Dedicated to using PowerShell for AD administration. As a starting point, I decided to take 10 common AD administration tasks and look at how they can be simplified using PowerShell:
- Reset user password
- Activate and deactivate accounts
- Unblock user account
- Delete your account
- Find empty groups
- Add users to the group
- List the members of the group
- Find obsolete computer accounts
- Deactivate computer account
- Find computers by type
In addition, the author maintains a blog (using PowerShell, of course), we recommend taking a look - jdhitsolutions.com/blog. And the most relevant you can get from his twitter twitter.com/jeffhicks.
So, below is the translation of the article “Top 10 Active Directory Tasks Solved with PowerShell”.
Managing Active Directory (AD) with Windows PowerShell is easier than you think, and I want to prove it to you. You can simply take the scripts below and use them to solve a number of AD management tasks.
Requirements
To use PowerShell to manage AD, there are several requirements that must be met. I'm going to demonstrate how the AD cmdlets work on a Windows 7 computer as an example.
To use the cmdlets, you must have a Windows Server 2008 R2 domain controller, or you can download and install the Active Directory Management Gateway Service on legacy DCs. Read the documentation carefully before installing; CD restart required.
On the client side, download and install (RSAT) for either Windows 7 or Windows 8. In Windows 7, you will need to open in Control Panels chapter Programs and choose Turn Windows Features On or Off... Find Remote Server Administration Tools and expand the section Role Administration Tools... Select the appropriate items for AD DS and AD LDS Tools, especially note that the item must be selected Active Directory Module for Windows PowerShell as shown in Figure 1. (In Windows 8, all tools are selected by default). We are now ready to go.
Figure 1 Enabling AD DS and AD LDS Tools
I am logged in with an account with domain administrator rights. Most of the cmdlets I'll show will allow you to specify alternative credentials. Anyway, I recommend reading the help ( Get-Help) and examples that I will demonstrate below.
Start a PowerShell session and import the module:
PS C: \> Import-Module ActiveDirectory
The import creates a new PSDrive, but we won't be using it. However, you can see what commands are in the imported module.
PS C: \> get-command -module ActiveDirectory
The beauty of these commands is that if I can use a command for one AD object, then it can be used for 10, 100, and even 1000. Let's see how some of these cmdlets work.
Task 1: Reset User Password
Let's start with a typical task: resetting a user's password. This can be done easily and simply through the cmdlet Set-ADAccountPassword... The tricky part is that the new password must be qualified as a secure string: a piece of text that is encrypted and stored in memory throughout the PowerShell session. First, let's create a variable with a new password:
PS C: \> $ new = Read-Host "Enter the new password" -AsSecureString
Then, let's enter a new password:
We can now retrieve the account (using samAccountname Is the best option) and set a new password. Here's an example for user Jack Frost:
PS C: \> Set-ADAccountPassword jfrost -NewPassword $ new
Unfortunately, there is a bug with this cmdlet: -Passthru, -Whatif, and –Confirm does not work. If you prefer a short cut, try the following:
PS C: \> Set-ADAccountPassword jfrost -NewPassword (ConvertTo-SecureString -AsPlainText -String " [email protected]"-force)
As a result, I need Jack to change the password the next time I log in, and I modify the account using Set-ADUser.
PS C: \> Set-ADUser jfrost -ChangePasswordAtLogon $ True
The results of running the cmdlet are not written to the console. If it needs to be done, use –True... But I can find out if the operation was successful or not by extracting the username using the cmdlet Get-ADUser and specifying the property PasswordExpired as shown in Figure 2.
Rice. 2. The results of the Get-ADUser Cmdlet cmdlet with the PasswordExpired property
Bottom line: Resetting a user's password using PowerShell is not difficult at all. I confess that resetting the password is also easy through a snap. Active Directory Users and Computers console Microsoft Management Console (MMC). But using PowerShell is fine if you need to delegate a task, don't want to deploy the aforementioned snap-in, or reset your password in a large automated IT process.
Task 2: Activate and Deactivate Accounts
Now let's deactivate the account. Let's continue working with Jack Frost. This code uses the parameter –Whatif, which you can see in other cmdlets that make changes to test my command without running it.
