AD-Powershell for Active Directory Administrators

Table of Contents

 

• Computer object commands
• Group object commands
• Organizational Unit (OU) commands
• User object commands
• See Also

 

Computer object commands

List all computer accounts in a domain

Get-ADComputer –Filter {Name –Like "*"}

View all computers that are logged in for 90 days to the Active Directory

Search-ADaccount -AccountInactive -Timespan 90 -ComputersOnly

OR

$lastLogon = (get-date).adddays(-90).ToFileTime()
Get-ADComputer -filter {lastLogonTimestamp -gt $lastLogon}

Find and delete all disabled Computer accounts in Active Directory

Search-ADAccount -AccountDisabled -ComputersOnly | Sort-Object | Remove-ADComputer

Find and delete disabled computer accounts from a specific OU

Search-ADAccount -AccountDisabled -Searchbase "OU=IT,DC=Contoso,DC=Com" -ComputersOnly | Sort-Object | Remove-ADComputer

Find and delete all computer accounts that no longer have signed up since 11/20/2011 to the Active Directory

Search-ADAccount -AccountInactive -DateTime "20.11.2011" –ComputersOnly | Sort-Object | Remove-ADComputer

List only disabled Computer accounts in Domain

Search-ADAccount -AccountDisabled -ComputersOnly | Format-Table Name

Move Computer to other OU (example: Computer=CLIENT1 to OU=IT)

Get-ADComputer CLIENT1 | Move-ADObject -TargetPath "OU=IT,DC=Contoso,DC=Com"

See Computer account detail (example: Computer=CLIENT1)

Get-ADComputer -Filter {Name -Like "CLIENT1"}

Get a specific computer showing all the properties (example: Computer=CLIENT1)

Get-ADComputer "CLIENT1" -Properties *

List Computers (Name, Operating System, Service Pack, Operating System version)

Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap –Auto

Export Computers List (Name, Operating System, Service Pack, Operating Systemversion)to CSV File

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Export-CSV AllWindows.csv -NoTypeInformation -Encoding UTF8

Get Computer IPv4 Address and DnsHostName

Get-ADComputer -Filter {Name -Like "Computer-Name"} -Properties IPv4Address | Format-List Name,DnsHostName,IPv4Address

Get all Computers in a specific OU (example: OU=IT, Domain=Contoso.com)

Get-ADComputer -SearchBase "OU=IT,DC=Contoso,DC=Com" -filter *

Get all the Computers without a specific DNS suffix

Get-ADComputer -filter "DnsHostName -notlike '*.Contoso.Com'"

Get Computer Service Principal Names (SPNs)

Get-ADComputer "Computer-Name" –Properties ServicePrincipalNames | Select-Object –Expand ServicePrincipalNames

Get Computers Security Identifiers (SIDs)

Get-ADComputer -Filter {Name -like "*"} | Select Name,SID | Format-Table -Auto 

All computer accounts that were created in the last 90 days in the Active Directory

Get-ADComputer -Filter * -Properties whenCreated | ? { ((Get-Date) - $_.whenCreated).Days -lt 90} | Format-Table Name,WhenCreated,Name,DistinguishedName -Autosize -Wrap

All computer accounts that were created as of December 1, 2011 (12/01/2011) in the Active Directory

Get-ADComputer -LDAPFilter "(&(objectCategory=person)(whenCreated>=20111201000000.0Z))" -Properties whenCreated | Format-Table Name,whenCreated,distinguishedName -Autosize -Wrap

All computer accounts that were created here in a given time, between the 10/01/2011 and 12/01/2011 in Active Directory

$Start = Get-Date -Day 01 -Month 10 -Year 2011 -Hour 00
$End = Get-Date -Day 01 -Month 12 -Year 2011 -Hour 23 -Minute 59
Get-ADComputer -Filter * -Properties whenCreated | ? { ($_.whenCreated -gt $Start) -and ($_.whenCreated -le $End) } | Format-Table Name,WhenCreated,DistinguishedName -Autosize -Wrap

All computer accounts, Last Password Set in a given time, between the 10/01/2011 and 12/01/2011 in Active Directory

$Start = Get-Date -Day 01 -Month 10 -Year 2011 -Hour 00
$End = Get-Date -Day 01 -Month 12 -Year 2011 -Hour 23 -Minute 59
Get-ADComputer -Filter * -Properties PasswordLastSet | ? { ($_.PasswordLastSet -gt $Start) -and ($_.PasswordLastSet -le $End) } | Format-Table Name,WhenCreated,DistinguishedName -Autosize -Wrap

All computer accounts, Last Password Set in the last 90 days in Active Directory

$Date = (Get-Date).AddDays(-90)
Get-ADComputer -Filter * -Properties PasswordLastSet | where { $_.PasswordLastSet -le $Date } | Format-Table Name,PasswordLastSet,DistinguishedName -Autosize -Wrap

Group object commands

List all members of a group (example: Group=Experts)

Get-ADGroupMember Experts | Format-Table Name

All properties of a group (example: Group=IT)

