Scripting. Powershell, VMware, Windows, Active Directory & Exchange. All that kind of stuff…..
  • PowerShell Active Directory Cmdlets in Windows Server 2008 R2

    Posted on April 16th, 2009 Jonathan Medd 3 comments

    A lot of the scripting I have done with PowerShell has been around managing Active Directory and up till now the majority of that work has been with the Quest AD cmdlets which are brilliant for this job. Of course not everyone is always able to install third-party cmdlets into their environment and for other reasons I have been as keen as anyone to see native cmdlets released for AD.

    A month or so ago at a UK Technet event I saw James O’Neill carry out a demo of the AD cmdlets which will ship as part of Windows Server 2008 R2. They looked so good I had to check them out straight away and downloaded the beta of Server 2008 R2. I was so impressed I ended up changing what I was originally intending to present for March’s UK Powershell UserGroup so that I could share with people the good stuff that is coming. If you currently use Powershell to manage AD (or even if you are just using the current GUI tools) you should definitely start checking these cmdlets out so you are ready to take advantage of them as soon as possible. The best place to currently find out information about them is the Active Directory Powershell Blog – Pipelining AD One Object at a Time. There is some great info here on what is currently available and the direction it is headed.

    I’ll give you a tip to help getting started with the cmdlets since some of the inline help is slightly behind the development of the cmdlets. There is a cmdlet for managing user accounts, Get-ADUser, which returns about 10 properties for a user account by default. (Note Quest regulars: this is a fair bit less than what you have been used to.) There is a parameter ‘-properties’ which you can use to specify particular attributes for a user account or all of them in one go. The inline help says you should use ‘-properties extended’ or ‘-properties all’ to retrieve more than the default set. However, trying this out in the beta causes an error and fails to return anything for the user account.

    Since the AD blog previously mentioned has a contact form I thought I would drop them a quick note about this and was pleased to receive a very prompt response from one of the developers that they had changed the format to be ‘-properties *’, but hadn’t updated the help in time for the beta release. So you would use something like this:

    Get-ADUser username -Properties *

    Easy when you know how ;-)

    Finally for now, another way you can find out more information about the AD cmdlets is by listening to a recent episode of the PowerScripting podcast which featured PowerShell MVP Brandon Shell who is an expert at scripting around AD, has recently spent some time with the AD team and helped point them in the right direction for what we want to get out of these cmdlets.

     

    3 responses to “PowerShell Active Directory Cmdlets in Windows Server 2008 R2”

    • Hi Jonathan,

      I must have a look at Windows 2008 R2 once I get a VM up.

      In the meantime do the new Cmdlets make it easier to manipulate a search than Quest?

      For example:

      $oUser = get-qaduser -name 'Smith, John'

      Now I may have zero, one or many John Smiths and using Quest it is not that easy to write an If…else statement based on Count.

      Paul

    • Hey Paul,

      The Get-ADUser cmdlet has an identity parameter however it requires a domain unique value to use, e.g. the samAccountname so something like:

      Get-ADUser JSmith

      would return one of the John Smiths in your environment who had JSmith for the samAccountname, but wouldn’t return any other John Smiths.

      Get-ADUser 'John Smith'

      will fail to return any results (unless it matches a samAccountname value)

      From the help these are the possible values for the Identity parameter:

      -Identity []
      Specifies an Active Directory user object by providing one of the following property values:
      Distinguished Name
      Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com
      GUID (objectGUID)
      Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
      Security Identifier (objectSid)
      Example: S-1-5-21-3165297888-301567370-576410423-1103
      SAM User Name (sAMUserName)
      Example: saradavis
      User Principal Name (userPrincipalName)
      Example: SaraDavis@corp.contoso.com
      Canonical Name (canonicalName)
      Example: corp.contoso.com/Users/Europe/SaraDavis

      However, you can carry out searches like this:

      PS C:\Users\Jonathan> Get-ADUser -Filter {Name -like "*John*"}

      The results will obviously be dependent on your naming convention.

      Surname : Smith
      Name : John Smith
      UserPrincipalName : user1@springfield.local
      GivenName : John
      SamAccountName : user1
      ObjectClass : user
      SID : S-1-5-21-2833069418-2003798848-2456702638-1104
      ObjectGUID : b09a8b44-3239-4d86-ada0-3d85c3865190
      DistinguishedName : CN=John Smith,OU=Users,OU=Resources,DC=springfield,DC=local

      Surname : Smith
      Name : John D. Smith
      UserPrincipalName : user2@springfield.local
      GivenName : John
      SamAccountName : user2
      ObjectClass : user
      SID : S-1-5-21-2833069418-2003798848-2456702638-1106
      ObjectGUID : e2b810d7-b883-4a76-b7e9-433ad225addd
      DistinguishedName : CN=John D. Smith,OU=Users,OU=Resources,DC=springfield,DC=local

      Surname : Smith
      Name : John X. Smith
      UserPrincipalName : user3@springfield.local
      GivenName : John
      SamAccountName : user3
      ObjectClass : user
      SID : S-1-5-21-2833069418-2003798848-2456702638-1107
      ObjectGUID : af8ac639-3645-4f86-ab20-966d8a4f1ab6
      DistinguishedName : CN=John X. Smith,OU=Users,OU=Resources,DC=springfield,DC=local

      Hope that helps
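
Paul's zero/one/many question and the -Filter search in the reply above, combined into an added example that is not part of the original post or comments. The function name Find-UniqueADUser and the two extra attributes requested are assumptions; it returns a user only when the name pattern resolves to exactly one account, so a follow-up action cannot land on the wrong John Smith.

```powershell
# Added example: needs the ActiveDirectory module (Windows Server 2008 R2 or RSAT).
Import-Module ActiveDirectory

function Find-UniqueADUser {          # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string]$NamePattern          # wildcard pattern, e.g. '*John*'
    )

    # Request only the extra attributes needed rather than '-Properties *'.
    # Wrapping the call in @() forces an array, so .Count is valid whether
    # the search returns zero, one or many objects.
    $users = @(Get-ADUser -Filter {Name -like $NamePattern} -Properties mail, whenCreated)

    if ($users.Count -eq 0) {
        Write-Warning "No user matches '$NamePattern'."
        return
    }
    elseif ($users.Count -eq 1) {
        # Unambiguous: hand back the single account.
        return $users[0]
    }
    else {
        # Ambiguous: list the candidates and return nothing, so the caller
        # has to pick a domain-unique value for -Identity.
        Write-Warning "$($users.Count) users match '$NamePattern':"
        foreach ($u in $users) {
            Write-Warning ("  {0}  ({1})  {2}" -f $u.Name, $u.SamAccountName, $u.DistinguishedName)
        }
        return
    }
}

# Usage: only continue when the lookup was unambiguous.
$user = Find-UniqueADUser -NamePattern '*John*'
if ($user) {
    # The distinguished name is one of the domain-unique -Identity values.
    Get-ADUser -Identity $user.DistinguishedName -Properties *
}
```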

    • I am not sure where you are getting your info, but good topic. I need to spend some time learning much more or understanding more. Thanks for fantastic info I was looking for this info for my mission.