PS C: \> Disable-ADAccount jfrost -whatif What if: Performing operation "Set" on Target "CN = Jack Frost, OU = staff, OU = Testing, DC = GLOBOMANTICS, DC = local".
Now let's deactivate for real:
PS C: \> Disable-ADAccount jfrost
And when it's time to activate your account, which cmdlet will help us?
PS C: \> Enable-ADAccount jfrost
These cmdlets can be used in a pipelined expression, allowing you to activate or deactivate as many accounts as you like. For example, this code deactivates all accounts in the Sales department.
PS C: \> get-aduser -filter "department -eq" sales "" | disable-adaccount
Of course, writing a filter for Get-ADUser pretty tricky, but this is where using the parameter –Whatif along with the cmdlet Disable-ADAccount comes to the rescue.
Task 3: Unlock User Account
Consider a situation where Jack has locked his account while trying to enter a new password. Instead of trying to find his account through the GUI, the unlocking procedure can be done with a simple command.
PS C: \> Unlock-ADAccount jfrost
The cmdlet also supports parameters -Whatif and -Confirm.
Task 4: Delete Account
It doesn't matter how many users you delete, it's easy to do with the cmdlet Remove-ADUser... I don't want to remove Jack Frost, but if I wanted to, I would use code like this:
PS C: \> Remove-ADUser jfrost -whatif What if: Performing operation "Remove" on Target "CN = Jack Frost, OU = staff, OU = Testing, DC = GLOBOMANTICS, DC = local".
Or I can enter multiple users and delete them with one simple command:
PS C: \> get-aduser -filter "enabled -eq" false "" -property WhenChanged -SearchBase "OU = Employees, DC = Globomantics, DC = Local" | where ($ _. WhenChanged -le (Get-Date) .AddDays (-180)) | Remove-ADuser -whatif
This command will find and remove any deactivated Employees OU accounts that have not changed for 180 days or more.
Task 5: Finding Empty Groups
Group management is endless and thankless. There are many ways to find empty groups. Some expressions may work better than others, depending on your organization. The code below will find all groups in a domain, including built-in ones.
PS C: \> get-adgroup -filter * | where (-Not ($ _ | get-adgroupmember)) | Select Name
If you have groups with hundreds of members, then using this command can be time consuming; Get-ADGroupMember checks every group. If you can limit or customize, it will be better.
Here's another approach:
PS C: \> get-adgroup -filter "members -notlike" * "-AND GroupScope -eq" Universal "" -SearchBase "OU = Groups, OU = Employees, DC = Globomantics, DC = local" | Select Name, Group *
This command finds all Universal groups that do not have OU Groups membership and displays some of the properties. The result is shown in Figure 3. 
Rice. 3. Searching and filtering universal groups
Task 6: Adding Users to the Group
Let's add Jack Frost to the Chicago IT group:
PS C: \> add-adgroupmember "chicago IT" -Members jfrost
Yes, it's that simple. You can also easily add hundreds of users to groups, although this is a little awkward in my opinion:
PS C: \> Add-ADGroupMember "Chicago Employees" -member (get-aduser -filter "city -eq" Chicago "")
I used the parenthetical pipelined expression to find all users who have a City property in Chicago. The parenthesized code is executed and the resulting objects are passed to the –Member parameter. Each custom object is added to the Chicago Employees group. It doesn't matter if we are dealing with 5 or 5000 users, updating group memberships only takes a few seconds. This expression can also be written using ForEach-Object, which could be more convenient:
PS C: \> Get-ADUser -filter "city -eq" Chicago "" | foreach (Add-ADGroupMember "Chicago Employees" -Member $ _)
Task 7: Displaying a List of Group Members
You might want to know who is in a particular group. For example, you should periodically find out who is a member of the Domain Admins group:
PS C: \> Get-ADGroupMember "Domain Admins"
Figure 4 shows the result.
Rice. 4. Members of the Domain Admins group
The cmdlet lists the AD object for each member of the group. But what about nested groups? My Chicago All Users group is a collection of nested groups. To get a list of all accounts, I just have to use the parameter –Recursive.
