Active Directory Module for Windows PowerShell – Quick start guide
AD Powershell is available starting with Windows Server 2008 R2. To use the AD Powershell cmdlets, you must have at least one Windows Server 2008 R2 domain controller (DC) in your domain.
Installing AD Powershell module:
On a Windows Server 2008 R2 box, open an elevated Powershell console window (powershell.exe) and run the following commands:
PS C:\> import-module servermanager
PS C:\> Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
NOTE: AD Powershell module is installed by default on a DC.
Loading AD Powershell module:
Open a Powershell console window and type
PS C:\> import-module activedirectory
Active Directory PSDrive:
If the machine is joined to a domain then a default drive named AD: is created. You can CD into this drive and use all the regular file system commands to navigate the directory. The paths are in X500 format.
PS C:\> cd AD:
PS AD:\> dir
…
PS AD:\> cd "DC=fabrikam,DC=com"
PS AD:\DC=fabrikam,DC=com> md "OU=myNewOU"
…
PS AD:\DC=fabrikam,DC=com> del "OU=myNewOU"
If you want to create a new drive connected to another domain/forest or use the more readable canonical path format, type:
PS C:\> New-PSDrive -PSProvider ActiveDirectory -Server "contoso.fabrikam.com" -Credential "Contoso\Administrator" -Root "" -Name Contoso -FormatType Canonical
…
PS C:\> cd Contoso:
PS Contoso:\> dir | ft CanonicalName
…
PS Contoso:\> cd "contoso.fabrikam.com/"
Getting cmdlet list, help and examples:
Powershell uses verb-noun name-pair format to name cmdlets. For example:
New-ADGroup
Get-ADDomain
To get a list of AD cmdlets type
PS AD:\> get-help *-AD*
PS AD:\> get-help New-AD* ## would list all the cmdlets that create new AD objects
To get more info on a specific cmdlet or read examples, type
PS AD:\> get-help set-aduser -detailed
PS AD:\> get-help get-aduser -examples
Tips: You can use the tab completion feature of Powershell to complete cmdlet names or parameter names. For example, after entering the Verb- part of a cmdlet name you can press the <TAB> key to cycle through all of the nouns available for that verb.
Common tasks:
Here are some examples of commonly performed tasks using AD cmdlets:
PS C:\> New-ADUser -Name "John Smith" -SamAccountName JohnS -DisplayName "John Smith" -Title "Account Manager" -Enabled $true -ChangePasswordAtLogon $true -AccountPassword (ConvertTo-SecureString "p@ssw0rd" -AsPlainText -force) -PassThru
PS C:\> New-ADGroup -Name "Account Managers" -SamAccountName AcctMgrs -GroupScope Global -GroupCategory Security -Description "Account Managers Group" -PassThru
PS C:\> New-ADOrganizationalUnit -Name AccountsDepartment -ProtectedFromAccidentalDeletion $true -PassThru
PS C:\> Get-ADUser -Filter { name -like "john*" } ## Gets all the users whose name starts with John
PS C:\> Add-ADGroupMember -Identity AcctMgrs -Members JohnS
PS C:\> Get-ADGroupMember -Identity AcctMgrs
PS C:\> Get-ADPrincipalGroupMembership -Identity JohnS ## Gets all the groups in which the specified account is a direct member.
PS C:\> Get-ADAccountAuthorizationGroup -Identity JohnS ## Gets the token groups of an account
PS C:\> Unlock-ADAccount -Identity JohnS
PS C:\> Get-ADForest -Current LocalComputer
PS C:\> Get-ADDomain -Current LoggedOnUser
PS C:\> Get-ADDomainController -Filter { name -like "*" } ## Gets all the DCs in the current domain
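The following script is an added example and not part of the original post: it strings the common tasks above together, prompting for the initial password with Read-Host -AsSecureString so that no clear-text password is typed on the command line (where it would stay in the console history and be visible in the process command line), checks before creating or adding to avoid the errors New-ADUser and Add-ADGroupMember raise on duplicates, and adds a small audit helper (Get-ADIndirectGroupMembership, a name chosen here) that reports the groups an account holds rights in through nesting, i.e. those returned by Get-ADAccountAuthorizationGroup but not by Get-ADPrincipalGroupMembership. The OU distinguished name and the account and group names are constructed sample values.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and the caller has rights to create objects in the OU.
Import-Module ActiveDirectory

# Constructed sample values; the OU DN is an assumption for this example.
$ouPath     = 'OU=AccountsDepartment,DC=fabrikam,DC=com'
$samAccount = 'JohnS'
$groupSam   = 'AcctMgrs'

# Read-Host -AsSecureString returns a SecureString directly, so the password
# never appears in clear text on the command line or in the history.
$password = Read-Host -Prompt "Initial password for $samAccount" -AsSecureString

# Create the user only if it does not already exist. A -Filter query that
# matches nothing returns nothing rather than raising an error.
if (-not (Get-ADUser -Filter { SamAccountName -eq $samAccount })) {
    New-ADUser -Name 'John Smith' -SamAccountName $samAccount `
        -DisplayName 'John Smith' -Title 'Account Manager' -Path $ouPath `
        -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true
}

# Add-ADGroupMember fails if the account is already a member, so check first.
$currentMembers = Get-ADGroupMember -Identity $groupSam |
                  ForEach-Object { $_.SamAccountName }
if ($currentMembers -notcontains $samAccount) {
    Add-ADGroupMember -Identity $groupSam -Members $samAccount
}

function Get-ADIndirectGroupMembership {
    <#
    .SYNOPSIS
    Lists the security groups an account belongs to for authorization
    purposes (token groups, nesting resolved) that are not in its direct
    membership list. Useful when auditing who effectively holds a
    privileged group's rights through nested groups.
    #>
    param([Parameter(Mandatory = $true)][string]$Identity)

    # Direct memberships only; this list also includes distribution groups.
    $directSids = Get-ADPrincipalGroupMembership -Identity $Identity |
                  ForEach-Object { $_.SID.Value }

    # Token groups: security groups only, nested and implicit ones included.
    # Compare by SID, because some implicit groups carry no distinguishedName.
    Get-ADAccountAuthorizationGroup -Identity $Identity |
        Where-Object { $directSids -notcontains $_.SID.Value } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account = $Identity
                Group   = $_.Name
                SID     = $_.SID.Value
            }
        }
}

Get-ADIndirectGroupMembership -Identity $samAccount |
    Format-Table Account, Group, SID -AutoSize
```

The comparison is done on SIDs rather than distinguished names because the token-group list can contain well-known groups that have a SID but no distinguished name. Run the audit helper against members of sensitive groups to see which memberships are inherited through nesting rather than granted directly.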
What next?
In the next post we will give an overview of Active Directory Powershell and talk about various cmdlets we provide in this release.
Enjoy!
Swami
--
Swaminathan Pattabiraman [MSFT]
Developer – Active Directory Powershell Team
Comments
Anonymous
February 27, 2009
Almost forgot... About Search-ADAccount... There is no such verb as Search- or Find- in PowerShell, and no need for it.
Here is a quote from the PowerShell concepts about verbs (http://msdn.microsoft.com/en-us/library/ms714428.aspx):
Get: Retrieves a resource. For example, the Get-Content cmdlet retrieves the content of a file. Pairs with Set. Do not use verbs such as Read, Open, Cat, Type, Dir, Obtain, Dump, Acquire, Examine, Find, or Search.
All the functionality that it provides must be built into the Get-AD* cmdlets.
There is no good in building more and more cmdlets just to separate some aspects of the same general task (except if you get bonuses for it ;)). Get-ADObject (Account/Principal/Whatever) should Get any AD objects in any way that I want (I don't want to search, I want GET ;)). Get-ADUser/Computer are just special aliases for some popular types.
Same with Set. Set-ADSomething should set any of Something's properties, like password for example. Reset-ADPrincipalPassword doesn't hurt while it is an "alias" for Set-ADAccount -Password (Get-Credential).
All this will make the AD part of PowerShell integrate better into the whole system.
And... I didn't notice formatting of AD objects, just because I think it will be done some time later, prior to release. Is it in the plans? :)
Vasily Gusev, MVP: Admin Frameworks.
Anonymous
March 02, 2009
Thanks Vasily for the feedback. Here are some answers to specific questions.

> 1. Why do you require the -Server parameter in New-PsDrive?
The -Server parameter is optional in all our cmdlets and by default the cmdlets talk to a suitable DC in the computer's domain.

> 2. -Root parameter which can easily default to ""
Fair point.

> 3. Regarding - Why not Get-ADSomething john* or even Get-ADSomething john? You can use query by ANR ..
> Get-ADDomainController -Filter { name -like "*" } ## Gets all the DCs in the current domain
> Get-ADDomain : Parameter set cannot be resolved using the specified named parameters.
We are working on the default behavior of all the cmdlets and the experience should be better in the next release :)
The default parameter set for get directory object cmdlets such as Get-ADObject, Get-ADUser, Get-ADGroup etc. is -Identity. The purpose of -Identity is to uniquely identify an object in a domain. Thus we only support identities (such as distinguishedName, objectGuid, objectSid and samAccountName) that are guaranteed to be unique by the server. For certain special objects (example: Fine Grained Password policy, Site, Domain controller etc.) we support "name" as the identity. We will write more about Identity in a separate blog.
Since ANR can potentially return more than one object, it does not qualify as an Identity. However, you can run an ANR query using a filter:
PS C:\> get-aduser -Filter { anr -eq "John" }
For getting all users type:
PS C:\> get-aduser -Filter { name -like "*" }

> 4. Is Get-ADAccountAuthorizationGroup nothing other than Get-ADPrincipalGroupMembership with a recurse parameter?
Not exactly. Get-ADAccountAuthorizationGroup returns all the security groups in which an account is a direct or indirect member. It does not include Distribution Groups. The returned set may also include additional groups that the system would consider the user a member of for authorization purposes.

> 5. Why in one case do you use "Principal" (Get-ADPrincipalGroupMembership) and in another "Account" (Get-ADAccountAuthorizationGroup)?
Good question. We would like to address this in a separate blog. Watch out for a topic on "ADObject model".

> 6. About Search-ADAccount... There is no such verb as Search- or Find- in PowerShell, and no need for it.
It is a valid verb in Powershell V2 (http://blogs.msdn.com/powershell/archive/2007/05/09/proposed-new-standard-verbs.aspx).

> 7. There is no good in building more and more cmdlets just to separate some aspects of the same general task.
Again a good question, but I would prefer to address this in a separate blog. For now here is a short answer: Get-ADUser/ADComputer are not just special aliases. They retrieve additional data and display it in rich format. They also accept data in rich format inside the -Filter parameter. Similarly, Set-ADUser, Set-ADComputer, New-ADUser, New-ADGroup etc. provide additional/relevant parameters for creating/writing the respective objects.

> 8. And... I didn't notice formatting of AD objects, just because I think it will be done some time later, prior to release. Is it in the plans? :)
Ah.. we thought no one would notice :)

Once again thanks for the feedback. Keep them coming.
Cheers,
Swami
Anonymous
March 02, 2009
Brandon Shell pointed out an elegant way to get a list of AD cmdlets. Here it is..
PS C:\> get-command -module ActiveDirectory -verb get
PS C:\> get-command -module ActiveDirectory -noun ADUser
Cheers,
Swami
Anonymous
March 05, 2009
> The default parameter set for get directory object cmdlets such as: Get-ADObject, Get-ADUser, Get-ADGroup etc. is -Identity.
> get-aduser -Filter { anr -eq "John" }
You can have more than one default parameter (in different parameter sets), so it can easily be -Identity, and then (if the input is not a valid X500 path) fall back to -Anr.
Anonymous
March 05, 2009
> Ah.. we thought no one would notice :)
You joking? :) This is hard to believe :)
Anonymous
March 06, 2009
@Xaegr
> Ah.. we thought no one would notice :)
> You joking? :) This is hard to believe :)
Yes, I was just joking. Btw, was your comment regarding the Provider cmdlet output? Or for all AD cmdlets?
Cheers,
Swami
Anonymous
March 11, 2009
No, the output from get-aduser is fine for me, for example.
Only one suggestion: please accept wildcard chars for the -Properties parameter :) Not everyone can remember AD property names for objects, so get-aduser someone -prop logon* would be useful. And get-aduser someone -prop * of course.
Anonymous
March 12, 2009
The -Properties parameter does support * and returns all properties + ldap attributes set on the object. It does not support wildcard chars on the parameters. You can query the schema to get a list of all ldap attributes that can be set on an AD object. Here is a Powershell function that does this:

function GetPossibleLdapAttributes() {
    Param ([Parameter(Mandatory=$true, Position=0)] [String] $ObjectClass)
    # rootDSE exposes the forest's schema naming context (CN=Schema,CN=Configuration,...)
    $rootDSE = Get-ADRootDSE
    # Look up the classSchema object by its lDAPDisplayName and read its two
    # optional-attribute lists. Only the class's own lists are returned, not
    # those it inherits from its superclasses.
    $schemaObject = Get-ADObject -Filter { ldapDisplayName -like $ObjectClass } `
        -Properties mayContain, systemMayContain `
        -SearchBase $rootDSE.SchemaNamingContext
    $schemaObject.MayContain
    $schemaObject.SystemMayContain
}

Type:
PS C:\> GetPossibleLdapAttributes computer
PS C:\> GetPossibleLdapAttributes user
Cheers,
Swami
Anonymous
April 19, 2009
On cmdlets like new-aduser could we have -organizationalunit rather than -path (an alias on the parameter would be acceptable). AD admins think in terms of OUs rather than paths, plus it would be consistent with Exchange.
Anonymous
December 08, 2011
ServerManager Best Practices for AD scan is showing two problems:
ActiveDirectory-Powershell is not installed
I've tried enabling it, but I'm told the feature isn't recognized, even though dism /online /get-features lists it.
Strict replication consistency should be enabled
Not sure if I should do this considering the warning about lingering objects and possible forest-wide authentication issues if LOs exist and strict is enabled.
How can I reinstall the ActiveDirectory-Powershell feature and enable it?
Should I worry about the strict setting?
Help!
Anonymous
June 13, 2014
To load any module upon opening PowerShell, do the following:
Open PowerShell
Type: $profile
Create the path and file if required
--OR-- for all PowerShell/ISE/USERS: create the file C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
Open the .ps1 in PowerShell ISE
Modify to include the modules you require, i.e.: Import-Module ActiveDirectory
Save
Test (close all PowerShells, open a new one)
Cake?