Common PowerShell Commands for AD

By ITomationActive Directory, PowerShell, Powershell (Scripts)

A list of common PowerShell commands for AD.

Retrieve AD users(s)
Check AD User Existence
Restore Deleted AD User(s)
Retrieve AD Security Groups
Modify AD Security Groups
AD Cleanup
FSMO Roles
GPO

Retrieve AD user(s)

# get AD user - basic attributes
Get-ADUser "JohnDo"

# get AD user - all attributes
Get-ADUser "JohnDo" -Properties *

# get AD user - additional attribute(s)
Get-ADUser "JohnDo" -Properties PasswordLastSet
Get-ADUser "JohnDo" -Properties whenChanged,whenCreated

# get AD user - output specific attribute
Get-ADUser "JohnDo" -Properties * | Select sAMAccountName, DisplayName
(Get-ADUser "JohnDo" -Properties *).PasswordLastSet
(Get-ADUser "JohnDo" -Properties whenChanged).whenChanged

# computed password expiry date - single user
(Get-ADUser "JohnDo" -Properties PasswordLastSet).PasswordLastSet.`
addDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)

# computed password expiry date - all enabled users
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | `
Select-Object -Property "Displayname", @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | `
sort-object displayname | export-csv c:\expiringPasswords-yyyy-mm-dd.csv
# computed password age
(New-TimeSpan -Start (Get-ADUser "JohnDo" -Properties *).passwordlastset `
-End (Get-Date)).Days

# account lockout info
Get-ADUser "JohnDo" -Properties * | Select-Object `
AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut

# list AD user(s) - Filter
Get-ADUser -Filter 'sAMAccountName -eq "JohnDo"'
Get-ADUser -Filter 'sAMAccountName -like "john*"'
Get-ADUser -Filter 'sAMAccountName -notlike "john*"'
Get-ADUser -Filter 'department -Like "finance*"'

# list AD user(s) - LDAPFilter
Get-ADUser -LDAPFilter '(sAMAccountName=JohnDo)'
Get-ADUser -LDAPFilter '(sAMAccountName=john*)'
Get-ADUser -LDAPFilter '(!(sAMAccountName=john*))'
Get-ADUser -LDAPFilter '(department=finance*)'

# get all AD users with Password never expires set to true
get-aduser -filter * -properties Name, PasswordNeverExpires | where { $_.passwordNeverExpires -eq "true" } | where {$_.enabled -eq "true"}

 

Check AD user existence

# check if AD user exists
$userID = "JohnDo" #enter userID
$exists = $false
try {
        $user = Get-ADUser $userID -ErrorAction SilentlyContinue
        $exists = $true
}
catch { }
write-host($userID + "|" + $exists)

# check if multiple AD users exist
$users = Get-ADUser -Filter 'name -like "john*"'
write-host("UserName|Exists in AD")
foreach($user in $users) {
    $exists = $false
    try {
            $user = Get-ADUser $userID -ErrorAction SilentlyContinue
            $exists = $true
    }
    catch { }
    write-host($userID + "|" + $exists)
}

 

Restore Deleted AD User(s)

# restore deleted user from the AD Recycle Bin
Get-ADObject -Filter 'sAMAccountName -eq "JDoe"' -IncludeDeletedObjects | Restore-ADObject

 

Retrieve AD Security Groups

# retrieve AD group - basic attributes
Get-ADGroup 'domain users'

# retrieve AD group - all attributes
Get-ADGroup 'domain users' -Properties *

# retrieve AD group members
Get-ADGroupMember 'domain users'
Get-ADGroupMember 'domain users' | Select Name
(Get-ADGroupMember 'domain users').Name

# list all empty groups
Get-ADGroup -Filter * -Properties Members | `
where {-not $_.members} | select Name

 

Modify AD Security Groups


# add member(s) to AD security group
Add-ADGroupMember -Identity SecurityGroupName -Members distinguishedName1,distinguishedName12,...

# remove member from AD security group
Remove-ADGroupMember -Identity SecurityGroupName -Members distinguishedName #-confirm:$false

# copy AD group members from one group to another
Get-ADGroupMember -Identity "SourceADGroup" | ForEach-Object {Add-ADGroupMember -Identity "DestinationADGroup" -Members $_.distinguishedName}

 

AD Cleanup


# get all empty organizational units
(Get-ADOrganizationalUnit -Filter * | Where-Object {-Not (Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel -ResultSetSize 1)}).DistinguishedName

# get all empty security groups
Get-ADGroup -Filter * -Properties Members | where {-not $_.members} | select Name

 

FSMO Roles

# list FSMO role
Get-ADDomainController -Filter 'OperationMasterRoles -notlike ""' | `
Select Name, OperationMasterRoles

# transfer FSMO roles
Move-ADDirectoryServerOperationMasterRole “destinationDC” `
–OperationMasterRole 0,1,2,3,4

# seize FSMO roles
Move-ADDirectoryServerOperationMasterRole “destinationDC” `
–OperationMasterRole 0,1,2,3,4 -Force

<# where 0=PDCEmulator 1=RIDMaster 2=InfrastructureMaster 3=SchemaMaster 4=DomainNamingMaster #>

 

GPO

# list all domain GPOs
Get-GPO -All

# Search GPO by name (partial match)
Get-GPO -All | ? {$_.DisplayName -Match "Default Domain"}

One thought on “Common PowerShell Commands for AD

Leave a Reply

Your email address will not be published. Required fields are marked *