2,187
edits
Difference between revisions of "Active Directory (PowerShell)"
Jump to navigation
Jump to search
m
Active Directory (PowerShell) (view source)
Revision as of 15:24, 28 August 2013
, 15:24, 28 August 2013→Computers: Added "Remove-ADComputer"
m (→Groups: Added another Get-ADGroups examples) |
m (→Computers: Added "Remove-ADComputer") |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 83: | Line 83: | ||
</source> | </source> | ||
* '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | * '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | ||
==== Distinguished Name ==== | |||
You can't filter using wildcards for the Distinguished Name filed (see http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/e6f5a98d-62d1-4659-b328-ebab6f546cc4). | |||
As a workaround, do a generic export from AD and pipe it through a <code>Where-Object</code> CmdLet (not that if you have a large number of users in AD this isn't particularly efficient). | |||
<source lang="powershell"> | |||
$users = Get-ADUser -Filter * | Where-Object {$_.DistinguishedName -like "*,CN=OuFolder,*"} | |||
</source> | |||
=== <code>New-ADUser</code> examples === | === <code>New-ADUser</code> examples === | ||
| Line 97: | Line 106: | ||
# Make user account active | # Make user account active | ||
Set-ADUser $Usr -ChangePasswordAtLogon $true -Enabled $true | Set-ADUser $Usr -ChangePasswordAtLogon $true -Enabled $true | ||
</source> | |||
=== <code>Remove-ADUser</code> examples === | |||
It would normally be quite foolhardy to delete a user account that wasn't already disabled. Deletion removes group memberships, file-permissions etc etc. Whilst you can create a new account with the same name, it won't have the same [[Acronyms#S|SID]] so '''it's not the same account'''. | |||
<source lang="powershell"> | |||
Remove-ADUser -Identity $user -Confirm:$false # $user retrieved from Get-ADUser, -Confirm:$false prevents confirmation prompt | |||
</source> | </source> | ||
| Line 134: | Line 149: | ||
== Computers == | == Computers == | ||
To disable a computer account, use <code>Disable-ADAccoun</code> | |||
=== <code>Get-ADComputer</code> examples === | === <code>Get-ADComputer</code> examples === | ||
<source lang="powershell"> | <source lang="powershell"> | ||
| Line 139: | Line 155: | ||
</source> | </source> | ||
* '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | * '''LastLogonDate''' - Be aware that the last logon date field typically has an accuracy/tolerance of 14 days, AD intentionally doesn't update the field at every logon from the user/device object so as to reduce the amount of data replication between domain controllers | ||
=== <code>Remove-ADComputer</code> examples === | |||
<source lang="powershell"> | |||
Remove-ADComputer -Identity $computer -Confirm:$false | |||
</source> | |||
== Organisation Unit == | == Organisation Unit == | ||