Getting Started with PowerShell and Active Directory

PowerShell is a powerful tool. It's also very different from the cmd and VBScript way of doing things that we've suffered through since the beginning of time. About a year ago, I set out to rewrite our custom imaging scripts and AD automation tasks, which were mostly VBScript, in PowerShell. I took on this effort in part (ok, in whole) as an excuse to learn PowerShell. If you haven't taken the plunge yet, I'll introduce some basics and get you set up to start chugging along on your own.

First things first: you need PowerShell 2.0 and the Active Directory PowerShell module. Grab a copy of the Remote Server Administration Tools (RSAT) for your OS and architecture from the Microsoft Download site. After you install it, enable the Active Directory Module for Windows PowerShell feature (it lives under Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools). If you're on Windows 7 or later, PowerShell 2.0 is built in and you're done. If you're on Vista, please accept my condolences and grab PowerShell 2.0 (the Windows Management Framework) from Microsoft Update first.

The next thing you need is for the cmdlets in the AD module to actually be able to talk to your domain controllers. They don't use LDAP directly; they talk to a web service on the DC, Active Directory Web Services (ADWS), which listens on TCP 9389. If your DCs are 2008 R2 or later, ADWS is installed with the DC role and this works out of the box. If you're on Server 2008 or 2003, you need to install the Active Directory Management Gateway Service on at least one domain controller in each domain that you wish to manage with PowerShell. Either way, make sure TCP 9389 is open between your admin workstation and that DC, or every cmdlet will fail with an "Unable to find a default server with Active Directory Web Services running" error. Some of the prerequisites for the gateway service may require a reboot, so plan to do this during a maintenance window.

Ok, phew. So now we can actually start using PowerShell to manage AD objects! Fire up a PowerShell prompt and run import-module activedirectory. That will load the AD module and we can start having fun. (PowerShell 3.0 and later auto-load a module the first time you use one of its cmdlets, but on 2.0 you have to import it yourself, so get in the habit.)
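Before you get to the fun part, it's worth checking the prerequisites above from the workstation you'll be scripting on. The following is an added example, not from the original post: it checks the PowerShell version, confirms the module is installed, confirms a DC answers on the ADWS port (TCP 9389), and only then imports the module and binds to that DC. The DC name is an assumption; replace it with one of yours. It's written against PowerShell 2.0, so it uses a raw TcpClient instead of Test-NetConnection, which didn't exist yet.

```powershell
# Added example (not from the original post): verify the AD module
# prerequisites before trying to use it. PowerShell 2.0 compatible.
$dc = 'dc01.my.domain.org'   # assumption: replace with one of your domain controllers

Write-Host "PowerShell version: $($PSVersionTable.PSVersion)"

# Is the RSAT AD module actually installed on this machine?
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Write-Warning 'ActiveDirectory module not found. Install RSAT and enable the Active Directory Module for Windows PowerShell feature.'
    return
}

# ADWS (2008 R2+) and the AD Management Gateway Service (2003/2008) both listen on TCP 9389.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($dc, 9389)
    Write-Host "ADWS reachable on ${dc}:9389"
}
catch {
    Write-Warning "Cannot reach ${dc} on TCP 9389: $($_.Exception.Message)"
    Write-Warning 'Check the firewall between you and the DC, or install the AD Management Gateway Service on a 2003/2008 DC.'
    return
}
finally {
    $client.Close()
}

Import-Module ActiveDirectory

# Bind explicitly to the DC we just tested rather than letting the module pick one
# that might not be running ADWS.
Get-ADDomain -Server $dc | Select-Object DNSRoot, DomainMode, PDCEmulator
```

If the port check fails but RDP to the DC works, it's almost always the Windows Firewall on the DC or an ACL between subnets; the module gives the same "no default server" error for a closed port as it does for a DC with no ADWS at all.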

Do you want to see all user accounts in your domain?  get-aduser -filter * will do the trick. (Mind that in a big domain that really is every user, so be patient.) You'll notice that each user is presented with a default set of ten properties, like this:

DistinguishedName : CN=Some User,OU=My Users,DC=My,DC=Domain,DC=ORG
Enabled : True
GivenName : Some
Name : Some User
ObjectClass : user
ObjectGUID : blahblah-1111-111a-dddd-blahblahblahblah
SamAccountName : suser
SID : S-1-5-blahblahblah
Surname : User
UserPrincipalName : suser@my.domain.org

Whoa, that's a lot of info! And guess what, it's an OBJECT! That means that we can select individual properties or pipeline the whole damn thing. Pretty cool, right? Say that you just want the SamAccountName for all of the users in your domain. That's what the select-object cmdlet is for.

get-aduser -filter * | select-object samaccountname

will spit out just the account name for each user we just saw in the previous command.

We can also save a set of objects to a variable for manipulation later. If you run $users = get-aduser -filter * and then type $users, you'll see the whole output again, without going back to the DC. This is useful when you start writing scripts: query once, then filter, sort and count the objects in memory.

Let's get to something useful, ok? What if we wanted to know a bunch of information about every account in the domain, including the last time it logged on and whether or not it's enabled? What's that? You want it in a CSV so that you can poke around at it in Excel? That's fine.

Get-ADUser -Filter * -Properties name, samaccountname, description, distinguishedname, enabled, lastlogondate |
Select-Object name, samaccountname, description, distinguishedname, enabled, lastlogondate |
Export-CSV c:\scripts\users.csv -NoTypeInformation

That looks a little complicated, but let's break it down. The first line is basically the first command we ran, but we've added -Properties, which retrieves properties from the user accounts that aren't returned by default. Only description and lastlogondate actually need it here; the rest are in the default set of ten, and listing them again is harmless. The pipe operator | takes the output of one command and spits it into the next, which will be very familiar to anyone who has worked in Linux, with one important difference: a Linux pipe carries text, a PowerShell pipe carries whole objects, so the next cmdlet still sees properties, not columns it has to parse. So, we've taken all of the user accounts and piped them to select-object, which we understand from before as well.  Then, we pipe that to export-csv, which basically formats everything nice and neatly into a csv file. There is also an import-csv cmdlet, which can be used as a data source, but we're not going to get into that today. One caveat on lastlogondate: it's a friendly conversion of the replicated lastLogonTimestamp attribute, which is deliberately only updated when the old value is more than about 14 days stale, so it tells you "has not logged on in months", not "logged on last Tuesday". The exact lastLogon attribute is not replicated, so if you need precision you have to ask every DC.
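The report above is the classic starting point for a stale-account cleanup, and that's exactly where the lastlogondate caveat bites. The following is an added example, not from the original post, that builds on the same pipeline: it pulls the unreplicated lastLogon attribute from every domain controller, keeps the newest value per account, and writes enabled accounts that haven't logged on within the threshold to a CSV next to the replicated LastLogonDate so you can see the difference. The 90-day threshold and output path are assumptions.

```powershell
# Added example (not from the original post): stale enabled-account report using
# the exact, unreplicated lastLogon from every DC instead of only LastLogonDate.
Import-Module ActiveDirectory

$staleDays = 90                                   # assumption: your inactivity threshold
$cutoff    = (Get-Date).AddDays(-$staleDays)
$outFile   = 'C:\scripts\stale-users.csv'         # assumption: where to write the report

# Every DC has its own copy of lastLogon; the highest value wins.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$lastLogon = @{}   # SamAccountName -> newest lastLogon (FILETIME as Int64)
foreach ($dc in $dcs) {
    $users = Get-ADUser -Server $dc -Filter 'Enabled -eq $true' -Properties lastLogon
    foreach ($u in $users) {
        if ($u.lastLogon) {
            $key = $u.SamAccountName
            if ((-not $lastLogon.ContainsKey($key)) -or ($u.lastLogon -gt $lastLogon[$key])) {
                $lastLogon[$key] = $u.lastLogon
            }
        }
    }
}

# Same pipeline as the post, with the exact timestamp added and a Where-Object filter.
Get-ADUser -Filter 'Enabled -eq $true' -Properties Description, LastLogonDate, whenCreated |
    ForEach-Object {
        $ll    = $lastLogon[$_.SamAccountName]
        $exact = if ($ll) { [DateTime]::FromFileTime($ll) } else { $null }
        New-Object PSObject -Property @{
            SamAccountName    = $_.SamAccountName
            Name              = $_.Name
            Description       = $_.Description
            DistinguishedName = $_.DistinguishedName
            Created           = $_.whenCreated
            LastLogonDate     = $_.LastLogonDate   # replicated, ~14-day granularity
            LastLogonExact    = $exact             # max(lastLogon) across all DCs
        }
    } |
    # Never logged on (or not since the cutoff), and old enough that "brand new" isn't the reason.
    Where-Object { ((-not $_.LastLogonExact) -or ($_.LastLogonExact -lt $cutoff)) -and ($_.Created -lt $cutoff) } |
    Select-Object SamAccountName, Name, Description, DistinguishedName, Created, LastLogonDate, LastLogonExact |
    Sort-Object LastLogonExact |
    Export-Csv $outFile -NoTypeInformation
```

Querying every DC is slower than one Get-ADUser, so run it on a schedule rather than interactively in a large forest. The whenCreated check matters: an account created last week has no logon history yet, and you don't want it on a "disable these" list. Review the output before acting on it; service accounts that authenticate with a Kerberos keytab or certificate can look idle here while being very much in use.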

If you ever want to see what options are available for a command, or how it handles things being piped to it, there are excellent manpage-style help files available. get-help get-aduser -full will show you all of the options available for the get-aduser cmdlet, including which parameters accept pipeline input, and will also include some sample commands to point you in the right direction (get-help get-aduser -examples shows just the samples).

The Active Directory module that ships with Windows 7 and Server 2008 R2 has 76 cmdlets (later versions add more), so get-aduser is just the tip of the iceberg. get-command -module activedirectory will show you all of them and you can use get-help to see what they do and start playing around.

I hope this helps you get over your fear of PowerShell and get you started with some PowerShell-based reporting! You’ll have your whole account creation process automated in no time! (protip: use new-aduser)
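Since the protip is new-aduser, here is an added example of the account creation side, not from the original post, that reuses the import-csv cmdlet mentioned above. It creates users from a CSV, skips ones that already exist, gives each a random initial password from the system CSPRNG and forces a change at first logon, so no password ever lives in the script or the CSV. The CSV path and column names (GivenName, Surname, SamAccountName, Description) are assumptions; the OU is the one from the sample output above.

```powershell
# Added example (not from the original post): bulk account creation with New-ADUser.
Import-Module ActiveDirectory

$csvPath = 'C:\scripts\newusers.csv'                  # assumption: GivenName,Surname,SamAccountName,Description
$ou      = 'OU=My Users,DC=My,DC=Domain,DC=ORG'        # OU from the post's sample DN
$domain  = (Get-ADDomain).DNSRoot

function New-RandomPassword {
    param([int]$Length = 16)
    # Ambiguous characters (0/O, 1/l/I) left out since the user has to type this once.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit = 256 - (256 % $chars.Length)   # reject bytes >= limit to avoid modulo bias
    $out   = New-Object System.Text.StringBuilder
    $b     = New-Object byte[] 1
    while ($out.Length -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { [void]$out.Append($chars[$b[0] % $chars.Length]) }
    }
    $out.ToString()
}

foreach ($row in (Import-Csv $csvPath)) {
    $sam = $row.SamAccountName

    # Script-block filter with a variable: the module substitutes $sam itself,
    # so a stray quote in the CSV can't break (or rewrite) the query the way
    # building the filter string by hand would.
    if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
        Write-Warning "$sam already exists, skipping"
        continue
    }

    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
               -GivenName $row.GivenName -Surname $row.Surname `
               -SamAccountName $sam -UserPrincipalName "$sam@$domain" `
               -Description $row.Description -Path $ou `
               -AccountPassword $secure -Enabled $true `
               -ChangePasswordAtLogon $true

    # Hand this to the user out of band (not by email, not back into the CSV).
    Write-Host "Created $sam, one-time password: $plain"
}
```

Two things are deliberate here. New-ADUser creates a disabled account unless you pass -Enabled $true together with a password that meets domain policy, which is why the password is set in the same call. And Get-ADUser with a script-block filter is used instead of a Try/Catch around -Identity because it returns nothing rather than throwing when the account doesn't exist, which keeps the loop readable.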

