Basic PowerShell cmdlets for Active Directory

Note: These commands were written for PowerShell 4.0. To check your version, type $PSVersionTable.PSVersion in your console.

Run PowerShell as administrator. The ActiveDirectory module is present on domain controllers and on any machine where the Remote Server Administration Tools (RSAT) are installed.

The first cmdlet verifies that the Active Directory module for PowerShell is installed:

Get-Module -Name '*active*' -ListAvailable

If it is available, the output lists a module named ActiveDirectory (the original post shows a screenshot of this output here).

Then a few commands can be used to get information about Active Directory objects.

Let's imagine that you need to report all locked-out accounts every morning to check for signs of brute-force or password-spray login attempts.

Search-ADAccount -LockedOut

This command lists every AD account that is currently locked out.

Unlock-ADAccount -Identity "Username"

Replace Username with the SamAccountName and the account will be unlocked. Before unlocking, find out where the failed logons came from: unlocking an account that is still being guessed at simply gives the attacker another round of attempts.
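The morning check described above can be turned into a report. The following script is an added example, not code from the original post. It assumes the ActiveDirectory module is installed, that the PDC emulator is reachable and you have rights to read its Security log remotely, and that in event 4740 the TargetUserName field is the locked account and TargetDomainName is the "Caller Computer Name" (the standard layout of that event; verify it against your own logs). It queries the PDC emulator because badPwdCount and badPasswordTime are not replicated between domain controllers, but every bad password is forwarded there.

```powershell
# Added example: morning lockout report with the source computer of each lockout.
if (-not (Get-Module -Name ActiveDirectory -ListAvailable)) {
    throw 'The ActiveDirectory module is not installed (install RSAT first).'
}
Import-Module ActiveDirectory

# Bad-password counters are per-DC and not replicated, but every failed attempt is
# chained to the PDC emulator, so it is the one DC with a complete picture.
$pdc = (Get-ADDomain).PDCEmulator

# Collect 4740 (account locked out) events from the last 24 hours and map each locked
# account to the caller computer name(s) that triggered the lockout.
# Assumption: TargetUserName = locked account, TargetDomainName = Caller Computer Name.
$callers = @{}
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $user   = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        $caller = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
        if (-not $callers.ContainsKey($user)) { $callers[$user] = @() }
        $callers[$user] += $caller
    }

# Build one row per locked-out user account, enriched with the lockout details.
$report = Search-ADAccount -LockedOut -UsersOnly -Server $pdc | ForEach-Object {
    $u = Get-ADUser -Identity $_.SamAccountName -Server $pdc `
        -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt, LastLogonDate
    [PSCustomObject]@{
        SamAccountName         = $u.SamAccountName
        AccountLockoutTime     = $u.AccountLockoutTime
        BadLogonCount          = $u.BadLogonCount
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        LastLogonDate          = $u.LastLogonDate
        CallerComputers        = ($callers[$u.SamAccountName] | Sort-Object -Unique) -join ','
    }
}

$report | Sort-Object AccountLockoutTime -Descending | Format-Table -AutoSize

# Many lockouts from one source in a single night is the signature of a password spray.
$spraySources = $callers.Values | ForEach-Object { $_ } | Group-Object | Where-Object { $_.Count -ge 5 }
foreach ($s in $spraySources) {
    Write-Warning ('{0} lockouts originated from {1}; investigate before unlocking anyone.' -f $s.Count, $s.Name)
}

# Keep a daily copy so trends across mornings are visible.
$report | Export-Csv -Path ("$env:USERPROFILE\lockouts-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Reading the remote Security log needs the Remote Event Log Management firewall rule open on the PDC emulator and membership in Event Log Readers (or equivalent); if that is not available, drop the Get-WinEvent part and the report still lists who is locked out and when.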

If you need a granular report of a group's members, the command below is useful:

Get-ADGroupMember -Identity "GroupName" | Select-Object Name, SamAccountName

Replace GroupName with the desired group name and it returns each member's name and username. Note that Get-ADGroupMember only lists direct members; add -Recursive to expand nested groups, which matters when auditing privileged groups such as Domain Admins.

To list all the groups a user belongs to, and therefore the access rights inherited from them, use:

Get-ADPrincipalGroupMembership "SamAccountName" | Select-Object Name, SamAccountName

Replace SamAccountName with the username. This shows direct memberships only, not groups the user belongs to through nesting.
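The two membership queries above answer "who is in this group" and "which groups is this user in", but both stop at direct membership. The following script is an added example, not from the original post, that covers both questions with nesting taken into account. It assumes a group named Domain Admins (the default name) and a hypothetical user jdoe; the LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) is the server-side way to walk group nesting.

```powershell
# Added example: privileged group audit and a user's effective group membership.
Import-Module ActiveDirectory

# 1. Every user that is effectively a member of the group, including through nested groups.
#    Get-ADGroupMember is not recursive unless -Recursive is given.
$group = 'Domain Admins'   # assumption: the group you want to audit
$members = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName `
            -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate, ServicePrincipalNames
    } |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate,
        @{ Name = 'HasSPN'; Expression = { @($_.ServicePrincipalNames).Count -gt 0 } }

$members | Format-Table -AutoSize

# Findings a reviewer acts on: non-expiring passwords, stale passwords, and privileged
# accounts with an SPN (a Kerberoasting target).
$members | Where-Object {
    $_.PasswordNeverExpires -or $_.HasSPN -or
    ($_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-365))
} | ForEach-Object { Write-Warning "Review privileged account: $($_.SamAccountName)" }

# 2. All groups a user belongs to, directly or through nesting.
#    Get-ADPrincipalGroupMembership returns direct memberships only; the
#    LDAP_MATCHING_RULE_IN_CHAIN filter makes the DC walk the chain for us.
function Get-EffectiveGroupMembership {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object Name, SamAccountName, GroupScope, GroupCategory
}

Get-EffectiveGroupMembership -SamAccountName 'jdoe'   # assumption: a user in your domain
```

The chain filter does not include the user's primary group (normally Domain Users), which is stored in primaryGroupID rather than in the group's member attribute; add it manually if the report must be complete.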

To quickly enable or disable an account (user, computer, service account, etc.):

Enable-ADAccount -Identity "SamAccountName"

or

Disable-ADAccount -Identity "SamAccountName"

Replace SamAccountName with the username.
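When Disable-ADAccount is used to contain a compromised account rather than for routine offboarding, it helps to record why it was done, to verify the result, and to reset the password as well. The following function is an added example, not code from the original post. It assumes the ActiveDirectory module and the rights to modify the account; the user names and reason text in the usage lines are hypothetical.

```powershell
# Added example: disable an account as incident containment, with an audit trail
# in the Description attribute, a password reset, and verification. Supports -WhatIf/-Confirm.
Import-Module ActiveDirectory

function Disable-CompromisedAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$Reason
    )
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties Description, Enabled
        if (-not $user.Enabled) {
            Write-Verbose "$SamAccountName is already disabled"
            return
        }
        $stamp = '[DISABLED {0:u} by {1}: {2}] ' -f (Get-Date), $env:USERNAME, $Reason
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Disable account ($Reason)")) {
            Disable-ADAccount -Identity $user
            # Keep the old description after the stamp so nothing is lost.
            Set-ADUser -Identity $user -Description ($stamp + $user.Description)
            # Disabling blocks new logons, but Kerberos tickets already issued stay valid
            # until they expire. Resetting the password to a random value also makes any
            # stolen password or hash useless if the account is re-enabled later.
            $newPassword = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
            Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
            # Verify that the change took effect before reporting success.
            $after = Get-ADUser -Identity $user.DistinguishedName -Properties Enabled
            if ($after.Enabled) { throw "Failed to disable $SamAccountName" }
            Write-Output "$SamAccountName disabled and password reset"
        }
    }
}

# Usage (hypothetical names): dry run for one account, then a confirmed run over a list.
'jdoe' | Disable-CompromisedAccount -Reason 'Credential exposure confirmed by SOC' -WhatIf
Get-Content .\compromised.txt | Disable-CompromisedAccount -Reason 'Credential exposure confirmed by SOC' -Confirm
```

Run it with -WhatIf first: Disable-ADAccount and Set-ADAccountPassword are skipped inside ShouldProcess, so the dry run only reads the accounts.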

If you need to find users, groups or computers without knowing the exact name, a wildcard filter gives broader results:

Get-ADUser -Filter {name -like "*Name*"}

Get-ADGroup -Filter {name -like "*Name*"}

Get-ADComputer -Filter {name -like "*Name*"}

Replace Name with the string you are looking for; * matches any number of characters.

Get-ADUser -Filter {name -like "*Name*"} | Select-Object Name

Get-ADGroup -Filter {name -like "*Name*"} | Select-Object Name

Get-ADComputer -Filter {name -like "*Name*"} | Select-Object Name

Replace Name with the string you are looking for (this will only display a list of names).
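The three wildcard searches above can be combined into one function that searches users, groups and computers at once and labels each hit with its object type. This is an added example, not code from the original post. It assumes the ActiveDirectory module and defaults the search base to the current domain; the pattern "svc" in the usage lines is just an illustration. It uses a string filter rather than a script block because the AD provider expands only simple variables inside a filter, and it doubles any single quote in the pattern so that user-supplied input cannot break out of the filter expression.

```powershell
# Added example: one wildcard search across users, groups and computers, filtered server-side.
Import-Module ActiveDirectory

function Find-ADName {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,          # substring to look for
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # assumption: whole domain
    )
    # Escape single quotes so a pattern like O'Brien (or something deliberately hostile)
    # stays inside the quoted literal instead of altering the filter.
    $safe = $Pattern -replace "'", "''"
    # '*' is the wildcard for -like; match on either the display Name or the SamAccountName.
    $filter = "Name -like '*$safe*' -or SamAccountName -like '*$safe*'"

    Get-ADUser -Filter $filter -SearchBase $SearchBase -Properties Enabled, LastLogonDate |
        Select-Object @{ N = 'Type'; E = { 'User' } }, Name, SamAccountName, Enabled, LastLogonDate, DistinguishedName
    Get-ADGroup -Filter $filter -SearchBase $SearchBase |
        Select-Object @{ N = 'Type'; E = { 'Group' } }, Name, SamAccountName,
            @{ N = 'Enabled'; E = { $null } }, @{ N = 'LastLogonDate'; E = { $null } }, DistinguishedName
    Get-ADComputer -Filter $filter -SearchBase $SearchBase -Properties Enabled, LastLogonDate |
        Select-Object @{ N = 'Type'; E = { 'Computer' } }, Name, SamAccountName, Enabled, LastLogonDate, DistinguishedName
}

# Usage: everything with "svc" in its name, then only the hits that are disabled or never logged on.
Find-ADName -Pattern 'svc' | Format-Table -AutoSize
Find-ADName -Pattern 'svc' | Where-Object { $_.Enabled -eq $false -or ($_.Type -ne 'Group' -and -not $_.LastLogonDate) }
```

Because the filter is evaluated on the domain controller, this stays fast in large directories; filtering with Where-Object after a `-Filter *` query would pull every object over the wire first.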