Andrei published on PowerGUI.org a bunch of how-to’s to Active Directory management with PowerShell:
- A quick intro to the Management Shell for AD from Quest Software
- AD Tricks: How many objects do you have in your AD, part 1
- AD Tricks: How many objects do you have in your AD, part 2
In these posts Andrei shares some of his tips and tricks for using free Active Directory cmdlets to manage your AD environment.
Among the scenarios he covers are:
- Enumerating users, groups and other objects
- List all users in my domain
- List all users in a specific OU
- Get help on Get-QADUser parameters
- Get specific user properties
- List first-level organizational units in your domain
- List all users in my domain with their display name and city
- Find all users in my domain that has City attribute starts with ‘ny’
- Updating user properties
- Set description for a specific user account:
- Set city to Liverpool for all user accounts in the Demo OU
- User creation
- Create user accounts
- Group operations
- Create a new group
- Add all users with a specific description to a group
- List group members, display names and descriptions
- Bulk creation
- Export useraccounts to a CSV file
- Import useraccounts from a CSV file
- Import useraccounts from CSV file and add them to a specific group
- Statistics:
- Count users, groups, OUs
- Count departments
- Get statistics for departments, locations, etc.
- Count mailboxes per each mailbox store (will work against Exchange 2000 and Exchange 2003)
Note that all of them are one-liners! Managing Active Directory from command line has never been so easy.
Technorati Tags: AD cmdlets, PowerShell, Reporting, Active Directory, AD
Subscribe by email
Just wondering if it is possible to pull from AD a list of all users and, by user, a list of what AD objects they have access to ?
As part of our PCI compliance audit I need to list these for the auditors.
Would PowerShell be able to do this ? What I need is something like;
user object rights
tsjbil \\server\common rwx
Jon
Jon,
This is a great question. Currently AD permissions are not a part of the AD cmdlets set, so you would need to use .NET for tasks like that (or use a commercial reporting tool such as Quest Reporter but my understanding is that you would like to solve the task with a script instead.)
We are considering adding this functionality in one of the future cmdlet releases but it is hard to provide any timeline at this point.
Dmitry
By the way, do you need direct rights only or the ones obtained through group membership as well?
Добрый день, Дмитрий. Подскажите, пожалуйста, как можно изменить свойство msExchHideFromAddressLists (поставить true or false)
P.S. Мы используем Exchange 2003.
Игорь, используйте ключ -ObjectAttributes. Например:
Set-QADUser dsotniko -oa @{’msExchHideFromAddressLists’=$true}
или
Get-QADUser a* | Set-QADUser -oa @{’msExchHideFromAddressLists’=$true}
Большое спасибо за помощь!
Привет,
спасибо за шикарный доклад на heroes2008 =) один из лучших, на мой взгляд.
Great Example and have proved most useful for quickly setting up test environments. I am however having a problem with bulk creating nested OU’s.
If I create an OU in the root of my domain using New-QADObject e.g
New-QADObject -ParentContainer ‘dc=datalex,dc=com’ -Type ‘organizationalUnit’ -NamingProperty ‘ou’ -name ‘South Africa’
then try and then immediately try and create a new OU within it e.g.
New-QADObject -ParentContainer ‘ou=South Africa,dc=datalex,dc=com’ -Type ‘organizationalUnit’ -NamingProperty ‘ou’ -name ‘Users’
I get an error
New-QADObject : Cannot resolve DN for the given identity: ‘ou=South Africa,dc=d
atalex,dc=com’
At line:1 char:14
+ New-QADObject <<<< -ParentContainer ‘ou=South Africa,dc=datalex,dc=com’ -Typ
e ‘organizationalUnit’ -NamingProperty ‘ou’ -name ‘Users’
However if i do a Get-QADObject -type ‘organizationalUnit’ -name ‘South Africa’ it return the object no problem.
If I wait a few seconds and try to create the sub OU again it works fine but I need to do this in a script to quickly create a bunch of nested OU’s.
Is this a bug in the New-QADObject? Are there any ways I can work around it ?
Thanks
Andrew Wood
OK Well I decided that the most efficent way to continue would be to just keep trying until it worked by trapping the error and looping until no error was raised.
New-QADObject -ParentContainer ‘dc=datalex,dc=com’ -Type ‘organizationalUnit’ -NamingProperty ‘ou’ -name ‘South Africa’
Do { sleep 1; New-QADObject -ParentContainer “ou=South Africa,dc=datalex,dc=com” -Type ‘organizationalUnit’ -NamingProperty ‘ou’ -name ‘Users’ -ErrorAction SilentlyContinue -ErrorVariable test ; trap {Continue} }
Until ($test.Count -lt 1)
You could make this more robust by only trapping the DN not found error in case there are other reasons an error is thrown. In fact if your going to do this in a production environment I’d say it was essential.
Andrew,
That’s interesting. Could you post questions like that to the forums at PowerGUI.org? A lot of really smart guys including the dev team are there to help.
Dmitry
Hi,
I want to do this script :
Search atttribu user departement to AD and :
if objUser.Get(”departement”
= “%variable%” then
add group “%variable%”
group=”cn=%variable%”
ouGroups=”ou=NoIAM,ou=%variable%,”
ouMoveUser=”ou=%variable%”
Have you an idea ?.
Thank.
Ben, this code of yours is definitely not PowerShell. Come join our side and we’ll be here to help.
PowerGUI.org has a pretty good AD Management forum (but again for PowerShell only)