I suppose I could back up my configuration, but sometimes I just want a brand-new domain to play with. . . especially while I’m studying for my 70-648 exam and I keep creating convoluted GPOs that don’t always have the intended effect and I need to go back to something cleaner.

So, without further ado, here is the script – easily copied and pasted into a .ps1 file – for anyone else that hates sitting down and clicking through user and group-creation every time they need a new test-organization after getting that crisp, clean domain up and running.

Install your server, run dcpromo.exe, run this script, and voila: an instant lab to break play with. This script has been tested in a Windows Server 2008 R2 domain, but should run just fine as long as you’re running at least Windows Server 2003, PowerShell 2.0, and have the Active Directory Management Gateway Service installed:

# Written By: Slowhand
# Date: August 10th, 2012
# Purpose: Automatically creating test users, groups, and OUs for a study-lab
# Intended for use with a fresh install of AD DS for lab-purposes only
#
# [Please Note]
# Users, groups, and department-OUs will not be created a second time,
# even if you give the organization OU a different name
#
# To successfully re-run the script,
# delete the original organizational OU from the first run-through
#
# This script is provided ‘as-is’, please use at your own risk
Import-Module ActiveDirectory
if (!(Get-Module ActiveDirectory)) {
Write-Host “An Active Directory domain is required before this script can be run”
Write-Host ” “
} else {

# User-defined values
do {
Write-Host “Enter the name of your CSV file, (e.g., C:\Scripts\users.csv)”
[string]$csvpath = Read-Host “CSV file”
} while (!(Get-Item $csvpath))

Write-Host ” “
Write-Host “Please enter the name of lab (e.g., Contoso, ACME, Testlab)”
[string]$organization = Read-Host “Lab name”

Write-Host ” “
Write-Host “Please enter a complex default user password, or users will be disabled upon creation”
[string]$password = Read-Host “Default user password”
# Password not stored securely at this point for lab-purposes only

# Importing a list of users from a csv file
# (The necessary columns for this script are givenName, surname, and department)
$users = Import-Csv -Path $csvpath

Write-Host ” “
Write-Host ” “
Write-Host “CREATING TEST-LAB ENVIRONMENT, PLEASE STAND BY”
Write-Host “==============================================”
Write-Host ” “
Write-Host ” “
# Creating an OU to hold our organization
if (!(Get-ADOrganizationalUnit -LDAPFilter “(OU=$organization)”)) {
# Pull the distinguished name of the domain, as an LDAP query
$distname = (Get-ADDomain).DistinguishedName

Write-Host “Creating a company OU called $organization”
New-ADOrganizationalUnit -Name $organization -Path “$distname” -ProtectedFromAccidentalDeletion $true

$path = “OU=$organization,$distname”

# Some basic OUs to simulate a test company
$OUs = “Departments”,”Users”,”Computers”,”Workstations”,”Servers”

Write-Host ” “
Write-Host “CREATING ORGANIZATIONAL UNITS”
Write-Host “—————————–”
foreach ($OU in $OUs) {

if (!(Get-ADOrganizationalUnit -LDAPFilter “(OU=Computers)”)) {
Write-Host “Creating an OU called $OU in $path”
Write-Host ” “

New-ADOrganizationalUnit -Name $OU -Path “$path” -ProtectedFromAccidentalDeletion $true
} else {
Write-Host “Creating an OU called $OU in OU=Computers,$path”
Write-Host ” “

New-ADOrganizationalUnit -Name $OU -Path “OU=Computers,$path” -ProtectedFromAccidentalDeletion $true
}
}

Write-Host ” “
Write-Host ” “

# Creating individual OUs and groups for each department for GPO purposes
Write-Host “CREATING GROUPS”
Write-Host “—————”

foreach ($user in $users) {
$department = $user.department

# Checking for duplicates in the ‘departments’ column of the CSV file
if (!(Get-ADOrganizationalUnit -LDAPFilter “(OU=$department)”)) {
Write-Host “Creating an OU for the $department department”
New-ADOrganizationalUnit -Name $department -Path “OU=Departments,$path” -ProtectedFromAccidentalDeletion $true

