PowerShell - Active Directory

We can use Active Directory Users and Computers (ADUC) for many things, such as Queries, or the new Active Directory Administrative Center. However, PowerShell and the ActiveDirectory module can do more, we can script some operations, and we can also get results that we can work with further (e.g., in Excel). If I'm using PowerShell directly, I prefer to use PowerShell ISE, which is part of Windows 7.

To use the ActiveDirectory module on a workstation, we must have installed Active Directory Domain Services (AD DS and AD LDS Tools, which is part of RSAT - Remote Server Administration Tools) and enabled the Active Directory Module for Windows PowerShell property. We also need to have the Windows Server 2008 R2 Active Directory Web Services service installed on at least one domain controller.

• General Properties
• Users (user account) - creating and setting values
• Users (user account) - listing accounts and values
• Groups (group)
• Computers (computer account) - listing accounts and values

General Properties

Using AD commands

If we use PowerShell ISE, we must first import the ActiveDirectory module at each runtime to have the commands for Active Directory available.

Import-Module ActiveDirectory

Browsing Active Directory

We can browse AD the same way as the file system. First, we switch to AD and then use commands like dir, cd, etc.

PS C:\> cd ad:
PS AD:\> dir

Name                 ObjectClass          DistinguishedName
----                 -----------          -----------------
firm                 domainDNS            DC=firm,DC=local
Configuration        configuration        CN=Configuration,...
Schema               dMD                  CN=Schema,CN=Conf...
ForestDnsZones       domainDNS            DC=ForestDnsZones...
DomainDnsZones       domainDNS            DC=DomainDnsZones...

PS AD:\> cd 'DC=firm,DC=local'
PS AD:\DC=firm,DC=local>

Information about the current domain

Get-ADDomain

Information about domain controllers

$dc = Get-ADDomainController -Filter *
$dc | FT Name,Site,OperationMasterRoles,OperatingSystem,IsGlobalCatalog -AutoSize 

Users (user account) - creating and setting values

Creating a user

If we have an Exchange server, we might prefer to use a command that creates the account and the mailbox at the same time. We create the user with the default password 123456 and specify the container in which the account will be created.

$pass = ConvertTo-SecureString -AsPlainText -Force -String '123456' 
New-ADUser bouska -Name 'Petr Bouška' -SamAccountName 'bouska' -Path 'ou=Firm,dc=firm,dc=local' -UserPrincipalName 'bouska@firm.local' -GivenName 'Petr' -Surname 'Bouška' -AcountPassword $pass -Enabled $true

Setting users to change their password at next logon

To set the ChangePasswordAtLogon option, the PasswordNeverExpires setting must not be set.

Get-ADUser -Filter * -SearchBase "OU=Firm,DC=firm,DC=local" | Set-ADUser -PasswordNeverExpires $false
Get-ADUser -Filter * -SearchBase "OU=Firm,DC=firm,DC=local" | Set-ADUser -ChangePasswordAtLogon $true 

Users (user account) - listing accounts and values

Displaying all user properties

Get-ADUser bouska -Properties * 

List of users and the number of bad password attempts

Get-ADUser -Filter * -Properties badPwdCount | FT Name,badPwdCount,Enabled

List of users who have ChangePasswordAtLogon set

When we want to display a list of users who have the ChangePasswordAtLogon parameter set (which we can set using PowerShell or ADUC), we find that there is no such LDAP attribute, so we cannot display those users. What actually happens is that when we set ChangePasswordAtLogon, the pwdLastSet parameter is set to 0 and the PasswordExpired parameter to true. So we can display the users by one of these values.

Get-ADUser -Filter {pwdLastSet -eq 0} -Properties pwdLastSet | FT Name

To display by the PasswordExpired attribute, the following command should work, but in practice it doesn't filter only the true values for me. So I worked around it with the second command, which puts the true values at the beginning of the list.

