Active Directory PowerShell Quick Reference Active Directory PowerShell Quick Reference

Other Cmdlets Recycle Bin Getting Started User Account Tasks

Add-ADComputerServiceAccount To enable the ‘AD Recycle Bin’ feature: To add the Active Directory module:
Get-ADComputerServiceAccount To see user account details:
Remove-ADComputerServiceAccount Enable-ADOptionalFeature 'Recycle Import-Module activedirectory
Remove-ADServiceAccount Get-ADUser -Identity 'Joe Bloggs'
Set-ADServiceAccount
Bin Feature' -Scope
ForestOrConfigurationSet -Target Get a list of AD Commands:
To search for a user:
Add-ADDomainControllerPasswordReplicationPolicy 'test.local' Get-Command -Module
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicy activedirectory Get-ADUser -Filter 'Name -like
To restore an AD Account from the Recycle Bin
Get-ADDomainControllerPasswordReplicationPolicyUsage "Joe Bloggs"'
Remove-ADDomainControllerPasswordReplicationPolicy
For help with a cmdlet, type:
Get-ADObject -Filter Or search for users in a particular OU:
Remove-ADFineGrainedPasswordPolicy 'samaccountname -eq "JoeBloggs"'
Remove-ADFineGrainedPasswordPolicySubject Get-Help Get-ADUser -Full
Set-ADFineGrainedPasswordPolicy -IncludeDeletedObjects | Restore- Get-ADUser -Filter * -SearchBase
ADObject "OU=Sales,OU=Users,DC=test,DC=loc
Add-ADPrincipalGroupMembership Forests and Domains al"
Get-ADPrincipalGroupMembership
Remove-ADPrincipalGroupMembership Service Accounts To see Forest details: To see additional properties, not just the default set:
To see AD Service Accounts:
Disable-ADOptionalFeature Get-ADForest test.local Get-ADUser -Identity 'JoeBlogs' -
Get-ADOptionalFeature
Get-ADServiceAccount -Filter * Properties Description,Office
To see Domain details:
Get-ADObject
Move-ADObject To create a new AD Service Account: To see all the user properties, not just default set:
Get-ADDomain test.local
New-ADObject
Remove-ADObject New-ADServiceAccount -Name To raise the Forest functional level:
Get-ADUser -Identity 'JoeBloggs'
Rename-ADObject "Service1" -SamAccountName -Properties *
Set-ADObject
"Service1" -DisplayName Set-ADForestMode -Identity
"Service1" -AccountPassword To create a new user:
Set-ADOrganizationalUnit test.local -ForestMode
Remove-ADOrganizationalUnit (Read-Host -AsSecureString Windows2008R2Forest New-ADUser -Name "Joe Bloggs" -
"AccountPassword") -Enabled $true SamAccountName "JoeBloggs" -
Get-ADUserResultantPasswordPolicy To raise the Domain functional level:
Remove-ADUser GivenName "Joe" -Surname "Bloggs"
Install an existing AD service account on the local
computer and make the required changes so that the Set-ADDomainMode -Identity -DisplayName "Joe Bloggs" -Path
Get-ADAccountAuthorizationGroup
Get-ADDomainController password can be periodically reset by the computer: test.local -DomainMode 'OU=Users,OU=Sales,DC=test,DC=loc
Windows2008R2Domain al' -OtherAttributes
Move-ADDirectoryServer Install-ADServiceAccount - @{'Title'="Sales Manager"} -
Identity 'Service1' Get the rootDSE from the default domain controller: AccountPassword (Read-Host -
Remove-ADGroupMember
AsSecureString "AccountPassword")
Uninstall an existing AD service account on the local Get-ADRootDSE -Enabled $true
Search-ADAccount
computer:
Move FSMO roles:
Set-ADAccountControl To change the properties of a user:
Set-ADComputer Uninstall-ADServiceAccount -
Set-ADDomain Identity 'Service1' Move- Set-ADUser Joe Bloggs -City
Set-ADForest ADDirectoryServerOperationMasterR London -Remove
To reset the AD Service Account password on the ole -Identity "TESTDC" - @{otherMailbox="Joe.Bloggs"} -Add
