I got a hold of the PowerShell cmdlets for AD which Quest started releasing: PowerGUI Community: AD PowerShell CMDLETS
I think that the project is a great idea! It lets you script against AD without learning the schema and ADSI, and gives you a much nicer command-line environment. Although the current set of cmdlets is still somewhat limited, I could already use them to work with users and groups, change properties, change group membership, provision new user accounts, etc. - so they already provide some value in day-to-day AD management tasks.
Just FYI here are a few blog posts that provide an overview of using the native ADSI capabilities of PowerShell to manage AD:
- AD Infrastructure management with PowerShell
- Benp’s Basic Guide to Managing Active Directory Objects with PowerShell (located via Evan)
- Or .NET, as for example in this script by Adam.
To me, something like this (taken from Ben’s post) looks more like application code than a command line (this code creates a user account):

    $username = 'benp'
    # Bind to OU
    $adminsOU = New-Object System.DirectoryServices.DirectoryEntry("LDAP://OU=admins,DC=umpadom,DC=com")
    # Create the user
    $user = $adminsOU.psbase.get_children().add('CN=' + $username, 'User')
    # Commit changes
    $user.psbase.CommitChanges()
    # Set the sAMAccountName
    $user.psbase.invokeset('sAMAccountName', $username)
    # Commit changes
    $user.psbase.CommitChanges()

So I was eager to give what Quest produced in their beta 1 a try:
I installed the setup and got an “ActiveRoles Management Shell for Active Directory (beta)” shortcut added to my Start menu. This turned out to be a normal PowerShell console with the Quest.ActiveRoles.ADManagement PowerShell snapin already added.
Running “get-command *QAD*” gave me the list of commands available (QAD is the prefix which all the commands are using) so I tried a few of these.
I started with just getting a list of users in my lab:

    PS C:\> Get-QADUser

    Type  LogonName         DN
    ----  ---------         --
    user  Administrator     CN=Administrator,CN=Users,DC=e2007,DC=local
    user  Guest             CN=Guest,CN=Users,DC=e2007,DC=local
    user  SUPPORT_388945a0  CN=SUPPORT_388945a0,CN=Users,DC=e2007,DC=local
    user  IUSR_E2K7         CN=IUSR_E2K7,CN=Users,DC=e2007,DC=local
    user  IWAM_E2K7         CN=IWAM_E2K7,CN=Users,DC=e2007,DC=local
    user  ASPNET            CN=ASPNET,CN=Users,DC=e2007,DC=local
    user  krbtgt            CN=krbtgt,CN=Users,DC=e2007,DC=local
    user  jlennon           CN=John Lennon,CN=Users,DC=e2007,DC=local
    user  pmccartney        CN=Paul McCartney,CN=Users,DC=e2007,DC=local
    user  rstarr            CN=Ringo Starr,CN=Users,DC=e2007,DC=local
    user  gharrison         CN=George Harrison,CN=Users,DC=e2007,DC=local
    user  Mbx1              CN=Mbx1,CN=Users,DC=e2007,DC=local
    user  Mbx2              CN=Mbx2,CN=Users,DC=e2007,DC=local
    user  Mbx3              CN=Mbx3,CN=Users,DC=e2007,DC=local
    user  Mbx4              CN=Mbx4,CN=Users,DC=e2007,DC=local
    user  helpdesk          CN=helpdesk,CN=Users,DC=e2007,DC=local

Getting the list of computers (I only have one in the lab ;)):

    PS C:\> Get-QADComputer

    Type      LogonName  DN
    ----      ---------  --
    computer  E2K7$      CN=E2K7,OU=Domain Controllers,DC=e2007,DC=local

Getting only the guys with a certain property set:

    PS C:\> Get-QADUser -Company Beatles

    Type  LogonName   DN
    ----  ---------   --
    user  jlennon     CN=John Lennon,CN=Users,DC=e2007,DC=local
    user  pmccartney  CN=Paul McCartney,CN=Users,DC=e2007,DC=local
    user  rstarr      CN=Ringo Starr,CN=Users,DC=e2007,DC=local
    user  gharrison   CN=George Harrison,CN=Users,DC=e2007,DC=local

Piping them into “Set” to change a property:

    PS C:\> Get-QADUser -Company Beatles | Set-QADUser -City Liverpool
    PS C:\> Get-QADUser -Company Beatles | ft Name, City

    Name             City
    ----             ----
    John Lennon      Liverpool
    Paul McCartney   Liverpool
    Ringo Starr      Liverpool
    George Harrison  Liverpool

Bulk-provisioning with a one-liner using a csv file:

    PS C:\> import-csv 'C:\ARPS4AD.csv' | %{new-qadUser -organizationalUnit 'e2007.local/Demo' -name ($_.'First Name' + ' ' + $_.'Last Name') -samAccountName $_.'Logon name' -city $_.city -title $_.'Job title' -department $_.department}
    PS C:\> Get-QADUser -OrganizationalUnit e2007.local/demo | ft Name, City, Department, Title

    Name               City       Department  Title
    ----               ----       ----------  -----
    Ryuichi Sakamoto   Tokyo      Marketing   Manager
    Adrie Fortuyn      Amsterdam  Sales       Senior Executive
    Lelani Asad        New York   Marketing   Manager
    Shunji Iwai        Tokyo      Sales       Senior Executive
    Haruki Murakami    Tokyo      Accounting  Manager
    Olivia Barcelonas  Nw York    Accounting  Manager
    Alva Sheldon       Amsterdam  Accounting  Manager
    Nyoko Takuya       Tokyo      Sales       Deputy Head
    Jannetje Dirksdr   Amsterdam  Sales       Senior Executive
    Anke Brittany      Amsterdam  Marketing   Manager
    Jeroen Herijgers   Amsterdam  Marketing   Senior Executive
    Dai San            Tokyo      Sales       Senior Executive
    Ronald Boyraz      Amsterdam  Marketing   Manager
    Hisa Hiko          Tokyo      Sales       Manager
    Belinda Brestner   New York   Sales       Senior Executive
    Haruko Chan        Tokyo      Sales       Manager
    Hoshi Kimura       Tokyo      Marketing   Senior Executive
    Lotta Buhler       New York   Marketing   Senior Executive
    Oktay Haasjes      Amsterdam  Sales       Senior Executive
    Hoshiko Kanji      Tokyo      Sales       Manager
    Jun'ko Katakana    Tokyo      Accounting  Manager

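A pre-flight check for the CSV before it is piped into new-qadUser, as an added example (not from the original post or from Quest). The rows are constructed, Test-ProvisioningRow is a hypothetical helper, and the block assumes PowerShell 3.0 or later for ConvertFrom-Csv and [pscustomobject].

```powershell
# Constructed sample rows; column names match the CSV used in the one-liner above.
$csv = @'
First Name,Last Name,Logon name,City,Job title,Department
Ryuichi,Sakamoto,rsakamoto,Tokyo,Manager,Marketing
Adrie,Fortuyn,afortuyn,Amsterdam,Senior Executive,Sales
Lelani,Asad,rsakamoto,New York,Manager,Marketing
Shunji,Iwai,shunji.iwai.sales.tokyo,Tokyo,Senior Executive,Sales
Haruki,Murakami,h/murakami,Tokyo,Manager,Accounting
,Barcelonas,obarcelonas,New York,Manager,Accounting
'@

# Hypothetical helper: returns the list of problems found in one CSV row.
function Test-ProvisioningRow {
    param($Row, [hashtable]$Seen)
    $problems = @()
    $logon = "$($Row.'Logon name')".Trim()
    if (-not $logon) { $problems += 'empty logon name' }
    # sAMAccountName for user objects is limited to 20 characters.
    if ($logon.Length -gt 20) { $problems += 'logon name longer than 20 characters' }
    # Characters that are not allowed in sAMAccountName.
    if ($logon -match '["/\\\[\]:;|=,+*?<>]') { $problems += 'illegal character in logon name' }
    # Logon names are case-insensitive, so compare in lower case.
    if ($logon) {
        $key = $logon.ToLowerInvariant()
        if ($Seen.ContainsKey($key)) { $problems += 'duplicate logon name in file' }
        else { $Seen[$key] = $true }
    }
    foreach ($col in 'First Name', 'Last Name') {
        if (-not "$($Row.$col)".Trim()) { $problems += "missing $col" }
    }
    $problems
}

$seen = @{}
$report = foreach ($row in ($csv | ConvertFrom-Csv)) {
    $problems = @(Test-ProvisioningRow -Row $row -Seen $seen)
    [pscustomobject]@{
        LogonName = $row.'Logon name'
        Ok        = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}
$report | Format-Table -AutoSize

# Only rows that passed every check should go on to account creation.
$ready = $report | Where-Object { $_.Ok }
```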
Creating a new group:

    PS C:\> New-QADGroup -Name Tokyo -SamAccountName Tokyo -OrganizationalUnit e2007.local/demo -Type Security -Scope Global

    Type   LogonName  DN
    ----   ---------  --
    group  Tokyo      CN=Tokyo,OU=Demo,DC=e2007,DC=local

Adding users based on their location:

    PS C:\> Add-QADGroupMember e2007.local/Demo/Tokyo -Member (Get-QADUser -City Tokyo)

I liked the progress the team is making. I was involved in some of the discussions around the project and it’s nice to start seeing the outcome!
Now I need to try to get them to show up in PowerGUI… I’ll let you know how it goes…
Dmitry, these QAD cmdlets look amazing. Are they only with ActiveRoles Server or will they be standalone as well? How can I get in on the beta? I’m currently a heavy user of Quest products. I also gave Microsoft feedback during the Monad betas about their lack of ADSI/AD support and poor remoting capabilities. By the way, a mutual friend (R. Sandri) turned me onto your site.
Bill,
The cmdlets don’t require ActiveRoles and are available for free. They work directly against AD. Everything in the example above can be done with no ActiveRoles installed at all.
However, if you do have ActiveRoles Server installed these two can integrate really nicely. Effectively you can make the cmdlets go through ActiveRoles proxy rather than directly to AD. This lets you make sure that all policies are applied for the scripts and commands you execute. I need to blog about that because this is actually pretty cool. (But, yes, requiring that you purchase the commercial application if you don’t yet have ActiveRoles deployed.)
Bottom line is that if you don’t need policy enforcement, delegation, approvals, etc. you should be perfectly good with just the free cmdlets you can download from Quest.
Dmitry
P.S. Give my regards to Robert. He has been one of the best SCs I ever worked with - so if he likes what we are doing - that means we are on the right path!
The following command does not work because Email, although available via Get-QADUser | Get-Member, is not allowed by Set-QADUser. Is there an easy way to set the Email address for a user with this tool?

    Get-QADUser -SamAccountName abcxyz123 | Set-QADUser -Email fristname.lastname@somecompany.com

Fred, just use -ObjectAttributes key:

    Set-QADUser abcxyz123 -ObjectAttributes @{"mail"="fristname.lastname@somecompany.com"}