
PowerShell - Manage AD through Command Line

There are several PowerShell commands to manage AD or to get AD information.

To use these features you need to install some modules, depending on your operating system.




1) Windows 7
This feature is part of the RSAT module (download Link); after installing it you need to enable it as follows:

After that you need to launch this command (if you are using an old PowerShell version):

Import-Module ActiveDirectory

The preceding command needs to be launched every time. If you want the module to be imported automatically, for your account only, add the command Import-Module ActiveDirectory to %UserProfile%\My Documents\WindowsPowerShell\profile.ps1.
If you only want to import the module in the PowerShell console, add the above command to Microsoft.PowerShell_profile.ps1 instead.

REMARK: The profile command will work only if the execution policy is set to RemoteSigned or Unrestricted.

Here is the correct command line:

Set-ExecutionPolicy RemoteSigned




2) Windows 2008 R2: RSAT is already installed and you simply need to enable it, as in the following screenshot.




Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory


Alternatively:



3) Windows 8/8.1: you only need to download RSAT @ 8.0 or RSAT @ 8.1.
All options are enabled by default and nothing more is necessary.

4) Windows 2012 and 2012 R2

You can install from here 



or by using this command:

Add-WindowsFeature RSAT-AD-PowerShell

You do not need to import the module.

5) Windows 2016

Through Powershell you can launch these commands:

Get-WindowsFeature RSAT-AD-PowerShell to check whether it is installed.

Install-WindowsFeature RSAT-AD-PowerShell

Then:


Import-module activedirectory

Get-Module

You will then see it in Administrative Tools --> Active Directory Module for Active Directory

6) Windows 10

You can use this script:

https://gallery.technet.microsoft.com/Install-the-Active-fd32e541

RSAT Windows 10


<---------->

You can launch this command to verify that the installation went fine:

Get-ADUser

You can review all the PowerShell commands available here:

Just to gain confidence with the potential of these commands you can.

Finding Locked-Out Users

Search-ADAccount -LockedOut | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A

Finding Users Whose Accounts Are About to Expire

The following example demonstrates how to find all the users whose accounts are about to expire in the next 90 days:

Search-ADAccount -AccountExpiring -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A

Get-ADUser enables you to query information about Active Directory user objects.

To view the number of failed logons since the last successful logon for a particular user:

Get-ADUser -Filter {Name -eq "Administrator"} -Properties * | Select-Object Name, msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon

Here is a Microsoft article that lets you review all the commands that can be useful:



Here is an article that explains some advantages of PowerShell:


More details here:



https://technet.microsoft.com/it-it/library/dd391936(v=ws.10).aspx


[Update 2020.04.29]

If you want to export all AD users, use the Get-ADUser command with this syntax (it lets you export the report to a .CSV file):

Get-ADUser -filter * -Properties * | select Name, saMAccountName, whencreated, LastLogondate, Enabled, AccountExpirationDate, PasswordExpired, PasswordLastSet, PasswordNeverExpires, Description | Export-CSV C:\TEMP\2020.04.29-ADUsers_1_00.csv -NoTypeInformation -Encoding UTF8

https://morgantechspace.com/2014/10/Powershel-Get-ADUser-Export-Select-Properties-Examples.html


============COMMAND 1 ========

Get-ADUser -filter * -Properties * | ft Name, saMAccountName, whencreated, LastLogondate, Enabled, accountexpirationdate, PasswordExpired, PasswordLastSet, PasswordNeverExpires, Description

============COMMAND 2 ========

Get-ADUser -filter * -Properties * | select Name, saMAccountName, whencreated, LastLogonDate, Enabled, accountexpirationdate, PasswordExpired, PasswordLastSet, PasswordNeverExpires, Description | Measure-Object 

============COMMAND 3 ========

Get-ADUser -filter * -Properties * | select Name, saMAccountName, whencreated, LastLogonDate, Enabled, accountexpirationdate, PasswordExpired, PasswordLastSet, PasswordNeverExpires, Description | Export-Csv C:\TEMP\ADUsers_1_01.csv -NoTypeInformation -Encoding UTF8
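
The export above lists every user with the same set of columns. As an added example (not part of the original post), the function below reads those columns and returns only the enabled accounts that deserve a review. The names Get-AccountReviewFlag and New-SampleUser, the 90-day threshold and the sample users are assumptions made for the illustration.

```powershell
# Added example, not from the original post. Get-AccountReviewFlag, New-SampleUser
# and the 90-day threshold are hypothetical choices.
function Get-AccountReviewFlag {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $StaleDays = 90,
        [datetime] $Now = (Get-Date)
    )
    process {
        if (-not $User.Enabled) { return }   # disabled accounts cannot log on
        $flags = @()
        # LastLogonDate comes from lastLogonTimestamp, which can lag by about
        # two weeks, so keep the threshold well above that.
        if ($null -eq $User.LastLogonDate) {
            $flags += 'NeverLoggedOn'
        } elseif ($User.LastLogonDate -lt $Now.AddDays(-$StaleDays)) {
            $flags += 'StaleLogon'
        }
        if ($User.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }
        if ($User.PasswordExpired)      { $flags += 'PasswordExpired' }
        if ($User.AccountExpirationDate -and $User.AccountExpirationDate -lt $Now) {
            $flags += 'ExpiredButEnabled'
        }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Name = $User.Name; SamAccountName = $User.SamAccountName
                LastLogonDate = $User.LastLogonDate; Flags = $flags -join ';'
            }
        }
    }
}

# Constructed sample users, so the function can be tried without a domain.
$now = Get-Date '2020-04-29'
function New-SampleUser($Name, $Enabled, $LastLogon, $NeverExpires, $Expires) {
    [pscustomobject]@{
        Name = $Name; SamAccountName = $Name.ToLower(); Enabled = $Enabled
        LastLogonDate = $LastLogon; PasswordNeverExpires = $NeverExpires
        PasswordExpired = $false; AccountExpirationDate = $Expires
    }
}
$sample = @(
    (New-SampleUser 'Alice'  $true  $now.AddDays(-3)   $false $null)
    (New-SampleUser 'SvcOld' $true  $now.AddDays(-400) $true  $null)
    (New-SampleUser 'Temp01' $true  $null              $false $now.AddDays(-10))
    (New-SampleUser 'Bob'    $false $now.AddDays(-500) $true  $null)
)
$sample | Get-AccountReviewFlag -Now $now | Format-Table -AutoSize
```

In a domain, pipe Get-ADUser -Filter * -Properties LastLogonDate, PasswordNeverExpires, PasswordExpired, AccountExpirationDate into the function in place of the sample, then into Export-Csv as in COMMAND 3. Naming the properties also avoids retrieving every attribute of every user with -Properties *.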