A list of common PowerShell commands for AD.
Retrieve AD user(s)
Check AD User Existence
Retrieve AD Security Groups
Modify AD Security Groups
AD Cleanup
FSMO Roles
GPO
Retrieve AD user(s)
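# get AD user - basic attributes
Get-ADUser "JohnDo"
# get AD user - all attributes (expensive on large objects; prefer naming the attributes you need)
Get-ADUser "JohnDo" -Properties *
# get AD user - additional attribute(s)
Get-ADUser "JohnDo" -Properties PasswordLastSet
Get-ADUser "JohnDo" -Properties whenChanged,whenCreated
# get AD user - output specific attribute
Get-ADUser "JohnDo" -Properties * | Select-Object sAMAccountName, DisplayName
(Get-ADUser "JohnDo" -Properties PasswordLastSet).PasswordLastSet
(Get-ADUser "JohnDo" -Properties whenChanged).whenChanged
# computed password expiry date - single user
# The default domain policy gives the wrong answer for users covered by a
# fine-grained password policy (PSO), so ask for the user's resultant policy
# first and fall back to the domain default only when no PSO applies.
# PasswordLastSet is empty when the user must change the password at next
# logon, so the AddDays call is guarded.
$user = Get-ADUser "JohnDo" -Properties PasswordLastSet
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
if ($user.PasswordLastSet) {
    $user.PasswordLastSet.AddDays($policy.MaxPasswordAge.Days)
} else {
    Write-Warning "$($user.SamAccountName): password must be changed at next logon"
}
# computed password expiry date - all enabled users
# msDS-UserPasswordExpiryTimeComputed already honours fine-grained policies.
# Accounts with no expiry carry Int64.MaxValue, which FromFileTime rejects,
# so those (and an empty/zero value) are mapped to $null instead of throwing.
# The CSV name is dated automatically instead of a hand-edited placeholder.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties DisplayName, "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property DisplayName,
        @{Name = "ExpiryDate"; Expression = {
            $ft = $_."msDS-UserPasswordExpiryTimeComputed"
            if ($ft -and $ft -lt [datetime]::MaxValue.ToFileTime()) { [datetime]::FromFileTime($ft) } else { $null }
        }} |
    Sort-Object DisplayName |
    Export-Csv -NoTypeInformation -Path "c:\expiringPasswords-$(Get-Date -Format yyyy-MM-dd).csv"
# computed password age in days
(New-TimeSpan -Start (Get-ADUser "JohnDo" -Properties PasswordLastSet).PasswordLastSet -End (Get-Date)).Days
# account lockout info
# badPwdCount and LastBadPasswordAttempt are not replicated: each DC keeps its
# own counters and failed attempts are forwarded to the PDC emulator, so query
# that DC for the authoritative picture when triaging a lockout.
$pdc = (Get-ADDomain).PDCEmulator
Get-ADUser "JohnDo" -Server $pdc -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut |
    Select-Object AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut
# list AD user(s) - Filter
Get-ADUser -Filter 'sAMAccountName -eq "JohnDo"'
Get-ADUser -Filter 'sAMAccountName -like "john*"'
Get-ADUser -Filter 'sAMAccountName -notlike "john*"'
Get-ADUser -Filter 'department -Like "finance*"'
# list AD user(s) - LDAPFilter
Get-ADUser -LDAPFilter '(sAMAccountName=JohnDo)'
Get-ADUser -LDAPFilter '(sAMAccountName=john*)'
Get-ADUser -LDAPFilter '(!(sAMAccountName=john*))'
Get-ADUser -LDAPFilter '(department=finance*)'
# get all enabled AD users with "password never expires" set
# Filtering server-side avoids pulling every account over ADWS and then
# comparing a boolean to the string "true" client-side.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordNeverExpires |
    Select-Object Name, SamAccountName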
Check AD user existence
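# check if AD user exists
$userID = "JohnDo" #enter userID
$exists = $false
try {
    # -ErrorAction Stop makes the "cannot find an object with identity" error
    # reliably catchable; SilentlyContinue does not suppress it for Get-ADUser.
    $null = Get-ADUser -Identity $userID -ErrorAction Stop
    $exists = $true
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    # only "not found" means the account does not exist; any other error
    # (no DC reachable, access denied) is left to surface rather than being
    # reported as a missing account
}
Write-Host ($userID + "|" + $exists)
# check if multiple AD users exist
# The loop takes a list of IDs to test; the original looked up the same
# $userID on every iteration instead of the enumerated account.
$userIDs = @("JohnDo", "JaneDo") #enter userIDs
Write-Host "UserName|Exists in AD"
foreach ($id in $userIDs) {
    $exists = $false
    try {
        $null = Get-ADUser -Identity $id -ErrorAction Stop
        $exists = $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { }
    Write-Host ($id + "|" + $exists)
}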
Retrieve AD Security Groups
# retrieve AD group - basic attributes
Get-ADGroup -Identity 'domain users'
# retrieve AD group - all attributes
Get-ADGroup -Identity 'domain users' -Properties *
# retrieve AD group members (direct members only; -Recursive expands nested groups)
# NOTE(review): Get-ADGroupMember is subject to the ADWS member-count limit on very large groups - confirm against your environment
Get-ADGroupMember -Identity 'domain users'
Get-ADGroupMember -Identity 'domain users' | Select-Object Name
Get-ADGroupMember -Identity 'domain users' | Select-Object -ExpandProperty Name
# list all empty groups
# Members is the stored attribute; accounts whose primary group is this group
# are not listed in it, so a group can look empty here and still be in use.
Get-ADGroup -Filter * -Properties Members |
    Where-Object { -not $_.Members } |
    Select-Object Name
Modify AD Security Groups
# add member(s) to AD security group (-Members accepts DNs, SIDs, GUIDs or sAMAccountNames)
Add-ADGroupMember -Identity SecurityGroupName -Members distinguishedName1,distinguishedName12,...
# remove member from AD security group
# uncomment -Confirm:$false to skip the prompt; add -WhatIf to rehearse the change
Remove-ADGroupMember -Identity SecurityGroupName -Members distinguishedName #-Confirm:$false
# copy AD group members from one group to another
# one write per member, so a single failing entry does not abort the rest
foreach ($member in Get-ADGroupMember -Identity "SourceADGroup") {
    Add-ADGroupMember -Identity "DestinationADGroup" -Members $member.DistinguishedName
}
AD Cleanup
# get all empty organizational units
# an OU is "empty" when a one-level search under it returns no object at all
Get-ADOrganizationalUnit -Filter * |
    Where-Object { -not (Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel -ResultSetSize 1) } |
    Select-Object -ExpandProperty DistinguishedName
# get all empty security groups (same query as in the group section above)
Get-ADGroup -Filter * -Properties Members |
    Where-Object { -not $_.Members } |
    Select-Object Name
FSMO Roles
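# list FSMO roles (only DCs holding at least one role)
Get-ADDomainController -Filter 'OperationMasterRoles -notlike ""' |
    Select-Object Name, OperationMasterRoles
# transfer FSMO roles (graceful; the current holder must be online)
# The original used typographic quotes and an en-dash, which fail when pasted
# into a console. Role names replace the numeric enum so the intent is readable
# in change records; the numbers 0-4 still work and map as listed below.
Move-ADDirectoryServerOperationMasterRole -Identity "destinationDC" `
    -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
# seize FSMO roles (-Force) - only when the current holder is permanently lost
# A DC whose roles were seized must not be brought back online afterwards,
# otherwise two DCs claim the same role; clean up its metadata instead.
Move-ADDirectoryServerOperationMasterRole -Identity "destinationDC" `
    -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force
<# where 0=PDCEmulator 1=RIDMaster 2=InfrastructureMaster 3=SchemaMaster 4=DomainNamingMaster #>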
GPO
# list all domain GPOs
Get-GPO -All
# Search GPO by name (partial match)
# -Match is a regular expression, so metacharacters in the pattern need escaping
Get-GPO -All | Where-Object { $_.DisplayName -Match "Default Domain" }