- New-ADComputer – Creates a new Active Directory computer
- Remove-ADComputer – Removes an Active Directory computer
- Set-ADComputer – Modifies an Active Directory computer
- Add-ADComputerServiceAccount – Adds one or more service accounts to an Active Directory computer
- Remove-ADComputerServiceAccount – Removes one or more service accounts from a computer
My Active Directory PowerShell Blog
How to perform common Active Directory Management and Reporting Tasks Using PowerShell
Active Directory Security and Active Directory Delegation play a mission-critical role in global security and present an open challenge. A good Active Directory Audit Tool / Active Directory Reporting Tool / Active Directory Auditing Tool / Permissions Analyzer for Active Directory can help Audit Active Directory, generate Active Directory Reports and mitigate Active Directory Risks such as Active Directory Privilege Escalation, and find out who can reset your Windows password. Today, even the US Department of Homeland Security runs on Active Directory. Today, tools like the Active Directory Effective Permissions Tab and Active Directory Permissions Analyzer can be used to perform Active Directory Permissions Analysis, prevent Token Bloat, Dump Active Directory ACLs, perform an Active Directory Audit and an Active Directory Access Audit.
Active Directory PowerShell CmdLets for Computer Account Management
Active Directory PowerShell CmdLets for Security Group Management
- Get-ADGroup – Gets one or more Active Directory groups
- New-ADGroup – Creates an Active Directory group
- Remove-ADGroup – Removes an Active Directory group
- Set-ADGroup – Modifies an Active Directory group
- Add-ADGroupMember – Adds one or more members to an Active Directory group
- Get-ADGroupMember – Gets the members of an Active Directory group
- Remove-ADGroupMember – Removes one or more members from an Active Directory group
- Add-ADPrincipalGroupMembership – Adds a member to one or more Active Directory groups
- Get-ADPrincipalGroupMembership – Gets the Active Directory groups that have a specified user, computer, or group
- Remove-ADPrincipalGroupMembership – Removes a member from one or more Active Directory groups
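The group cmdlets above are most useful on the defensive side for keeping an eye on who sits in the highly privileged groups. The following is an added example, not code from the original post: it builds a recursive membership report for a set of groups and diffs it against a previously saved baseline CSV. The group list, the baseline path and the Get-PrivilegedGroupReport / Compare-PrivilegedGroupBaseline function names are this example's own assumptions; it assumes the ActiveDirectory module is installed and the caller can read group membership.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# (RSAT) is installed and the caller can read group membership in the domain.
# The group names, the baseline path and the function names are assumptions.
Import-Module ActiveDirectory

# Groups whose membership should be reviewed regularly (constructed list).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedGroupReport {
    param([string[]]$GroupNames = $PrivilegedGroups)

    foreach ($name in $GroupNames) {
        $group = Get-ADGroup -Identity $name -Properties whenChanged
        # -Recursive expands nested groups so indirect members are not missed.
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            [pscustomobject]@{
                Group            = $group.Name
                GroupLastChanged = $group.whenChanged
                Member           = $_.SamAccountName
                ObjectClass      = $_.objectClass
                MemberDN         = $_.distinguishedName
            }
        }
    }
}

function Compare-PrivilegedGroupBaseline {
    param(
        # Path of a CSV written earlier by Get-PrivilegedGroupReport (assumed path).
        [Parameter(Mandatory)] [string]$BaselineCsv,
        [string[]]$GroupNames = $PrivilegedGroups
    )
    $current  = Get-PrivilegedGroupReport -GroupNames $GroupNames
    $baseline = Import-Csv -Path $BaselineCsv

    # Key on Group + MemberDN so a renamed or moved account still shows as a change.
    $diffs = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Group, MemberDN
    foreach ($diff in $diffs) {
        [pscustomobject]@{
            Group  = $diff.Group
            Member = $diff.MemberDN
            Change = if ($diff.SideIndicator -eq '=>') { 'Added since baseline' } else { 'Removed since baseline' }
        }
    }
}

# Usage: save today's membership as the baseline once, then diff against it on a schedule.
# Get-PrivilegedGroupReport | Export-Csv -Path C:\Audit\priv-baseline.csv -NoTypeInformation
# Compare-PrivilegedGroupBaseline -BaselineCsv C:\Audit\priv-baseline.csv | Format-Table -AutoSize
```

An empty result from Compare-PrivilegedGroupBaseline means nothing changed; any row marked "Added since baseline" is the one to chase down, since membership in these groups is rarely granted legitimately without a ticket behind it.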
Active Directory PowerShell CmdLets for User Account Management
- Disable-ADAccount – Disables an Active Directory account
- Enable-ADAccount – Enables an Active Directory account
- Unlock-ADAccount – Unlocks an Active Directory account
- Set-ADAccountControl – Modifies user account control (UAC) values for an Active Directory account
- Clear-ADAccountExpiration – Clears the expiration date for an Active Directory account
- Set-ADAccountExpiration – Sets the expiration date for an Active Directory account
- Set-ADAccountPassword – Modifies the password of an Active Directory account
- New-ADUser – Creates a new Active Directory user
- Remove-ADUser – Removes an Active Directory user
- Set-ADUser – Modifies an Active Directory user
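Several of the account cmdlets listed above are typically chained together when someone leaves the organisation. The following is an added example, not code from the original post: a single function that disables the account, sets an expiration, rotates the password, strips group memberships and parks the object, with -WhatIf support so the run can be previewed. The OU path, the retention period and the Disable-LeaverAccount name are assumptions; Move-ADObject is a cmdlet from the same module that is not in the post's list.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is installed and the caller may modify the user, its password and its groups.
# The parking OU, the retention period and the function name are assumptions.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Identity,
        # OU where disabled accounts are kept until deletion (assumed path).
        [string]$DisabledOU = 'OU=Disabled,OU=Accounts,DC=Contoso,DC=com',
        [int]$RetentionDays = 90
    )

    $user = Get-ADUser -Identity $Identity -Properties description
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account and remove group membership')) {
        return
    }

    # 1. Block sign-in first; the expiration date documents when the object may be removed.
    Disable-ADAccount -Identity $user
    Set-ADAccountExpiration -Identity $user -DateTime (Get-Date).AddDays($RetentionDays)

    # 2. Replace the password with a random value so cached credentials stop working.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

    # 3. Remove every group except the primary group, which cannot be removed this way.
    $groups = Get-ADPrincipalGroupMembership -Identity $user | Where-Object { $_.Name -ne 'Domain Users' }
    if ($groups) {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $groups -Confirm:$false
    }

    # 4. Leave an audit trail on the object itself, then move it out of the live OU.
    $stamp = "Disabled $(Get-Date -Format s) by $env:USERNAME; previous: $($user.description)"
    Set-ADUser -Identity $user -Description $stamp
    Move-ADObject -Identity $user -TargetPath $DisabledOU
}

# Usage: preview first, then apply.
# Disable-LeaverAccount -Identity scotty.smith -WhatIf
# Disable-LeaverAccount -Identity scotty.smith
```

The order matters: disabling and rotating the password come before the group removal so that, if the run is interrupted part-way, the account is already unusable rather than merely less privileged.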
How to Specify the Base and the Scope of your Search when using Active Directory PowerShell
The same is true of these Active Directory PowerShell cmdlets: you need to specify the base and the scope of a cmdlet query as well.
The scope of your search can be set to Base, OneLevel, or SubTree. Base searches only the current path/object, OneLevel searches the specified object and its immediate children, and SubTree searches the current path/object and ALL its children (i.e. including all grand-children all the way down to each leaf object).
As for the Base itself, it refers to the specific Active Directory object at which to target the search.
So, for example, with the command Get-ADUser -LDAPFilter "(name=Scotty*)" -SearchBase "OU=Executives,OU=Accounts,DC=Contoso,DC=com" -SearchScope OneLevel, the cmdlet would enumerate all user accounts directly in the Executives OU whose name begins with Scotty.
Note that in this example, if there were an OU within Executives called say Assistants, and it too contained a user whose name started with Scotty, that user account would not be returned as a part of the search.
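The difference between the three scopes is easiest to see by running the same filter against the same base under each of them. The following is an added example, not code from the original post: it reuses the post's Executives OU and "(name=Scotty*)" filter, runs all three scopes rather than only OneLevel, and reports which container each match actually lives in, so a user in the Assistants sub-OU shows up under Subtree but not under OneLevel. The Get-ScopeComparison name is this example's own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is installed and the Executives OU exists as in the post's example.
Import-Module ActiveDirectory

$Base   = 'OU=Executives,OU=Accounts,DC=Contoso,DC=com'   # from the post
$Filter = '(name=Scotty*)'                                 # from the post

function Get-ScopeComparison {
    param([string]$SearchBase = $Base, [string]$LdapFilter = $Filter)

    foreach ($scope in 'Base', 'OneLevel', 'Subtree') {
        # @() so a single match still has a .Count of 1 and no match is 0.
        $hits = @(Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope $scope)

        # Parent container of each match: split the DN on the first comma that is
        # not escaped, because an RDN such as "CN=Smith\, Scotty" contains a comma.
        $containers = $hits | ForEach-Object { ($_.DistinguishedName -split '(?<!\\),', 2)[1] } |
                      Sort-Object -Unique

        [pscustomobject]@{
            Scope      = $scope
            Matches    = $hits.Count
            Containers = ($containers -join '; ')
        }
    }
}

Get-ScopeComparison | Format-Table -AutoSize
```

With the OU layout the post describes, Base returns nothing (the OU itself is not a user), OneLevel returns only the accounts directly under Executives, and Subtree adds the Scotty account in OU=Assistants,OU=Executives,... as well.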
How to Specify the Target of your Search when using Active Directory PowerShell
You can specify an object when using a PowerShell cmdlet in various ways. For example, you could specify the DN of an object, or its GUID, or its SamAccountName, or for that matter its SID. These cmdlets can automatically identify a target object based on what you specify, as long as you have specified one of the common attributes used to identify an object, such as its DN, GUID, SID, sAMAccountName or Name.
(It's no rocket science actually. It's simply that under the hood the cmdlet will try to search for objects using a combination of attribute names along with the value specified, incorporating some basic intelligence of course, in that it has the ability to distinguish a GUID from a SID etc., and it uses the results of such searches to identify the object.)
In addition to being able to specify the value of a common attribute, it also lets you specify an LDAP filter, which it then evaluates to determine the target. For example, you could use the cmdlet Get-ADUser -LDAPFilter "(name=Scotty*)", and in this case it would return a list of all domain user accounts whose name starts with Scotty.
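The two paragraphs above describe the cmdlets telling a GUID, a SID, a DN and a plain name apart and then building a search from it. The following is an added example, not code from the original post and not the module's actual implementation: it reproduces that classification in plain PowerShell and, for the plain-name case, builds the LDAP filter itself. The point a practitioner should take from it is the escaping step: when the value comes from a script parameter or a ticket field, characters such as * and ( must be escaped so the filter matches the literal text instead of widening the search. The Get-IdentityKind, ConvertTo-LdapFilterLiteral and Resolve-ADTarget names are this example's own.

```powershell
# Added example (not from the original post). Illustrates the identity-format
# detection the post attributes to the cmdlets; the rules here are this example's
# own and are not the module's implementation. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-IdentityKind {
    param([Parameter(Mandatory)] [string]$Identity)
    # Order matters: GUIDs and SIDs have a fixed shape, a DN starts with an RDN
    # attribute, and anything else is treated as a name.
    if ($Identity -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') { return 'GUID' }
    if ($Identity -match '^S-1-\d+(-\d+)+$')                                     { return 'SID' }
    if ($Identity -match '^(?i)(cn|ou|dc)=')                                     { return 'DN' }
    return 'Name'
}

function ConvertTo-LdapFilterLiteral {
    # Escape the characters that carry meaning in an LDAP filter (RFC 4515) so a
    # caller-supplied value is matched literally.
    param([Parameter(Mandatory)] [string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Resolve-ADTarget {
    param([Parameter(Mandatory)] [string]$Identity)
    $kind = Get-IdentityKind -Identity $Identity

    if ($kind -ne 'Name') {
        # DN, GUID and SID are unambiguous, so -Identity can take them directly.
        return Get-ADObject -Identity $Identity -Properties sAMAccountName
    }

    # A bare name may be a sAMAccountName or the object's Name attribute, so search
    # both. Escaping means a value of "Scotty*" is looked up as that exact string;
    # wildcard searches should go through an explicit -LDAPFilter as in the post.
    $literal = ConvertTo-LdapFilterLiteral -Value $Identity
    Get-ADObject -LDAPFilter "(|(sAMAccountName=$literal)(name=$literal))" -Properties sAMAccountName
}

# Usage (SID and GUID values are placeholders to be replaced with real ones):
# Resolve-ADTarget -Identity 'scotty.smith'
# Resolve-ADTarget -Identity 'CN=Scotty Smith,OU=Executives,OU=Accounts,DC=Contoso,DC=com'
# Resolve-ADTarget -Identity 'S-1-5-21-<domain>-<rid>'
# ConvertTo-LdapFilterLiteral -Value 'Scotty*'   # returns Scotty\2a
```

The same escaping applies whenever a script builds the string passed to -LDAPFilter or -Filter from outside input; the post's own "(name=Scotty*)" is fine because the wildcard there is intentional and hard-coded.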
Active Directory PowerShell CmdLets for Generating Active Directory based Reports
These 23 cmdlets are –
- Search-ADAccount – Gets Active Directory user, computer, and service accounts
- Get-ADAccountAuthorizationGroup – Gets the Active Directory security groups that contain an account
- Get-ADAccountResultantPasswordReplicationPolicy – Gets the resultant password replication policy for an Active Directory account
- Get-ADComputer – Gets one or more Active Directory computers
- Get-ADComputerServiceAccount – Gets the service accounts that are hosted by an Active Directory computer
- Get-ADDefaultDomainPasswordPolicy – Gets the default password policy for an Active Directory domain
- Get-ADDomain – Gets an Active Directory domain
- Get-ADDomainController – Gets one or more Active Directory domain controllers, based on discoverable services criteria, search parameters, or by providing a domain controller identifier, such as the NetBIOS name
- Get-ADDomainControllerPasswordReplicationPolicy – Gets the members of the Allowed List or the Denied List of the RODC PRP
- Get-ADDomainControllerPasswordReplicationPolicyUsage – Gets the resultant password policy of the specified ADAccount on the specified RODC
- Get-ADFineGrainedPasswordPolicy – Gets one or more Active Directory fine-grained password policies
- Get-ADFineGrainedPasswordPolicySubject – Gets the users and groups to which a fine-grained password policy is applied
- Get-ADForest – Gets an Active Directory forest
- Get-ADGroup – Gets one or more Active Directory groups
- Get-ADGroupMember – Gets the members of an Active Directory group
- Get-ADObject – Gets one or more Active Directory objects
- Get-ADOptionalFeature – Gets one or more Active Directory optional features
- Get-ADOrganizationalUnit – Gets one or more Active Directory OUs
- Get-ADPrincipalGroupMembership – Gets the Active Directory groups that have a specified user, computer, or group
- Get-ADRootDSE – Gets the root of a domain controller information tree
- Get-ADServiceAccount – Gets one or more Active Directory service accounts
- Get-ADUser – Gets one or more Active Directory users
- Get-ADUserResultantPasswordPolicy – Gets the resultant password policy for a user
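The reporting cmdlets above combine naturally into a periodic account-hygiene report. The following is an added example, not code from the original post: it uses Search-ADAccount to find inactive, locked-out and never-expiring user accounts, then looks up each one's resultant password policy with Get-ADUserResultantPasswordPolicy and flags any account whose effective minimum password length is weaker than the domain default from Get-ADDefaultDomainPasswordPolicy. The inactivity threshold, the output path and the Get-AccountHygieneReport name are assumptions.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is installed and the caller can read account and password-policy attributes.
# The threshold, the output path and the function name are assumptions.
Import-Module ActiveDirectory

function Get-AccountHygieneReport {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Search-ADAccount does the date arithmetic; -UsersOnly keeps computer accounts out.
    $inactive    = @(Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly -SearchBase $SearchBase)
    $neverExpire = @(Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $SearchBase)
    $lockedOut   = @(Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase)

    # One row per distinct account, whichever of the three searches found it.
    $flagged = $inactive + $neverExpire + $lockedOut | Sort-Object -Property DistinguishedName -Unique

    foreach ($acct in $flagged) {
        # Returns the fine-grained policy (PSO) that wins for this user, or nothing
        # when only the domain default applies.
        $pso    = Get-ADUserResultantPasswordPolicy -Identity $acct.SamAccountName
        $minLen = if ($pso) { $pso.MinPasswordLength } else { $domainPolicy.MinPasswordLength }

        [pscustomobject]@{
            SamAccountName       = $acct.SamAccountName
            Enabled              = $acct.Enabled
            LastLogonDate        = $acct.LastLogonDate
            Inactive             = $inactive.DistinguishedName -contains $acct.DistinguishedName
            PasswordNeverExpires = $neverExpire.DistinguishedName -contains $acct.DistinguishedName
            LockedOut            = $lockedOut.DistinguishedName -contains $acct.DistinguishedName
            EffectivePolicy      = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            MinPasswordLength    = $minLen
            WeakerThanDefault    = $minLen -lt $domainPolicy.MinPasswordLength
        }
    }
}

# Usage: write the report to CSV for review (assumed path).
Get-AccountHygieneReport | Export-Csv -Path C:\Audit\account-hygiene.csv -NoTypeInformation
```

Rows with both Enabled and Inactive set are the usual candidates for disabling; rows with WeakerThanDefault set point at a fine-grained policy that has been applied more broadly than intended.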
To view examples for a specific cmdlet, simply type Get-Help <cmdlet name> -Examples.
Finally, if you want to see the full help file for the cmdlet, type Get-Help <cmdlet name> -Full.
Additional information on some of these cmdlets will follow in additional blogposts.
Active Directory Administration with Windows PowerShell
The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows PowerShell module (named ActiveDirectory) that consolidates a group of cmdlets.
IT administrators can use these AD cmdlets to manage numerous aspects of IT management related to Active Directory including account management, group management, OU management, password policy management and domain management.
The Active Directory Module for Windows PowerShell in Windows Server 2008 R2 build 7100 (Release Candidate) includes 76 cmdlets.
It is available by default on Windows Server 2008 machines and can be installed on Windows 7 machines using the Remote Server Administration Tools (RSAT) feature.
When you install the Active Directory module, Windows PowerShell and the Microsoft .NET Framework 3.5.1 are installed by default.
To start it, simply click on Start, then select Administrative Tools, then click on Active Directory PowerShell.
In additional posts, I will cover a variety of other aspects of Windows PowerShell for Active Directory.