Adam's AD Admin

AD Cmdlet Reference Link Use this quick link to list all my current and any future posts of the AD Cmdlet Reference series. Cheers!

Get-ADGroup A simple cmdlet for powershell 2 AD management pack to get group information in one line. Example usage get-adgroup -identity "domain admins" get-adgroup -filter 'GroupScope -eq "Universal"' Define the parameters Identity takes a range of identifiers for the object. These include "Distinguished Name", "GUID", "SID", and "samaccountname". As all the cmdlets have been designed for interoperability, I find it best to use output from other commands like get-aduser. Full help file here . In a script This script gets detailed information about all the groups that user1 is a direct member of. get-aduser user1 -Properties memberof | select -expandproperty memberof | foreach {get-adgroup $_} Powershell without the Management pack To emulate the second example above, get all universal groups, I have chosen my GC search script  to return the information.  Note, all group type values have been list...

Select-Object -expandproperty ... a time saver!!!! Have you ever run a powershell command and used select-object to filter the returned object?  If you have you will know that even if you only have one value in the select, you still have to refer to the property name to return the values.  Example : I want a list of all my enabled DC's PS C:\temp> $dcs = get-ADDomainController -filter {enabled -eq $True} | select HostName PS C:\temp> $dcs HostName -------- DC01.DOMAIN.COM DC02.DOMAIN.COM DC03.DOMAIN.COM DC04.DOMAIN.COM But to get to the first hostname I have to write this : $dcs[0].hostname If I were to use -expandproperty as below : PS C:\temp> $dcs = get-ADDomainController -filter {enabled -eq $True} | Select-Object -ExpandProperty hostname PS C:\temp> $dcs DC01.DOMAIN.COM DC02.DOMAIN.COM DC03.DOMAIN.COM DC04.DOMAIN.COM I now have an array of server names that I can simply push through a foreach, without the '.hostnam...

Enabling Powershell Remoting and Remote Administration - Windows 2008 R2 Server Core Following on from my post Enable WinRM via Group Policy , there as some follow on tasks to ensure server core is manageable via powershell and server manager. Add Firewall Rule To start with, to allow GUI remote management of the event viewer, another firewall rule needs to be added : Computer Configuration / Policies / Windows Settings / Security Settings / Windows Firewall with Advanced Security Create an Inbound Rule allowing the predefined group 'Remote Event Log Management' Install powershell and packs Next, as server core is the only version of Windows Server 2008 R2 that does not install Powershell V2 by default, we need to install powershell and which ever cmdlet management pack we need. In this case I am only going to install the server manager and AD cmdlets. Winrs -r:$dc.name Ocsetup MicrosoftWindowsPowerShell Winrs -r:$dc.name Ocsetup ServerManager-PSH-Cmdlets Winrs -...

Trigger KCC on all Domain Controllers If you need to ensure all DC's have built the latest topology, a quick powershell one-liner (that's powershell v1 and v2).  foreach ($dc in [System.DirectoryServices.ActiveDirectory.domain]::getcurrentdomain().FindAllDomainControllers()){$dc.CheckReplicationConsistency()} Check out all the DC Methods that can be run in this way.

Add-ADDomainControllerPasswordReplicationPolicy This cmdlet is there to manage the Password Replication Policy for RODC's.  A handy tool as without the AD management pack, you can only do this at the command line with repadmin! Example usage Add-ADDomainControllerPasswordReplicationPolicy -identity $RODC -AllowedList $group Define the parameters Both identity and AllowedList (also, DeniedList) take a range of identifiers for the object. These include "Distinguished Name", "GUID", "SID", and "samaccountname". As all the cmdlets have been designed for interoperability, I find it best to use output from other commands like get-aduser or in the case below, Get-ADDomainController. In a script In this script, I get every RODC, and firestly build a list of group names from the first 6 characters of the RODC name.  I then get the allowed list from the RODC and check my built list against the PRP entries.  For any that are not already memb...

Get-ADDomainController Get-ADDomainController is useful to easily return all, or a subset of your domain controllers.  This can be easily filtered by type, OS, AD Site, or a number of other values. Example usage #get all read only DC's Get-ADDomainController -filter {isreadonly -eq $true} # get the domain controller DC1 Get-ADDomainController -identity "DC1" # get the PDCE for the domain Get-ADDomainController -Discover -Service "PrimaryDC"} # get a GC but force it to rediscover (clear any cached DC) Get-ADDomainController -Discover -Service "GlobalCatalog" -ForceDiscover Define the parameters Identity takes a range of identifiers for the object. These include "Distinguished Name", "GUID", "SID", and "samaccountname". Service takes the following : PrimaryDC or 1 GlobalCatalog or 2 KDC or 3 TimeService or 4 ReliableTimeService or 5 ADWS or 6 Filter uses the format {isreadonly -eq $true...

Add-ADGroupMember Quite an easy one to start with, but quite handy too. Saves a few lines of code from ps1. Example usage Add-ADGroupMember -identity "Group name" -members "new group member" Add-ADGroupMember "Group name" "list of new group member" Define the parameters Both identity and members take a range of identifiers for the object. These include "Distinguished Name", "GUID", "SID", and "samaccountname". As all the cmdlets have been designed for interoperability, I find it best to use output from other commands like get-aduser. In a script #set the group name $Group = "All Managers" #get the objects that you want to add to the group (in this case, users with Manager in the description) $users = get-aduser -filter {description -like "*Manager*"} #Add the users to the group Add-ADGroupMember $Group $users Powershell without the Management pack How you gener...

AD Cmdlets reference Over the next few weeks, my aim is to add a reference to all the AD cmdlets that I am using and the equivilent Poswershell 1 code (or indeed powershell 2 without the AD management pack).  I am finding that I am doing a lot of conversion betweek the 2 versions at the moment and would find a quick reference handy, and if it is for anybody else, the great! First Cmdlet coming soon....any suggestions?

Searching AD using .net and a Global Catalog (GC) Server Although I have been recently been exploring the world of R2 and AD-cmdlts, I have re-visited .net to search a the whole forest in one quick step.  As A GC holds a subset of information on all objects in the forest, we can query any GC in the forest to return these values.  Here, I am doing a search for a specific UPN, but the filter can inculde any attribute stored on the GC. $upn= "first.last@domain.name" $Forest = [System.DirectoryServices.ActiveDirectory.forest]::getcurrentforest() $GC = $forest.FindGlobalCatalog() $searcher = $gc.GetDirectorySearcher() $searcher.filter = "(userprincipalname=$upn)" $Results = $Searcher.FindAll() The rest of the script is the same as how we ended up in my AD Searcher You might not want to find any GC in the forest, you might want to only choose one from a particular site. As $forest.FindGlobalCatalog() has an option for this,...

ADMGS - How to install on Server 2003 and Server 2008 From someone who has done a lot of AD related scripting in powershell v1, it has taken me a while to get to grips with using the new AD cmdlets in PowerShell v2.  Needless to say, I have started 'dipping my toe' into the vast 'sea of cmdlets' now available and am finding them quite useful.  So much so, that enabling the ability to use the cmdlets in my older domains has become essential.   I no longer want to have to write v1 and v2 scripts, or more specifically, ad cmdlet and non-ad-cmdlet enabled scripts.  Here enters the 'Active Directory Management Gateway Service'  .This provides the connectivity for the AD-cmdlets to communicate with a domain controller in your domain. Pre-requisites For a small installer, this guy need a fair few prerequisites - each OS version being slightly different. Windows 2008 (tested on 32bit) It is best that you have SP2 inst...