Main - Powershell Active Directory Cheat Sheet

Uploaded by

demy2014
Active Directory PowerShell Quick Reference

Getting Started

To add the Active Directory module:
Import-Module activedirectory

Get a list of AD Commands:
Get-Command -Module activedirectory

For help with a cmdlet, type:
Get-Help Get-ADUser -Full

Forests and Domains

To see Forest details:
Get-ADForest test.local

To see Domain details:
Get-ADDomain test.local

To raise the Forest functional level:
Set-ADForestMode -Identity test.local -ForestMode Windows2008R2Forest

To raise the Domain functional level:
Set-ADDomainMode -Identity test.local -DomainMode Windows2008R2Domain

Get the rootDSE from the default domain controller:
Get-ADRootDSE

Move FSMO roles:
Move-ADDirectoryServerOperationMasterRole -Identity "TESTDC" -OperationMasterRole PDCEmulator,SchemaMaster

User Account Tasks

To see user account details:
Get-ADUser -Identity 'JoeBloggs'

To search for a user:
Get-ADUser -Filter 'Name -like "Joe Bloggs"'

Or search for users in a particular OU:
Get-ADUser -Filter * -SearchBase "OU=Sales,OU=Users,DC=test,DC=local"

To see additional properties, not just the default set:
Get-ADUser -Identity 'JoeBloggs' -Properties Description,Office

To see all the user properties, not just default set:
Get-ADUser -Identity 'JoeBloggs' -Properties *

To create a new user:
New-ADUser -Name "Joe Bloggs" -SamAccountName "JoeBloggs" -GivenName "Joe" -Surname "Bloggs" -DisplayName "Joe Bloggs" -Path 'OU=Users,OU=Sales,DC=test,DC=local' -OtherAttributes @{'Title'="Sales Manager"} -AccountPassword (Read-Host -AsSecureString "AccountPassword") -Enabled $true

To change the properties of a user:
Set-ADUser -Identity JoeBloggs -City London -Remove @{otherMailbox="Joe.Bloggs"} -Add @{url="test.local"} -Replace @{title="manager"} -Clear description

Recycle Bin

To enable the 'AD Recycle Bin' feature:
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'test.local'

To restore an AD Account from the Recycle Bin:
Get-ADObject -Filter 'samaccountname -eq "JoeBloggs"' -IncludeDeletedObjects | Restore-ADObject

Service Accounts

To see AD Service Accounts:
Get-ADServiceAccount -Filter *

To create a new AD Service Account:
New-ADServiceAccount -Name "Service1" -SamAccountName "Service1" -DisplayName "Service1" -AccountPassword (Read-Host -AsSecureString "AccountPassword") -Enabled $true

Install an existing AD service account on the local computer and make the required changes so that the password can be periodically reset by the computer:
Install-ADServiceAccount -Identity 'Service1'

Uninstall an existing AD service account on the local computer:
Uninstall-ADServiceAccount -Identity 'Service1'

To reset the AD Service Account password on the local computer:
Reset-ADServiceAccountPassword -Identity 'Service1'

Other Cmdlets

Add-ADComputerServiceAccount
Get-ADComputerServiceAccount
Remove-ADComputerServiceAccount
Remove-ADServiceAccount
Set-ADServiceAccount
Add-ADDomainControllerPasswordReplicationPolicy
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicyUsage
Remove-ADDomainControllerPasswordReplicationPolicy
Remove-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicySubject
Set-ADFineGrainedPasswordPolicy
Add-ADPrincipalGroupMembership
Get-ADPrincipalGroupMembership
Remove-ADPrincipalGroupMembership
Disable-ADOptionalFeature
Get-ADOptionalFeature
Get-ADObject
Move-ADObject
New-ADObject
Remove-ADObject
Rename-ADObject
Set-ADObject
Set-ADOrganizationalUnit
Remove-ADOrganizationalUnit
Get-ADUserResultantPasswordPolicy
Remove-ADUser
Get-ADAccountAuthorizationGroup
Get-ADDomainController
Move-ADDirectoryServer
Remove-ADGroupMember
Search-ADAccount
Set-ADAccountControl
Set-ADComputer
Set-ADDomain
Set-ADForest

Password Policies

To see the Default Domain Password Policy:
Get-ADDefaultDomainPasswordPolicy -Identity test.local

To change the properties of the Default Domain Password Policy:
Set-ADDefaultDomainPasswordPolicy -Identity test.local -LockoutDuration 00:40:00 -LockoutObservationWindow 00:20:00 -MaxPasswordAge 10.00:00:00 -MinPasswordLength 8

To create a new Fine-Grained Password Policy:
New-ADFineGrainedPasswordPolicy -Name "Standard Users PSO" -Precedence 500 -ComplexityEnabled $true -Description "Standard Users Password Policy" -DisplayName "Standard Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10

To see all Fine-Grained Password Policies:
Get-ADFineGrainedPasswordPolicy -Filter {name -like "*"}

To apply a Fine-Grained Password Policy to a group of users:
Add-ADFineGrainedPasswordPolicySubject 'Standard Users PSO' -Subjects 'Standard Users'

To see which users have been applied to a Fine-Grained Password Policy:
Get-ADFineGrainedPasswordPolicySubject -Identity 'Standard Users PSO'

Group Tasks

To see group details:
Get-ADGroup -Identity 'SalesUsers'

To create a new group:
New-ADGroup -Name "Sales Users" -SamAccountName SalesUsers -GroupCategory Security -GroupScope Global -DisplayName 'Sales Users' -Path "OU=Groups,OU=Resources,DC=test,DC=local" -Description "All Sales Users"

To change the properties of a group:
Set-ADGroup -Identity 'SalesUsers' -GroupCategory Distribution -GroupScope Universal -ManagedBy 'JoeBloggs' -Clear Description

To remove a group:
Remove-ADGroup -Identity 'SalesUsers' -Confirm:$false

To see group members:
Get-ADGroupMember -Identity 'SalesUsers' -Recursive

To add group members:
Add-ADGroupMember -Identity 'SalesUsers' -Members JoeBloggs,SarahJane

To remove group members:
Remove-ADGroupMember -Identity 'SalesUsers' -Members JoeBloggs,SarahJane

User Account Security

To disable a user account:
Disable-ADAccount -Identity JoeBloggs

To enable a user account:
Enable-ADAccount -Identity JoeBloggs

To set the expiration date for a user account:
Set-ADAccountExpiration -Identity JoeBloggs -DateTime "10/18/2008"

To clear the expiration date for a user account:
Clear-ADAccountExpiration -Identity JoeBloggs

To change the password for a user account:
Set-ADAccountPassword -Identity JoeBloggs -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force)

To unlock a user account:
Unlock-ADAccount -Identity JoeBloggs

Computer Account Tasks

To see computer account details:
Get-ADComputer -Filter 'Name -like "Server01"'

To create a new computer account:
New-ADComputer -Name "Server01" -SamAccountName "Server01" -Path "OU=Computers,OU=Resources,DC=test,DC=local" -Enabled $true -Location "London"

To remove a computer account:
Remove-ADComputer -Identity "Server01" -Confirm:$false

Organisational Unit Tasks

To see OU details:
Get-ADOrganizationalUnit -Identity 'OU=Users,OU=Sales,DC=test,DC=local'

To create a new OU:
New-ADOrganizationalUnit -Name Users -Path 'OU=Marketing,DC=test,DC=local'
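
The password change under User Account Security passes the new password as a literal string, which leaves it in console history and in any script that copies the line. A prompting version follows as an added example that is not part of the original sheet; the function name Reset-UserPasswordSafely is hypothetical, and forcing a change at next logon and clearing a lockout are assumptions about what the operator wants.

```powershell
#Requires -Modules ActiveDirectory

function Reset-UserPasswordSafely {   # hypothetical helper name, not an AD cmdlet
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity,              # sAMAccountName, DN, GUID or SID

        # Mandatory SecureString: when omitted, PowerShell prompts with masked
        # input, so the value is never typed on the command line or stored in
        # the script source.
        [Parameter(Mandatory = $true)]
        [System.Security.SecureString]$NewPassword
    )

    # Resolve the account first so a typo fails before anything is changed.
    $user = Get-ADUser -Identity $Identity -Properties LockedOut -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword -ErrorAction Stop

        # The operator knows this password, so make the user replace it.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true

        # A reset does not clear an existing lockout by itself.
        if ($user.LockedOut) {
            Unlock-ADAccount -Identity $user
        }
    }

    # Return the resulting account state for the change record.
    Get-ADUser -Identity $user -Properties LockedOut, PasswordLastSet, PasswordExpired |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordLastSet, PasswordExpired
}

# Constructed usage: 'JoeBloggs' is the sample account used on this page.
# Reset-UserPasswordSafely -Identity JoeBloggs -WhatIf
```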
