Alternative PowerShell commands for Active Directory management


July 31, 2011 by Rakesh Boraiah

The benefit to these other options is that there are no dependencies — well, other than the Active Directory cmdlets themselves. These cmdlets are provided by Quest Software and my own open source module, called BSonPosh.

Quest was really the first on the Active Directory scene, and it has also been around since the early days of Windows PowerShell (about four years), so the cmdlets are very mature. They have no dependencies on anything specific, and while the cmdlets work against all “Active Directories,” they can also target a Quest ActiveRoles Server, which provides a much higher degree of object management and security. Outside of that, they behave very much the same as the Microsoft cmdlets.

The one weakness of these Quest cmdlets is that they don’t venture into the realm of infrastructure management, which is why I wrote the BSonPosh module to fill the gap. To be clear, my module covers far more than just Active Directory, but the AD infrastructure management coverage is pretty good.

While we don’t have the time or space to cover the entire set of cmdlets offered by Quest and BSonPosh, we can take a look at a few of the more prominent ones in both management categories.

Note: You may notice the Quest cmdlets have a verb prefix of QAD. This allows them to play nice with other Active Directory cmdlet providers.

Object management (Quest)

Get-QADUser — gets a specific user object or does a search for user objects that match the query

# Get the user account for a user with ambiguous name resolution (ANR) of BSonPosh
Get-QADUser bsonposh

# Get all the users that have BSonPosh as manager
Get-QADUser -Manager bsonposh

# Get all the users that have the last name “Shell” using an LDAP filter
Get-QADUser -LDAPFilter "(sn=shell)"

For more examples:
Get-Help Get-QADUser -Examples

Get-QADComputer — gets a specific computer object or does a search for computer objects that match the query

# Get all the computers in a given organizational unit (OU)
Get-QADComputer -SearchRoot "OU=XenDesktop,DC=Dev,DC=Lab"

# Get all the computers with a given role (i.e. member, DC, undefined)
Get-QADComputer -ComputerRole DC

# Find all Windows 7 machines
Get-QADComputer -OSName "Windows 7*"

For more examples:
Get-Help Get-QADComputer -Examples

Get-QADGroup — gets a specific group object or does a search for group objects that match the query

# List all the universal groups
Get-QADGroup -GroupScope 'Universal'

# Get the group members
Get-QADGroup "domain Admins" | select -ExpandProperty

# An easier way to get group members
Get-QADGroupMember "Domain Admins"

# Find empty groups
Get-QADGroup -Empty $true

For more examples:
Get-Help Get-QADGroup -Examples
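
A defensive use of the group-membership lookup above, added here as an example that is not part of the original article: compare the members of a privileged group against an approved baseline and report drift. The helper name Compare-GroupBaseline and the account names are hypothetical, and the live query in the comment assumes the member objects expose SamAccountName.

```powershell
# Added example, not from the original article.
# Compare-GroupBaseline is a hypothetical helper; the account names are constructed.
function Compare-GroupBaseline {
    param(
        [string[]]$Approved = @(),   # accounts allowed to be in the group
        [string[]]$Current  = @()    # accounts found in the group right now
    )
    # -notcontains is case-insensitive, which matches how AD treats sAMAccountName.
    foreach ($name in $Current) {
        if ($Approved -notcontains $name) {
            New-Object PSObject -Property @{ Account = $name; Finding = 'Unapproved member' }
        }
    }
    foreach ($name in $Approved) {
        if ($Current -notcontains $name) {
            New-Object PSObject -Property @{ Account = $name; Finding = 'Approved member missing' }
        }
    }
}

# Constructed sample data so the comparison runs without a domain.
$approved = 'da-alice', 'da-bob', 'da-carol'
$current  = 'DA-ALICE', 'da-bob', 'svc-backup'

# Against a live domain (assumption: the Quest snap-in is loaded and the member
# objects expose SamAccountName), replace $current with:
#   $current = Get-QADGroupMember "Domain Admins" | ForEach-Object { $_.SamAccountName }

Compare-GroupBaseline -Approved $approved -Current $current |
    Select-Object Account, Finding
```

Run on a schedule, any 'Unapproved member' row is a change to a privileged group that nobody signed off on.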

Infrastructure management (BSonPosh)

Get-Forest — returns the current forest

# Get the current forest
Get-Forest

# Get the forest for a specific domain controller (DC)
Get-Forest -DomainController CoreDC

For more examples:
Get-Help Get-Forest -Examples

Get-Domain — returns a domain object

# Gets the current domain
Get-Domain

# Gets the domain of the specified DC
Get-Domain -DomainController CoreDC

For more examples:
Get-Help Get-Domain -Examples

Get-DomainController — returns a domain controller object that matches the parameters passed

# Gets the current domain controller for the user session
Get-DomainController

# Gets domain controllers with specific names (RegEx)
Get-DomainController -Filter "mydc(nyc|dr)\d"

# Returns all DCs in a given domain
Get-DomainController -Domain Dev.Lab

For more examples:
Get-Help Get-DomainController -Examples

Get-FSMO — returns the operation masters for forest/domain

# Returns all the Flexible Single Master Operations (FSMO) for the forest and domain
Get-FSMO

# Returns just the domain FSMO
Get-FSMO -Domain

# Returns the forest FSMO
Get-FSMO -Forest

For more examples:
Get-Help Get-FSMO -Examples

Here is a list of all the cmdlets provided with the Quest Active Directory module:

  • Add-QADGroupMember
  • Add-QADMemberOf
  • Add-QADPasswordSettingsObjectAppliesTo
  • Add-QADPermission
  • Approve-QARSApprovalTask
  • Connect-QADService
  • Convert-QADAttributeValue
  • Deprovision-QADUser
  • Disable-QADUser
  • Disconnect-QADService
  • Enable-QADUser
  • Get-QADComputer
  • Get-QADGroup
  • Get-QADGroupMember
  • Get-QADMemberOf
  • Get-QADObject
  • Get-QADObjectSecurity
  • Get-QADPasswordSettingsObject
  • Get-QADPasswordSettingsObjectAppliesTo
  • Get-QADPermission
  • Get-QADPSSnapinSettings
  • Get-QADRootDSE
  • Get-QADUser
  • Get-QARSAccessTemplate
  • Get-QARSAccessTemplateLink
  • Get-QARSApprovalTask
  • Get-QARSOperation
  • Move-QADObject
  • New-QADGroup
  • New-QADObject
  • New-QADPasswordSettingsObject
  • New-QADUser
  • New-QARSAccessTemplateLink
  • Reject-QARSApprovalTask
  • Remove-QADGroupMember
  • Remove-QADMemberOf
  • Remove-QADObject
  • Remove-QADPasswordSettingsObjectAppliesTo
  • Remove-QADPermission
  • Remove-QARSAccessTemplateLink
  • Rename-QADObject
  • Restore-QADDeletedObject
  • Set-QADGroup
  • Set-QADObject
  • Set-QADObjectSecurity
  • Set-QADPSSnapinSettings
  • Set-QADUser
  • Set-QARSAccessTemplateLink
  • Unlock-QADUser

And finally, here are all of the Active Directory cmdlets that can be found in the BSonPosh module:

  • ConvertTo-DistinguishedName
  • ConvertTo-DNSName
  • ConvertTo-Name
  • ConvertTo-NetbiosName
  • ConvertTo-Sid
  • ConvertTo-UACFLag
  • Get-ADACL
  • Get-DCConnectionObject
  • Get-Domain
  • Get-DomainController
  • Get-Forest
  • Get-FSMO
  • Get-Schema
  • Get-SchemaClass
  • Get-SchemaOID
  • Get-SchemaProperty
  • Get-SiteLink
  • Get-Site
  • New-ADACE
  • Set-ADACL

You can find more on using these PowerShell cmdlets for Active Directory object and infrastructure management via the online help for Quest cmdlets and the source code for BSonPosh.

Thank You….!!!

