Querying Active Directory with PowerShell tools

With Windows Server 2012, when you install Active Directory the system also installs the Active Directory PowerShell module.

The other PowerShell tool, and it is my preferred one in some ways, is the Quest ActiveRoles Management Shell for Active Directory. It is a free download and has the advantage of being able to query and manipulate legacy domains back to 2003, and it can be run from an XP workstation that is not even in a domain.

For a complete listing of AD commands, type Get-Command Get-AD*


The main commands that I seem to use are:

Get-ADComputer

NAME
Get-ADComputer

SYNOPSIS
Gets one or more Active Directory computers.

SYNTAX
Get-ADComputer [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -Filter <String> [<CommonParameters>]

Get-ADComputer [-Identity] <ADComputer> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADComputer [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -LDAPFilter <String> [<CommonParameters>]

DESCRIPTION
The Get-ADComputer cmdlet gets a computer or performs a search to retrieve multiple computers.

Get-ADUser

NAME
Get-ADUser

SYNOPSIS
Gets one or more Active Directory users.

SYNTAX
Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -Filter <String> [<CommonParameters>]

Get-ADUser [-Identity] <ADUser> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -LDAPFilter <String> [<CommonParameters>]

DESCRIPTION
The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple user objects.

Get-ADGroup

NAME
Get-ADGroup

SYNOPSIS
Gets one or more Active Directory groups.

SYNTAX
Get-ADGroup [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -Filter <String> [<CommonParameters>]

Get-ADGroup [-Identity] <ADGroup> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADGroup [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -LDAPFilter <String> [<CommonParameters>]

DESCRIPTION
The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from an Active Directory.

Get-ADGroupMember

NAME
Get-ADGroupMember

SYNOPSIS
Gets the members of an Active Directory group.

SYNTAX
Get-ADGroupMember [-Identity] <ADGroup> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>] [-Recursive [<SwitchParameter>]] [-Server <String>] [<CommonParameters>]

DESCRIPTION
The Get-ADGroupMember cmdlet gets the members of an Active Directory group. Members can be users, groups, and computers.

Get-ADDomainController

NAME
Get-ADDomainController

SYNOPSIS
Gets one or more Active Directory domain controllers based on discoverable services criteria, search parameters or by providing a domain controller identifier, such as the NetBIOS name.

SYNTAX
Get-ADDomainController [[-Identity] <ADDomainController>] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Server <String>] [<CommonParameters>]

Get-ADDomainController [-AuthType <ADAuthType>] [-AvoidSelf [<SwitchParameter>]] [-DomainName <String>] [-ForceDiscover [<SwitchParameter>]] [-MinimumDirectoryServiceVersion <ADMinimumDirectoryServiceVersion>] [-NextClosestSite [<SwitchParameter>]] [-Service <ADDiscoverableService[]>] [-SiteName <String>] [-Writable [<SwitchParameter>]] -Discover [<SwitchParameter>] [<CommonParameters>]

Get-ADDomainController [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Server <String>] -Filter <String> [<CommonParameters>]

DESCRIPTION
The Get-ADDomainController cmdlet gets the domain controllers specified by the parameters. You can get domain controllers by setting the Identity, Filter or Discover parameters.

 

One thing to note when using these commands is that -Filter does not always work the way you might think it should.

Here is an example:

PS C:\Users\Administrator> Get-ADUser -Filter {name -like "*admin*"}
DistinguishedName : CN=Administrator,CN=Users,DC=example,DC=com
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : f19d3d13-169f-4dab-94dd-dc6786d12359
SamAccountName : Administrator
SID : S-1-5-21-771749751-4163724236-1264096806-500
Surname :
UserPrincipalName :

 

PS C:\Users\Administrator> Get-ADUser -Filter {distinguishedname -like "*admin*"}

If you filter on name -like *admin* you get users with admin in their name, but distinguishedname either has to be -eq to the entire distinguished name or it returns nothing:

PS C:\Users\Administrator> Get-ADUser -Filter {distinguishedname -eq 'CN=Administrator,CN=Users,DC=example,DC=com'}
DistinguishedName : CN=Administrator,CN=Users,DC=example,DC=com
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : f19d3d13-169f-4dab-94dd-dc6786d12359
SamAccountName : Administrator
SID : S-1-5-21-771749751-4163724236-1264096806-500
Surname :
UserPrincipalName :

Another thing to note is that not all properties are passed on to the pipeline unless -Properties * is added. This can be good because you can control which properties are passed.

All of the following properties can be passed through the pipeline:

AccountExpirationDate
accountExpires
AccountLockoutTime
AccountNotDelegated
adminCount
AllowReversiblePasswordEncryption
BadLogonCount
badPasswordTime
badPwdCount
CannotChangePassword
CanonicalName
Certificates
City
CN
codePage
Company
CompoundIdentitySupported
Country
countryCode
Created
createTimeStamp
Deleted
Department
Description
DisplayName
DistinguishedName
Division
DoesNotRequirePreAuth
dSCorePropagationData
EmailAddress
EmployeeID
EmployeeNumber
Enabled
Fax
GivenName
HomeDirectory
HomedirRequired
HomeDrive
HomePage
HomePhone
Initials
instanceType
isCriticalSystemObject
isDeleted
KerberosEncryptionType
LastBadPasswordAttempt
LastKnownParent
lastLogoff
lastLogon
LastLogonDate
lastLogonTimestamp
LockedOut
logonCount
logonHours
LogonWorkstations
Manager
MemberOf
MNSLogonAccount
MobilePhone
Modified
modifyTimeStamp
msDS-User-Account-Control-Computed
Name
nTSecurityDescriptor
ObjectCategory
ObjectClass
ObjectGUID
objectSid
Office
OfficePhone
Organization
OtherName
PasswordExpired
PasswordLastSet
PasswordNeverExpires
PasswordNotRequired
POBox
PostalCode
PrimaryGroup
primaryGroupID
PrincipalsAllowedToDelegateToAccount
ProfilePath
ProtectedFromAccidentalDeletion
pwdLastSet
SamAccountName
sAMAccountType
ScriptPath
sDRightsEffective
ServicePrincipalNames
SID
SIDHistory
SmartcardLogonRequired
State
StreetAddress
Surname
Title
TrustedForDelegation
TrustedToAuthForDelegation
UseDESKeyOnly
userAccountControl
userCertificate
UserPrincipalName
uSNChanged
uSNCreated
whenChanged
whenCreated

 

Not all of them can be filtered, but you can search for them with the Where-Object cmdlet. It is better to use -Filter when you can and only pass the properties that you need, as this can speed up querying dramatically.

The following examples do the same thing but the first one is a better practice.

[Screenshot in the original post; not reproduced here]
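An added example, not from the original post, covering the two points above: filtering on the server with -Filter and a short -Properties list versus pulling everything and filtering with Where-Object, plus a workaround for the distinguishedname wildcard behaviour. It assumes the ActiveDirectory module and the example.com domain from the output above; the PasswordNeverExpires audit is an illustrative choice of query.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and the example.com domain used in the output above.
Import-Module ActiveDirectory

# Better practice: the domain controller evaluates -Filter, and only the two
# extra properties named in -Properties come back with each match.
$query = @{
    Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $true'
    Properties = 'PasswordNeverExpires', 'PasswordLastSet'
}
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$serverSide = @(Get-ADUser @query)
$serverMs = $sw.ElapsedMilliseconds

# Same result, worse practice: every user and every property crosses the
# network, and Where-Object discards most of it on the client.
$sw.Restart()
$clientSide = @(Get-ADUser -Filter * -Properties * |
        Where-Object { $_.Enabled -and $_.PasswordNeverExpires })
$clientMs = $sw.ElapsedMilliseconds

# Both counts should match; the elapsed times show the cost of the second form.
[pscustomobject]@{
    ServerSideCount = $serverSide.Count
    ServerSideMs    = $serverMs
    ClientSideCount = $clientSide.Count
    ClientSideMs    = $clientMs
}

# distinguishedname takes no wildcards in -Filter, so scope the search to a
# container with -SearchBase and do the substring match on the client instead.
Get-ADUser -Filter * -SearchBase 'CN=Users,DC=example,DC=com' |
    Where-Object { $_.DistinguishedName -like '*admin*' } |
    Select-Object Name, DistinguishedName
```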

For all these Get commands there are corresponding Set commands. Each Get command can be piped to a Set command.

For example if I wanted to change the postal code to 4219 from 4218 I can do the following:

Get-ADUser -Properties postalcode -Filter {postalcode -eq "4218"} |
Set-ADUser -PostalCode "4219"


And the postal code changed.
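A more cautious version of the same bulk change, as an added example that is not from the original post: it saves the old values, previews the change with -WhatIf, and asks for confirmation before writing. The CSV path is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$old    = '4218'
$new    = '4219'
$backup = Join-Path $env:TEMP 'postalcode-before.csv'   # placeholder path

# 1. Resolve the target set once, so the preview, the change and the
#    verification all act on exactly the same objects.
$targets = @(Get-ADUser -Filter "PostalCode -eq '$old'" -Properties PostalCode)

# 2. Record the current values so the change can be reversed later.
$targets |
    Select-Object DistinguishedName, SamAccountName, PostalCode |
    Export-Csv -Path $backup -NoTypeInformation

# 3. Preview: -WhatIf prints what would be changed without writing anything.
$targets | Set-ADUser -PostalCode $new -WhatIf

# 4. Apply: -Confirm prompts before each object is modified.
$targets | Set-ADUser -PostalCode $new -Confirm

# 5. Verify: nothing should still carry the old value.
$left = @(Get-ADUser -Filter "PostalCode -eq '$old'")
'{0} targeted, {1} still on {2}' -f $targets.Count, $left.Count, $old
```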

 

Now using the Quest Active Directory Tools.

I have installed the PSSnapin on my member server. To load the snap-in, run the command:

Add-PSSnapin Quest.ActiveRoles.ADManagement

If you are going to use these tools, it is a good idea to put this command in your profile; that way it will load every time you open PowerShell. To get a listing of all the commands, type:

Get-Command get-qad*

CommandType Name
----------- ----
Cmdlet Get-QADCertificate
Cmdlet Get-QADCertificateRevocationList
Cmdlet Get-QADComputer
Cmdlet Get-QADDiagnosticLogStatus
Cmdlet Get-QADGroup
Cmdlet Get-QADGroupMember
Cmdlet Get-QADInactiveAccountsPolicy
Cmdlet Get-QADLocalCertificateStore
Cmdlet Get-QADManagedObject
Cmdlet Get-QADMemberOf
Cmdlet Get-QADObject
Cmdlet Get-QADObjectSecurity
Cmdlet Get-QADPasswordSettingsObject
Cmdlet Get-QADPasswordSettingsObjectAppliesTo
Cmdlet Get-QADPermission
Cmdlet Get-QADPKIObject
Cmdlet Get-QADProgressPolicy
Cmdlet Get-QADPSSnapinSettings
Cmdlet Get-QADRootDSE
Cmdlet Get-QADUser

I find these commands easier to use. As an example, Get-QADUser will give me a listing of all users in the directory.


Filtering is easier too: I can just use name go* and it gives me every user starting with go.


And a simple | fl * will give me all the attributes.


I find the following easier to do with Quest than with the AD cmdlets:

[Screenshot in the original post; not reproduced here]

And the postal code is changed back.