Write-Host “Creating a group for the $department department”
Write-Host ” “
New-ADGroup -Name $department -SamAccountName $department -GroupCategory Security -GroupScope Global -DisplayName $department -Path “OU=$department,OU=Departments,$path”
}
}

Write-Host ” “
Write-Host ” “

$userpath = “OU=Users,$path”

Write-Host “CREATING USERS”
Write-Host “————–”

# Create users based on a given name, surname, and department
foreach ($user in $users) {

$first = $user.givenName
$last = $user.surname
$department = $user.department
$domain = (Get-ADDomain).DNSRoot
$name = $first + ” ” + $last
$logon = $first + “.” + $last
$userprincipalname = $logon + “@” + $domain

# Actual creation of users in User folder
if (!(Get-ADUser -LDAPFilter “(sAMAccountName=$logon)”)) {
Write-Host “Creating an account for $name”
New-ADUser -Name $name -SamAccountName $logon -GivenName $first -Surname $last -DisplayName $name -Department $department -PasswordNeverExpires $true -Enabled $true -AccountPassword(ConvertTo-SecureString $password -AsPlainText -force) -UserPrincipalName $userprincipalname -Path “$userpath”

Write-Host “Adding user $name to the $department group”
Write-Host ” “

# Add user to groups based on department
Add-ADGroupMember $department $logon
} else {
Write-Host “The user $name already exists, moving on to the next one”
Write-Host ” “
}
}

Write-Host ” “
Write-Host “The default user password is $password”
Write-Host “It does not need to be changed at logon, nor does it expire”
Write-Host ” “
Write-Host “============================================”
Write-Host “FINISHED! ENJOY YOUR LAB AND HAVE A NICE DAY”
Write-Host ” “
Write-Host ” “
} else {
Write-Host “The OU named $organization already exists”
Write-Host ” “
Write-Host “===============================”
Write-Host “ABORTING SETUP, HAVE A NICE DAY”
Write-Host ” “
Write-Host ” “
}
}

The only other thing that’s required for this script to run is a .csv file with three columns: givenName, surname, and department in order to create the users and groups properly. The following sample can be copied and pasted into Notepad and saved as ‘users.csv’, for example:

givenName,surname,department
Tony,Stark,Research
Pepper,Potts,Executives
Phil,Coulson,Security
Nick,Fury,HR
Bruce,Banner,Research
Steve,Rogers,Security
Reed,Richards,Research
Johnny,Storm,Security
Susan,Richards,Research
Ben,Grimm,Security
Peter,Parker,Research
Charles,Xavier,Executives
Scott,Summers,Security
Jean,Gray,HR

Here’s a download link to the script and the csv file for download: instantScript.zip

The starred (*) items are strongly recommended for beginners or anyone new to PowerShell.

Free Resources

• PowerShell: An In-Depth Scripting Crash Course *
• Windows PowerShell Owner’s Manual *
• TechNet Webcast Series – Scripting with Windows PowerShell
• MSDN PowerShell Blog
• Don Jones’ Shellhub * (Features book recommendations, tips, and other resources from one of the foremost experts on PowerShell in the world.)
• MSDN Library – Getting Started with Windows PowerShell *
• 2012 Scripting Games Study Guide: A Resource for Learning PowerShell *
• Microsoft TechNet | Windows PowerShell
• Sapien Technologies Forum | Windows PowerShell (This site features forums for many other scripting languages as well.)
• CodePlex – PowerShell Tools for IT Admins
• IS Decisions | Everything PowerShell
• PowerGUI, a Graphical User Interface and Script Editor for Microsoft Windows PowerShell
• Microsoft’s Channel 9 | Windows PowerShell (v3) Crash Course
• KS-Soft WMI Explorer (Useful for any admin, regardless of the preferred scripting language.)

Other Recommended Resources

• PowerShell in Action, Second Edition
• Learn Windows PowerShell in a Month of Lunches
• Windows PowerShell 2.0 Best Practices
• Windows PowerShell 2.0 Administrator’s Pocket Consultant
• Don Jones’ PowerShell Book Guide
• CBT Nuggets – Microsoft Scripting Windows PowerShell *
• CBT Nuggets – Microsoft Scripting Advanced Windows PowerShell v2 *
• CBT Nuggets – Powershell 3 Foundations *

Today, however, I’m going to talk a little bit about Dr. Radia Joy Perlman, another great woman in the history of computer science. . . and one of the most important people in technology today, period.

