Microsoft is doing all it can to make PowerShell the choice of power-users and automation writers everywhere. Gone are the days of compiling code in .NET in order to do the same thing; now you just need notepad.exe and Google. We're big fans of it in the office, especially since Exchange 2007's Management Console does NOT include everything that you can do in PowerShell. Microsoft deliberately failed to implement things that only get done once in a great while, easier to develop that way, which downright forces its use if you have anything resembling a complex environment.
Microsoft's newer generation of products (Win7, Windows Server 2008, Exchange 2007/2010, SQL Server 2008) all have very rich PowerShell hooks. Once Remote PowerShell (PowerShell 2.0 IIRC) gets deployed with Server 2008 R2, it'll become even MORE useful for automation writers.
What we've done with it:
- Create a web-page to delegate certain admin tasks to helpdesk users. The web-page fires off commands that get executed in PowerShell. Things it does:
  - Create and delete user accounts, including provisioning Exchange 2007 mailboxes and home directories
  - Unlock locked out accounts
  - Create/delete groups
  - Add/remove users from groups
  - Move users between mail-stores
  - Set passwords
- Take extracts from the ERP system and push global-address-book data into Active Directory nightly.
- Solve the LegacyExchangeDN problem that cropped up with our Exchange 2003 to Exchange 2007 migration. Had to add an X500 address to everyone that used to be on Exchange 2003. A fairly short PowerShell script fixed it.
- Scripted creation of "group mailboxes" (shared mailboxes in Exchange where multiple users have access to the mailbox), an otherwise manual process due to the nature of the data we need before kicking it off. It greatly standardized the setup of these mailboxes.
- Created a script that walked through all domained machines resetting a specific registry key and restarting a service. It took 18 hours to complete, but it got the job done.
So yes, PowerShell is going to be with us for quite some time.
EDIT: Adding a code-sample, since it was requested
```powershell
# Expects groupusers.csv with "group" and "member" columns, sorted by group
$list=Import-Csv "groupusers.csv"
$lastseengroup=$list[0].group
$ADGroupPrefix="grp.netware."
$ADGroupSuffix="{redacted -- in the format of ,ou=groups,dc=domain,dc=domain,dc=domain}"
# Initialise explicitly; Clear-Variable errors when the variable does not exist yet
$memberlist=@()
$unknownusers=@()

# Replace the membership of an existing group, or create the group if it is missing
function Commit-Group($name, $members) {
    $newgroup=$ADGroupPrefix+$name
    $newgroupdn="cn=$newgroup$ADGroupSuffix"
    echo "getting DN for $newgroup"
    $existinggroup=dsquery group domainroot -name $newgroup
    if ($null -ne $existinggroup) {
        # An array is passed to dsmod/dsadd as one argument per member DN
        dsmod group $newgroupdn -chmbr $members
    } else {
        dsadd group $newgroupdn -scope u -secgrp yes -members $members -desc "Group imported from eDirectory"
    }
}

foreach ($entry in $list) {
    # Group changed: commit the members collected for the previous group
    if ($entry.group -ne $lastseengroup) {
        echo "stumbled across new group $($entry.group), committing changes to $lastseengroup"
        Commit-Group $lastseengroup $memberlist
        $memberlist=@()
    }
    # Get-User is the Exchange Management Shell cmdlet; resolve the member to a DN
    $User=Get-User $entry.member -ErrorAction SilentlyContinue
    if ($User.IsValid) {
        $memberlist+=$User.DistinguishedName
    } else {
        # Keep track of members that could not be resolved
        $unknownusers+=$entry.member
    }
    $lastseengroup=$entry.group
}
# Commit the last group in the file
Commit-Group $lastseengroup $memberlist
```
This takes a CSV file created with a Perl script and updates a set of groups. If the group already exists, it replaces the membership with that specified in the file. If the group does not exist, it creates it. This is a one-way sync. Also, not quite in production yet, but close.
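
The script above concatenates the CSV's group value straight into `cn=...`, so a value containing a comma or plus sign would change the shape of the DN. The following is an added example, not the poster's code: it escapes the value so it stays a single RDN and uses `Group-Object` so the file need not be sorted. `ConvertTo-EscapedRdnValue`, `New-GroupDn`, the `ou=groups,dc=example,dc=test` suffix, the 64-character limit and the sample rows are assumptions made for illustration (PowerShell 3.0 or later).

```powershell
# Added example, not the poster's code. Values marked "assumed" are illustrative.
$ADGroupPrefix = 'grp.netware.'                   # from the script above
$GroupOu       = 'ou=groups,dc=example,dc=test'   # assumed placeholder for the redacted suffix

function ConvertTo-EscapedRdnValue {
    # Backslash-escape the characters RFC 4514 treats as special in a DN attribute value:
    # a leading space or '#', a trailing space, and , + " \ < > ; = anywhere.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '^[ #]|[\\,+"<>;=]| \z', { param($m) '\' + $m.Value })
}

function New-GroupDn {
    # Build the group DN from an untrusted CSV value.
    param([string]$Name)
    # Reject what escaping cannot make safe: empty names, control characters, excessive length.
    # The 64-character limit is an assumed local policy.
    if ($Name -notmatch '\A[^\p{Cc}]{1,64}\z') { throw "Rejected group name: '$Name'" }
    'cn=' + (ConvertTo-EscapedRdnValue ($ADGroupPrefix + $Name)) + ',' + $GroupOu
}

# Constructed sample rows (not real data), deliberately unsorted and including
# names with DN metacharacters and one empty group name.
$rows = @'
group,member
staff,alice
R+D,bob
staff,carol
"ops,ou=other",dave
,erin
'@ | ConvertFrom-Csv

# One object per group: the escaped DN and the member count; rejected names become warnings.
$rows | Group-Object group | ForEach-Object {
    try   { [pscustomobject]@{ Group = $_.Name; Members = $_.Count; Dn = New-GroupDn $_.Name } }
    catch { Write-Warning $_.Exception.Message }
}
```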