PS C: \> Get-ADGroupMember "Chicago All Users" -Recursive | Select DistinguishedName
If you want to go the other way - find what groups the user belongs to - use the user property MemberOf:
PS C: \> get-aduser jfrost -property Memberof | Select -ExpandProperty memberOf CN = NewTest, OU = Groups, OU = Employees, DC = GLOBOMANTICS, DC = local CN = Chicago Test, OU = Groups, OU = Employees, DC = GLOBOMANTICS, DC = local CN = Chicago IT, OU = Groups, OU = Employees, DC = GLOBOMANTICS, DC = local CN = Chicago Sales Users, OU = Groups, OU = Employees, DC = GLOBOMANTICS, DC = local
I used the parameter -ExpandProperty to display names MemberOf like strings.
Task 8: Find Outdated Computer Accounts
I am often asked this question: "How do I find outdated computer accounts?" And I always answer: "What is outdated for you?" Companies vary in their definitions of when a computer (or user, it doesn't matter) account is deprecated and no longer usable. As for me, I pay attention to those accounts for which passwords have not been changed for a certain period of time. This period for me is 90 days - if the computer has not changed the password along with the domain during this period, most likely it is offline and outdated. The cmdlet is used Get-ADComputer:
PS C: \> get-adcomputer -filter "Passwordlastset -lt" 1/1/2012 "" -properties * | Select name, passwordlastset
The filter works great with a hard value, but this code will update for all computer accounts that haven't changed their passwords since January 1, 2012. The results are shown in Figure 5.
Rice. 5. Find outdated computer accounts
Another option: suppose you are at least at the functional level of a Windows 2003 domain. Filter by the property LastLogontimeStamp... This value is the number of 100 nanosecond intervals since January 1, 1601, and is stored in GMT, so working with this value is a bit tricky:
PS C: \> get-adcomputer -filter "LastlogonTimestamp -gt 0" -properties * | select name, lastlogontimestamp, @ (Name = "LastLogon"; Expression = (:: FromFileTime ($ _. Lastlogontimestamp))), passwordlastset | Sort LastLogonTimeStamp
Rice. 6. Convert the LastLogonTimeStamp value to the usual format
To create a filter, I need to convert a date, for example January 1, 2012, into the correct format. Conversion is carried out in FileTime:
PS C: \> $ cutoff = (Get-Date "1/1/2012"). ToFileTime () PS C: \> $ cutoff 129698676000000000
Now I can use this variable in the filter for Get-ADComputer:
PS C: \> Get-ADComputer -Filter "(lastlogontimestamp -lt $ cutoff) -or (lastlogontimestamp -notlike" * ")" -property * | Select Name, LastlogonTimestamp, PasswordLastSet
The above code finds the same computers shown in Figure 5.
Task 9: Deactivate Computer Account
Perhaps when you find inactive or outdated accounts, you want to deactivate them. This is quite easy to do. We will use the same cmdlet that we used with user accounts. You can refine it by using samAccountname account.
PS C: \> Disable-ADAccount -Identity "chi-srv01 $" -whatif What if: Performing operation "Set" on Target "CN = CHI-SRV01, CN = Computers, DC = GLOBOMANTICS, DC = local".
Or using a pipelined expression:
PS C: \> get-adcomputer "chi-srv01" | Disable-ADAccount
I can also use my code to find outdated accounts and deactivate them all:
PS C: \> get-adcomputer -filter "Passwordlastset -lt" 1/1/2012 "" -properties * | Disable-ADAccount
Task 10: Find computers by type
I am also often asked the question of how to find computer accounts by type, such as servers or workstations. This requires a certain amount of creativity on your part. There is nothing in AD that differentiates the server from the client, except perhaps the OS. If your computer is running Windows Server 2008, there are a few extra steps to take.
First, you need to get a list of OS, and then we filter the accounts by the available OS.
PS C: \> Get-ADComputer -Filter * -Properties OperatingSystem | Select OperatingSystem -unique | Sort OperatingSystem
The results are shown in Figure 7.
Rice. 7. Extract OS list
I want to find all computers that have a server OS:
PS C: \> Get-ADComputer -Filter "OperatingSystem -like" * Server * "" -properties OperatingSystem, OperatingSystem ServicePack | Select Name, Op * | format-list
The results are shown in Figure 8.
As with other AD Get cmdlets, you can customize your search parameters and restrict the query to specific OUs, if necessary. All of the expressions I've shown can be integrated into large PowerShell expressions. For example, you can sort, group, apply filters, export to CSV, or create and email HTML reports - all from PowerShell! In this case, you do not have to write a single squeak.
