Common PowerShell Commands for AD

A list of common PowerShell commands for Active Directory (AD).

Retrieve AD user(s)

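#Requires -Modules ActiveDirectory
# get AD user - basic attributes (the default attribute set only)
Get-ADUser "JohnDo"
# get AD user - all attributes (expensive on the DC; prefer naming the attributes you need)
Get-ADUser "JohnDo" -Properties *
# get AD user - additional attribute(s)
Get-ADUser "JohnDo" -Properties PasswordLastSet
Get-ADUser "JohnDo" -Properties whenChanged, whenCreated
# get AD user - output specific attribute (fetch only what is displayed)
Get-ADUser "JohnDo" -Properties DisplayName | Select-Object sAMAccountName, DisplayName
(Get-ADUser "JohnDo" -Properties PasswordLastSet).PasswordLastSet
(Get-ADUser "JohnDo" -Properties whenChanged).whenChanged
# computed password expiry date - single user, from the default domain policy
# NOTE: this ignores fine-grained password policies (PSOs), and PasswordLastSet is $null
# when the user must change the password at next logon - calling AddDays on $null throws,
# so the value is guarded before use.
$pwdLastSet = (Get-ADUser "JohnDo" -Properties PasswordLastSet).PasswordLastSet
if ($pwdLastSet) {
    $pwdLastSet.AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)
}
# computed password expiry date - single user, DC-computed (honours PSOs)
# NOTE: for accounts with PasswordNeverExpires the attribute is Int64.MaxValue and
# FromFileTime throws; filter those out as the bulk query below does.
[datetime]::FromFileTime((Get-ADUser "JohnDo" -Properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed")

# computed password expiry date - all enabled users
# a trailing pipe continues the pipeline on the next line, so no backtick is needed
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "DisplayName", @{Name = "ExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }} |
    Sort-Object DisplayName |
    Export-Csv -NoTypeInformation "c:\expiringPasswords-$(Get-Date -Format yyyy-MM-dd).csv"
# computed password age (whole days since the password was last set)
(New-TimeSpan -Start (Get-ADUser "JohnDo" -Properties PasswordLastSet).PasswordLastSet `
    -End (Get-Date)).Days
# account lockout info - only the lockout-related attributes are requested
# NOTE: BadPwdCount and LastBadPasswordAttempt are not replicated; each DC holds its own
# values, so for an authoritative answer add -Server (Get-ADDomain).PDCEmulator
Get-ADUser "JohnDo" -Properties AccountLockoutTime, LastBadPasswordAttempt, BadPwdCount, LockedOut |
    Select-Object AccountLockoutTime, LastBadPasswordAttempt, BadPwdCount, LockedOut
# list AD user(s) - Filter (PowerShell-style expression evaluated by the AD provider)
Get-ADUser -Filter 'sAMAccountName -eq "JohnDo"'
Get-ADUser -Filter 'sAMAccountName -like "john*"'
Get-ADUser -Filter 'sAMAccountName -notlike "john*"'
Get-ADUser -Filter 'department -Like "finance*"'
# list AD user(s) - LDAPFilter (raw LDAP search filter, passed through unchanged)
Get-ADUser -LDAPFilter '(sAMAccountName=JohnDo)'
Get-ADUser -LDAPFilter '(sAMAccountName=john*)'
Get-ADUser -LDAPFilter '(!(sAMAccountName=john*))'
Get-ADUser -LDAPFilter '(department=finance*)'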

 

Check AD user existence

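# check if AD user exists
$userID = "JohnDo" #enter userID
$exists = $false
try {
    # -ErrorAction Stop turns "not found" into a terminating error so the catch always runs.
    # Only the not-found exception is swallowed: other lookup failures (no DC reachable,
    # access denied) still surface instead of being misreported as "user does not exist".
    $null = Get-ADUser -Identity $userID -ErrorAction Stop
    $exists = $true
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    $exists = $false
}
Write-Host "$userID|$exists"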

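# check if multiple AD users exist
# The IDs to test come from a list: anything returned by Get-ADUser -Filter already
# exists, so re-querying it proves nothing, and the loop must look up each list entry
# ($userID) rather than a variable left over from an earlier snippet.
$userIDs = @("JohnDo", "JaneDo") # enter userIDs (example values)
Write-Host "UserName|Exists in AD"
foreach ($userID in $userIDs) {
    $exists = $false
    try {
        # only the not-found exception means "does not exist"; other errors propagate
        $null = Get-ADUser -Identity $userID -ErrorAction Stop
        $exists = $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $exists = $false
    }
    Write-Host "$userID|$exists"
}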

 

Retrieve Security Groups

# retrieve AD group - basic attributes
Get-ADGroup -Identity 'domain users'

# retrieve AD group - all attributes
Get-ADGroup -Identity 'domain users' -Properties *

# retrieve AD group members
Get-ADGroupMember -Identity 'domain users'
Get-ADGroupMember -Identity 'domain users' | Select-Object -Property Name
(Get-ADGroupMember -Identity 'domain users').Name

# list all empty groups (groups whose Members attribute holds nothing)
# NOTE(review): membership held only via a user's primaryGroupID (as for Domain Users)
# is not stored in Members, so such a group can be listed here although it is in use.
Get-ADGroup -Filter * -Properties Members |
    Where-Object { -not $_.Members } |
    Select-Object -Property Name

 

FSMO Roles

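# list FSMO roles - per-DC view
Get-ADDomainController -Filter 'OperationMasterRoles -notlike ""' |
    Select-Object Name, OperationMasterRoles
# list FSMO roles - per-role view (forest-wide roles, then domain roles)
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# transfer FSMO roles (graceful: the current holder must be online and reachable)
# Role names replace the 0-4 codes so the intent is readable; "destinationDC" is a
# placeholder for the target DC. Plain ASCII quotes and dashes are used - the original
# page carried typographic quotes and an en dash picked up from a web editor.
Move-ADDirectoryServerOperationMasterRole -Identity "destinationDC" `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

# seize FSMO roles: -Force takes the roles without contacting the current holder.
# Use only when that holder is permanently lost; a DC whose roles were seized must not
# be reconnected to the domain afterwards, or two DCs will claim the same role.
Move-ADDirectoryServerOperationMasterRole -Identity "destinationDC" `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster -Force

<# numeric codes also accepted by -OperationMasterRole: 0=PDCEmulator 1=RIDMaster 2=InfrastructureMaster 3=SchemaMaster 4=DomainNamingMaster #>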
