Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


September 2008

Managing AD User Accounts with PowerShell

Use free AD cmdlets to find, report on, create, and modify user accounts

Active Directory (AD) is a vital part of the Windows enterprise infrastructure. Although Windows PowerShell scripting is available for Windows Server, PowerShell doesn’t include AD cmdlets. To address this need, you can download a free set of AD cmdlets (www.quest.com/activeroles-server/arms.aspx) that let you easily perform basic user account operations. These cmdlets hide the complexities associated with using Active Directory Service Interfaces (ADSI). You can use the cmdlets with Active Directory Domain Services (AD DS) or Active Directory Lightweight Domain Services (AD LDS).

You can install the AD cmdlets on any computer running PowerShell. They can be used remotely with any AD domain controller (DC) in a network.

When you install the cmdlets, the ActiveRoles Management Shell for Active Directory shortcut is added to your Start menu. Clicking this shortcut starts a shell in which you can run the AD cmdlets as well as PowerShell’s default set of cmdlets. From this shell, you can easily perform such tasks as finding a user account, finding and reporting on groups of user accounts, modifying user properties, modifying user accounts, and creating user accounts.

Finding a User Account
Finding a user account isn’t easy in VBScript code. When you don’t know the user’s distinguished name (DN), you need to construct an LDAP query, which can take many lines of code. Not only are VBScript scripts for managing AD long, they require knowledge of LDAP queries, AD schema naming, and other technical details.

Finding a user is much easier with PowerShell.
If you want to use a logon name to find a user account, all you have to do is use the Get-QADUser cmdlet. For example, if you want to find the user account associated with the sAMAccountName dsotnikov, you’d type

Get-QADUser dsotnikov

Let’s look at what this cmdlet is doing. First, it establishes a connection with the current AD domain using the account under which you started the shell. If you want to connect to another domain, you can use the Get-QADUser cmdlet's -Service parameter or precede the statement with the Connect-QADService cmdlet. If you want to make the connection under different credentials, you can use the Get-QADUser cmdlet’s -Credential parameter or its -ConnectionAccount and -ConnectionPassword parameters.

Because only the username is specified (dsotnikov), the Get-QADUser cmdlet assumes you want to use its default -Identity parameter to locate the account. (Specifying the name of the default parameter is optional in the AD and PowerShell cmdlets.) The AD cmdlets provide a variety of ways to identify objects. Besides specifying a sAMAccountName (or domain\sAMAccountName), you can specify a display name, DN, user principal name (UPN), SID, or globally unique identifier (GUID), as in

Get-QADUser 'Dmitry Sotnikov'
Get-QADUser
  'cn=dsotnikov,ou=users,dc=quest,
  dc=com'
Get-QADUser dsotnikov@quest.com
Get-QADUser S-123-4567…
Get-QADUser
  ABCD-1234-5677-98FE-CD43
(Column widths force us to wrap code. So, although the second command appears on two lines here, you would enter it on one line in the shell. The same holds true for the other multiline commands in this article.) Note that you need to enclose the parameter in quotes if it contains spaces (like in the display name example) or commas (like in the DN example). This is done to help the PowerShell parser understand that you’re passing in a single string.

Finding and Reporting on Groups of User Accounts
Systems administrators often need to find and report on groups of user accounts. The Get-QADUser cmdlet also handles this task. For example, if you want to see all the users in the accounting department, you’d use the -Department parameter, as in

Get-QADUser -Department Accounting

If you want to see all the users in the London office, you’d use the -City parameter, like this

Get-QADUser -City London

As these examples show, you can use the display names of the user attributes (e.g., Department, City), so knowing the attributes’ LDAP names is no longer required. However, you can use the LDAP names if you already know them. For example, if you want to use the LDAP name for the City attribute, you can run

Get-QADUser -L London

As Table 1 shows, Get-QADUser has many attribute-specific parameters you can use in searches. Plus, there are many other available parameters, such as -Identity, -Credential, -ConnectionAccount, and -ConnectionPassword. To get the full parameter list, type

Get-Help Get-QADUser -Full

Getting the information retrieved by Get-QADUser into a table, list, or .html file for easy viewing is simple. All you need to do is tell PowerShell how to format the results.

In both PowerShell and ActiveRoles Management Shell for Active Directory, the Get- cmdlets produce a collection of objects. To change the way in which these objects are presented, you need to direct, or pipe (|), the collection to another cmdlet. For example, if you want to present the information about the London users in a table, you’d pipe Get-QADUser’s results to PowerShell’s Format-Table cmdlet. To specify what attributes you want in the table and the order in which they appear, you use Format-Table’s -Property parameter. The -Property parameter is the default parameter, so specifying it in the command is optional. Thus, to present the London data in a table that includes the users’ names, departments, and titles, you’d type

Get-QADUser -City London |
  Format-Table Name,Department,Title

If you’d rather have the London data in a list, you can use PowerShell’s Format-List cmdlet, as in

Get-QADUser -City London |
  Format-List Name,Department,Title

For more information about how to use the Format-Table and Format-List cmdlets and what the results look like, see “PowerShell 101, Lesson 2,” March 2008, InstantDoc ID 97959.

If you want to convert and save the London data in an .html file, you can use PowerShell’s ConvertTo-HTML and Out-File cmdlets in the command

Get-QADUser -City London |
  ConvertTo-HTML -Property Name,Department,Title -Title 'London Staff' |
  Out-File C:\LondonUsers.html
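
The connection options and the reporting pipeline described above can be combined into one reusable function. The following is an added example, not code from the original article or from Quest; the function name Export-CityStaffReport, the server dc01.example.com, the city list, and the C:\Reports folder are assumptions. It prompts for credentials rather than storing a password in the script, and it requires PowerShell 2.0 or later for try/finally.

```powershell
# Added example (not from the article). Requires the Quest AD cmdlets.
# Assumed names: dc01.example.com, the city list, and the output folder.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

function Export-CityStaffReport {
    param(
        [string]$Service,       # DC or domain to connect to
        [string[]]$City,        # one report is written per city
        [string]$OutDir = '.'   # folder that receives the .html files
    )

    # Prompt for credentials instead of embedding a password in the script.
    $cred = Get-Credential
    Connect-QADService -Service $Service -Credential $cred | Out-Null

    try {
        foreach ($c in $City) {
            # -SizeLimit 0 lifts the default result cap so the report is complete.
            $users = @(Get-QADUser -City $c -SizeLimit 0)

            if ($users.Count -eq 0) {
                Write-Warning "No users found for city '$c'; no report written."
                continue
            }

            # Build a file name from the city, dropping spaces and punctuation.
            $name = '{0}Users.html' -f ($c -replace '[^\w]', '')
            $path = Join-Path $OutDir $name

            $users | Sort-Object Department, Name |
                ConvertTo-Html -Property Name,Department,Title -Title "$c Staff" |
                Out-File $path

            Write-Output ('{0}: {1} users -> {2}' -f $c, $users.Count, $path)
        }
    }
    finally {
        # Close the connection even if a query fails part-way through.
        Disconnect-QADService
    }
}

Export-CityStaffReport -Service 'dc01.example.com' -City 'London','Paris' -OutDir 'C:\Reports'
```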

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2009 Penton Media, Inc., All rights reserved.