Get-ADGroup IT -Properties *

List only Universal Security groups

Get-ADGroup –LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483640))"

List only Global Security groups

Get-ADGroup –LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483646))"

List only Domain Local Security groups

Get-ADGroup –LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483644))"

List all Group memberships for a user (example: User=EdPrice)

Get-ADAccountAuthorizationGroup EdPrice

Move a Group to another OU (example: Group=Experts, Old-OU=IT, New-OU=Service, Domain=Contoso.com)

Move-ADObject "CN=Experts,OU=IT,DC=Contoso,DC=com" -TargetPath "OU=Service,DC=Contoso,DC=com"

Add members to a group (example: Group=Experts, User=EdPrice)

Add-ADGroupmember Experts -Member EdPrice

Delete Group (example: Group=Experts)

Remove-ADGroup Experts

Delete a User from a Group (example: Group=Experts, User=EdPrice)

Remove-ADGroupMember Experts -Member EdPrice

Set Description for a Group (example: Group=JoinPC, Description=This group is allowed join PCs to Domain)

Set-ADGroup JoinPC -Description "This group is allowed join PCs to Domain"

Add Users from one Group to another Group (example: from Group1=DataUsers to Group2=SQLUsers)

Get-ADGroupMember DataUsers | Select sAMAccountName | ForEach { Add-ADGroupMember SQLUsers -Members $_.sAMAccountName }

Comparing two Groups to see the Group memberships (example: Group1=Administratorso, Group2=DNSAdmins)

Compare-Object ( Get-ADGroupMember Administrators) ( Get-ADGroupMember DNSAdmins) -IncludeEqual

Organizational Unit (OU) commands

All OUs in Domain

Get-ADOrganizationalUnit -Filter {Name -like „*“} | FT Name, DistinguishedName -A

Create OU (example: OU=IT, Domain=Contoso.com)

New-ADOrganizationalUnit -Name IT -Path "DC=Contoso,DC=Com"

Contents of a specific OU (example: OU=IT, Domain=Contoso.com)

Get-ADObject -Filter {Name -Like "*"} -Searchbase "OU=IT,DC=Contoso,DC=Com"

Rename OU (example: Old-Name=IT, New-Name=Admin, Domain=Contoso.com)

Rename-ADObject "OU=IT,DC=Contoso,DC=Com" -NewName Admin

Delete OU including contents (example: OU=IT, Domain=Contoso.com)

Remove-ADOrganizationalUnit IT -Recursive

Delete user from specific OU (example: User=EdPrice, OU=IT, Domain=Contoso.com)

Remove-ADObject "CN=EdPrice,OU=IT,DC=Contoso,DC=Com"

Move all objects from one OU to another OU (example: Old-OU=IT, New-OU=Manager, Domain=Contoso.com)

Get-ADObject -Filter {Name -Like "*"} -Searchbase "OU=IT,DC=Contoso,DC=Com" -SearchScope OneLevel | Move-ADObject -TargetPath "OU=Manager,DC=Contoso,DC=Com"

User object commands

List all User accounts in the Domain

Get-ADUser –Filter *

List all User accounts in a specific OU (example: OU=IT, Domain=Contoso.com)

Get-ADUser –Filter * -Searchbase "OU=IT,DC=Contoso,DC=Com" | FT

List all User accounts from specific City (example: City=NewYork)

Get ADUser -Filter {city - like "NewYork"} | FT

List only disabled User accounts in Domain

Search-ADAccount –AccountDisabled –Usersonly | FT Name

List all User accounts whose First Name is Ed

Get-ADUser –Filter {givenName –Like "Ed"} | FT

List all User accounts whose Last Name is Price

Get-ADUser –Filter {Surname –Like "Price"} | FT

List all User accounts from the specific Department (example: Department=Support) 

Get-ADUser –Filter {Department –Like "Support"} | FT

List a User's Group memberships (example: User=Richard)

Get-ADPrincipalGroupMembership -Identity Richard

List all Users from specific Group and move Users to another OU (example: Group=People, Target OU=NewYork, Domain=Contoso.com)

Get-ADGroupMember People -Recursive | Move-ADObject  –TargetPath "OU=NewYork,DC=Contoso,DC=Com"

Remove all users in an OU from a specific Group (example: Group=People, OU=NewYork, Domain=Contoso.com)

$Users = Get-ADUser -Filter * -Searchbase "OU=NewYork,DC=Contoso,DC=Com"
Remove-ADGroupMember -Identity People -Member $Users -Confirm:0

---

See Also

Here are two great article about Active Directory LDAP Syntax and Active Directory Characters to Escape:

• Active Directory: Characters to Escape (Richard Mueller - MVP)
• Active Directory: LDAP Syntax Filters (Richard Mueller - MVP)
• Move (Transfering or Seizing) FSMO roles with AD-Powershell command to another Domain Controller
• How To Revert Back or downgrade Windows Server 2008 R2 Forest and Domain functional Level
• PowerShell Portal
• Wiki: Portal of TechNet Wiki Portals