IT Matters…

Common PowerShell Commands for AD

By ITomation2020-11-092023-01-24Active Directory, PowerShell, Powershell (Scripts)

A list of common PowerShell commands for AD.

Retrieve AD users(s)
Check AD User Existence
Retrieve AD Security Groups
Modify AD Security Groups
AD Cleanup
FSMO Roles
GPO

Retrieve AD user(s)

# get AD user - basic attributes
Get-ADUser "JohnDo"

# get AD user - all attributes
Get-ADUser "JohnDo" -Properties *

# get AD user - additional attribute(s)
Get-ADUser "JohnDo" -Properties PasswordLastSet
Get-ADUser "JohnDo" -Properties whenChanged,whenCreated

# get AD user - output specific attribute
Get-ADUser "JohnDo" -Properties * | Select sAMAccountName, DisplayName
(Get-ADUser "JohnDo" -Properties *).PasswordLastSet
(Get-ADUser "JohnDo" -Properties whenChanged).whenChanged

# computed password expiry date - single user
(Get-ADUser "JohnDo" -Properties PasswordLastSet).PasswordLastSet.`
addDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)

# computed password expiry date - all enabled users
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | `
Select-Object -Property "Displayname", @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | `
sort-object displayname | export-csv c:\expiringPasswords-yyyy-mm-dd.csv

# computed password age
(New-TimeSpan -Start (Get-ADUser "JohnDo" -Properties *).passwordlastset `
-End (Get-Date)).Days

# account lockout info
Get-ADUser "JohnDo" -Properties * | Select-Object `
AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut

# list AD user(s) - Filter
Get-ADUser -Filter 'sAMAccountName -eq "JohnDo"'
Get-ADUser -Filter 'sAMAccountName -like "john*"'
Get-ADUser -Filter 'sAMAccountName -notlike "john*"'
Get-ADUser -Filter 'department -Like "finance*"'

# list AD user(s) - LDAPFilter
Get-ADUser -LDAPFilter '(sAMAccountName=JohnDo)'
Get-ADUser -LDAPFilter '(sAMAccountName=john*)'
Get-ADUser -LDAPFilter '(!(sAMAccountName=john*))'
Get-ADUser -LDAPFilter '(department=finance*)'

# get all AD users with Password never expires set to true
get-aduser -filter * -properties Name, PasswordNeverExpires | where { $_.passwordNeverExpires -eq "true" } | where {$_.enabled -eq "true"}

Check AD user existence

# check if AD user exists
$userID = "JohnDo" #enter userID
$exists = $false
try {
        $user = Get-ADUser $userID -ErrorAction SilentlyContinue
        $exists = $true
}
catch { }
write-host($userID + "|" + $exists)

# check if multiple AD users exist
$users = Get-ADUser -Filter 'name -like "john*"'
write-host("UserName|Exists in AD")
foreach($user in $users) {
    $exists = $false
    try {
            $user = Get-ADUser $userID -ErrorAction SilentlyContinue
            $exists = $true
    }
    catch { }
    write-host($userID + "|" + $exists)
}

Retrieve AD Security Groups

# retrieve AD group - basic attributes
Get-ADGroup 'domain users'

# retrieve AD group - all attributes
Get-ADGroup 'domain users' -Properties *

# retrieve AD group members
Get-ADGroupMember 'domain users'
Get-ADGroupMember 'domain users' | Select Name
(Get-ADGroupMember 'domain users').Name

# list all empty groups
Get-ADGroup -Filter * -Properties Members | `
where {-not $_.members} | select Name

Modify AD Security Groups


# add member(s) to AD security group
Add-ADGroupMember -Identity SecurityGroupName -Members distinguishedName1,distinguishedName12,...

# remove member from AD security group
Remove-ADGroupMember -Identity SecurityGroupName -Members distinguishedName #-confirm:$false

# copy AD group members from one group to another
Get-ADGroupMember -Identity "SourceADGroup" | ForEach-Object {Add-ADGroupMember -Identity "DestinationADGroup" -Members $_.distinguishedName}

AD Cleanup


# get all empty organizational units
(Get-ADOrganizationalUnit -Filter * | Where-Object {-Not (Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel -ResultSetSize 1)}).DistinguishedName

# get all empty security groups
Get-ADGroup -Filter * -Properties Members | where {-not $_.members} | select Name

FSMO Roles

# list FSMO role
Get-ADDomainController -Filter 'OperationMasterRoles -notlike ""' | `
Select Name, OperationMasterRoles

# transfer FSMO roles
Move-ADDirectoryServerOperationMasterRole “destinationDC” `
–OperationMasterRole 0,1,2,3,4

# seize FSMO roles
Move-ADDirectoryServerOperationMasterRole “destinationDC” `
–OperationMasterRole 0,1,2,3,4 -Force

<# where 0=PDCEmulator 1=RIDMaster 2=InfrastructureMaster 3=SchemaMaster 4=DomainNamingMaster #>

GPO

# list all domain GPOs
Get-GPO -All

# Search GPO by name (partial match)
Get-GPO -All | ? {$_.DisplayName -Match "Default Domain"}

One thought on “Common PowerShell Commands for AD”

Immumb says:

2021-05-08 at 16:58

Big to you thanks for the necessary information.

Leave a Reply