local computer: OperationMasterRole @{url="test.local"} -Replace
PDCEmulator,SchemaMaster
Reset-ADServiceAccountPassword - @{title="manager"} -Clear
Identity 'Service1' description
 Active Directory PowerShell Quick Reference
Password Policies
sks
To see the Default Domain Password Policy:
Get-ADDefaultDomainPasswordPolicy
-Identity test.local
To change the properties of the Default Domain
Password Policy:
Set-ADDefaultDomainPasswordPolicy
-Identity test.local -
LockoutDuration 00:40:00 -
LockoutObservationWindow 00:20:00
-MaxPasswordAge 10.00:00:00 -
MinPasswordLength 8
To create a new Fine-Grained Password Policy:
New-ADFineGrainedPasswordPolicy -
Name "Standard Users PSO" -
Precedence 500 -ComplexityEnabled
$true -Description "Standard
Users Password Policy" -
DisplayName "Standard Users PSO"
-LockoutDuration "0.12:00:00" -
LockoutObservationWindow
"0.00:15:00" -LockoutThreshold 10
To see all Fine-Grained Password Policies:
Get-ADFineGrainedPasswordPolicy -
Filter {name -like "*"}
To apply a Fine-Grained Password Policy to a group
of users:
Add-
ADFineGrainedPasswordPolicySubjec
t 'Standard Users PSO' -Subjects
'Standard Users'
To see which users have been applied to a Fine-
Grained Password Policy:
Get-
ADFineGrainedPasswordPolicySubjec
t -Identity 'Standard Users PSO'
Group Tasks
To see group details:
Get-ADGroup -Identity 'Sales
Users'
To create a new group:
New-ADGroup -Name "Sales Users" -
SamAccountName SalesUsers -
GroupCategory Security -
GroupScope Global -DisplayName
‘Sales Users’ -Path
"OU=Groups,OU=Resources,DC=test,D
C=local" -Description "All Sales
Users"
To change the properties of a group:
Set-ADGroup -Identity
'SalesUsers' -GroupCategory
Distribution -GroupScope
Universal -ManagedBy 'JoeBloggs'
-Clear Description
To remove a group:
Remove-ADGroup -Identity
'SalesUsers' -Confirm:$false
To see group members:
Get-ADGroupMember -Identity
'SalesUsers' -Recursive
To add group members:
Add-ADGroupMember -Identity
'SalesUsers' -Members
JoeBloggs,SarahJane
To remove group members:
Remove-ADGroupMember -Identity
'SalesUsers' -Members
JoeBloggs,SarahJane
Active Directory PowerShell Quick Reference
User Account Security Computer Account Tasks
To disable a user account: To see computer account details:
Disable-ADAccount -Identity Get-ADComputer -Filter 'Name -
JoeBloggs like "Server01"'
To enable a user account: To create a new computer account:
Enable-ADAccount -Identity New-ADComputer -Name "Server01" -
JoeBloggs SamAccountName "Server01" -Path
"OU=Computers,OU=Resources,DC=tes
To set the expiration date for a user account: t,DC=local" -Enabled $true -
Location "London"
Set-ADAccountExpiration -Identity
JoeBloggs -DateTime "10/18/2008" To remove a computer account:
To clear the expiration date for a user account: Remove-ADComputer -Identity
"Server01" -Confirm:$false
Clear-ADAccountExpiration -
Identity JoeBloggs
Organisational Unit Tasks
To change the password for a user account:
To see OU details:
Set-ADAccountPassword -Identity
JoeBloggs -Reset -NewPassword Get-ADOrganizationalUnit -
(ConvertTo-SecureString - Identity
AsPlainText "p@ssw0rd" -Force) 'OU=Users,OU=Sales,DC=test,DC=loc
al'
To unlock a user account:
To create a new OU:
Unlock-ADAccount -Identity
JoeBloggs New-ADOrganizationalUnit -Name
Users -Path
'OU=Marketing,DC=test,DC=local'
How to Get More Information
Check out the AD PowerShell Blog
http://blogs.msdn.com/adpowershell/default.aspx
Make sure you visit the following sites for PowerShell Podcasts
For the latest version of this doc check
http://get-scripting.blogspot.com/
http://powerscripting.net/ http://jonathanmedd.net
v0.1