Inside the new PowerShell 2.0 commands for Active Directory

Windows Server 2008 R2 comes with a bevy of new PowerShell cmdlets for managing AD. Here is a rundown of the key commands, with details on how they work and when to use them.

We have spent the past few months learning about Windows PowerShell, but this month I decided to take a little break from the basics and start a multi-part series on managing Active Directory (AD) with PowerShell. In this two-part article we will look at the different vendors that provide AD cmdlets and how they work.

Microsoft Active Directory is one of those things that almost every admin has to work with to some degree, ranging from full AD management to simple consumption of Active Directory. Whatever your experience is with AD, there is a PowerShell cmdlet for you. These cmdlets are provided by two major vendors: Microsoft and Quest Software.

Before we start down the rabbit hole of Active Directory PowerShell cmdlets, it's important to understand the different scopes of management that admins often encounter when it comes to AD. These can be broken into two basic categories: object management and infrastructure (see the sidebar below for a detailed explanation of each).

With those fundamentals of AD management understood, we can take a detailed look at the Microsoft Active Directory cmdlets that ship with Windows 7 and Server 2008 R2, including what is required to run them, how they work, and some examples to get you on your way.

The different scopes of AD management

Object management

Objects are the foundation and purpose of Active Directory and are where AD stores the data you provide. There are different types of objects, but the three basic objects most admins deal with are:

• User - an object that stores information about a user
• Computer - an object that stores information about a computer
• Group - an object that stores a relationship between groups of objects

Some examples of object management include searching Active Directory for an object, adding users, setting passwords, deleting computers, and adding a member to a group.

Infrastructure

Infrastructure refers to the things that make Active Directory work. Below is a list of some of the components of AD that comprise its infrastructure:

• Forest - A collection of trees (a group of one or more domains). These domains must maintain a single configuration and schema.
• Domain - A collection of objects that share a common namespace and authentication realm.
• Site - A collection of computers that share a common subnet defined by an Active Directory object.
• Domain controller (DC) - The principal authority for the domain, responsible for authentication and access to domain resources.
• Partitions - A logical segmentation of a group of objects. The three main partitions in Active Directory are domain, configuration and schema.

Some examples of infrastructure management include finding a DC, setting an operations master role, creating a site, forcing replication, and checking replication.

Before we dive directly into the cmdlets, it is important to know the initial requirements that must be met in order to manage Active Directory with Windows PowerShell. First, you need to have at least one domain controller with Active Directory Web Service (AD WS) or Active Directory Management Gateway Services (AD MGS). Both of these services do basically the same thing, with the only difference being that AD Web Services ships with Windows Server 2008 R2, while AD MGS is an update for Windows 2003 and 2008 domain controllers. This is very important because the Active Directory cmdlets use AD WS/AD MGS to communicate with the domain.

Second, you must have a Windows 7 or Windows Server 2008 R2 client because the DC Locator process was updated to discover AD Web Services and has not been back-ported to older clients.

Here is the process flow for Active Directory PowerShell cmdlet queries:

        [Client] cmdlet -> AD WS -> Query DC
        DC -> AD WS -> cmdlet

The cmdlet on the client sends the query to AD Web Services, which runs on the domain controller and queries the domain using its own protocol. The DC formulates the response and sends it back to the client via AD Web Services; the whole exchange between client and AD WS is wrapped in a Web Services protocol.

While we don't have the time or space to cover all of the cmdlets offered by Microsoft (we are talking a small book's worth of material here), we can take a look at a few of the key ones for both Active Directory management categories.

Object management cmdlets for Active Directory

Get-ADUser - gets a specific user object or does a search for user objects that match the query

        # Get the user account for a user with sAMAccountName of bsonposh
        Get-ADUser bsonposh

        # Get all the users that have the last name Shell using the friendly filter syntax
        Get-ADUser -Filter "sn -eq 'shell'"

        # Get all the users that have the last name Shell using an LDAP filter
        Get-ADUser -LDAPFilter "(sn=shell)"

    For more examples:
        Get-Help Get-ADUser -Example

Get-ADComputer - gets a specific computer object or does a search for computer objects that match the query

        # Get all the computers in a given OU
        Get-ADComputer -SearchBase "OU=XenDesktop,DC=Dev,DC=Lab" -Filter *

        # Get all the computers without a given DNS suffix
        # (dev.lab is the lab domain used elsewhere in this article; substitute your own suffix)
        Get-ADComputer -Filter "dnsHostName -notlike '*.dev.lab'"

        # Find computers that have logged on in the last 30 days
        # Note: lastLogonTimestamp is replicated, but by default it is only rewritten when
        # the stored value is more than 14 days old, so treat the result as approximate
        $lastLogon = (Get-Date).AddDays(-30).ToFileTime()
        Get-ADComputer -Filter {lastLogonTimestamp -gt $lastLogon}

    For more examples:
        Get-Help Get-ADComputer -Example

Get-ADGroup - gets a specific group object or does a search for group objects that match the query

        # List all the Universal Groups
        Get-ADGroup -Filter {GroupScope -eq 'Universal'}

        # Get the group members
        Get-ADGroup "Domain Admins" -Properties member | Select-Object -ExpandProperty member

        # This is even easier if you use Get-ADGroupMember
        Get-ADGroupMember "Domain Admins"

        # Find empty groups
        Get-ADGroup -Filter {Member -notlike '*'}

    For more examples:
        Get-Help Get-ADGroup -Example
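The three object-management cmdlets above are most useful when combined into a routine review. The following script is an added example and is not code from the original article: it uses Get-ADGroupMember, Get-ADUser, Get-ADGroup and Search-ADAccount (from the module's cmdlet list) to write four small CSV reports that a defender would actually look at: effective membership of the privileged groups, enabled users whose passwords never expire, computers that have gone quiet, and empty groups. It assumes the ActiveDirectory module (Windows 7 RSAT or Server 2008 R2) and a reachable DC running AD WS; `$ReportDir`, `$StaleDays` and `$PrivilegedGroups` are names chosen for this example.

```powershell
# Added example, not code from the original article. An account-hygiene report built
# from the object-management cmdlets above. Assumes the ActiveDirectory module (Windows 7
# RSAT or Server 2008 R2) and a reachable DC running AD WS. $ReportDir, $StaleDays and
# $PrivilegedGroups are names chosen for this example.
Import-Module ActiveDirectory

$ReportDir        = Join-Path $env:TEMP 'ad-review'
$StaleDays        = 90
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Effective membership of the privileged groups. -Recursive expands nested groups,
#    which is where membership tends to hide from a plain Get-ADGroupMember call.
#    Enterprise/Schema Admins only exist in the forest root domain, so tolerate a miss.
$privileged = foreach ($groupName in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Group             = $groupName
                Member            = $_.SamAccountName
                ObjectClass       = $_.ObjectClass
                DistinguishedName = $_.DistinguishedName
            }
        }
}
$privileged | Export-Csv (Join-Path $ReportDir 'privileged-members.csv') -NoTypeInformation

# 2. Enabled users whose passwords never expire. PasswordNeverExpires is one of the
#    module's friendly attributes and is accepted directly in -Filter.
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
           -Properties PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate, DistinguishedName |
    Export-Csv (Join-Path $ReportDir 'password-never-expires.csv') -NoTypeInformation

# 3. Computers with no logon in $StaleDays days. Same idea as the lastLogonTimestamp
#    filter above, but Search-ADAccount does the FileTime arithmetic for you.
#    lastLogonTimestamp replicates lazily (14-day granularity by default), so this is a
#    review list, not a deletion list.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -ComputersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, LastLogonDate, DistinguishedName |
    Export-Csv (Join-Path $ReportDir 'stale-computers.csv') -NoTypeInformation

# 4. Groups with no members at all (the article's -notlike '*' filter). Empty resource
#    groups are usually leftovers from decommissioned systems.
Get-ADGroup -Filter { Member -notlike '*' } |
    Select-Object Name, GroupScope, GroupCategory, DistinguishedName |
    Export-Csv (Join-Path $ReportDir 'empty-groups.csv') -NoTypeInformation

# Row counts per report; the CSV header line is not a record, hence the -1
Get-ChildItem $ReportDir -Filter *.csv | ForEach-Object {
    $rows = (Get-Content $_.FullName | Measure-Object).Count - 1
    "{0,-28} {1,6} rows" -f $_.Name, [Math]::Max(0, $rows)
}
```

Run it from a Windows 7 or 2008 R2 machine with the RSAT AD module, and keep the CSVs: the privileged-members report is only interesting when you can diff it against last month's copy, and the stale-computer list should be reviewed with the owners before anything is disabled, because of the replication lag noted in the comments.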

Infrastructure cmdlets for Active Directory

Get-ADForest - returns the current forest

        # Get the current forest
        Get-ADForest

        # Get the forest for the current user
        Get-ADForest -Current LoggedOnUser

        # Get the forest for the current computer
        Get-ADForest -Current LocalComputer

    For more examples:
        Get-Help Get-ADForest -Example

Get-ADDomain - returns the current domain

        # Get the current domain
        Get-ADDomain

        # Get a specific domain
        Get-ADDomain dev.lab

        # Get the user domain
        Get-ADDomain -Current LoggedOnUser

    For more examples:
        Get-Help Get-ADDomain -Example

Get-ADDomainController - returns a domain controller object that matches the parameters passed

        # Get the domain controller the current session is connected to
        Get-ADDomainController

        # Get the read-only domain controllers
        Get-ADDomainController -Filter {IsReadOnly -eq $true}

        # Find DCs hosting Active Directory Web Services
        Get-ADDomainController -Service ADWS -Discover

        Note: The following parameters require the -Discover parameter as
          well: Service, SiteName, DomainName, NextClosestSite, AvoidSelf,
          and ForceDiscover

    For more examples:
        Get-Help Get-ADDomainController -Example

Get-ADRootDSE - returns the RootDSE, either from a discovered domain controller or from a server you specify. You can think of the RootDSE as the entry point into the directory: it provides basic information about the directory that resides on the target or discovered server.

        # Discover the RootDSE
        Get-ADRootDSE

        # Get the RootDSE on a specific server (DC)
        Get-ADRootDSE -Server Core.Dev.Lab

    For more examples:
        Get-Help Get-ADRootDSE -Example
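The infrastructure cmdlets above each answer one question; the value comes from chaining them. The following function is an added example and is not code from the original article: it discovers a writable DC that hosts AD WS (the -Discover parameter set with the companion switches the note above lists), then pins every later Get-ADRootDSE, Get-ADDomain, Get-ADForest and Get-ADDomainController call to that one server with -Server, so the operations master roles, functional levels, read-only DCs and sync state in the snapshot all come from the same replica. It assumes the ActiveDirectory module and a DC running AD WS; the function name `Get-ADInfrastructureSnapshot` and its `$Server` parameter are chosen for this example.

```powershell
# Added example, not code from the original article. Discovers a usable DC with -Discover,
# then pins every later query to it with -Server so the whole snapshot comes from one
# replica. Assumes the ActiveDirectory module and a DC running AD WS; the function name
# Get-ADInfrastructureSnapshot is chosen for this example.
Import-Module ActiveDirectory

function Get-ADInfrastructureSnapshot {
    param(
        # Optional: pin to a specific DC instead of discovering one
        [string]$Server
    )

    if (-not $Server) {
        # Discovery goes through the DC Locator, so the client's own site is preferred.
        # -Service, -Writable, -NextClosestSite and -ForceDiscover all need -Discover.
        $dc = Get-ADDomainController -Discover -Service ADWS -Writable -NextClosestSite -ForceDiscover
        $Server = $dc.HostName[0]
    }

    # RootDSE is the entry point described above; no naming context is needed to read it
    $root   = Get-ADRootDSE -Server $Server
    $domain = Get-ADDomain  -Server $Server
    $forest = Get-ADForest  -Server $Server

    # Operations master (FSMO) role holders come from the domain and forest objects
    $fsmo = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }

    # Read-only DCs, asked of the same server so the answer matches the rest
    $rodcs = Get-ADDomainController -Server $Server -Filter { IsReadOnly -eq $true } |
             ForEach-Object { [string]$_.HostName }

    # RootDSE booleans arrive as the strings TRUE/FALSE, so compare rather than cast
    New-Object PSObject -Property @{
        QueriedServer        = $Server
        IsSynchronized       = ([string]$root.isSynchronized -eq 'TRUE')
        IsGlobalCatalogReady = ([string]$root.isGlobalCatalogReady -eq 'TRUE')
        DomainFunctionality  = $root.domainFunctionality
        ForestFunctionality  = $root.forestFunctionality
        DefaultNamingContext = $root.defaultNamingContext
        DomainMode           = $domain.DomainMode
        ForestMode           = $forest.ForestMode
        FsmoRoles            = $fsmo
        ReadOnlyDCs          = @($rodcs)
        WritableDCs          = @($domain.ReplicaDirectoryServers)
    }
}

# Usage: one snapshot per run; keep them and diff over time to notice role moves or new DCs
Get-ADInfrastructureSnapshot | Format-List
```

Pinning to one DC matters because replication lag means two DCs can legitimately disagree for a while; two snapshots taken from the same replica are comparable, two taken from whichever DC the locator happened to pick are not. The isSynchronized value from the RootDSE tells you whether that DC has finished its initial synchronization, which is worth checking before trusting anything else it reports.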

Here is a list of all the PowerShell cmdlets provided with the Active Directory module:

  • Add-ADComputerServiceAccount
  • Add-ADDomainControllerPasswordReplicationPolicy
  • Add-ADFineGrainedPasswordPolicySubject
  • Add-ADGroupMember
  • Add-ADPrincipalGroupMembership
  • Clear-ADAccountExpiration
  • Disable-ADAccount
  • Disable-ADOptionalFeature
  • Enable-ADAccount
  • Enable-ADOptionalFeature
  • Get-ADAccountAuthorizationGroup
  • Get-ADAccountResultantPasswordReplicationPolicy
  • Get-ADComputer
  • Get-ADComputerServiceAccount
  • Get-ADDefaultDomainPasswordPolicy
  • Get-ADDomain
  • Get-ADDomainController
  • Get-ADDomainControllerPasswordReplicationPolicy
  • Get-ADDomainControllerPasswordReplicationPolicyUsage
  • Get-ADFineGrainedPasswordPolicy
  • Get-ADFineGrainedPasswordPolicySubject
  • Get-ADForest
  • Get-ADGroup
  • Get-ADGroupMember
  • Get-ADObject
  • Get-ADOptionalFeature
  • Get-ADOrganizationalUnit
  • Get-ADPrincipalGroupMembership
  • Get-ADRootDSE
  • Get-ADServiceAccount
  • Get-ADUser
  • Get-ADUserResultantPasswordPolicy
  • Install-ADServiceAccount
  • Move-ADDirectoryServer
  • Move-ADDirectoryServerOperationMasterRole
  • Move-ADObject
  • New-ADComputer
  • New-ADFineGrainedPasswordPolicy
  • New-ADGroup
  • New-ADObject
  • New-ADOrganizationalUnit
  • New-ADServiceAccount
  • New-ADUser
  • Remove-ADComputer
  • Remove-ADComputerServiceAccount
  • Remove-ADDomainControllerPasswordReplicationPolicy
  • Remove-ADFineGrainedPasswordPolicy
  • Remove-ADFineGrainedPasswordPolicySubject
  • Remove-ADGroup
  • Remove-ADGroupMember
  • Remove-ADObject
  • Remove-ADOrganizationalUnit
  • Remove-ADPrincipalGroupMembership
  • Remove-ADServiceAccount
  • Remove-ADUser
  • Rename-ADObject
  • Reset-ADServiceAccountPassword
  • Restore-ADObject
  • Search-ADAccount
  • Set-ADAccountControl
  • Set-ADAccountExpiration
  • Set-ADAccountPassword
  • Set-ADComputer
  • Set-ADDefaultDomainPasswordPolicy
  • Set-ADDomain
  • Set-ADDomainMode
  • Set-ADFineGrainedPasswordPolicy
  • Set-ADForest
  • Set-ADForestMode
  • Set-ADGroup
  • Set-ADObject
  • Set-ADOrganizationalUnit
  • Set-ADServiceAccount
  • Set-ADUser
  • Uninstall-ADServiceAccount
  • Unlock-ADAccount

You can find even more information on AD cmdlets by checking out the Active Directory PowerShell Team Blog. An upcoming article will move forward by focusing on the free Quest Active Directory cmdlets that are available. Once again I will discuss what is required to run them and how they work, and then provide some examples to help you get started with Quest AD cmdlets.


Brandon Shell has been in the IT industry since 1994. He started out as a PC tech and general fix-it guy for numerous companies. In 2007, he joined the PowerShell MVP ranks, and Shell has spent the past several years building his PowerShell knowledge and helping others build theirs.