Here's a bonus for you: the user password-age report saved in an HTML file:
PS C: \> Get-ADUser -Filter "Enabled -eq" True "-AND PasswordNeverExpires -eq" False "" -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired | Select DistinguishedName, Name, pass *, @ (Name = "PasswordAge"; Expression = ((Get-Date) - $ _. PasswordLastSet)) | sort PasswordAge -Descending | ConvertTo-Html -Title "(! LANG: Password Age Report" | Out-File c:\Work\pwage.htm !}
While this expression may look a little intimidating, with a little knowledge of PowerShell it is easy to use. And only the last piece of advice remains: how to define a custom property called PasswordAge... The value represents the interval between today and the PasswordLastSet property. Then I sort the results for my new property. Figure 9 shows the output for my small test domain.
Upd:
The post contains the translation of the article on the portal
0
I have the following working script that checks if a large list of users in a CSV file is a member of an AD group and writes the results to results.csv.
Not sure how to convert the script so I can change $ group = "InfraLite" to $ group = DC. \ List_Of_AD_Groups.CSV.
Thus, the script does not just return matches for one AD group, but so it returns matches for 80 AD groups contained in List_of_AD_groups.csv. Writing YES / NO for each AD group in a new CSV column (or, if this is not possible, creating a separate CSV file for each group with results will also.
I could do it manually by changing the value from $ group and the export file name and rerunning the script 80 times, but had to be quick with PS to do this
e.g. results.csv?:
NAME AD_GROUP1 AD_GROUP2 AD_GROUP80 etc etc. user1 yes no yes user2 no no yes user3 no yes no echo "UserName`InfraLite" >> results.csv $ users = GC. \ user_list.csv $ group = "InfraLite" $ members = Get-ADGroupMember -Identity $ group -Recursive | Select -ExpandProperty SAMAccountName foreach ($ user in $ users) (if ($ members -contains $ user) (echo "$ user $ group`tYes" >> results.csv) else (echo "$ user`tNo" >> results .csv))
2 answers
Sorting:
Activity
0
A trivial solution to your problem would be to wrap your existing code in another loop and create an output file for each group:
$ groups = Get-Content "C: \ groups.txt" foreach ($ group in $ groups) ($ members = Get-ADGroupMember ... ...)
A cleaner approach would be to create a group mapping template, clone it for each user, and populate a copy with the user's group memberships. Something like this should work:
$ template = @ () Get-Content "C: \ groups.txt" | ForEach-Object ($ template [$ _] = $ false) $ groups = @ () Get-ADGroup -Filter * | ForEach-Object ($ groups [$ _. DistinguishedName] = $ _. Name) Get-ADUser -Filter * -Properties MemberOf | ForEach-Object ($ groupmap = $ template.Clone () $ _. MemberOf | ForEach-Object ($ groups [$ _]) | Where-Object ($ groupmap.ContainsKey ($ _)) | ForEach-Object ($ groupmap [$ _] = $ true) New-Object -Type PSObject -Property $ groupmap) | Export-Csv "C: \ user_group_mapping.csv" -NoType
0
I've been playing with this for a while and I think I found a way to get you exactly what you were after.
I think Ansgar was on the right track, but I couldn't get him to do what it did after. He mentioned that at the time of writing, he did not have access to the AD environment.
This is what I came up with:
$ UserArray = Get-Content "C: \ Temp \ Users.txt" $ GroupArray = Get-Content "C: \ Temp \ Groups.txt" $ OutputFile = "C: \ Temp \ Something.csv" # Setting up a hashtable for later use $ UserHash = New-Object -TypeName System.Collections.Hashtable # Outer loop to add users and membership to UserHash $ UserArray | ForEach-Object ($ UserInfo = Get-ADUser $ _ -Properties MemberOf # Strips the LPAP syntax to just the SAMAccountName of the group $ Memberships = $ UserInfo.MemberOf | ForEach-Object (($ _. Split (",")) .replace ("CN =", "")) #Adding the User = Membership pair to the Hash $ UserHash.Add ($ _, $ Memberships)) # Outer loop to create an object per user $ Results = $ UserArray | ForEach-Object (# First create a simple object $ User = New-Object -TypeName PSCustomObject -Property @ (Name = $ _) # Dynamically add members to the object, based on the $ GroupArray $ GroupArray | ForEach-Object (#Checking $ UserHash to see if group shows up in user "s membership list $ UserIsMember = $ UserHash. ($ User.Name) -contains $ _ #Adding property to object, and value $ User | Add-Member -MemberType NoteProperty -Name $ _ -Value $ UserIsMember) #Returning the object to the variable Return $ User) #Convert the objects to a CSV, then output them $ Results | ConvertTo-CSV -NoTypeInformation | Out-File $ OutputFile
Let's hope it all makes sense. I commented as much as I could. It would be very easy to convert to ADSI if you didn't have RSAT installed on whatever machine you run it on. If you need it, let me know and I'll make some quick changes.
