Active Directory PowerShell CmdLets for Computer Account Management

Active Directory PowerShell offers the following cmdlets for computer account management -
  1. New-ADComputer – Creates a new Active Directory computer
  2. Remove-ADComputer – Removes an Active Directory computer
  3. Set-ADComputer – Modifies an Active Directory computer
  4. Add-ADComputerServiceAccount – Adds one or more service accounts to an Active Directory computer
  5. Remove-ADComputerServiceAccount – Removes one or more service accounts from a computer

You can use these cmdlets to create, manage and delete computer accounts with relative ease.

Active Directory PowerShell CmdLets for Security Group Management

Active Directory PowerShell offers the following cmdlets for security group management -
  1. Get-ADGroup – Gets one or more Active Directory groups
  2. New-ADGroup – Creates an Active Directory group
  3. Remove-ADGroup – Removes an Active Directory group
  4. Set-ADGroup – Modifies an Active Directory group
  5. Add-ADGroupMember – Adds one or more members to an Active Directory group
  6. Get-ADGroupMember – Gets the members of an Active Directory group
  7. Remove-ADGroupMember – Removes one or more members from an Active Directory group
  8. Add-ADPrincipalGroupMembership – Adds a member to one or more Active Directory groups
  9. Get-ADPrincipalGroupMembership – Gets the Active Directory groups that have a specified user, computer, or group
  10. Remove-ADPrincipalGroupMembership – Removes a member from one or more Active Directory groups

You can use these cmdlets to create, manage and delete security groups with relative ease.

Active Directory PowerShell CmdLets for User Account Management

Active Directory PowerShell offers the following cmdlets for user account management -
  1. Disable-ADAccount – Disables an Active Directory account
  2. Enable-ADAccount – Enables an Active Directory account
  3. Unlock-ADAccount – Unlocks an Active Directory account
  4. Set-ADAccountControl – Modifies user account control (UAC) values for an Active Directory account
  5. Clear-ADAccountExpiration – Clears the expiration date for an Active Directory account
  6. Set-ADAccountExpiration – Sets the expiration date for an Active Directory account
  7. Set-ADAccountPassword – Modifies the password of an Active Directory account
  8. New-ADUser – Creates a new Active Directory user
  9. Remove-ADUser – Removes an Active Directory user
  10. Set-ADUser – Modifies an Active Directory user

You can use these cmdlets to create, manage and delete user accounts with relative ease.
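As an added example (not code from the original post), here is a complete account lifecycle built from the cmdlets listed above: create, harden, enable, reset, and finally disable and expire. The OU path, user names, UPN suffix and dates are assumptions for the Contoso example domain.

```powershell
# Added example (not from the original post): a user account lifecycle built from the
# cmdlets listed above. The OU, names, UPN suffix and dates are assumptions (Contoso).
Import-Module ActiveDirectory

$ou  = 'OU=Executives,OU=Accounts,DC=Contoso,DC=com'   # assumed target OU
$sam = 'jdoe'                                          # assumed sAMAccountName

# Prompt for the initial password so it never sits in the script as plain text.
$initialPassword = Read-Host -Prompt "Initial password for $sam" -AsSecureString

# 1. Create the account disabled, with a forced password change and an expiry date,
#    so a half-provisioned account cannot be used before someone reviews it.
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" `
    -Path $ou -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $false `
    -AccountExpirationDate (Get-Date).AddDays(90)

# 2. Make sure none of the risky UAC flags are set on the new account.
Set-ADAccountControl -Identity $sam -PasswordNeverExpires $false `
    -PasswordNotRequired $false -CannotChangePassword $false

# 3. Once reviewed, enable it.
Enable-ADAccount -Identity $sam

# 4. A later password reset (e.g. after a helpdesk call): -Reset means the old
#    password is not needed; force a change at next logon again.
$newPassword = Read-Host -Prompt "New password for $sam" -AsSecureString
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $newPassword
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true

# 5. Offboarding: disable and expire rather than delete, so the SID and the
#    audit trail survive until the retention period ends.
Disable-ADAccount -Identity $sam
Set-ADAccountExpiration -Identity $sam -DateTime (Get-Date)
Set-ADUser -Identity $sam -Description "Disabled $(Get-Date -Format s) by offboarding script"

# 6. Verify the end state.
Get-ADUser -Identity $sam -Properties AccountExpirationDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, AccountExpirationDate, PasswordLastSet

# Remove-ADUser -Identity $sam -Confirm:$false   # only after the retention period
```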

How to Specify the Base and the Scope of your Search when using Active Directory PowerShell

As you may know, under the hood all these Active Directory PowerShell cmdlets do is perform LDAP queries against Active Directory. If you're familiar with LDAP, then you know that there are at least two essential pieces of information required: the Base of the query, which is the object at which the query is rooted, and the Scope of the query, which can be either the single object (base) that is specified, or just the object and its immediate children (one level), or the entire tree of objects (subtree) rooted at the specified object.

In the case of these Active Directory PowerShell cmdlets, there is no difference: you need to specify the base and the scope of a cmdlet query as well.

The scope of your search can be set to Base, OneLevel, or SubTree. As alluded to above, Base searches only the specified path/object, OneLevel searches the specified path/object and its immediate children, and SubTree searches the specified path/object and ALL its children (i.e. including all grand-children, all the way down to each leaf object).

As for the Base itself, it refers to the specific Active Directory object at which the search is rooted.

So for example, with the command Get-ADUser -LDAPFilter "(name=Scotty*)" -SearchBase "OU=Executives,OU=Accounts,DC=Contoso,DC=com" -SearchScope OneLevel, the cmdlet would enumerate all user accounts directly in the Executives OU whose name begins with Scotty.

Note that in this example, if there were an OU within Executives called, say, Assistants, and it too contained a user whose name started with Scotty, that user account would not be returned as part of the search.
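To make the three scopes visible side by side, here is an added example (not from the original post) that runs the same LDAP filter under Base, OneLevel and Subtree against the Executives OU; the OU path and the Assistants sub-OU are assumptions from the Contoso example. One caveat worth seeing in the output: an LDAP OneLevel search returns the immediate children of the base, not the base object itself.

```powershell
# Added example (not from the original post): the same LDAP filter run under each of
# the three scopes against the Executives OU from the post; the OU path is an assumption.
Import-Module ActiveDirectory

function Get-ScopedMatches {
    param([string]$SearchBase, [string]$LdapFilter)
    foreach ($scope in 'Base', 'OneLevel', 'Subtree') {
        # Get-ADObject rather than Get-ADUser, so a Base search can return the OU itself
        $hits = @(Get-ADObject -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope $scope)
        if ($hits.Count -eq 0) {
            New-Object PSObject -Property @{ Scope = $scope; Class = '-'; DN = '(no match)' }
        }
        foreach ($hit in $hits) {
            New-Object PSObject -Property @{ Scope = $scope; Class = $hit.ObjectClass; DN = $hit.DistinguishedName }
        }
    }
}

$base = 'OU=Executives,OU=Accounts,DC=Contoso,DC=com'

# (objectClass=*) matches every object, so this shows exactly what each scope covers:
#   Base     -> only the Executives OU object itself
#   OneLevel -> the OU's immediate children (users directly in it, the Assistants OU), not the OU
#   Subtree  -> the OU plus everything below it, including users inside Assistants
Get-ScopedMatches -SearchBase $base -LdapFilter '(objectClass=*)' |
    Format-Table Scope, Class, DN -AutoSize

# The post's filter, restricted to user accounts (objectCategory=person excludes
# computer objects, which are also objectClass=user). With OneLevel a Scotty inside
# OU=Assistants is not returned; with Subtree it is.
Get-ScopedMatches -SearchBase $base -LdapFilter '(&(objectCategory=person)(objectClass=user)(name=Scotty*))' |
    Format-Table Scope, DN -AutoSize
```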

How to Specify the Target of your Search when using Active Directory PowerShell

Whenever an Active Directory PowerShell cmdlet is used, it can be pointed at either a single Active Directory object or at multiple Active Directory objects.

You can specify an object when using a PowerShell cmdlet in various ways. For example, you could specify the DN of an object, or its GUID, or its SamAccountName, or for that matter its SID. These cmdlets can automatically identify a target object based on what you specify, as long as you have specified one of the common attributes used to identify an object, such as its DN, GUID, SID, sAMAccountName or Name.

(It's no rocket science actually. It's simply that under the hood the cmdlet will try to search for objects using a combination of attribute names along with the value specified, incorporating some basic intelligence of course, in that it has the ability to distinguish a GUID from a SID etc., and it uses the results of such searches to identify the object.)

In addition to being able to specify the value of a common attribute, it also lets you specify an LDAP filter, which it then evaluates dynamically to determine the target. For example, you could use the cmdlet Get-ADUser -LDAPFilter "(name=Scotty*)", and in this case it would return a list of all domain user accounts whose name starts with Scotty.
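The following added example (not from the original post) feeds a mixed list of the identifier kinds named above (sAMAccountName, DN, SID, GUID) through -Identity and reports how each resolves, then contrasts that with an -LDAPFilter query. Every identifier value in it is a constructed placeholder, and the Resolve-ADUserIdentity function is a hypothetical helper, not part of the module.

```powershell
# Added example (not from the original post): resolve a mixed list of identifiers of the
# kinds the post names (DN, GUID, SID, sAMAccountName) through -Identity, then contrast
# it with -LDAPFilter. Every identifier value below is a constructed placeholder.
Import-Module ActiveDirectory

function Resolve-ADUserIdentity {
    param([string[]]$Identity)
    foreach ($id in $Identity) {
        # Classify the input (for the report only; the cmdlet does this itself)
        $kind = switch -Regex ($id) {
            '^S-1-5-'                                      { 'SID'; break }
            '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'  { 'GUID'; break }
            '^CN=.+,DC=.+'                                 { 'DN'; break }
            default                                        { 'sAMAccountName' }
        }
        try {
            # -Identity accepts any of these forms; -ErrorAction Stop makes
            # "not found" a terminating error that the catch blocks can handle
            $u = Get-ADUser -Identity $id -ErrorAction Stop
            New-Object PSObject -Property @{ Input = $id; Kind = $kind; Result = 'found'; User = $u.SamAccountName; DN = $u.DistinguishedName }
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            New-Object PSObject -Property @{ Input = $id; Kind = $kind; Result = 'not found'; User = $null; DN = $null }
        } catch {
            New-Object PSObject -Property @{ Input = $id; Kind = $kind; Result = "error: $($_.Exception.Message)"; User = $null; DN = $null }
        }
    }
}

# Constructed sample inputs, in the shapes they turn up in logs, ACLs and tickets
$ids = @(
    'scotty',
    'CN=Scotty Smith,OU=Executives,OU=Accounts,DC=Contoso,DC=com',
    'S-1-5-21-1111111111-2222222222-3333333333-1105',
    '12345678-abcd-4ef0-9876-0123456789ab'
)
Resolve-ADUserIdentity -Identity $ids | Format-Table Input, Kind, Result, User, DN -AutoSize

# -LDAPFilter takes a raw LDAP filter instead of one identity; pair it with
# -SearchBase/-SearchScope so the query stays bounded instead of scanning the domain
Get-ADUser -LDAPFilter '(name=Scotty*)' -SearchBase 'OU=Accounts,DC=Contoso,DC=com' -SearchScope Subtree |
    Select-Object SamAccountName, DistinguishedName
```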

Active Directory PowerShell CmdLets for Generating Active Directory based Reports

Microsoft PowerShell for Active Directory offers 76 cmdlets by default. Of these 76 cmdlets, 23 are for retrieving information from an Active Directory and could theoretically be used to obtain data that could then be rolled up into an IT management or an IT security report.

These 23 cmdlets are –
  1. Search-ADAccount – Gets Active Directory user, computer, and service accounts
  2. Get-ADAccountAuthorizationGroup – Gets the Active Directory security groups that contain an account
  3. Get-ADAccountResultantPasswordReplicationPolicy – Gets the resultant password replication policy for an Active Directory account
  4. Get-ADComputer – Gets one or more Active Directory computers
  5. Get-ADComputerServiceAccount – Gets the service accounts that are hosted by an Active Directory computer
  6. Get-ADDefaultDomainPasswordPolicy – Gets the default password policy for an Active Directory domain
  7. Get-ADDomain – Gets an Active Directory domain
  8. Get-ADDomainController – Gets one or more Active Directory domain controllers, based on discoverable services criteria, search parameters, or by providing a domain controller identifier, such as the NetBIOS name
  9. Get-ADDomainControllerPasswordReplicationPolicy – Gets the members of the Allowed List or the Denied List of the RODC PRP
  10. Get-ADDomainControllerPasswordReplicationPolicyUsage – Gets the resultant password policy of the specified ADAccount on the specified RODC
  11. Get-ADFineGrainedPasswordPolicy – Gets one or more Active Directory fine-grained password policies
  12. Get-ADFineGrainedPasswordPolicySubject – Gets the users and groups to which a fine-grained password policy is applied
  13. Get-ADForest – Gets an Active Directory forest
  14. Get-ADGroup – Gets one or more Active Directory groups
  15. Get-ADGroupMember – Gets the members of an Active Directory group
  16. Get-ADObject – Gets one or more Active Directory objects
  17. Get-ADOptionalFeature – Gets one or more Active Directory optional features
  18. Get-ADOrganizationalUnit – Gets one or more Active Directory OUs
  19. Get-ADPrincipalGroupMembership – Gets the Active Directory groups that have a specified user, computer, or group
  20. Get-ADRootDSE – Gets the root of a domain controller information tree
  21. Get-ADServiceAccount – Gets one or more Active Directory service accounts
  22. Get-ADUser – Gets one or more Active Directory users
  23. Get-ADUserResultantPasswordPolicy – Gets the resultant password policy for a user

These cmdlets can be used to obtain information from your Active Directory regarding a variety of resources, ranging from user accounts to fine-grained password policies.
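As an added example of rolling these read-only cmdlets into an IT security report (not code from the original post), the script below writes four CSV files: the domain and fine-grained password policies, the expanded membership of a privileged group with the password policy that actually applies to each member, and two account hygiene findings from Search-ADAccount. The group name, the 90-day inactivity threshold and the output directory are assumptions.

```powershell
# Added example (not from the original post): a small security report built from the
# read-only cmdlets listed above. Group name, threshold and output path are assumptions.
Import-Module ActiveDirectory

$reportDir  = 'C:\Reports'           # assumed output directory
$staleAfter = New-TimeSpan -Days 90  # assumed "inactive" threshold
$privGroup  = 'Domain Admins'        # assumed privileged group to review
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# 1. Domain password policy and any fine-grained policies that override it
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold, ComplexityEnabled |
    Export-Csv "$reportDir\default-password-policy.csv" -NoTypeInformation
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge |
    Export-Csv "$reportDir\fine-grained-policies.csv" -NoTypeInformation

# 2. Privileged group membership expanded through nested groups, with the password
#    facts that matter for each member and the policy that actually applies
Get-ADGroupMember -Identity $privGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate
        $fgpp = Get-ADUserResultantPasswordPolicy -Identity $u
        $policyName = 'Default Domain Policy'
        if ($fgpp) { $policyName = $fgpp.Name }
        New-Object PSObject -Property @{
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
            LastLogonDate        = $u.LastLogonDate
            EffectivePolicy      = $policyName
        }
    } | Export-Csv "$reportDir\privileged-members.csv" -NoTypeInformation

# 3. Account hygiene from Search-ADAccount: enabled users with no logon within the
#    threshold, and users whose password never expires
Search-ADAccount -AccountInactive -TimeSpan $staleAfter -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv "$reportDir\stale-enabled-users.csv" -NoTypeInformation
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Select-Object SamAccountName, Enabled, DistinguishedName |
    Export-Csv "$reportDir\password-never-expires.csv" -NoTypeInformation
```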
You can always obtain additional information on these cmdlets by typing Get-Help <cmdlet-name> into PowerShell, where <cmdlet-name> is the name of the cmdlet you want more information on. This command will give you the basic help for the cmdlet.

To view examples for a specific cmdlet, simply type Get-Help <cmdlet-name> -examples into PowerShell, where <cmdlet-name> is the name of the cmdlet you want to see examples for.

Finally, if you want to see the full help file for the cmdlet, type Get-Help <cmdlet-name> -full into PowerShell, where <cmdlet-name> is the name of the cmdlet you want full help information for.

Additional information on some of these cmdlets will follow in additional blog posts.

Active Directory Administration with Windows PowerShell

Microsoft Windows PowerShell is a command-line shell and scripting language that can help IT administrators perform system administration easily and efficiently.

The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows PowerShell module (named ActiveDirectory) that consolidates a group of cmdlets.

IT administrators can use these AD cmdlets to manage numerous aspects of IT management related to Active Directory including account management, group management, OU management, password policy management and domain management.

The Active Directory Module for Windows PowerShell in Windows Server 2008 R2 build 7100 (Release Candidate) includes 76 cmdlets.

It is available by default on Windows Server 2008 machines and can be installed on Windows 7 machines using the Remote Server Administration Tools (RSAT) feature.

When you install the Active Directory module, Windows PowerShell and the Microsoft .NET Framework 3.5.1 are installed by default.

To start it, simply click on Start, then select Administrative Tools, then click on Active Directory PowerShell.

In additional posts, I will cover a variety of other aspects of Windows PowerShell for Active Directory.