Our next little jaunt in PowerShell will be to learn how to use it to configure Active Directory accounts. For example, you may have a need to change a particular property of a group of Active Directory users, such as the logon script or profile path, when you need to stage a rollout of a new script or profile. Again, this is something I have done a lot of work with in the past using VBScript, but of course I want to extend my knowledge in PowerShell to achieve the same thing.
Over here we have a list of Active Directory cmdlets:
Well, that is quite a list (see below), and I suspect that with my growing knowledge of the general capabilities of PowerShell it won't take long for me to figure out how to process a group of accounts all at once in a script. It looks like the kludges and difficult procedures that required fairly complex code in VBScript, code that didn't always work as expected, could be a thing of the past.
Essentially it looks like I would be using Get-ADUser to retrieve a group of users and then iterating through them calling Set-ADObject each time in order to change the desired property of each user object.
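The approach described above, as an added example that is not code from the original post. The OU, the script file name and the CSV path are placeholder assumptions; running it with `-WhatIf` lists the accounts that would change without modifying them.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed placeholder values: substitute your own OU, script and path.
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',
    [string]$NewScript  = 'logon-v2.cmd',
    [string]$BackupCsv  = '.\scriptPath-before.csv'
)

Import-Module ActiveDirectory

# Retrieve only enabled users under the target OU, requesting the one
# extra attribute we intend to change (scriptPath is not returned by default).
$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -SearchBase $SearchBase -SearchScope Subtree `
                    -Properties scriptPath

# Record the current values first so the rollout can be reversed and
# reviewed later. -WhatIf:$false writes the record even during a dry run.
$users |
    Select-Object DistinguishedName, SamAccountName, scriptPath |
    Export-Csv -Path $BackupCsv -NoTypeInformation -WhatIf:$false

$changed = 0
foreach ($user in $users) {
    # Skip accounts that already have the new value.
    if ($user.scriptPath -eq $NewScript) { continue }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName,
                                "Set scriptPath to '$NewScript'")) {
        try {
            Set-ADObject -Identity $user.DistinguishedName `
                         -Replace @{ scriptPath = $NewScript } `
                         -ErrorAction Stop
            $changed++
        }
        catch {
            # Report the failure and carry on with the remaining accounts.
            Write-Warning "Failed on $($user.SamAccountName): $($_.Exception.Message)"
        }
    }
}

Write-Output "Examined $(@($users).Count) users, changed $changed."
```

The same loop changes the profile path by replacing `scriptPath` with `profilePath` in both the `-Properties` list and the `-Replace` hashtable.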
Generally, we would run this script on a domain controller. However, we can run it on a desktop or some other computer provided it has the RSAT installed, as described in this blog article:
| Cmdlet | Description |
|---|---|
| | Adds one or more service accounts to an Active Directory computer. |
| | Adds users, computers, and groups to the Allowed List or the Denied List of the read-only domain controller (RODC) Password Replication Policy (PRP). |
| | Applies a fine-grained password policy to one or more users and groups. |
| | Adds one or more members to an Active Directory group. |
| | Adds a member to one or more Active Directory groups. |
| | Clears the expiration date for an Active Directory account. |
| | Disables an Active Directory account. |
| | Disables an Active Directory optional feature. |
| | Enables an Active Directory account. |
| | Enables an Active Directory optional feature. |
| | Gets the Active Directory security groups that contain an account. |
| | Gets the resultant password replication policy for an Active Directory account. |
| | Gets one or more Active Directory computers. |
| | Gets the service accounts that are hosted by an Active Directory computer. |
| | Gets the default password policy for an Active Directory domain. |
| | Gets an Active Directory domain. |
| | Gets one or more Active Directory domain controllers, based on discoverable services criteria, search parameters, or by providing a domain controller identifier, such as the NetBIOS name. |
| | Gets the members of the Allowed List or the Denied List of the RODC PRP. |
| | Gets the resultant password policy of the specified ADAccount on the specified RODC. |
| | Gets one or more Active Directory fine-grained password policies. |
| | Gets the users and groups to which a fine-grained password policy is applied. |
| | Gets an Active Directory forest. |
| | Gets one or more Active Directory groups. |
| | Gets the members of an Active Directory group. |
| | Gets one or more Active Directory objects. |
| | Gets one or more Active Directory optional features. |
| | Gets one or more Active Directory OUs. |
| | Gets the Active Directory groups that have a specified user, computer, or group. |
| | Gets the root of a domain controller information tree. |
| | Gets one or more Active Directory service accounts. |
| | Gets one or more Active Directory users. |
| | Gets the resultant password policy for a user. |
| | Installs an Active Directory service account on a computer. |
| | Moves a domain controller in AD DS to a new site. |
| | Moves operation master (also known as flexible single master operations or FSMO) roles to an Active Directory domain controller. |
| | Moves an Active Directory object or a container of objects to a different container or domain. |
| | Creates a new Active Directory computer. |
| | Creates a new Active Directory fine-grained password policy. |
| | Creates an Active Directory group. |
| | Creates an Active Directory object. |
| | Creates a new Active Directory OU. |
| | Creates a new Active Directory service account. |
| | Creates a new Active Directory user. |
| | Removes an Active Directory computer. |
| | Removes one or more service accounts from a computer. |
| | Removes users, computers, and groups from the Allowed List or the Denied List of the RODC PRP. |
| | Removes an Active Directory fine-grained password policy. |
| | Removes one or more users from a fine-grained password policy. |
| | Removes an Active Directory group. |
| | Removes one or more members from an Active Directory group. |
| | Removes an Active Directory object. |
| | Removes an Active Directory OU. |
| | Removes a member from one or more Active Directory groups. |
| | Removes an Active Directory service account. |
| | Removes an Active Directory user. |
| | Changes the name of an Active Directory object. |
| | Resets the service account password for a computer. |
| | Restores an Active Directory object. |
| | Gets Active Directory user, computer, and service accounts. |
| | Modifies user account control (UAC) values for an Active Directory account. |
| | Sets the expiration date for an Active Directory account. |
| | Modifies the password of an Active Directory account. |
| | Modifies an Active Directory computer. |
| | Modifies the default password policy for an Active Directory domain. |
| | Modifies an Active Directory domain. |
| | Sets the domain functional level for an Active Directory domain. |
| | Modifies an Active Directory fine-grained password policy. |
| | Modifies an Active Directory forest. |
| | Sets the forest mode for an Active Directory forest. |
| | Modifies an Active Directory group. |
| | Modifies an Active Directory object. |
| | Modifies an Active Directory OU. |
| | Modifies an Active Directory service account. |
| | Modifies an Active Directory user. |
| | Uninstalls an Active Directory service account from a computer. |
| | Unlocks an Active Directory account. |