= PowerShell AD Management =

**Summary**: How to manage ActiveDirectory with powershell. \\
**Date**: Around 2011 \\
**Refactor**: 22 March 2025: Checked links and formatting. \\
{{tag>powershell ad}}

= Import ActiveDirectory Module =

To import the AD module for powershell issue this command:
<code powershell>
import-module activedirectory
</code>

> Note: [[http://technet.microsoft.com/en-us/library/dd378937%28WS.10%29.aspx|You need to be on Windows Server 2008 R2 for this]]

== Get User Data ==

To see the full info for an AD account issue this command:
<code powershell>
Get-ADUser <accountname> -properties *
</code>

= Quest AD Management CMDLETs =

Quest (part of Dell by the way) also provides some seriously well created commandlets, which can be downloaded [[http://www.quest.com/powershell/activeroles-server.aspx|here]]. Just download the "Quest One ActiveRoles Management Shell for Active Directory 32-bit - Zip" file (version 1.6.0) and install (as an administrator).

After installation you can start the shell and use the commandlets.

== Connect to Different Domain ==

By default the domain you authenticate or are installed on will be used. If you want another domain use the service parameter:
<code powershell>
get-qadgroup groupname -service dc.domain.local:389
</code>

== Examples ==

These are some examples I used in an AD migration project:

Script example:
<code powershell>
# Author: Sjoerd Hooft
# Purpose script: This script collects all groups in the new domain that have a groupmember in the old domain

$timestamp = Get-Date -format "yyyyMMdd-HH.mm"
$csvfile = "F:\qadgroups-$timestamp.csv"
$myCol = @()

ForEach ($adgroup in (Get-QADgroup -SizeLimit 0)){

$name = $adgroup.Name
Write-Host "Now processing $name"

ForEach ($member in (Get-QADGroupMember $adgroup -SizeLimit 0 | where {$_.Type -eq "group"} | where {$_.DN -match "olddomain"})){

$groupinfo = "" | Select ParentName,ParentDN,MemberName,MemberDN

$groupinfo.ParentName = $adgroup.Name
$groupinfo.ParentDN = $adgroup.DN
$groupinfo.MemberName = $member.Name
$groupinfo.MemberDN =$member.DN

$myCol += $groupinfo
}}

$mycol | export-csv -notypeinformation $csvfile
</code>

These onliners collect all groups based on grouptype:
<code powershell>
get-qadgroup -SizeLimit 0 -Service 'dc.olddomain:389' | where {$_.ParentcontainerDN -ne "CN=Builtin,DC=olddomain"} | where {$_.ParentcontainerDN -ne "CN=Users,DC=olddomain"}| where {$_.ParentcontainerDN -ne "OU=SMS,DC=olddomain"}| where {$_.groupscope -eq "DomainLocal"} | select Name | sort Name | Export-Csv -notypeinformation "F:\ad-groups-olddomain-domainlocal.csv"

get-qadgroup -SizeLimit 0 -Service 'dc.olddomain:389' | where {$_.ParentcontainerDN -ne "CN=Builtin,DC=olddomain"} | where {$_.ParentcontainerDN -ne "CN=Users,DC=olddomain"}| where {$_.ParentcontainerDN -ne "OU=SMS,DC=olddomain"}| where {$_.groupscope -eq "global"} | select Name | sort Name | Export-Csv -notypeinformation "F:\ad-groups-olddomain-global.csv"

get-qadgroup -SizeLimit 0 -Service 'dc.olddomain:389' | where {$_.ParentcontainerDN -ne "CN=Builtin,DC=olddomain"} | where {$_.ParentcontainerDN -ne "CN=Users,DC=olddomain"}| where {$_.ParentcontainerDN -ne "OU=SMS,DC=olddomain"}| where {$_.groupscope -eq "universal"} | select Name | sort Name | Export-Csv -notypeinformation "F:\ad-groups-olddomain-universal.csv"

get-qadgroup -SizeLimit 0 | where {$_.ParentcontainerDN -ne "CN=Builtin,DC=newdomain"} | where {$_.ParentcontainerDN -ne "CN=Users,DC=newdomain"}| where {$_.ParentcontainerDN -ne "OU=SMS,DC=newdomain"}| where {$_.groupscope -eq "universal"} | select Name | sort Name | Export-Csv -notypeinformation "F:\ad-groups-newdomain-universal.csv"
</code>