ADPowershell is available starting Windows Server 2008 R2. To play with AD Powershell cmdlets, you must have at least one Windows Server 2008 R2 domain controller (DC) in your domain.
Installing AD Powershell module:
On a Windows Server 2008 R2 box, open an elevated Powershell console window (powershell.exe) and run the following commands:
PS C:\> import-module servermanagerNOTE: AD Powershell module is installed by default on a DC.
PS C:\> Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
Loading AD Powershell module:
Open a Powershell console window and type
PS C:\> import-module activedirectoryActive Directory PSDrive:
If the machine is joined to a domain then a default drive named AD: is created. You can CD into this drive and use all the regular file system commands to navigate the directory. The paths are in X500 format.
PS C:\> cd AD:If you want to create a new drive connected to another domain/forest or use the more readable canonical path format, type:
PS AD:\>
PS AD:\> dir
…
PS AD:\> cd "DC=fabrikam,DC=com"
PS AD:\DC=fabrikam,DC=com> md "OU=myNewOU"
…
PS AD:\DC=fabrikam,DC=com> del "OU=myNewOU"
PS C:\> New-PSDrive -PSProvider ActiveDirectory -Server "contoso.fabrikam.com" -Credential "Contoso\Administrator" -Root "" -Name Contoso -FormatType Canonical
…
PS C:\> cd Contoso:
PS Contoso:\> dir | ft CanonicalName
…
PS Contoso:\> cd "contoso.fabrikam.com/"
Getting cmdlet list, help and examples:
Powershell uses verb-noun name-pair format to name cmdlets. For example:
New-ADGroupTo get a list of AD cmdlets type
Get-ADDomain
PS AD:\> get-help *-AD*To get more info on a specific cmdlet or read examples, type
PS AD:\> get-help New-AD* ## would list all the cmdlets that create new AD objects
PS AD:\> get-help set-aduser -detailedTips: You can use the tab completion feature of Powershell to complete cmdlet names or parameter names. For example after entering the Verb- part of a cmdlet name you can hit <TAB> key to cycle through all of the nouns available for that verb.
PS AD:\> get-help get-aduser -examples
Common tasks:
Here are some examples of commonly performed tasks using AD cmdlets:
PS C:\> New-ADUser –Name "John Smith" –SamAccountName JohnS –DisplayName "John Smith" –Title "Account Manager" –Enabled $true –ChangePasswordAtLogon $true -AccountPassword (ConvertTo-SecureString "p@ssw0rd" -AsPlainText -force) -PassThru
PS C:\> New-ADGroup -Name "Account Managers" -SamAccountName AcctMgrs -GroupScope Global -GroupCategory Security -Description "Account Managers Group" –PassThru
PS C:\> New-ADOrganizationalUnit -Name AccountsDepartment -ProtectedFromAccidentalDeletion $true -PassThru
PS C:\> Get-ADUser -Filter { name –like "john*" } ## Gets all the users whose name starts with John
PS C:\> Add-ADGroupMember -Identity AcctMgrs -Members JohnS
PS C:\> Get-ADGroupMember -Identity AcctMgrs
PS C:\> Get-ADPrincipalGroupMembership -Identity JohnS ## Gets all the groups in which the specified account is a direct member.
PS C:\> Get-ADAccountAuthorizationGroup -Identity JohnS ## Gets the token groups of an account
PS C:\> Unlock-ADAccount -Identity JohnS
PS C:\> Get-ADForest -Current LocalComputer
PS C:\> Get-ADDomain -Current LoggedOnUser
PS C:\> Get-ADDomainController -Filter { name -like "*" } ## Gets all the DCs in the current domain
What next?
In the next post we will give an overview of Active Directory Powershell and talk about various cmdlets we provide in this release.
Enjoy!
Swami
—
Swaminathan Pattabiraman [MSFT]
Developer – Active Directory Powershell Team
-
27 Feb 2009 9:53 AM
Hello Swaminathan, thanks for opening this blog.
Why you _require_ -Server parameter in New-PsDrive? You can provide default value for it pointing to current logon server for example. Same about -root parameter which can easily defaults to “” as in your example.
Why not to make Canonical names default format btw? X500 requres quotes “every,time,when used,because, of, commas”, it right to left so hard to type, and tabcompletion works only on current level ( so you cant do cd mydomain.com\myou\[tab] for example).
Anyway, thanks even for creating this option at all 🙂
[PS <560> AD:\] Get-ADDomain
Get-ADDomain : Parameter set cannot be resolved using the specified named parameters.