Good afternoon, dear readers and subscribers, we continue to explore the possibilities of Powershell and Active Directory with you. As you remember, she has all user and computer accounts in the NTDS.dit database, everything is great and centralized. When a company has more than one system administrator, a situation may result that garbage and unnecessary credentials accumulate in it. We are all people and we can forget some things, and at some moments we can be distracted, which will also lead to forgetting important information. And we come to the conclusion that inactive users (fired or forgotten) accumulate in the Actvie Directory, in any case, a good system administrator should identify them, disable them and then delete them at will, which we will do.
Through the ADUC snap-in
Last time I already gave you an example of using the Active Directory Users and Computers snap-in, through which we searched for missing computers on the local network that had not appeared for a month. Now let's do the same with user accounts. I have AD on Windows Server 2012 R2, open ADUC, for this press WIN + R and enter dsa.msc.
In the request form that opens, specify:
- Request name> I have lost users
- Description if necessary
- Request root> here you can leave the entire domain, or specify it on the desired OU
Then we press the button request.
On the users tab, we see the item "Number of days since the last login", for example, I set 60 days.
As a result, you will get the list of inactive employee accounts you need.
Through the powershell snap-in
All the same can be done through Powershell. Immediately I will give a code whose task is to search for inactive users, for this I chose a period of 45 days, disconnecting user data and moving to a specially designated OU.
$ date_with_offset = (Get-Date) .AddDays (-45)
$ users = Get-ADUser -Properties LastLogonDate -Filter (LastLogonDate -lt $ date_with_offset) | Sort LastLogonDate
foreach ($ user in $ users) (set-aduser $ user -enabled $ false; move-adobject -identity $ user -targetpath "ou = Fired, ou = Msk L. users, ou = Location, dc = msk, dc = contoso, dc = com ")
Get-ADUser -Properties LastLogonDate -Filter (LastLogonDate -lt $ date_with_offset) | Sort LastLogonDate | FT Name, LastLogonDate -AutoSize | Out-File c: \ Script \ users.txt
- In the first line, you declare a variable in which you set the search term
- Create a variable and sample by the last login time
- Moving users
- Making a report to a file
More useful things for working with the user. Before using the commands below, you need to load the Active Directory module via the command
Get-Help Get-ADUser
In this article, we'll take a look at PowerShell's capabilities for managing Active Directory domain groups. We'll walk through how to create a new group in AD, add users to it (or delete), list the group's users, and a few other useful domain group tricks that are extremely useful in day-to-day administration. The following basic cmdlets are available in the Active Directory PowerShell Module to manage AD groups:
To use these cmdlets in your PowerShell session, a special AD interaction module must be loaded - Active Directory Module for Windows PowerShell... This module was first introduced in Windows Server 208 R2. In Windows Server 2012 and later, this module is enabled by default. On client computers, it can be installed and enabled as one of the RSAT components. You can check if the module is loaded like this:
Get-Module -Listavailable
As you can see, the ActiveDirectory module is loaded. If not, import it with the command:
Import-Module activedirectory
A complete list of module commands can be obtained as follows:
Get-Command -Module ActiveDirectory
There are 147 cmdlets available in the module, of which 11 can work with groups.