Dr. Perlman is the creator of the algorithm for the Spanning Tree Protocol, a topic any networking student is intimately famliar with. Without STP, swithed networks (and internetworks) as we know them today wouldn’t be possible. She also worked on routing protocols, such as IS-IS and OSPF, increasing efficiency and fault-tolerance. At age 37, she earned her PhD in computer science from MIT, discussing the very topic she’s famous for in her doctoral thesis.

Currently a Fellow at Intel, Dr. Perlman has worked for Sun Microsystems, (where she filed for over 50 patents for her work,) and Digital Equipment Corporation. It was while at DEC she worked on her algorithm for STP. She’s written two books,Interconnections: Bridges, Routers, Switches, and Internetworking Protocols and Network Security: Private Communication in a Public World, both of which still pop up as required reading for networking classes and as recommended reading for certain IT certifiations.

When asked to explain her seminal work, she famously replied, “The protocol is really very simple, I can summarize it in a poem!”

Algorhyme

I think that I shall never see
a graph more lovely than a tree.
A tree whose crucial property
is loop-free connectivity.
A tree that must be sure to span
so packets can reach every LAN.
First, the root must be selected.
By ID, it is elected.
Least-cost paths from root are traced.
In the tree, these paths are placed.
A mesh is made by folks like me,
then bridges find a spanning tree.

More reading on Dr. Perlman and her work:

• The Many Sides of Radia Perlman
• MIT’s Inventor of the Week
• Why IEEE Fellow Radia Perlman Hates Technology
• The list of articles goes on and on, you’re gonna have to Google her yourself for more.

This brings me to a thread on TechExams.net from a few years ago that discusses what it takes to be an industry-recognized security professional. Something to note here, this forum assumes that certifications are earned through rigorous study and hands-on experience, not through memorizing stolen test-questions or cramming a book just enough to pass the test. That being said, this particular conversation discusses the much-lauded CISSP certification, which requires professional experience and a degree, in addition to a test, in order to obtain.

Keatron, who teaches courses in network security, had the following advice for another forum-member asking how to get into security:

I’ve had many people sit my CEH class and realize they should have had Security+ level knowledge under their belts first. I by have it, I actually mean have it, not just pass the test.

I would say probably Sec+ (even if you do it self study).
Then MCSA:Sec
Then CEH
Then SSCP
At this point I’d suggest getting some Cisco in there. And you must start with CCNA, Then work the CCSP route (will not be easy, but worth it).

By this time you should be very ready to start preparing for the CISSP.

Again, keep in mind that the assumption here is that a professional would be working as he or she earns these certs, and actually learning the material in a practical way over the course of the two or three years it would take to study for all these tests.

So, the response we get from UnixGuy, another member of the forum who is interested in security-work:

Hmmm, isn’t this tooo long a way to earn a CISSP ??

And here is the big payoff, Keatron’s reasoning for all those other skills and experience:

For UnixGuy, think of it this way. Let’s say you have 6 different certifications that all deal with 6 different areas of Information Security. Think of these as your 6 cans of Coke. Now think of the CISSP as the little plastic stuff that holds a six pack of coke together. Take your 6 cans of coke (your experience and other certs) and the little plastic stuff (your CISSP), add those together and you have a solid six pack that’s held together well. For example, you might have a job as a firewall administrator. You might perform this job well for 6 or 7 years. However, you could be an expert firewall administrator, and not know squat about application security. In reality, the CISSP helps a security professional take all their years of experience, and certifications and FINALLY tie them all together and see clear relationships between it all. But there’s the old saying “garbage in, garbage out”. So in other words, if you are a person with only 1 can of coke (mimimal experience and minimal exposure to certifications), then the little plastic thing (CISSP) wont really do you much good, because you don’t have any cans (experience and certs) to tie together. The CISSP is often described as a mile wide and an inch deep. But it should be understood that you don’t go a mile deep because theoretically, you’ve already been 20 miles deep in several of the domains. I always stress experience first, then certs. However, sometimes you need the cert, to be awarded the opportunity to get the experience. But I often recommend people in the security field get vendor specific certs related to operating systems or network equipment they may be responsbile for securing. You can’t possibly secure a large building if you don’t know where all the doors and windows are. Additionally you need to know how to open and close these doors and windows. Same goes for systems and networks. Here’s a few examples;

