2,187
edits
Difference between revisions of "Active Directory (PowerShell)"
Jump to navigation
Jump to search
m
Active Directory (PowerShell) (view source)
Revision as of 15:24, 28 August 2013
, 15:24, 28 August 2013→Computers: Added "Remove-ADComputer"
(→Getting Started: Added Credentials) |
m (→Computers: Added "Remove-ADComputer") |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 83: | Line 83: | ||
</source> | </source> | ||
* '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | * '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | ||
==== Distinguished Name ==== | |||
You can't filter using wildcards for the Distinguished Name filed (see http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/e6f5a98d-62d1-4659-b328-ebab6f546cc4). | |||
As a workaround, do a generic export from AD and pipe it through a <code>Where-Object</code> CmdLet (not that if you have a large number of users in AD this isn't particularly efficient). | |||
<source lang="powershell"> | |||
$users = Get-ADUser -Filter * | Where-Object {$_.DistinguishedName -like "*,CN=OuFolder,*"} | |||
</source> | |||
=== <code>New-ADUser</code> examples === | === <code>New-ADUser</code> examples === | ||
| Line 97: | Line 106: | ||
# Make user account active | # Make user account active | ||
Set-ADUser $Usr -ChangePasswordAtLogon $true -Enabled $true | Set-ADUser $Usr -ChangePasswordAtLogon $true -Enabled $true | ||
</source> | |||
=== <code>Remove-ADUser</code> examples === | |||
It would normally be quite foolhardy to delete a user account that wasn't already disabled. Deletion removes group memberships, file-permissions etc etc. Whilst you can create a new account with the same name, it won't have the same [[Acronyms#S|SID]] so '''it's not the same account'''. | |||
<source lang="powershell"> | |||
Remove-ADUser -Identity $user -Confirm:$false # $user retrieved from Get-ADUser, -Confirm:$false prevents confirmation prompt | |||
</source> | </source> | ||
| Line 103: | Line 118: | ||
<source lang="powershell"> | <source lang="powershell"> | ||
$group = Get-ADGroup "Operations Supervisors" # Get the "Operations Supervisors" group | $group = Get-ADGroup "Operations Supervisors" # Get the "Operations Supervisors" group | ||
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase "OU=Groups,DC=DOMAIN,DC=COM" | $groups = Get-ADGroup -Filter 'Name -like "*Operations*"' # Get all security groups with Operations in the title | ||
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase "OU=Groups,DC=DOMAIN,DC=COM" # Get all security groups in the Groups OU | |||
</source> | |||
=== Copy Users From Existing Group === | |||
The script below copies users from an existing group and adds them to another group (existing users in the group are unaffected). | |||
<source lang="powershell"> | |||
$Src_Group = "Source Group Name" | |||
$Dst_Group = "Destination Group Name" | |||
$Users = Get-ADGroupMember $Src_Group | |||
Add-ADGroupMember -Identity $Dst_Group -Members $Users -Credential (Get-Credential) | |||
</source> | </source> | ||
| Line 124: | Line 149: | ||
== Computers == | == Computers == | ||
To disable a computer account, use <code>Disable-ADAccoun</code> | |||
=== <code>Get-ADComputer</code> examples === | === <code>Get-ADComputer</code> examples === | ||
<source lang="powershell"> | <source lang="powershell"> | ||
| Line 129: | Line 155: | ||
</source> | </source> | ||
* '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | * '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | ||
=== <code>Remove-ADComputer</code> examples === | |||
<source lang="powershell"> | |||
Remove-ADComputer -Identity $computer -Confirm:$false | |||
</source> | |||
== Organisation Unit == | == Organisation Unit == | ||