Get-ADUser -Filter {PasswordExpired -eq $true} -Properties PasswordExpired  | FT Name, PasswordExpired  
Get-ADUser -Filter * -Properties PasswordExpired | Sort-Object PasswordExpired -Descending | FT name,PasswordExpired -AutoSize

List of disabled user accounts

Two options using different commands.

Get-ADUser -Filter {Enabled -eq $false} | FT name
Search-ADAccount -AccountDisabled -UsersOnly | Sort-Object Name | FT Name,DistinguishedName -AutoSize

List of locked user accounts

Search-ADAccount -LockedOut -UsersOnly | Sort-Object Name | FT Name,DistinguishedName -AutoSize

List of users who haven't logged in for the last 30 days

Search-ADAccount -AccountInactive -TimeSpan "30" -UsersOnly | Sort-Object LastLogonDate | FT Name,LastLogonDate,Enabled,LockedOut,PasswordExpired,DistinguishedName -AutoSize

Groups (group)

List of groups a user is a member of

Get-ADPrincipalGroupMembership -Identity bouska 

Adding a user to a group

Add-ADPrincipalGroupMembership -Identity bouska -MemberOf 'G Some group' 

List of users in a group

Get-ADGroupMember -Identity 'group 1' | FT name  

List of users and the number of groups they are members of

Get-ADUser -Filter * -SearchBase "OU=firm,DC=firm,DC=local" -ResultPageSize 10 | ForEach-Object { 
  $groupc = (Get-ADPrincipalGroupMembership $_.SamAccountName | Measure-Object).Count 
  Write-Host $_.SamAccountName $groupc
}

List of groups based on a filter and list their members

Get-ADGroup -Filter { name -like "Group *" } | ForEach-Object { $_.SamAccountName 
   Get-ADGroupMember $_.SamAccountName | ForEach-Object { Write-Host "   " $_.name }
}

Computers (computer account) - listing accounts and values

Computers with Windows 7 OS

Get-ADComputer -Filter {OperatingSystem -like "Windows 7*"}  -Properties OperatingSystem, CanonicalName, whenCreated | Sort-Object Name | FT Name, OperatingSystem, CanonicalName, whenCreated -AutoSize

Computers with disabled account

Search-ADAccount -ComputersOnly -AccountDisabled | Sort-Object Name | FT Name,DistinguishedName,LastLogonDate -AutoSize

Computers that haven't logged in for a long time

We can either use how many days they haven't logged in, using TimeSpan, or since when they haven't logged in, using DateTime. But in both cases, it seems that the date doesn't quite match, and records from 14 days ago are displayed.

Added. This situation is a bit more complicated, and I described it in detail in the article Powershell - last computer or user login.

Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan "30" | Sort-Object LastLogonDate | FT Name,LastLogonDate,Enabled,LockedOut -AutoSize
Search-ADAccount -ComputersOnly -AccountInactive -DateTime "1.11.2010" | Sort-Object LastLogonDate | FT Name,LastLogonDate,Enabled,LockedOut -AutoSize

In some cases, we may need to display other values, so an alternative using Get-ADComputer and a filter may be useful.

$logonDate = New-Object System.DateTime(2010,9,19)
Get-ADComputer -Filter { lastLogon -le $logonDate } | FT
Get-ADComputer -Filter { lastLogon -le $logonDate } -Properties LastLogonTimeStamp, OperatingSystem  | Select-Object Name, DistinguishedName , OperatingSystem, LastLogonTimeStamp | Sort-Object Name

Computers that haven't changed their password for a long time

Computers that last changed their password 45 days ago. Computers in the domain must change their password regularly (default is every 30 days), if they don't, it means they are inactive.

$lastSetdate = [DateTime]::Now - [TimeSpan]::Parse("45")
Get-ADComputer -Filter {PasswordLastSet -le $lastSetdate} -Properties passwordLastSet -ResultSetSize $null | FT samaccountname,DistinguishedName,PasswordLastSet