How can one possibly understand group policy if they’ve never implemented or least labbed it out in preperation for MCSE? How could you know that group policies only apply to computers that are a member of the domain, OU, or site that group policy was applied to if you haven’t done it, or again labbed it out. Not to mention you have to remember to give groups read and apply group policy permissions to the group policy object if it is to have any effect at all. If one doesn’t understand these basics, then how could they possibly even start to secure a Windows based network? How does Kerberos work (in Windows world). What’s sent in clear text and what’s encrypted? How feasible is it for an attacker to forge a ticket and fool another device or computer in the realm to believing it’s legit? If you’ve never implemented a Pix or an ASA then how could you know what it’s default inspection rules for the FTP protocol is? We’re taught that FTP uses ports 20 and 21 only. But is that actually accurate? Is is true that FTP actually uses dynamically allocated ports to actually do the data transfer part of an FTP session? How does the ASA default inspection rules allow for this? And if you know the answer to that, then what security concerns does this behavior and allowance or disallowance by ASA introduce or expose your organization to? Have you observed it’s behavior via ethereal or some other analyzer or sniffer? What about the bazillion other protocols you’re forced to allow into your network? Are you sure DNS only uses port 53? TCP or UDP? Both? When you perform a query for a resource on the web, does the response to query come back in on UDP port 53? What about zone transfers? Is that via port 53 as well? TCP or UDP? Are these zone transfers in cleartext? If they are, what can you implement to encrypt these zone transfers? How does Checkpoint Firewall solutions deal with this behavior? (And saying it just works doesn’t count). Are the ways in which it deals with this behavior introducing unique security considerations? Isn’t it true that the biggest problems with firewall, IDS, and other mechanisms is that they act and behave in a very predictable manner? How does NTFS file systems store data and files? What about NFS? FAT? What about ZFS? So how do ZFS and EXT2 differ in how they store and catergorize data? From a confidentiality perspective, which is more feasible? If you haven’t worked with these file systems you might not know the answers. However, getting certifications can expose you to this very information and least give you some level of knowlegde in those areas.

This list could go on and on. And obviously a CISSP that thinks they only utilize port 21 when they go to an FTP site and download files probably could have benefited from getting little more experience (or getting more cans) before getting the plastic peice (CISSP) to pull it all together. Because pulling it all together with too few cans causes us to have huge “knowledge gaps” and therefore renders us less effective in our roles as information security professionals.

So UnixGuy, the above is some of the major reasons I suggest a path to the CISSP that’s probably a little longer than what you normally hear. Thanks for reading. And I hope it helps. 

Keatron.

I agree with every word of it. You cannot secure a network, a server, a website, or even a stand-alone PC, if you don’t know how those things work in the first place. Security is a second-tier skillset, you have to learn how it works before you can learn how to protect it. ”Security” isn’t some additional field that was invented for us to work in, it’s a term for the in-depth knowledge we gain as we work and learn about these systems that helps prevent exploits and hacks from being executed. UnixGuy’s question is a common one, and he’s not stupid or self-entitled for thinking that the road is too long. Unfortunately, I think that security isn’t taken seriously enough as a whole by this industry, (and many others,) and the result is that most of us don’t know how much work and effort goes into becoming an expert on that level.

Given, even experts make mistakes and sometimes the black-hats (bad guys) are sometimes smarter than the white hats (good guys), but that’s all the more reason to study, train, and prepare yourself if you want to be a CISSP, for example. Some people think the road is too long. . . I think that the road isn’t often long enough. It’s a big, bad world out there full of threats and people who want to steal our information. The more you know, the fewer times you’ll get caught with your pants down.