Event if it cant be resolved (why not return my logon domain?) why not to ask me about required parameters, or return all matching objects, like Get-Process do for example?
Same relates to all other your Get-* cmdlets.
Get-ADUser -Filter { name –like “john*” } ## Gets all the users whose name starts with John
Why not Get-ADSomething john* or even Get-ADSomething john ? You can use query by ANR (http://support.microsoft.com/kb/243299) as default parameter, and this will be perfect choice. Or another solution, just dont leave us with this ugly one. BTW, how to get _all_ users? 😉 Get-ADSomething (without params) should work. All other PowerShell cmdlets work this way, just look around.
Is Get-ADAccountAuthorizationGroup is nothing other but Get-ADPrincipalGroupMembership with recurse parameter?
Better to add Get-ADGroupMember and Get-ADPrincipalGroupMembership lacks -recurse parameter. This is high resurce consuming operation sometimes, but its very important and popular scenario.
Why in one case you use “Principal” (Get-ADPrincipalGroupMembership) and in another “Account” (Get-ADAccountAuthorizationGroup)? As it seems to me – its equal meanings there. BTW, IMHO “ADObject” is better and more intuitive 😉
Again…
Get-ADDomainController -Filter { name -like “*” } ## Gets all the DCs in the current domain
Why not just Get-ADDomainController ? 🙂
Thats all for today 🙂 I hope my silly critics somehow help you build the real PowerAD 😉 Thanks for your work.
Vasily Gusev, MVP: Admin Frameworks.
-
27 Feb 2009 10:56 AM
Almost forgotten… About Search-ADAccount… There is no such verb as Search- or Find- in PowerShell, and no need in it.
There is quote from PowerShell concepts about verbs(http://msdn.microsoft.com/en-us/library/ms714428.aspx):
Get
Retrieves a resource. For example, the Get-Content cmdlet retrieves the content of a file. Pairs with Set.
Do not use verbs such as Read, Open, Cat, Type, Dir, Obtain, Dump, Acquire, Examine, Find, or _Search_.
All this functionality that it provides, must be built in the Get-AD* cmdlets.
There is no good in building more and more cmdlets just for separate some aspects of same general task (exept if you get bonuses for it ;)). Get-ADObject (Account/Principal/Whatever) should Get any ad objects in any way that I want (I’m dont want to search, i want GET ;)). Get-ADUser/Computer is just special aliases for some popular types.
Same with Set. Set-ADSomething should set any of Something properties, like password for example. Reset-ADPrincipalPassword doesnt hurt while it “alias” for Set-AdAccount -Password (Get-Credential).
All this will make AD part of PowerShell better integrate in whole system.
And… I’m dont noticed formatting of ad objects, just because I think it will be done some time later prior to release. Is it in plans? 🙂
Vasily Gusev, MVP: Admin Frameworks.
-
3 Mar 2009 1:57 AM
Thanks Vasily for the feedback. Here are some answers to specific questions.
>> 1. Why you _require_ -Server parameter in New-PsDrive?
-Server parameter is optional in all our cmdlets and by default the cmdlets talk to a suitable DC in the computer’s domain.
>> 2. -root parameter which can easily defaults to “”
Fair point.
>> 3. Regarding – Why not Get-ADSomething john* or even Get-ADSomething john ? You can use query by ANR ..
>> Get-ADDomainController -Filter { name -like “*” } ## Gets all the DCs in the current domain
>> Get-ADDomain : Parameter set cannot be resolved using the specified named parameters.
We are working on the default behavior of all the cmdlets and the experience should be better in the next release 🙂
The default parameter set for get directory object cmdlets such as: Get-ADObject, Get-ADUser, Get-ADGroup etc. is -Identity.
The purpose of -Identity is to uniquely identify an object in a domain. Thus we only support identities (such as: distinguishedName, objectGuid, objectSid and samAccountName) that are guaranteed to be unique by the server. For certain special objects (example: Fine Grained Password policy, Site, Domain controller etc.) we support “name” as the identity.
We will write more about Identity in a separate blog.
Since, ANR can potentially return more than objects it does not qualify as Identity. However, you can run a ANR query using filter.
PS C:\> get-aduser -Filter { anr -eq “John” }
For getting all users type:
PS C:\> get-aduser -Filter { name -like “*” }
>> 4. Is Get-ADAccountAuthorizationGroup is nothing other but Get-ADPrincipalGroupMembership with recurse parameter?