Get-Command -Module ActiveDirectory -Name "* Group *"
Here is a list of them:
- Add-ADPrincipalGroupMembership
- Get-ADAccountAuthorizationGroup
- Get-ADGroup
- Get-ADGroupMember
- Get-ADPrincipalGroupMembership
- New-ADGroup
- Remove-ADGroup
- Remove-ADPrincipalGroupMembership
- Set-ADGroup
Create a new group in the specified container (OU) Active Directory using the command New-ADGroup:
New-ADGroup "TestADGroup" -path "OU = Groups, OU = Moscow, DC = corp, dc = winitpro, DC = ru" -GroupScope Global -PassThru –Verbose
Using the attribute Description you can set a description of the group, and using DisplayName change the display name.
The parameter GroupScope you can set one of the following types of groups:
- 0 = DomainLocal
- 1 = Global
- 2 = Universal
You can create a distribution group like this:
New-ADGroup "TestADGroup-Distr" -path "OU = Groups, OU = Moscow, DC = corp, dc = winitpro, DC = ru" -GroupCategory Distribution -GroupScope Global -PassThru –Verbose
Add-AdGroupMember - add users to AD group
You can add users to an Active Directory group using the Add- AdGroupMember... Let's add two users to the new group:
Add-AdGroupMember -Identity TestADGroup -Members user1, user2
If the list of users to add to a group is rather large, you can save the list of accounts to a CSV file, then import this file and add each user to the group.
The CSV file format is as follows (list of users, one per line, column name is users)
Import-CSV. \ Users.csv -Header users | ForEach-Object (Add-AdGroupMember -Identity ‘TestADGroup’ -members $ _. Users)
To get all the members of one group (groupA) and add them to another group (groupB), use this command:
Get-ADGroupMember “GroupA” | Get-ADUser | ForEach-Object (Add-ADGroupMember -Identity “Group-B” -Members $ _)
In the event that you need to copy the members of all nested groups to a new group (recursively), you need to use the following command:
Get-ADGroupMember -Identity “GroupA” -Recursive | Get-ADUser | ForEach-Object (Add-ADGroupMember -Identity “GroupB” -Members $ _)
Remove-ADGroupMember - remove users from a group
To remove users from an AD group, use the Remove-ADGroupMember command. Let's remove two users from the group:
Remove-ADGroupMember -Identity TestADGroup -Members user1, user2
Confirm removal of users from the group:
If you need to remove users from a group according to the list from a CSV file, use the following command:
Import-CSV. \ Users.csv -Header users | ForEach-Object (Remove-ADGroupMember -Identity ‘TestADGroup’ -members $ _. Users)
Get-ADGroup - get information about an AD group
The cmdlet will help you get information about the group. Get-ADGroup:
Get-ADGroup "TestADGroup"
This command displays information about the main attributes of the group (DN, group type, name, SID). To display the value of all the attributes of an AD domain group, run the following command:
Get-ADGroup "TestADGroup" -properties *
As you can see, now attributes such as group creation and modification time, description, etc. are now displayed.
Using the Get-ADGroup cmdlet, you can find all the groups you are interested in by a specific pattern. For example, you need to find all AD groups that contain the phrase admins :
Get-ADGroup -LDAPFilter “(name = * admins *)” | Format-Table
Get-ADGroupMember - List the users of an AD group
Display a list of users in a group:
Get-ADGroupMember "TestADGroup"
To leave only usernames in the results, run:
Get-ADGroupMember "TestADGroup" | ft name
If this group includes other groups in the domain, to display a complete list of members, including all nested groups, use the parameter Recursive.
Get-ADGroupMember 'server-admins "-recursive | ft name
To export the list of accounts belonging to a specific group to a CSV file (for further use in Excel), run the following command:
Get-ADGroupMember 'server-admins "-recursive | ft samaccountname | Out-File c: \ ps \ admins.csv
We'll use the cmdlet to add AD user account information to a text file. For example, in addition to the account, you need to display the position and phone number of the group user:
Get-ADGroupMember -Identity ’server-admins’ -recursive | foreach (Get-ADUser $ _ -properties title, OfficePhone | Select-Object title, OfficePhone)
(Get-ADGroupMember -Identity "domain admins"). Count
It turned out that we have 7 administrator accounts in the "domain admins" group.
To find a list of empty groups in a specific OU, use this command:
Get-ADGroup -Filter * -Properties Members -searchbase “OU = Moscow, DC = corp, dc = winitpro, DC = ru” | where (-not $ _. members) | select Name