I’ve taken programming classes before: a VB6 course back in 2000, an intro to programming with C++ course in 2002, and then I picked up some C# back in 2006, but none of it ever really sunk in because I didn’t spend enough time with any given language to get any good at it. The only “programming languages” I’d been proficient in were XHTML and CSS2. . . well, up until January of this year that is.

In the Spring semester of 2011, I enrolled in CIS 26 at Laney College in Oakland, which was an introductory programming class that used C as the language of choice. It was both a “for beginners” class as well as a course on how to write code in the C language. I really enjoyed it, and now in the Fall semester I’m enrolled in CIS 25: Object-Oriented Programming with C++. So far, it’s been enjoyable. We’ve covered the usual if-else and switch statements; for, while, and do-while loops; functions; pointers and reference variables; classes and polymorphism. . . the usual fare for an OOP class. The teacher assigns no particular book, he simply lectures and sends out notes he wants us to use, then strongly recommends we pick out a book to use ourselves; one we can read and learn from outside of class.

For my money, I chose to go with Stephen Prata’s C++ Primer Plus:

After all, I went to College of Marin, and he used to teach there. . . oh, and the book comes highly recommended, too. It’s a great read, both for beginners and experienced coders. I’m slowly but surely working my way through the last few chapters now, getting my head around classes, among quite a few other things. This’ll be the longest span of time I’ve ever spent doing any kind of coding, for class or otherwise, and I intend to keep it up.

I’m going to take a data structures & algorithms class at Laney at some point in the future, probably next summer. (Yeah, that’s the only time they offer it.) Before then, however, I intend to already have a leg-up and spend some time working my way through a book or two, then maybe find some coding projects to tackle. Which book(s) I intend to read, I haven’t the foggiest idea yet, but I’m hoping to get some suggestions from my classmates and former co-workers on the subject. I don’t intend to let what I’ve learned drop away this time, and I’ll be damned if I go into that next class without some kind of preparation so I can get the most out of it.

So far, I’ve done a bare-bones install of Exchange 2010 three times, (once almost without any screw-ups,) in a lab environment consisting of a domain controller and a member server both running Windows Server 2008 R2. Baby steps, baby steps.

Why would-be engineers end up as English majors.

** Update: finally found this video on YouTube. **

Reading through it, I began to realize that some of the assumptions I’d made about education in my part of the world is pretty much true. For the most part, people find science and mathematics harder to understand and study than they do subjects like history, English, and others that fall under the umbrella of liberal arts. The question I had to ask myself is why. Why do so many people have such a hard time with one area of focus, but not others? Is it because the college coursework for English majors is less complicated and demanding than what engineering and science majors have to deal with? After spending long hours in study-sessions with Hanif Houston, a recent graduate of UC Berkeley’s English undergradute department, I’d say this isn’t true. His workload consisted of sometimes reading an entire novel per week, analyzing it, and writing several lengthy papers at once. My workload consisted of dozens of math problems, physics questions, and code-writing projects each week; all of these together often times didn’t amount to the amount of time and effort Hanif spent dissecting Shakespeare or building arguments for why Philip Roth’s sarcasm should be bottled and sold as a remedy-cure for common stupidity.

Given, I’m still a lower-division computer science and electrical engineering major, while the comparison is to upper-division English studies. Nonetheless, the CNN article describes people dropping out of their first or second years as science majors to pursue liberal arts degrees instead, taking a path of less resistance. So why is it really, then, that people decide that liberal arts are a path of less resistance to a degree? The obvious answer I can give here is that math and science classes in the public K-12 school system aren’t nearly adequate enough to prepare students for college-level work, but that’s not really the only problem. After all, courses in history, English, art, music, and the like are just as lacking in high school and below. So, perhaps there’s a bigger issue to look at. . . maybe it goes back further and deeper than our educational system.

Growing up, I never quite realized how often I heard the same set of mantras: “I don’t care about the science, as long as it works,” “I’m no good at math,” “when am I ever going to use this stuff?”, and of course, “if you spend all your time studying [math, sciences, or other 'nerdy' subjects], you’ll have no life and never get laid.”

