Microsoft's PowerShell (PS) management framework, developed for systems management and for automating administrative tasks, extends far beyond simply replacing the venerable command-line shell. PS offers much more by integrating with services and applications to provide holistic management of clients and servers alike.

As the underlying framework is updated, new and more powerful functions become available. PS is further enhanced by importing modules for supported services, such as Active Directory (AD), which gives admins greater command over the devices and user accounts stored in AD, for example. This capability extends to all facets of maintaining the directory services, including domain controllers and domain services.

Before diving into the cmdlets, there are a few requirements that must be met to ensure that the AD cmdlets are available and fully supported:

  • Administrative PC with Windows Vista installed (or newer)
  • Remote Server Administration Tools installed on administrative PC
  • Server with Windows Server 2008 (or newer)
  • Active Directory Domain Services Role installed on server
  • Windows Management Framework 3.0 (or newer)
  • Switched network (Required for most cmdlets to function properly)
  • Broadband Internet Access (Optional, but recommended)
  • Domain Admin credentials


Accessing Active Directory cmdlets

Start by importing the module: Import-Module ActiveDirectory

Before being able to run any of the cmdlets that allow for managing AD, the corresponding module must first be imported into the current PS session. Once this has been done, the AD cmdlets will be loaded and at your disposal.

Note: You must perform this each time PS is run before AD-specific cmdlets become available.

1. Create computer object

To create a new computer object in a specified organizational unit (OU), enter the cmdlet:

New-ADComputer -Name "ComputerName" -SamAccountName "ComputerName" -Path "OU=Computers,DC=Domain,DC=com"

specifying the object's name for both the -Name and -SamAccountName parameters. Do not forget to include the distinguished name (DN) in quotes after the -Path parameter, which designates where the object is to be created.

This is especially useful when managing multiple sites and/or domains, and in particular when scripting changes to AD such as new account creations, which may be linked to new hires as they are on-boarded by human resources.

2. Create new security groups

Enter the cmdlet:

New-ADGroup -Name "Security Group Name" -SamAccountName "SecurityGroupName" -GroupCategory Security -GroupScope Global -DisplayName "Security Group Name" -Path "CN=Groups,DC=Domain,DC=com" -Description "Brief description of what the security group is used for"

This cmdlet aids in the creation of such groups, which ease administrative overhead considerably. Managing accounts and computers is made much easier by applying role-based management settings to security groups rather than making changes to each and every account and object individually.

3. Create a new user account

Enter the cmdlet:

New-ADUser -Name "User Account Name" -SamAccountName "UserAccountName" -AccountPassword (ConvertTo-SecureString "password" -AsPlainText -Force) -DisplayName "User Name" -Enabled $True -GivenName "FirstName" -Path "CN=Users,DC=Domain,DC=com" -Server "controller.domain.com" -Surname "LastName" -UserPrincipalName "username@domain.com"

Creating and managing user accounts go hand in hand when AD serves as the backend to an organization's centralized infrastructure. Generating new user accounts can grow to be a tedious task, given the numerous parameters and text fields present. And while not all are required, many are certainly useful when populated, such as email and title, to name a few.

A whole host of these attributes can be configured by adding the -OtherAttributes parameter and pairing it with the attributes you wish to set, for example: @{title="job_title";mail="username@domain.com"}.

4. Create a new OU

Enter the cmdlet:

New-ADOrganizationalUnit -Name "OU Name" -Path "DC=Domain,DC=com"

OUs are essential to managing user accounts and computer objects on the back end of the network. Put another way, a properly set up Active Directory will include a well-designed set of OUs with which to compartmentalize all the objects that AD centrally manages, making for an orderly, structured directory that seamlessly lends itself to hardening the network while keeping it easy to manage.

Note: Cmdlets starting with "New" connote the creation of that object. When the task requires removal of an object, use the "Remove" prefix in place of "New." Similarly, when you need to alter an object, use the "Set" prefix in place of "New." The syntax for these cmdlets follows a format similar to that of the New-prefixed cmdlets listed above.

5. Add/remove users or computer objects to/from groups

Enter the cmdlets:

Add-ADGroupMember SecurityGroupName -Members Username01 -Server "controller.domain.com"

Remove-ADGroupMember SecurityGroupName -Members Username01 -Server "controller.domain.com"

Once user accounts and computer objects are created, admins can choose to add them to existing security groups for added ease of management. By executing this cmdlet, the accounts listed in the -Members parameter gain membership in the security group. When adding multiple accounts, these may be separated by commas on a single line. Additionally, the -Server parameter, though optional, specifies which domain controller to connect to for processing the changes. To remove members from a group, use the Remove-ADGroupMember cmdlet, which follows a similar syntax.
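Bringing steps 1 through 5 together, the following onboarding script is an added example and not code from the original article: it creates the OU if it is missing, creates each user with a randomly generated initial password instead of a literal in the script, sets extra attributes through -OtherAttributes, and adds the account to a group. The OU, group, domain and server names are placeholders, and the hire list is constructed sample input.

```powershell
# Added example, not from the original article. Creates the OU if it is
# missing, then creates and groups each new hire. The OU, group, domain and
# server names are placeholders; the hire list is constructed sample input.
Import-Module ActiveDirectory

$Server = "controller.domain.com"
$OuName = "Staff"
$OuPath = "OU=$OuName,DC=Domain,DC=com"
$Group  = "SecurityGroupName"

# In practice this list would come from HR (e.g. via Import-Csv).
$NewHires = @(
    [pscustomobject]@{ First = "Jane"; Last = "Doe"; Title = "Analyst" }
)

# New-ADOrganizationalUnit fails on a duplicate, so check for the OU first.
try {
    $null = Get-ADOrganizationalUnit -Identity $OuPath -Server $Server
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    New-ADOrganizationalUnit -Name $OuName -Path "DC=Domain,DC=com" -Server $Server
}

foreach ($Hire in $NewHires) {
    $Sam = ("{0}{1}" -f $Hire.First.Substring(0, 1), $Hire.Last).ToLower()
    $Upn = "$Sam@domain.com"

    # Do not put a literal password in the script: draw a random initial
    # password from the OS CSPRNG and force a change at first logon. Hand the
    # initial value to the user through whatever secure channel you already use.
    $Bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
    $InitialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($Bytes)) -AsPlainText -Force

    New-ADUser -Name "$($Hire.First) $($Hire.Last)" -SamAccountName $Sam `
        -GivenName $Hire.First -Surname $Hire.Last -UserPrincipalName $Upn `
        -Path $OuPath -Server $Server -AccountPassword $InitialPassword `
        -Enabled $true -ChangePasswordAtLogon $true `
        -OtherAttributes @{ title = $Hire.Title; mail = $Upn }

    # Same call as step 5; -Members accepts a SamAccountName, DN or SID.
    Add-ADGroupMember -Identity $Group -Members $Sam -Server $Server
    Write-Output "Created $Sam in $OuPath and added it to $Group"
}
```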

6. Obtain the locally stored password from a computer object

Enter the cmdlet:

Get-AdmPwdPassword -ComputerName "computer.domain.net"

For organizations that have implemented Microsoft's excellent (and free) Local Administrator Password Solution (LAPS), there is a cmdlet (provided by the AdmPwd.PS module that ships with LAPS) that can grab the password stored in the computer object within AD and display it in one easy-to-retrieve step, versus scouring the database for each object to track down the ms-Mcs-AdmPwd attribute.

7. Joining a computer to a domain

Enter the cmdlet:

Add-Computer -DomainName "domain.com" -Credential Domain\Username -Restart -Force

Joining a computer to the domain is one of the most common tasks IT pros perform, tens of thousands of times over a career. And while the task only takes a few minutes per machine, it can be run from PS to streamline it, and with a few tweaks the entire process may even be fully automated. Just remember that the cmdlet, as detailed above, will prompt the admin for their password to complete the domain join before rebooting the device.

8. Enable/Disable users, computers, or service accounts

Enter the cmdlet:

Enable-ADAccount -Identity "ComputerName"

Disable-ADAccount -Identity "Username"

It is fairly obvious what this cmdlet does. It enables (or disables) a user account, computer object, or service account managed by AD to allow (or prevent) the user or computer account from authenticating with or to the network.

9. Unlock user accounts

Enter the cmdlet:

Unlock-ADAccount -Identity "Username"

It is often noted by statistical analysis that IT spends an inordinate amount of time resolving help desk calls relating to unlocking users' accounts and resetting their passwords. The latter is covered above with the Set-ADUser cmdlet; the former is handled by this specific cmdlet. This basically applies to accounts in which users have exceeded their password retry counters and have effectively locked their account from being used. Once unlocked, AD functionality (including authenticating the account) is made available once more.

10. Locate disabled computer or user accounts

Enter the cmdlet:

Search-ADAccount -AccountDisabled | FT Name,ObjectClass

The Search-ADAccount cmdlet can be used for more than just finding disabled accounts. There are many parameters that may be invoked to effectively search AD and report back matching results. However, to highlight its functionality, I decided to go with disabled accounts since it is an important and useful cmdlet to know.

To limit searches to a particular OU, the -SearchBase parameter followed by the DN of the path will be necessary. Additionally, to focus these results on a particular controller, the -Server parameter followed by the Fully Qualified Domain Name (FQDN) should be appended as well.
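The following account-hygiene report is an added example, not code from the original article. It goes beyond the single -AccountDisabled query above and uses Search-ADAccount with -SearchBase and -Server to also list inactive, locked-out and password-never-expires accounts in one pass; the OU DN, server, threshold and report path are placeholders.

```powershell
# Added example, not from the original article. Builds a small account-hygiene
# report on Search-ADAccount. The OU DN, server, threshold and report path are
# placeholders to adjust for your environment.
Import-Module ActiveDirectory

$Server     = "controller.domain.com"
$SearchBase = "OU=Staff,DC=Domain,DC=com"
$Stale      = New-TimeSpan -Days 90
$Report     = "C:\Reports\ad-account-hygiene.csv"   # placeholder path

# Parameters shared by every query: scope to one OU, talk to one controller.
$Common = @{ SearchBase = $SearchBase; Server = $Server }

$Findings = @()

# Disabled accounts still sitting in the OU (candidates for cleanup).
$Findings += Search-ADAccount -AccountDisabled @Common |
    Select-Object Name, ObjectClass, LastLogonDate,
        @{ n = 'Finding'; e = { 'Disabled' } }

# Enabled accounts with no logon inside the threshold (stale accounts).
$Findings += Search-ADAccount -AccountInactive -TimeSpan $Stale @Common |
    Where-Object { $_.Enabled } |
    Select-Object Name, ObjectClass, LastLogonDate,
        @{ n = 'Finding'; e = { 'Inactive' } }

# Accounts currently locked out (help desk queue; a burst can also indicate
# failed-logon activity worth a look in the security log).
$Findings += Search-ADAccount -LockedOut @Common |
    Select-Object Name, ObjectClass, LastLogonDate,
        @{ n = 'Finding'; e = { 'LockedOut' } }

# User accounts whose password never expires (policy exceptions to review).
$Findings += Search-ADAccount -PasswordNeverExpires -UsersOnly @Common |
    Select-Object Name, ObjectClass, LastLogonDate,
        @{ n = 'Finding'; e = { 'PasswordNeverExpires' } }

$Findings | Sort-Object Finding, Name | Format-Table -AutoSize
$Findings | Export-Csv -Path $Report -NoTypeInformation
```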

11. Repair a broken trust between a client and the domain

Enter the cmdlet:

Test-ComputerSecureChannel -Server "controller.domain.com"

A broken channel, as PS refers to it, occurs when the client computer has a broken trust relationship with the domain. It will cease to authenticate domain logins since the client and domain no longer have the secure channel set up that acts as the link between the two. The cmdlet above tests this relationship against the domain controller to verify that the link still exists. If not, adding the -Repair parameter (together with -Credential for an account permitted to reset the computer's account password, if the current logon is not) resets this link between the two, reestablishing the channel.

This is by no means intended to be an exhaustive list of all the cmdlets available to systems or domain administrators, but rather a list of cmdlets that are commonly used daily to manage accounts, modify objects, and get relevant information used to resolve issues that affect productivity.