Introduction
PowerShell is very useful for automating Active Directory. It lets you quickly and relatively easily automate mundane tasks or perform the same operation on many objects.
PowerShell provides a broad set of ways to work with Active Directory. Some of them are:
- Microsoft Active Directory Module for Windows PowerShell
- ADSI adapter
- .Net Classes
- Non-Microsoft free extensions, such as Quest Active Directory Cmdlets or the AD provider from PowerShell Community Extensions.
This article provides examples of using the ADSI adapter and .NET classes. This is not the easiest method, but sometimes you need it: for example, if you work in an organization whose domain controllers run an older operating system (earlier than 2008 R2) and you cannot install additional software on the controllers or servers, but still need to work with Active Directory from your script.
Receiving an object representation of an Active Directory object
This method requires knowing the object's [[LDAP Path Active Directory Distinguished and Relative Distinguished Names|LDAP path]].
# Bind to the object by its LDAP path; the [ADSI] accelerator returns a DirectoryEntry
$Object = [ADSI]'LDAP://CN=Notebook1,OU=Computers,DC=contoso,DC=com'
Searching for an object in Active Directory
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
# Standard LDAP filter: person objects whose name matches "gusev" (anr = ambiguous name resolution)
$Searcher.Filter = '(&(objectCategory=person)(anr=gusev))'
# Container where the search starts (PowerShell converts the path string to a DirectoryEntry)
$Searcher.SearchRoot = [ADSI]'LDAP://OU=Laptops,OU=Computers,DC=contoso,DC=com'
$Searcher.FindAll()
The Filter property of the searcher object uses standard LDAP query syntax. You can also use the FindOne() method to receive only the first object found.
Setting the "Password never expires" attribute on a user object
This property, unlike many other properties of an AD object, is stored as a bit in the bitmask attribute userAccountControl (not related in any way to the [[User Account Control]] feature of Windows). To set it you need to retrieve the current value of this attribute and use a binary OR operation (-bor) to calculate the new value.
$User = [ADSI]"LDAP://cn=Gusev,ou=Users,ou=Lab,dc=contoso,dc=com"
# 65536 (0x10000) is the DONT_EXPIRE_PASSWORD bit; -bor keeps the other bits untouched
$UAC = $User.UserAccountControl[0] -bor 65536
$User.Put("userAccountControl", $UAC)
# Nothing is written to the directory until SetInfo() is called
$User.SetInfo()
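The searcher and the userAccountControl bitmask from the two sections above can be combined into an audit of which enabled accounts currently have "Password never expires" set. This is an added example, not code from the original article; the search root DN is a placeholder, and the flag values and the 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) rule come from the Active Directory documentation.

```powershell
# Added example (not from the original article): list enabled user accounts whose
# userAccountControl has DONT_EXPIRE_PASSWORD set, decoding the bitmask for each hit.
# Assumption: replace the placeholder search root with the DN of your own domain.
$SearchRoot = 'LDAP://DC=contoso,DC=com'

# Subset of userAccountControl bit flags (values as documented for the AD schema)
$UacFlags = @{
    ACCOUNTDISABLE       = 0x2
    PASSWD_NOTREQD       = 0x20
    DONT_EXPIRE_PASSWORD = 0x10000
    DONT_REQ_PREAUTH     = 0x400000
}

function Get-UacFlagNames {
    param([int]$Value)
    # Test each known bit with -band and return the names of the bits that are set
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } |
        Sort-Object
}

$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = [ADSI]$SearchRoot
$Searcher.PageSize = 1000   # paged search, so large domains are not cut off at the server limit
# The :1.2.840.113556.1.4.803:= rule makes the server do the bitwise AND, so only accounts
# with bit 65536 set (and bit 2, ACCOUNTDISABLE, clear) are returned.
$Searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                   '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
                   '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
[void]$Searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'pwdLastSet', 'memberOf'))

foreach ($Result in $Searcher.FindAll()) {
    $Uac = [int]$Result.Properties['useraccountcontrol'][0]
    # pwdLastSet is a FILETIME (100-ns ticks since 1601); 0 means "must change at next logon"
    $PwdLastSet = [int64]$Result.Properties['pwdlastset'][0]
    $PwdAgeDays = if ($PwdLastSet -gt 0) {
        ((Get-Date) - [DateTime]::FromFileTime($PwdLastSet)).Days
    } else { $null }
    [PSCustomObject]@{
        Account         = $Result.Properties['samaccountname'][0]
        Flags           = (Get-UacFlagNames $Uac) -join ','
        PasswordAgeDays = $PwdAgeDays
        GroupCount      = $Result.Properties['memberof'].Count
    }
}
```

Pipe the output to Export-Csv or Sort-Object PasswordAgeDays -Descending to prioritise the oldest non-expiring passwords for review.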
Get direct AD group membership information
Members of a group are stored as distinguished names in the group's Member array property. To get objects representing the members, read this property and create ADSI objects from its values.
$Group = [ADSI]"LDAP://cn=Domain Admins,cn=Users,dc=Contoso,dc=Com"
# Each member DN becomes a DirectoryEntry; only direct members are listed, not nested ones
$Members = $Group.Member | ForEach-Object { [ADSI]"LDAP://$_" }
In the same way, the groups in which an AD object is directly included are stored in its MemberOf property.
$User = [ADSI]"LDAP://cn=Administrator,cn=Users,dc=Contoso,dc=Com"
# Direct group memberships only; the primary group (primaryGroupID) is not part of memberOf
$Groups = $User.MemberOf | ForEach-Object { [ADSI]"LDAP://$_" }
Get AD object class name
The primary class of an AD object is contained in the Class property, but there is also the ObjectClass property, which lists all classes the object belongs to.
PS C:\> $Object = [ADSI]"LDAP://cn=Administrator,cn=Users,dc=Contoso,dc=Com"
PS C:\> $Object.class
user
PS C:\> $Object.objectclass
top
person
organizationalPerson
user