Five free ways to script Active Directory in PowerShell: Part 1

Free.  Double your money back.  Cheap at twice the price.

Today IT budgets are tighter than packets on a 56k modem.  Have you ever asked your boss to buy some scripting tools to help do your job?  Which response did they give you?

  • "Where do you think you are?  Wal-Mart?"
  • "Sure.  Email me an ROI analysis in triplicate."
  • "Go have a bake sale."

This post is the first in a series highlighting out-of-the-box PowerShell support for Active Directory. If you're just now learning how to use PowerShell with Active Directory, then start here. If you already have some experience in this category, then I'm going to show you some handy tips that will take your skills to the next level.

We are going to explore five free ways you have to work with Active Directory in PowerShell:

  1. CMD utilities
  2. WMI
  3. ADSI
  4. .NET
  5. The Active Directory module

Each post will have demo files attached for your scripting pleasure.

CMD and CSV

Are you serious?  Command line?!  Yes, I know we left that behind for the greener pastures of PowerShell, but I want to show you a few nuggets here.  No one wants to parse flat text output, so we're going straight to the snazzy factor of CSV.  A few of the most handy command line utilities have switches for CSV output.  All we do is snag that CSV output into a PowerShell object, and SHAZAM!  The cmdlet ConvertFrom-CSV is your new best friend.  We don't even have to dump the output to a file first.  We can simply grab the CSV straight from the pipeline.

When you're in a tight spot you can go old-school and automate with the ingredients you have on hand. Just note, however, that your favorite EXE utilities are not always available depending on which tools or resource kits have been installed. In some cases there are better PowerShell ways to get the data, but this is still cool in a "look what I get for free" way!

REPADMIN

Why re-invent the wheel?  If REPADMIN does what you want, then you won't need to roll your own object.  You could easily fashion a poor man's AD replication monitoring solution by capturing REPADMIN output in CSV, analyzing it for failures, and then sending an email alert. Set it as a scheduled task on your tools server. Using Out-GridView is so much easier than trying to read all of the wrapping REPADMIN output lines in the console.

# A quick replication health report
repadmin /showrepl * /csv | ConvertFrom-CSV | Out-GridView

# Replication health for a site
repadmin /showrepl * /csv | ConvertFrom-CSV |
    Where-Object {$_."Source DSA Site" -eq "Ohio"} | Out-GridView

# Replication health grouped by naming context (database partition)
repadmin /showrepl * /csv | ConvertFrom-CSV |
    Sort-Object "Naming Context" | Format-Table -GroupBy "Naming Context"
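
The "poor man's monitor" described above, sketched as an added example (not part of the original demo files). It filters the REPADMIN CSV for failing links and builds an alert body. The sample rows, the layout of the showrepl_ERROR row, the function name, and the mail addresses are assumptions made for illustration.

```powershell
# Constructed sample of `repadmin /showrepl * /csv` output (not from a real forest).
# The layout of the showrepl_ERROR row is an assumption.
$SampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Ohio,DC1,"DC=wingtiptoys,DC=local",Ohio,DC2,RPC,0,0,2012-02-28 09:15:02,0
showrepl_INFO,Ohio,DC1,"DC=wingtiptoys,DC=local",Texas,DC3,RPC,14,2012-02-28 09:10:41,2012-02-27 21:03:11,1722
showrepl_ERROR,Texas,DC4,,,,,,,,
'@ -split "`r?`n"

# Hypothetical helper: returns only the rows that need attention.
function Get-ReplicationFailure {
    param([Parameter(Mandatory=$true)][string[]]$CsvLine)
    $CsvLine | Where-Object { $_ } | ConvertFrom-Csv | Where-Object {
        # Rows repadmin itself marked as errors, plus links with failed attempts.
        ($_.showrepl_COLUMNS -ne 'showrepl_INFO') -or ([int]$_.'Number of Failures' -gt 0)
    } | Select-Object showrepl_COLUMNS, 'Destination DSA', 'Source DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

# Live use (requires repadmin.exe): Get-ReplicationFailure (repadmin /showrepl * /csv)
$Rows = @(Get-ReplicationFailure -CsvLine $SampleCsv)
if ($Rows.Count -gt 0) {
    $Body = $Rows | Format-List | Out-String
    $Body
    # Placeholder mail settings; set $SmtpServer to a real relay to send the alert.
    $SmtpServer = $null
    if ($SmtpServer) {
        Send-MailMessage -SmtpServer $SmtpServer -From 'adrepl@example.com' `
            -To 'adadmins@example.com' -Body $Body `
            -Subject "AD replication: $($Rows.Count) problem link(s)"
    }
}
```

Run from a scheduled task, the script stays silent while every link reports zero failures and only sends mail when a row is flagged.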

WHOAMI

I always thought this utility sounded like the name of a goofy party game.  So let's get this party started.  Check out these tricks.

# A convenient list of my group memberships.
whoami /groups /fo csv | ConvertFrom-Csv | Out-GridView

# Grab the logged in user SID quickly.
$UserSID = whoami /user /fo csv | ConvertFrom-Csv | Select-Object -ExpandProperty SID
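
The same CSV trick can answer a least-privilege question: which privileged groups does this session hold, and are they active in the token or deny-only (as in a non-elevated UAC session)? This is an added example, not from the original post. The sample rows, the made-up domain SID, the function name, and the English attribute text are assumptions.

```powershell
# Constructed sample of `whoami /groups /fo csv` output (domain SID is made up).
$SampleCsv = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"WINGTIPTOYS\Domain Admins","Group","S-1-5-21-1111111111-2222222222-3333333333-512","Group used for deny only"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""
'@ -split "`r?`n"

# Well-known privileged SIDs/RIDs: local Administrators (544),
# Domain Admins (512), Schema Admins (518), Enterprise Admins (519).
$PrivilegedSid = '^S-1-5-32-544$|^S-1-5-21-.+-(512|518|519)$'

# Hypothetical helper: lists privileged groups and whether the token can use them.
function Get-PrivilegedMembership {
    param([Parameter(Mandatory=$true)][string[]]$CsvLine)
    $CsvLine | Where-Object { $_ } | ConvertFrom-Csv |
        Where-Object { $_.SID -match $PrivilegedSid } |
        Select-Object 'Group Name', SID, @{
            Name       = 'ActiveInToken'
            # Assumes English output; "deny only" marks a filtered (non-elevated) token.
            Expression = { $_.Attributes -notmatch 'deny only' }
        }
}

# Live use: Get-PrivilegedMembership (whoami /groups /fo csv)
Get-PrivilegedMembership -CsvLine $SampleCsv | Format-Table -AutoSize
```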

SYSTEMINFO

Now this utility is handy, because it returns a ton of useful WMI data for any machine on the wire.  Some of this data happens to be domain-related.

# Handy system info
systeminfo /fo csv | ConvertFrom-Csv |
    Select-Object "Host Name", "Registered Owner", Domain, "Logon Server" |
    Format-Table -AutoSize

CSVDE

Back when Windows 2000 was released this little utility was amazing.  You can still get some mileage out of it using Import-CSV.  It's a whole lot easier than ADSISEARCHER.  (Did I say that out loud?)

# We can't leave out the classic CSVDE, a constant since Windows 2000.
# You could even recycle some existing scripts that use CSVDE.
csvde -p Subtree -l "cn,description" -d "dc=wingtiptoys,dc=local" -r "(objectClass=group)" -f csvde.txt
Import-Csv .\csvde.txt | Out-GridView

Dyn-O-Mite

And you thought this was going to be hard.  Our first lesson on AD and PowerShell started at the ground level with some old tools that you've probably used in the past.  These tips will work with any version of Active Directory or PowerShell, letting you get one more year out of those bell bottoms.

AD-cmd.p-s-1.txt

Comments

  • Anonymous
    February 28, 2012
    how about dsquery?

  • Anonymous
    October 29, 2014
    Welcome! Today’s post includes demo scripts and links from the Microsoft Virtual Academy event: Using PowerShell for Active Directory. We had a great time creating this for you, and I hope you will share it with anyone needing to ramp up their

  • Anonymous
    March 13, 2015
    Great stuff, thank you!

  • Anonymous
    August 18, 2015
    Hi,

    I am using Search-ADAccount -AccountExpires -Timespan "100". I am confused because PowerShell 2.0 returns a pretty good number of users, which is supposed to be correct, while PowerShell 4.0 gives me only a couple of users. The command is the same and I would like to know what's wrong with my query. Please help me understand.

  • Anonymous
    March 17, 2016
    I am a student who has started learning Automating Windows Server Administrative Tasks Using Windows PowerShell, and I am not finding things easy for myself. I want to know if I can get any assistance from this site.

  • Anonymous
    November 14, 2017
    Hi, yes, I am late to learn PowerShell, but it is nice to see the blog here for PowerShell and it's going to rock for me. Thanks-Ashley McGlone