        Write-Error -Message "Access denied. You do not have the correct permissions to create the new certificate template.";
        exit;
      } catch {
        Write-Error -Message ("Unhandled exception occurred.");
        exit;
      }
    } catch {
      Write-Error -Message "Failed to load the Active Directory management module."
    }

    REF: New Powershell Template Read Only in Certificate Manager


    - Rashad Rivera www.omegusprime.com


    Tuesday, July 19, 2016 3:39 PM

Answers

  • AD Cmdlets (RSAT) are available for WS2003 and later.  The minimum client is Vista.  WS2008 you have to download them.  They come built into WS2008R2 but the feature has to be enabled.  WS2008R2 also automatically installs all when you promote a DC.


    \_(ツ)_/

    Tuesday, July 19, 2016 8:04 PM
    Moderator
  • Hi Rashad,

    Unless a recent backport has been made available, the Microsoft ActiveDirectory module was only for Server 2008 R2/Windows 7 and above - as you've already noted.

    "AD Cmdlets" (meaning a product title), discussed here, is another option if you can actually track it down. I knew it went over to Quest and that Quest was consumed by Dell; however, I can't seem to easily navigate their site to find the module. My expectation is also that it is a paid option, not free.

    That really takes you back to where you started in the other thread where it's a straight .NET implementation. That'll get the job done, of course. It's just not as efficient from how many lines you need to code, that's all.

    Cheers,
    Lain

    Wednesday, July 20, 2016 12:20 AM

All replies

  • I had to download and install PowerShell on my Windows Server 2003 DC's and on my Windows XP clients. But every OS since came with PowerShell. My Windows Server 2008 R2 DC came with PowerShell V2, which includes the AD modules. But I think I had to enable it or turn on the feature in Server Manager.

    Edit: Link with description of PowerShell V2 on Windows Server 2008 R2:

    https://technet.microsoft.com/en-us/library/dd378784%28v=ws.10%29.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, July 19, 2016 3:57 PM
  • AD CmdLets are only available if RSAT is installed.

    RSAT is built into WS2008 and later servers.  RSAT for clients can be downloaded for all current clients.  Clients require RSAT Web Service on at least one DC.

    If CA is installed, everything you are trying to do can be done with CA tools and PS CmdLets.

    https://redmondmag.com/articles/2015/08/19/rsat-for-windows-10.aspx


    \_(ツ)_/


    Tuesday, July 19, 2016 4:11 PM
    Moderator
  • Richard,

    Your response does not apply to my situation.  I'm running Windows 2008, not Windows 2008 R2.  I also suspect that the AD Command Lets are not available with Windows 2003, whether regular or R2.

    In addition, I'm looking for a script to duplicate AD objects without AD Command Lets so my solution can rely on core PowerShell functionality alone such as ADSI or via the .NET CLR interop. 


    - Rashad Rivera www.omegusprime.com



    Tuesday, July 19, 2016 7:57 PM
  • Hi Rashad,

    Unless a recent backport has been made available, the Microsoft ActiveDirectory module was only for Server 2008 R2/Windows 7 and above - as you've already noted.

    "AD Cmdlets" (meaning a product title), discussed here, is another option if you can actually track it down. I knew it went over to Quest and that Quest was consumed by Dell; however, I can't seem to easily navigate their site to find the module. My expectation is also that it is a paid option, not free.

    That really takes you back to where you started in the other thread where it's a straight .NET implementation. That'll get the job done, of course. It's just not as efficient from how many lines you need to code, that's all.

    Cheers,
    Lain

    Why do people keep posting this?  I have been using ADGWS PowerShell since Windows 2003 AD.  It has always been available.  All current OSs support ADGWS.  WS2008 Server and earlier is a download and install.  It is still available in the Microsoft download center.  RSAT with PowerShell Cmdlets is and has been available for all desktop systems since Vista and is still available as a download.

    WS2008R2 and all later server products come with ADGWS by default.

    Don't believe me?  See this: https://blogs.technet.microsoft.com/ashleymcglone/2011/03/17/step-by-step-how-to-use-active-directory-powershell-cmdlets-against-2003-domain-controllers/


    \_(ツ)_/

    Wednesday, July 20, 2016 1:53 AM
    Moderator
  • Hi jrv,

    While it's open to interpretation, in the context I understood the question to be in, I believe you've missed the point.

    Yes, Gateway Services is available for Server 2003 and after, and this allows the server to be a target for PowerShell administration. However, Rashad explicitly mentions in his first paragraph that he is looking to run this locally on the server.

    As outlined at the end of "step 2" of your linked article - and by the very virtue of "step 3" even being present, installing Gateway Services achieves nothing with respect to being able to make use of the ActiveDirectory module locally.

    Does Rashad need to run this particular script locally? I don't know. Ask him. But Gateway Services does not provide the module and it's not part of RSAT for Server 2008/Windows Vista.

    Cheers,
    Lain

    Wednesday, July 20, 2016 2:13 AM
  • Hi jrv,

    While it's open to interpretation, in the context I understood the question to be in, I believe you've missed the point.

    Yes, Gateway Services is available for Server 2003 and after, and this allows the server to be a target for PowerShell administration. However, Rashad explicitly mentions in his first paragraph that he is looking to run this locally on the server.

    As outlined at the end of "step 2" of your linked article - and by the very virtue of "step 3" even being present, installing Gateway Services achieves nothing with respect to being able to make use of the ActiveDirectory module locally.

    Does Rashad need to run this particular script locally? I don't know. Ask him. But Gateway Services does not provide the module and it's not part of RSAT for Server 2008/Windows Vista.

    Cheers,
    Lain

    AD commands can be run against WS2008 and later.  The question was specific to WS2008 and WS2008R2.  For WS2008 the modules are installed from a download.  For WS2008R2 and later all is built into the server.  The CmdLets can be downloaded for any client Vista and later as I noted above. WS2003 is older than Vista.

    For WS2008 only we can only administer remotely as all WS2008 tools have been removed from the downloads site since WS2008 is no longer supported.  It is possible to install a Vista or later VM and then install the RSAT modules into the VM.

    The smarter thing to do is to upgrade the server before it is too late.  I am now dealing with two companies that refused to understand that old systems can become very hard and expensive to support.


    \_(ツ)_/




    Wednesday, July 20, 2016 11:52 AM
    Moderator
  • We should probably note that the Admin tools are available on WS2008.  You can use the DS* command line tools to extract to a CSV, then use PowerShell to manipulate the CSV and then use the command line tool to update AD.  Of course this takes more advanced skill with PowerShell but it is what we used to do.

    It is also always possible to use ADSI.  In the Gallery are many ADSI scripts that update AD.


    \_(ツ)_/

    Wednesday, July 20, 2016 12:12 PM
    Moderator
  • JRV,

    I need to run commands such as Get-ADObject, Get-NewADObject (and the like), on a Windows 2008 server (not R2) without the use of third party software.  Installing a redistributable from Microsoft or a feature via Server Manager is acceptable.  The goal is to execute an elegant means of duplicating AD objects (in my case pkiCertificateTemplates).  Lain had created such a script in another thread, but it relies upon AD modules (which to my understanding don't exist on Windows 2008).  Using this ADMGS is a non-starter for me because of its apparent complexity and the fact that the link is no longer available (follow through via the link you provided and you will see a "We are sorry..." error).

    This being said, Lain is correct in that I have to use the script I already have posted on the other thread, which is specific to a particular objectClass vs. generic like what AD modules provide.  I appreciate your input and Lain's and thank the entire community for its support.


    - Rashad Rivera www.omegusprime.com



    Friday, July 22, 2016 1:56 AM
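The thread ends with the asker falling back to a "straight .NET implementation" (Lain's phrase) and jrv's note that ADSI is always available. The following is an added example, not Lain's script and not code posted in this thread: it performs the same duplication of a pKICertificateTemplate using only System.DirectoryServices (the [ADSI] accelerator and DirectorySearcher), which PowerShell 2.0 on Windows Server 2008 has without the ActiveDirectory module. The function name Copy-PkiTemplateAdsi and its parameters are my own; it assumes it runs on a domain-joined host as an account permitted to create objects under the Certificate Templates container, and it mirrors the original script's attribute selection (the class's systemMayContain plus revision) and OID-uniqueness loop.

```powershell
# Added example, not code from the thread: duplicate a pKICertificateTemplate using only
# System.DirectoryServices (the [ADSI] accelerator), which PowerShell 2.0 on Server 2008
# has without the ActiveDirectory module. Function and parameter names are my own choice.
function Copy-PkiTemplateAdsi {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,     # cn of the template to copy
        [Parameter(Mandatory = $true)] [string] $NewName   # cn and displayName of the copy
    )

    # RootDSE supplies the naming contexts, replacing Get-ADRootDSE.
    $rootDse     = [ADSI]"LDAP://RootDSE"
    $configNC    = $rootDse.psbase.Properties['configurationNamingContext'].Value
    $schemaNC    = $rootDse.psbase.Properties['schemaNamingContext'].Value
    $templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    # Fail early if the source template does not exist (replaces the ADIdentityNotFound catch).
    $sourcePath = "LDAP://CN=$Name,$templatesDN"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($sourcePath)) {
        throw "Template '$Name' was not found under $templatesDN"
    }
    $source = [ADSI]$sourcePath

    # Same attribute set as the module-based script: the class's systemMayContain plus revision.
    $classDef   = [ADSI]"LDAP://CN=PKI-Certificate-Template,$schemaNC"
    $attributes = @($classDef.psbase.Properties['systemMayContain'].Value) + @('revision')

    # Build a unique msPKI-Cert-Template-OID: keep the prefix, replace the last two arcs,
    # and loop until no sibling template already uses the value (same idea as the original loop).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$templatesDN"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $oidPrefix = $source.psbase.Properties['msPKI-Cert-Template-OID'].Value -replace '(\.[0-9]+){2}$', ''
    do {
        $newOid = '{0}.{1}.{2}' -f $oidPrefix, (Get-Random), (Get-Random)
        $searcher.Filter = "(msPKI-Cert-Template-OID=$newOid)"
    } while ($null -ne $searcher.FindOne())

    # Create the child object directly under the container and clone the attribute values.
    $container = [ADSI]"LDAP://$templatesDN"
    $copy = $container.psbase.Children.Add("CN=$NewName", 'pKICertificateTemplate')
    foreach ($attr in $attributes) {
        # displayName and the OID are set explicitly below; everything else is copied as-is.
        if (@('displayName', 'msPKI-Cert-Template-OID') -contains $attr) { continue }
        $value = $source.psbase.Properties[$attr].Value
        if ($null -ne $value) { $copy.psbase.Properties[$attr].Value = $value }
    }
    $copy.psbase.Properties['displayName'].Value             = $NewName
    $copy.psbase.Properties['msPKI-Cert-Template-OID'].Value = $newOid
    $copy.psbase.CommitChanges()   # throws on access denied or a schema violation

    Write-Verbose ("Template {0} duplicated as {1} (OID {2})" -f $Name, $NewName, $newOid)
    return $copy.psbase.Properties['distinguishedName'].Value
}

# Usage on a domain-joined Server 2008 host, as an account allowed to create templates:
# Copy-PkiTemplateAdsi -Name 'User' -NewName 'User-Copy' -Verbose
```

Two practical points. First, nTSecurityDescriptor is not in the copied attribute set (in this example or in the module-based original), so the copy receives the default security descriptor for its class rather than the source template's ACL; enrollment and autoenrollment permissions on the new template therefore have to be granted deliberately afterwards, which is a good moment to confirm that only the intended groups can enroll. Second, the copy is not issued by any CA until it is explicitly published to one, so creating it has no effect on certificate issuance by itself.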
  • WS2008 is obsolete and unsupported. Perhaps you should move more completely into the 21st century ;)

    \_(ツ)_/

    Friday, July 22, 2016 10:10 AM
    Moderator