6 Common Active Directory PowerShell Commands
Active Directory is the most widely used solution for centrally managing users and resources within organizations. In smaller organizations, Active Directory management is relatively simple with a small number of resources, whereas in large enterprises this same administration can be a daunting task without automation. If you're a little foggy on the definition of Active Directory, take a look at our Windows Server training to get up to speed.
Active Directory automation's power lies in information gathering. For example, getting data from a certain user attribute from the entire forest, without PowerShell, is impossible, or applying a certain setting or attribute to a collection of users.
Another very important benefit of Active Directory automation is health checking. We can automate some very important health checks that can either run with a third-party automation tool or through the windows built-in task scheduler. Let's take a look at several popular PowerShell Active Directory commands.
Most Common AD PowerShell Commands
The most widely used commands when working with Active Directory through PowerShell are really the most basic ones. A list of PowerShell commands you should get acquainted with includes the following:
1. Get-ADUser
This command allows us to get the information from a specific user identity in AD or a collection of users with either an array or the wildcard (*) character to get the information of all the users in Active Directory.
We can export the output to a CSV file through the ExportTo-CSV cmdlet, which in turn gives a good option for creating reports requested by management or internal auditors.
We can also choose which output to include in the export by using the Select-Object cmdlet and selecting the specific information such as sAMAccountName, Department, LasLoginTime, HomeDirectories, and so forth.
2. Get-ADComputer
This allows us to extract information from a specific computer account or all the computer accounts in the domain by using the wildcard (*) character. This cmdlet is especially useful for cleaning up the Active Directory for stale computer accounts by selecting the LastPasswordReset object and comparing it to the current date.
If the difference between the date of the last secure channel password reset and the current date has a high value, then that specific computer account can be deleted because it hasn't been in use for a long time.
3. Get-ADObject
This command allows us to extract information from any Active Directory object, not limiting to just users or computers. The big difference between the other cmdlets and this one is that we can use attributes as filters to search. For example, we can run the following command:
Get-ADObject -Filter ‘WhenChanged -gt $ChangeDate’ -IncludeDeletedObjectsHere we search for all objects that were changed after the date specified in the $ChangeDate variable. This is a very powerful cmdlet because it can extract a lot of useful information with a granular search. We can use Get-ADGroup to extract information from a specific AD Group.
4. Get-ADGroupMember
This extracts a list of users which are part of a specific AD Group. This cmdlet can be used with the Get-ADGroup cmdlet after a pipeline. For example:
Get-ADGroup SomeGroup | Get-ADGroupMemberAssigning Configurations & Attributes
The next step is to assign configurations and attributes to users. For that, we will use the counterpart of the cmdlets mentioned before. Almost any GET has a SET counterpart. In our case we can use the following cmdlets:
Set-ADUser
Set-ADComputer
Set-ADObject
Set-ADGroup
Add-ADGroupMemberWith the above mentioned cmdlets, we can get detailed reports on users, computers and groups (the three major object groups in AD), as well as create users, modify attributes, query objects, and create and manage AD Groups.
Automation and Health Checks
When we refer to Active Directory Automation with PowerShell, we have a specific set of scenarios that we can efficiently automate and provide some improvement in our day-to-day management and general Active Directory health — because no one likes a downed PDC or incorrect name resolution on the domain due to changes in DNS.
The first scenario is doing a regular health check in the domain against all the Domain Controllers. This will allow proactive treatment of any issues or configuration inconsistencies.
For this scenario, we will be using a combination of PowerShell and Batch commands to check the overall health of the Domain Controllers.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
$DCs = Get-DomainController -Filter *
ForEach ($DC in $DCs.Hostname)
{
if (Test-Connection -ComputerName $DC -Count 4 -Quiet)
{
$connection = “OK”
$NetLogon = Get-Service -ComputerName $DC -Name “NetLogon” -ErrorAction SilentlyContinue
if ($NetLogon.Status -eq “Running”)
{
$NetLogonStatus = “OK”
}
else { $NetLogonStatus = “$Netlogon.Status” }
$NTDS = Get-Service -ComputerName $DC -Name “NTDS” -ErrorAction SilentlyContinue
if ($NTDS.Status -eq “Running”)
{
$NTDSStatus = “OK”
}
else { $NTDSStatus = “$NTDS.Status” }
$DNS = Get-Service -ComputerName $DC -Name “DNS” -ErrorAction SilentlyContinue
if ($DNS.Status -eq “Running”)
{
$DNSStatus = “OK”
}
Else { $DNSStatus. = “$NTDS.Status” }
$dcdiagnetlogon = dcdiag /test:netlogons /s:$DC
if ($dcdiagnetlogon -match “passed test NetLogons”)
{
$dcdiagnlstatus = “OK”
}
Else { dcdiagnlstatus = $dcdiagnetlogon }
$dcdiagservices = dcdiag /test:services /s:$DC
if {$dcdiagservices -match “passed test services”)
{
$dcdiagsrvstatus = “OK”
}
Else {$dcdiagsrvstatus = $dcdiagservices }
$dcdiagrepl = dcdiag /test:Replications /s:$DC
if ($dcdiagrepl -match “passed test Replications”)
{
$dcdiagreplstatus = “OK”
}
Else {$dcdiagreplstatus = $dcdiagrepl}
$dcdiagFSMO = dcdiag /test:FSMOCheck /s:$DC
if {$dcdiagFSo -match “passed test FsmoCheck”)
{
$dcdiagFSMOStatus = “OK”
}
Else {$dcdiagFSMOStatus = $dcdiagFSMO}
$dcdiagadv = dcdiag /test:Advertising /s:$DC
if ($dcdiagadv -match “passed test advertising”)
{
$dcdiagadvstatus = “OK”
}
Else {$dcdiagadvstatus = $dcdiagadv}The script above first imports the Active Directory module, then we take the names of all the domain controllers in the forest and assign them to an array. Afterward, we parse through that array taking each hostname and running a series of tests.
The first test is a simple connection test, to see if the specified DC is online. Afterward, we move to checking the services that are running. Then we are running the dcdiag command and our batch command.
Under each check we designated a variable called "the test name, plus status" that will either have the value of OK, or the value of the actual test result in case the test failed.
The next step is to either export all this information to a CSV file using the ExportTo-CSV, and send the results out in an email by using the SmtpClient object in PowerShell by writing something like this:
$smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
$smtp.Send($From,$To, $Subject, $report)After the delivery method is completed, we can create a scheduled task that can run this on a daily basis, a weekly basis, or any other recurring time and date combination we might want. Then we just sit back and enjoy the automatic health checks that will truly take our AD administration to the next level.
What's Next?
If you work in a Windows environment, there's no reason not to use Active Directory within PowerShell to automate tasks. It can increase efficiency — and free time for more important tasks. Need a PowerShell tutorial or refresher, check out CBT Nuggets trainer Jacob Moran's latest PowerShell 6 training.
For a more extensive reference on the Active Directory automation commands we reviewed, these Microsoft Docs are a great resource. Get ready to automate.
delivered to your inbox.
By submitting this form you agree to receive marketing emails from CBT Nuggets and that you have read, understood and are able to consent to our privacy policy.