The issue here is that all these things are so damned passive, we don’t realize we think this way. When I used to think of professional writers, for example, I used to imagine the people I saw in movies, like Jack Nicholson in As Good as It Gets, playing Melvin Udall, living in an expensive New York apartment and writing books at his leisure. Or I’d picture Michael Douglas in Wonder Boys fighting writer’s block, Sean Connery in Finding Forrester as a reclusive shut-in, coming out of seclusion to help a young writer earn his professor’s respect. All of these guys had two things in common: they didn’t seem to actually work all that hard for their money, and there’s never a time we see them struggling to earn that money. Easy living, right? Just write books, cash your checks, and have all the time in the world to deal with life’s other little problems. How hard could that be?

Scientists, on the other hand, get a different image in pop-culture. Up until recently, physicists, chemists, mathematicians, biologists, and all flavors of engineers have been portrayed either as quirky side-characters, or as eccentric, awkward head-cases that are either used as foils for more charismatic characters, or as “ugly ducklings” that need to be brought out of their shells by friends or a love interest. (See Q from the James Bond movies, the protagonist of the Nutty Professor movies, Doctor Emmet Brown from the Back to the Future series, etc.) The cases where a scientist is considered a sex symbol, a true main character, are the cases where they are more occupied with flashy action sequences than they are with their area of expertise, (see Doctor Jones from Indiana Jones, Doctor Gordon Freeman in the Half-Life video game series, and Doctor Ian Malcom in Jurassic Park.) This is also true for those “lonely nuclear/astro physicists” played by attractive blondes in James Bond movies. The issue here is, simply put, real science isn’t sexy. Most of those nerdy engineers and scientists used as side-kicks and comic relief in movies aren’t what the majority of people want to be.

I say most, however, because there is an exception to the nerdy scientist image. When the movie, video game, book, or television show in question is attempting to make the science, itself, sexy is when we see the geeky scientists become the charismatic protagonist. One good example of this is Dana Scully from The X-Files, as well as Peter Venkman from Ghostbusters and Hawkeye Pierce from M*A*S*H. Often times, with the notable exception of the latter, the main characters are made to look a lot more sexy by virtue of the fact that the science is either questionably feasable, or dumbed-down in order to make for more exciting action or drama. These are people we want to be, for sure, but for the same reason we want to be those writers from a few paragraphs back: their lives consist of other concerns, outside their jobs, that make their existence a lot more fun than our own. Scully performs autopsies on camera, Dr. Venkman actually does perform experiments in psychology, and Hawkeye spends a lot of time in surgery. These scenes, however, aren’t the main focus of the story, they’re merely vehicles for the characters to further conflict between other characters, set mood, or used as a backdrop for later sequences to play out. (Hawkeye also spends a lot of time drinking in his tent and arguing with higher-ranking army officers about the patients he’s worked on in the OR.)

So what’s the payoff for having read this far? My point is that we either paint math and sciences as too dull, too boring, or too difficult. It’s okay to rationalize your C grade in algebra because no one will fault you for saying it’s not your strong point or that you’ll never get any use out of the quadratic formula in your adult life. On the other side of the coin, we sometimes make technical fields seem easy and fun like they are for Indy and Doc Brown, and people are blown away by how much work they have to do in college to achieve a fraction of the progress these characters make and are disillusioned. This isn’t all too different from martial arts movies, signing up for karate classes, then dropping out after a few weeks because you got your ass kicked in a fight after school. The real world isn’t the movies, and usually the jobs we have to do aren’t exciting or sexy at all, so we pick the perceived easier path in order to avoid that work. Between that slap or reality and the stigma of working in “nerdy” fields of study, in my opinon, it’s no wonder people either switch from, or outright avoid, sciences and engineering in school.

How do we rectify this kind of attitude? I suppose we can try to instill in our kids that hard work is a part of life, and if you pursue your intersts you’ll probably end up having a lot of fun as well as studying your butt off. Regardless of the field, reality needs to be observed and people need to start getting genuinely excited and interested in their pursuits. Being an English major isn’t easy, and physics isn’t as hard as you’ve been lead to believe. And honestly, at the end of the day, both writers and scientists are equally geeky in their own right; so are FBI agents, firefighters, and medical doctors.