PowerShell commands for managing Active Directory Learn how to use PowerShell to manage Active Directory effectively with these 8 essential commands.
What do you think about when you hear the word PowerShell? For many administrators, the first thing that comes to mind is Active Directory (AD) management. This is no surprise: since the ActiveDirectory module shipped with Windows Server 2008 R2, PowerShell has been the primary scripting and automation interface for AD, and its cmdlets cover most of what used to require Active Directory Users and Computers, dsquery or hand-written ADSI scripts.
Get Users That Do Not Require a Password
One of the most important aspects of keeping your network secure is making sure that every account has a strong password. AD cannot tell you directly whether a password is blank, but it does record whether an account is allowed to have one: the PasswordNotRequired property (the PASSWD_NOTREQD bit, 0x20, in userAccountControl) exempts the account from the domain password policy, including its minimum length, so such an account can legitimately have an empty password. The following command lists those accounts:
Get-ADUser -Filter 'PasswordNotRequired -eq $true' -Properties PasswordNotRequired
Any enabled account in that list deserves a look; the flag is rarely needed and is a common leftover from provisioning scripts. To see the status of every user, pipe the result into Select-Object (the pipe is easy to lose when a command is copied from a web page, and PasswordNotRequired is not one of the default properties, so it has to be requested with -Properties):
Get-ADUser -Filter * -Properties PasswordNotRequired | Select-Object Name, Enabled, PasswordNotRequired
This gives a more complete picture of which accounts still need a password.
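The following is an added example, not code from the original article: it audits the accounts that carry the PASSWD_NOTREQD flag, cross-checks the module's computed property against the raw userAccountControl bit, and remediates the enabled ones. It assumes the ActiveDirectory module is installed and that the caller may read userAccountControl and modify the accounts; the search base defaults to the whole domain, and the function names are my own.

```powershell
# Added example (not from the original article): audit accounts that carry the PASSWD_NOTREQD flag
# and remediate them. Assumes the ActiveDirectory module is installed and the caller may read
# userAccountControl and modify the accounts. The default search base is the whole domain.
Import-Module ActiveDirectory

function Get-PasswordNotRequiredAccount {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADUser -Filter 'PasswordNotRequired -eq $true' -SearchBase $SearchBase `
               -Properties PasswordNotRequired, PasswordLastSet, LastLogonDate, userAccountControl |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                PasswordLastSet = $_.PasswordLastSet      # $null: no password has ever been set
                LastLogonDate   = $_.LastLogonDate
                # Cross-check the module's computed property against the raw bit (0x20) in userAccountControl.
                UacBitSet       = (($_.userAccountControl -band 0x20) -ne 0)
            }
        }
}

function Repair-PasswordNotRequiredAccount {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$Commit                       # without -Commit every change is previewed with -WhatIf
    )
    $whatIf = @{ WhatIf = -not $Commit }
    foreach ($sam in $SamAccountName) {
        # Clearing the flag only governs future password changes; a currently blank password stays
        # blank, so reset it to a throwaway value and force a change at next logon.
        $tmp    = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
        $secure = ConvertTo-SecureString $tmp -AsPlainText -Force
        Set-ADUser -Identity $sam -PasswordNotRequired $false @whatIf
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword $secure @whatIf
        Set-ADUser -Identity $sam -ChangePasswordAtLogon $true @whatIf
    }
}

# Usage: review the list first. Service accounts sometimes carry the flag by mistake from
# provisioning scripts, and resetting their password will break whatever uses them.
$flagged = Get-PasswordNotRequiredAccount
$flagged | Sort-Object Enabled -Descending | Format-Table -AutoSize
$enabled = @($flagged | Where-Object { $_.Enabled }).SamAccountName
if ($enabled) { Repair-PasswordNotRequiredAccount -SamAccountName $enabled }          # preview only
# Repair-PasswordNotRequiredAccount -SamAccountName $enabled -Commit
```

The preview run prints one "What if" line per change so the list can be reviewed before anything is written; the user receives the replacement password through your normal reset process, not from this script.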
Get Enabled and Disabled Users
Get-ADUser -Filter * returns every user object in the domain, disabled accounts included. Filtering on the Enabled property narrows the result on the server side:
Get-ADUser -Filter 'Enabled -eq $true'
Get-ADUser -Filter 'Enabled -eq $false'
The same result can be had with a client-side filter, Get-ADUser -Filter * | Where-Object { $_.Enabled -eq $false }, but that pulls every user over the wire before discarding most of them. In a large domain prefer the server-side filter, or Search-ADAccount -AccountDisabled -UsersOnly, which exists for exactly this query.
Get All Objects In A Specific OU: If you want to see every object in an OU (users, groups, computers, contacts and any nested OUs) together with its attributes, run the following command, giving -SearchBase the full distinguished name of the OU rather than just its name (the domain components below are placeholders; use your own):
Get-ADObject -SearchBase 'OU=Accounts,DC=corp,DC=example,DC=com' -Filter * -Properties *
The search is recursive (-SearchScope Subtree) by default; add -SearchScope OneLevel to list only the OU's direct children. Requesting -Properties * on a large OU is slow and noisy, so name the attributes you actually need when you can.
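As an added example that is not part of the original article, the function below inventories an OU by object class and lists what changed in it recently, which is the first thing to look at after a suspected unauthorized change. The OU distinguished name and the seven-day window are assumptions; substitute your own.

```powershell
# Added example (not from the original article): inventory an OU by object class and surface
# recently changed objects. The distinguished name is a placeholder; replace it with your OU.
Import-Module ActiveDirectory

function Get-OuInventory {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [ValidateSet('Base', 'OneLevel', 'Subtree')][string]$SearchScope = 'Subtree',
        [int]$ChangedWithinDays = 7
    )
    $since = (Get-Date).AddDays(-$ChangedWithinDays)
    # Ask only for the attributes the report needs; -Properties * on a large OU is slow and noisy.
    $objects = @(Get-ADObject -SearchBase $SearchBase -SearchScope $SearchScope -Filter * `
                              -Properties WhenCreated, WhenChanged, Description)
    [PSCustomObject]@{
        SearchBase      = $SearchBase
        SearchScope     = $SearchScope
        Total           = $objects.Count
        # Group by class so computers, contacts and nested OUs are visible, not just users and groups.
        ByClass         = $objects | Group-Object ObjectClass | Sort-Object Count -Descending |
                              Select-Object Name, Count
        # Objects written to within the window; whenChanged is local to each DC but good enough here.
        RecentlyChanged = $objects | Where-Object { $_.WhenChanged -ge $since } |
                              Sort-Object WhenChanged -Descending |
                              Select-Object Name, ObjectClass, WhenChanged, DistinguishedName
    }
}

$ou  = 'OU=Accounts,DC=corp,DC=example,DC=com'
$inv = Get-OuInventory -SearchBase $ou
$inv.ByClass         | Format-Table -AutoSize
$inv.RecentlyChanged | Format-Table -AutoSize
# Direct children of the OU only:
(Get-OuInventory -SearchBase $ou -SearchScope OneLevel).ByClass
```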
Get Users by Last Logon Time
A common task when managing Active Directory is finding users who have not logged on recently, or, conversely, who have logged on since a given date. Get-ADUser can filter on the LastLogonTimeStamp attribute, but two details matter. First, the attribute is stored as a 64-bit FILETIME integer, not a date; the AD module converts a [DateTime] value in the filter for you, so put the date in a variable rather than typing 1/1/2019 into the filter, where it is not parsed as a date. Second, lastLogonTimestamp is the replicated, approximate value: a logon only updates it when the stored value is more than 9 to 14 days old, so it is fine for finding stale accounts but useless for precise "who logged on yesterday" questions, which need the non-replicated lastLogon attribute read from every domain controller. The following returns all users whose last logon was after January 1, 2019:
$since = Get-Date '2019-01-01'
Get-ADUser -Filter { LastLogonTimeStamp -gt $since } -Properties LastLogonTimeStamp, LastLogonDate
Change -gt to -lt to find accounts that have not logged on since that date. LastLogonDate is the same value already converted to a readable date by the module, and both have to be requested with -Properties because neither is returned by default.
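As an added example (not the article's own code), the script below builds a stale-account report from lastLogonTimestamp, including the accounts that have never logged on and are missed by a plain -lt comparison, and then confirms individual accounts against the exact lastLogon value on every domain controller before anyone disables them. It assumes the ActiveDirectory module is loaded, that 90 days is the staleness threshold, and that the caller can query every DC; the function names are my own.

```powershell
# Added example (not from the original article): stale-account report from lastLogonTimestamp,
# plus an exact last-logon lookup that reads the non-replicated lastLogon from every DC.
# Assumptions: the ActiveDirectory module is loaded, 90 days counts as stale, and the caller
# can query each domain controller.
Import-Module ActiveDirectory

function Get-StaleUser {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Server-side filter: the AD module converts $cutoff to the FILETIME integer the attribute stores.
    # Only enabled accounts matter; disabled ones are already neutralised.
    $old = Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $cutoff } `
                      -Properties LastLogonTimeStamp, WhenCreated
    # Accounts that have never logged on have no lastLogonTimestamp at all, so "-lt" never matches
    # them; find them by the attribute's absence and age them by creation date instead.
    $never = Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -notlike '*' } `
                        -Properties WhenCreated |
             Where-Object { $_.WhenCreated -lt $cutoff }
    @($old) + @($never) | ForEach-Object {
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            Created         = $_.WhenCreated
            # Convert the raw value ourselves; LastLogonDate is the module's pre-converted equivalent.
            LastLogonApprox = if ($_.LastLogonTimeStamp) { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } else { $null }
        }
    } | Sort-Object LastLogonApprox
}

function Get-ExactLastLogon {
    # lastLogon is updated on every logon but only on the DC that handled it and never replicates,
    # so the newest value across all DCs is the real answer. Check this before disabling anything.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $newest = 0
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            if ($u.lastLogon -gt $newest) { $newest = $u.lastLogon }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
    if ($newest -eq 0) { return $null }   # never logged on anywhere
    return [DateTime]::FromFileTime($newest)
}

# Usage: list stale accounts, then confirm a few of them against every DC.
$stale = Get-StaleUser -Days 90
$stale | Format-Table -AutoSize
foreach ($s in ($stale | Select-Object -First 5)) {
    "{0}: exact last logon {1}" -f $s.SamAccountName, (Get-ExactLastLogon -SamAccountName $s.SamAccountName)
}
```

Querying every DC is slower than one replicated read, which is why the exact lookup is reserved for the short list the report produces rather than run for the whole domain.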
Clear the AD User Last Logon Timestamp
Set-ADUser -Clear removes an attribute's value from an account, and it can be pointed at lastLogonTimestamp. Note the pipe between the two cmdlets, and that the scope is set on the Get-ADUser side with -SearchBase (Set-ADUser has no OU parameter; the domain components below are placeholders):
Get-ADUser -Filter * -SearchBase 'OU=OU1,DC=corp,DC=example,DC=com' | Set-ADUser -Clear lastLogonTimestamp -WhatIf
Think hard before removing -WhatIf, and do not assume the write will be accepted without checking the schema and your permissions. lastLogonTimestamp is maintained by the domain controllers and is the main evidence used to find stale and dormant accounts and, during an incident, to establish when an account was last used. Clearing it does nothing for cross-domain synchronisation (each domain holds its own user objects, so there is nothing to synchronise), it blinds stale-account reports until the account next logs on, and it looks exactly like an attacker covering tracks. If you have a genuine reason, target specific accounts rather than the whole domain, record why, and expect the change to show up in directory-service change auditing.
Use the Active Directory Module for Windows PowerShell
To use the Active Directory module you first need the RSAT (Remote Server Administration Tools) on your workstation. On Windows 10 and 11 the AD tools are a Feature on Demand installed with Add-WindowsCapability; on Windows Server they are the RSAT-AD-PowerShell feature, installed with Install-WindowsFeature. Once installed, load the module with Import-Module ActiveDirectory (current PowerShell versions also load it automatically the first time you call one of its cmdlets). The cmdlets talk to a domain controller over Active Directory Web Services (TCP 9389) rather than plain LDAP, so the DC you use must be running the ADWS service. Get-ADDomainController -Discover finds a suitable DC; to direct a query at a particular one, pass its name to the -Server parameter that every AD cmdlet accepts, and use -Credential to run it as a separate administrative account rather than your everyday identity. To list the users in a particular OU, use Get-ADUser with -SearchBase.
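The following added example, not from the original article, puts those steps together: it installs the module if it is missing, discovers a writable DC that runs ADWS, and pins queries to that DC under a separately prompted admin credential. The OU and domain names are placeholders.

```powershell
# Added example (not from the original article): install the AD module, pin queries to a chosen
# domain controller, and run them under a separate admin credential. The OU distinguished name
# and the child-domain name below are placeholders; replace them with your own.

# Windows 10/11: the AD tools are a Feature on Demand (needs internet access or a configured FoD source).
if ((Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools*').State -ne 'Installed') {
    Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
}
# Windows Server equivalent:
#   Install-WindowsFeature RSAT-AD-PowerShell

Import-Module ActiveDirectory

# Find a writable DC that runs Active Directory Web Services; the module cannot use a DC without it.
$dc     = Get-ADDomainController -Discover -Writable -Service ADWS
$server = [string]$dc.HostName

# Prompt for a dedicated admin account instead of hard-coding anything or using your daily identity.
$cred = Get-Credential -Message 'AD administrative account'

# Every AD cmdlet accepts -Server and -Credential. Pinning a session of changes to one DC also means
# you read back what you just wrote instead of racing replication between DCs.
$ou = 'OU=Accounts,DC=corp,DC=example,DC=com'
Get-ADUser -Filter * -SearchBase $ou -Server $server -Credential $cred |
    Select-Object SamAccountName, Enabled, DistinguishedName

# The same pattern reaches another domain in the forest: name one of its DCs, or the domain itself, in -Server.
# Get-ADUser -Filter * -SearchBase 'OU=Accounts,DC=child,DC=corp,DC=example,DC=com' `
#            -Server 'child.corp.example.com' -Credential $cred
```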
Rename Groups With PowerShell
Group names are often changed as organizations evolve; for example, a group called Sales might be renamed to Marketing. Rename-ADObject changes the Name (the CN in the distinguished name) of any directory object, groups included, and has been part of the ActiveDirectory module since it first shipped with Windows Server 2008 R2.
To rename a group, specify the identity of the group object and give the new name in the -NewName parameter. The rename leaves the group's SID untouched, so existing permissions keep working, but it does not change sAMAccountName; if the pre-Windows 2000 name should change too, set it separately with Set-ADGroup -SamAccountName, and then fix any scripts, GPO security filtering or application configurations that still reference the old name.
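The added example below (my code, not the article's) wraps the full rename: it refuses to rename onto an existing account name, changes the CN with Rename-ADObject, brings sAMAccountName and DisplayName into line, and reads the group back by SID to show that its identity is unchanged. It assumes a group currently named Sales exists and that Marketing is free.

```powershell
# Added example (not from the original article): rename a group and keep the related names in step.
# Assumptions: a group named 'Sales' exists and no object already uses the sAMAccountName 'Marketing'.
Import-Module ActiveDirectory

function Rename-AdGroupFully {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, SID, GUID or DN of the group
        [Parameter(Mandatory)][string]$NewName,
        [switch]$Commit                            # preview with -WhatIf unless -Commit is given
    )
    $group = Get-ADGroup -Identity $Identity -Properties DisplayName
    # sAMAccountName must be unique in the domain; fail early rather than half-way through.
    if (Get-ADObject -Filter "SamAccountName -eq '$NewName'") {
        throw "An object with sAMAccountName '$NewName' already exists."
    }
    $whatIf = @{ WhatIf = -not $Commit }
    # 1. Name / CN: this is all Rename-ADObject changes (CN=Sales -> CN=Marketing).
    Rename-ADObject -Identity $group.DistinguishedName -NewName $NewName @whatIf
    # 2. sAMAccountName and DisplayName are separate attributes the rename leaves alone. Address the
    #    group by GUID here because the DN from step 1 is no longer valid once the rename is committed.
    Set-ADGroup -Identity $group.ObjectGUID -SamAccountName $NewName -DisplayName $NewName @whatIf
    if ($Commit) {
        # 3. The SID never changes, so ACLs that reference the group keep working; read it back by SID.
        Get-ADGroup -Identity $group.SID -Properties DisplayName |
            Select-Object Name, SamAccountName, DisplayName, SID, DistinguishedName
    }
}

Rename-AdGroupFully -Identity 'Sales' -NewName 'Marketing'           # preview
# Rename-AdGroupFully -Identity 'Sales' -NewName 'Marketing' -Commit
```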
Remove Members From A Group Using PowerShell
You can use the Remove-ADGroupMember cmdlet to remove users, groups, service accounts and computers from an AD group, one member or many at a time. The steps to remove members from an AD group with PowerShell are:
1) Get the identity of the group from which you want to remove members (its distinguished name, GUID, SID or sAMAccountName all work).
2) Use the Get-ADGroupMember cmdlet to get a list of members in the group.
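As an added example that is not part of the original article, the function below carries the procedure through to the removal itself: it lists the current direct members, warns about names that are not members, previews the removal with -WhatIf unless told to commit, and then checks the recursive membership afterwards, because removing a direct member does not revoke access the account still holds through a nested group. The group and member names are constructed placeholders, and members are expected as sAMAccountNames.

```powershell
# Added example (not from the original article): remove members from a group safely and verify.
# 'App-Admins', 'jdoe' and 'svc-legacy' are constructed placeholders. -Members takes sAMAccountNames.
Import-Module ActiveDirectory

function Remove-GroupMemberSafely {
    param(
        [Parameter(Mandatory)][string]$Group,        # DN, GUID, SID or sAMAccountName of the group
        [Parameter(Mandatory)][string[]]$Members,    # sAMAccountNames of users, computers or groups
        [switch]$Commit
    )
    $g = Get-ADGroup -Identity $Group
    # Direct members only at this point; nested membership is checked after the change.
    $before     = @(Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName)
    $notMembers = $Members | Where-Object { $before -notcontains $_ }
    if ($notMembers) { Write-Warning "Not direct members of $($g.Name): $($notMembers -join ', ')" }
    $targets = @($Members | Where-Object { $before -contains $_ })
    if (-not $targets) { return }

    if (-not $Commit) {
        Remove-ADGroupMember -Identity $g -Members $targets -WhatIf
        return
    }
    # -Confirm:$false suppresses the per-group prompt; the preview run above is the safety net instead.
    Remove-ADGroupMember -Identity $g -Members $targets -Confirm:$false

    # Read back effective (recursive) membership: an account removed here may still be a member
    # through another group, in which case the removal did not actually revoke anything.
    $after = @(Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName)
    foreach ($t in $targets) {
        if ($after -contains $t) { Write-Warning "$t is still an effective member of $($g.Name) (nested membership)" }
    }
    [PSCustomObject]@{
        Group            = $g.Name
        Removed          = $targets
        DirectMembersNow = @(Get-ADGroupMember -Identity $g).Count
    }
}

Remove-GroupMemberSafely -Group 'App-Admins' -Members 'jdoe', 'svc-legacy'           # preview
# Remove-GroupMemberSafely -Group 'App-Admins' -Members 'jdoe', 'svc-legacy' -Commit
```

Membership changes to privileged groups should be expected in your directory auditing, so run this from an account and host that the security team already recognises as administrative.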
Search The AD Recycle Bin For Deleted Objects
When an object is deleted from Active Directory it is not gone immediately. If the AD Recycle Bin optional feature is enabled (it is off by default, is switched on once for the whole forest with Enable-ADOptionalFeature, and cannot be switched off again), the object is kept with all of its attributes, group memberships and SID for the deleted-object lifetime (180 days by default) and can be brought back with Restore-ADObject. If the feature is not enabled, deletion leaves only a tombstone with most attributes stripped, and a faithful recovery needs an authoritative restore from backup. Deleted objects are hidden from normal searches, so you must ask for them with -IncludeDeletedObjects, and the -Filter syntax is PowerShell-style, not LDAP-style. The following lists every deleted object that can still be restored:
Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties LastKnownParent, WhenChanged
Objects whose isRecycled attribute is TRUE have already passed the deleted-object lifetime and can no longer be restored, so a filter on isRecycled finds exactly the objects you cannot get back, not the ones you can. During an incident the Recycle Bin is also worth reading for what an attacker created and then removed: accounts and group memberships that were deleted still carry their full attributes here.
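The following added example, which is my code rather than the article's, checks whether the Recycle Bin is enabled, lists restorable deleted objects with their original location and approximate deletion time, and restores one by GUID after confirming that its parent container still exists. The user name jdoe at the end is a constructed placeholder.

```powershell
# Added example (not from the original article): check the Recycle Bin, list restorable deleted
# objects, and restore one by GUID. 'jdoe' is a constructed placeholder.
Import-Module ActiveDirectory

function Test-AdRecycleBin {
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    # EnabledScopes stays empty until Enable-ADOptionalFeature has been run for the forest.
    return ($feature.EnabledScopes.Count -gt 0)
}

function Get-RestorableDeletedObject {
    param([string]$NameLike = '*')
    # isDeleted objects that are not yet isRecycled keep their attributes and can be restored.
    # Normal searches hide them, so -IncludeDeletedObjects is required; the container itself is excluded.
    Get-ADObject -Filter { isDeleted -eq $true -and isRecycled -ne $true -and Name -ne 'Deleted Objects' } `
                 -IncludeDeletedObjects -Properties LastKnownParent, WhenChanged, SamAccountName, ObjectSID |
        Where-Object { $_.Name -like $NameLike } |
        ForEach-Object {
            [PSCustomObject]@{
                # Deleted names carry a NUL + "ADEL:<guid>" suffix; keep only the original name for display.
                Name            = ($_.Name -split "`0")[0]
                ObjectClass     = $_.ObjectClass
                SamAccountName  = $_.SamAccountName
                ObjectSID       = $_.ObjectSID
                LastKnownParent = $_.LastKnownParent
                DeletedAround   = $_.WhenChanged      # last write, which for a deleted object is the deletion
                ObjectGUID      = $_.ObjectGUID
            }
        } | Sort-Object DeletedAround -Descending
}

function Restore-DeletedObjectByGuid {
    param([Parameter(Mandatory)][guid]$ObjectGUID, [switch]$Commit)
    $obj    = Get-ADObject -Identity $ObjectGUID -IncludeDeletedObjects -Properties LastKnownParent
    $parent = $obj.LastKnownParent
    # Restore-ADObject fails if the original parent was deleted too; the parent has to come back first.
    try   { $null = Get-ADObject -Identity $parent -ErrorAction Stop }
    catch { throw "Parent '$parent' no longer exists; restore it before restoring this object." }
    if ($Commit) { Restore-ADObject -Identity $ObjectGUID }
    else         { Restore-ADObject -Identity $ObjectGUID -WhatIf }
}

if (-not (Test-AdRecycleBin)) {
    Write-Warning 'AD Recycle Bin is not enabled; deleted objects are tombstones and only partially recoverable.'
}
Get-RestorableDeletedObject | Format-Table -AutoSize
# A recently deleted account is also evidence: an attacker may create a user, use it, then delete it.
$victim = Get-RestorableDeletedObject -NameLike 'jdoe*' | Select-Object -First 1
if ($victim) { Restore-DeletedObjectByGuid -ObjectGUID $victim.ObjectGUID }        # preview
# Restore-DeletedObjectByGuid -ObjectGUID $victim.ObjectGUID -Commit
```

The ObjectSID column is kept in the listing deliberately: when an unknown SID turns up in an ACL or a log, matching it against deleted objects is often the quickest way to learn what it was.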