Not exactly. Get-ADAccountAuthorizationGroup returns all the security groups in which an account is a direct or indirect member. It does not include Distribution Groups.
The returned set may also include additional groups that system would consider the user a member of for authorization purposes.
>> 5. Why in one case you use “Principal” (Get-ADPrincipalGroupMembership) and in another “Account” (Get-ADAccountAuthorizationGroup)?
Good question. We would like to address this in a separate blog. Watch out for a topic on “ADObject model”
>> 6. About Search-ADAccount… There is no such verb as Search- or Find- in PowerShell, and no need in it.
It is a valid verb in Powershell V2 (http://blogs.msdn.com/powershell/archive/2007/05/09/proposed-new-standard-verbs.aspx)
>> 7. There is no good in building more and more cmdlets just for separate some aspects of same general task.
Again a good question, but I would prefer to address this in a separate blog.
For now here is a short answer:
Get-ADUser/ADComputer are not just special aliases. They retrieve additional data and display them in rich format. They also accept data in rich format inside -Filter parameter.
Similarly, Set-ADUser,Set-ADComputer, New-ADUser, New-ADGroup etc. provides additional/relevant parameters for creating/writing the respective objects.
>> 8. And… I’m dont noticed formatting of ad objects, just because I think it will be done some time later prior to release. Is it in plans? 🙂
Ah.. we thought no one would notice 🙂
Once again thanks for the feedback. Keep them coming.
Cheers,
Swami
-
3 Mar 2009 2:16 AM
Brandon Shell pointed out an elegant way to get a list of AD cmdlets. Here it is..
PS C:\> get-command -module ActiveDirectory -verb get
PS C:\> get-command -module ActiveDirectory -noun ADUser
Cheers,
Swami
-
6 Mar 2009 1:09 AM
>The default parameter set for get directory object cmdlets such as: Get-ADObject, Get-ADUser, Get-ADGroup etc. is -Identity.
>get-aduser -Filter { anr -eq “John” }
You can have more than one default parameter (in different parameter sets), so it can easily be -Identity, and then (if input not valid X500 path) fallback to -Anr.
-
6 Mar 2009 1:10 AM
> Ah.. we thought no one would notice 🙂
You joking? 🙂 This is hard to beleive 🙂
-
6 Mar 2009 5:41 PM
@Xaegr
>> Ah.. we thought no one would notice 🙂
> You joking? 🙂 This is hard to beleive 🙂
Yes, I was just joking. Btw, was your comment regarding Provider cmdlet output? Or for all AD cmdlets?
Cheers,
Swami
-
12 Mar 2009 1:23 AM
No, output from get-aduser is fine for me for example.
Only one suggestion, please accept wildcard chars for -Properties parameter 🙂 Not all can remember ad property names form objects, so get-aduser someone -prop *logon* will be useful. And get-aduser someone -prop * of course.
-
12 Mar 2009 10:32 PM
-Properties parameter does support * and returns all properties + ldap attributes set on the object.
It does not support wildcard chars on the parameters. You can query the schema to get a list of all ldap attributes that can be set on an AD object.
Here is a Powershell function that does this:
function GetPossibleLdapAttributes() {
Param ([Parameter(Mandatory=$true, Position=0)] [String] $ObjectClass)
$rootDSE = Get-ADRootDSE
$schemaObject = get-adobject -filter { ldapdisplayname -like $ObjectClass } -Properties mayContain, SystemMayContain -searchbase $rootDSE.SchemaNamingContext
$schemaObject.MayContain
$schemaObject.SystemMayContain
}
Type:
PS C:\> GetPossibleLdapAttributes computer
PS C:\> GetPossibleLdapAttributes user
Cheers,
Swami
-
19 Apr 2009 12:31 PM
On cmdlets like new-aduser could we have -organizationalunit rather than -path (an alias on the parameter would be acceptable).
AD admins think in terms of OUs rather than paths plus it would be consistent with Exchange
-
PeterW8 Dec 2011 10:26 AMServerManager Best Practices for AD scan is showing two problems:
1. ActiveDirectory-Powershell is not installed
I’ve tried enabling it, but I’m told the feature isn’t recognized, even though dism /online /get-features lists it.
2. Strict replication consistency should be enabled
Not sure if I should do this considering the warning about lingering objects and possible forest-wide authentication issues if LOs exist and strict is enabled.
How can I reinstall the ActiveDirectory-Powershell feature and enable it?
Should I worry about the strict setting?
Help!
