Archive for the 'Active Directory' Category

AD Cmdlets 1.3 RTMed

Late last week we released to the web the latest version (1.3) of our free Active Directory cmdlets (also known as QAD-cmdlets, widely used by tens of thousands of admins and compatible with more or less any version of Active Directory or ADAM/AD LDS).

You can read more about the cmdlets in this PDF guide, or online reference.

This is a significant update with some 14 new cmdlets, 24 new parameters, 43 enhanced ones, and a few bugs fixed (not that we had any really ;) )

Detailed What’s New information can be found on page 19 of the PDF guide and in my upcoming blog posts. Download the new AD cmdlets now and let us know what you think by posting to the AD PowerShell discussion forum!

Recorded PowerShell Introductory Session from Quest Connect

“What’s All This Talk about PowerShell Anyway?”, which Kirk and I presented at the virtual tradeshow last week, was recorded and is available here until January 22, 2010.

So, if you missed the session last week, check it out now (or send the link to anyone you want to introduce to PowerShell).

What’s All This Talk about PowerShell Anyway?

Tomorrow (Oct 21) morning Kirk and I will be doing a webcast on PowerShell within the Quest Connect virtual tradeshow:

What’s All This Talk about PowerShell Anyway?

10:00 am BST/5:00 am EDT/2:00 am PDT

Dmitry Sotnikov, PowerShell MVP and Kirk Munro, PowerShell MVP – Quest Software

So what exactly is PowerShell? How does it make life as an Admin easier? Join this session conducted by Quest’s PowerShell MVPs, Dmitry Sotnikov and Kirk Munro, to learn more about PowerShell and see some real life examples of how PowerShell and Quest PowerGUI make managing your Microsoft infrastructure (Active Directory, Exchange, Hyper-V and more) easier!

We will start with a basic overview of what PowerShell is, then compare it to alternatives such as VBScript. Kirk will then dive into a step-by-step example of automating tasks such as provisioning in Active Directory, and then we will answer any questions you might have.

Besides this session the agenda is packed with a lot of useful material on Windows Server 2008 R2, AD, Identity Management, Exchange 2010, Virtualization, Cloud Computing, SharePoint, SQL, Oracle – see full agenda here.

This online show is a great learning alternative if you cannot make it to TechEd Europe this year. It is co-sponsored by Quest, Microsoft, Dell, NetApp, Vizioncore, Scriptlogic, Techrepublic, Oracle Magazine, Redmond Magazine, and The Code Project. The speaker lineup is also pretty good. The show last year was a success – see some feedback here – so hopefully this year it will be even better.

Register for the event here and don’t forget to attend our PowerShell session! ;) Virtually see you tomorrow!

Find users in too many groups

Large Kerberos tokens (caused by too many groups listed in them) can be an issue in some environments (I’ve just had similar trouble myself in an ADFS deployment). Luckily PowerShell is here to help. This quick script will list all users who are members of more than 75 groups:

$limit = 75
Get-QADUser -SizeLimit 0 -DontUseDefaultIncludedProperties |
  ForEach-Object {
    $groups = Get-QADGroup -ContainsIndirectMember $_.DN -SizeLimit $limit `
      -DontUseDefaultIncludedProperties -WarningAction SilentlyContinue
    if ($groups.Count -ge $limit) { $_ }
  }

Here’s a quick overview of what the script is doing:

  1. I assign the limit (75) to a variable. This is just for my convenience of reuse. E.g. I could turn this line into param($limit = 75) – and save this as a parameterized script or turn it into a function.
  2. I use Get-QADUser to retrieve all (-SizeLimit 0) user accounts from my current domain, and I make sure not to retrieve any attributes along with them, which saves memory and improves performance (-DontUseDefaultIncludedProperties).
  3. For each user in my domain, I retrieve the first 75 (-SizeLimit $limit) groups to which the user belongs directly or through nesting (-ContainsIndirectMember $_.DN). There’s obviously no need to retrieve all groups – we just need to know if the user reached the limit. Again, we do not need any attributes (-DontUseDefaultIncludedProperties). I also tell PowerShell to not warn me if there are more groups than the size limit I specified (-WarningAction SilentlyContinue).
  4. Finally, if indeed we reached the limit, I output that user object.

You can obviously then just see the list on the screen or output it to a CSV or HTML report.
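The function form mentioned in step 1, combined with the CSV output mentioned above, could look like this. This is an added example, not code from the original post; the function name Find-QADUserOverGroupLimit and the report file name are made up for illustration, and the Quest AD cmdlets snap-in is assumed to be loaded.

```powershell
# Added example (not from the original post). Assumes the Quest AD cmdlets are loaded.
# Find-QADUserOverGroupLimit is a hypothetical name chosen for this illustration.
function Find-QADUserOverGroupLimit {
    param(
        [int]$Limit = 75   # group count at which a user gets reported
    )

    Get-QADUser -SizeLimit 0 -DontUseDefaultIncludedProperties |
      ForEach-Object {
        # Retrieve at most $Limit groups: we only need to know whether the
        # limit is reached. @() keeps .Count valid for zero or one result.
        $groups = @(Get-QADGroup -ContainsIndirectMember $_.DN -SizeLimit $Limit `
          -DontUseDefaultIncludedProperties -WarningAction SilentlyContinue)

        if ($groups.Count -ge $Limit) {
            # Emit a flat record that Export-Csv or ConvertTo-Html can render.
            New-Object PSObject -Property @{
                DN         = $_.DN
                GroupLimit = $Limit
            }
        }
      }
}

# The report path is a placeholder.
Find-QADUserOverGroupLimit -Limit 75 |
  Export-Csv -Path .\users-over-group-limit.csv -NoTypeInformation
```

Only the DN is written out because the query runs with -DontUseDefaultIncludedProperties, so no other attributes are guaranteed to be loaded.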


Get a list of users’ email addresses

Here’s a one-liner to turn members of a group into a list of email addresses, separated by semicolons. I use it every now and then when someone from our partners (who obviously do not have access to our address book) asks me for a list of folks to include in some discussions, or grant access to some resources, and so on.

Here’s the one-liner (for PowerShell v2):

(Get-QADGroupMember MyGroupName -Type user -Indirect |
    Select -expand Email) -join ';'

The PowerShell v1 version has a slightly different syntax for join:

[string]::join(';',
  (Get-QADGroupMember MyGroupName -Type user -Indirect |
    Select -expand Email))

And here’s a quick explanation of what it does:

  • I use Get-QADGroupMember to retrieve all members of the group. Note that the -Indirect parameter gives me all members of nested groups, and -Type user makes sure that nested groups themselves get excluded.
  • Then I take the collection of user objects and turn it into a collection of just one property of the objects (Email) using Select -expand.
  • Finally I use join to turn that collection into a string, with a semicolon as the separator.

Hope this is useful.

List all empty OUs

Here’s a one-liner you can use to quickly find empty organizational units in your Active Directory:

Get-QADObject -Type organizationalUnit -DontUseDefaultIncludedProperties |
  where {
    -not ( Get-QADObject -SearchRoot $_.DN -DontUseDefaultIncludedProperties `
    -SearchScope OneLevel -SizeLimit 1 -WarningAction SilentlyContinue )
  }

A quick explanation of what I am doing here:

  1. I am retrieving all organizationalUnit objects from my domain (and use the -DontUseDefaultIncludedProperties switch to save a few milliseconds ;) )
  2. Then for each of the OUs I am retrieving all AD objects that are in that OU by doing a Get-QADObject and limiting the search scope to the DN of the current OU.
  3. Note that (like we did when looking for large groups) I am using the -SizeLimit parameter to see if I can get 1 item in the call (all I need is to learn whether there is anything in the OU – I don’t need the whole list) – which obviously makes the whole script orders of magnitude faster. I use -SearchScope
  4. Based on Kirk’s recommendation I am using -SearchScope OneLevel to exclude the OU itself.
  5. I am using the -not operator so I get only the OUs for which this Get-QADObject evaluates to $null (nothing found) and thus -not $null evaluates to $true.

P.S. This is the code I was using initially, which I then corrected based on Kirk’s comments below:

$emptyOUs = Get-QADObject -Type organizationalUnit -DontUseDefaultIncludedProperties | where {(Get-QADObject -SearchRoot $_.DN -SizeLimit 2 -DontUseDefaultIncludedProperties).Count -lt 2}


More on AD Recycle Bin

I’ve blogged about object recovery functionality in the new Active Directory 2008 R2, and previous versions (free and commercial).

However, Jonathan took the discussion to a whole new level with his incredibly detailed Simple-Talk post: The Active Directory Recycle Bin in Windows Server 2008 R2.

Definitely worth checking out and bookmarking for future use!

Skype for administrators

Call any user in Active Directory or Exchange right from your administrative console, with a single click dial into any conference call (with participant passcode dialed for you ;) ) – all of that is possible with the latest extension for PowerGUI.

PowerGUI Skype PowerPack adds Call buttons for all user accounts and mailboxes, as well as people in your corporate organizational chart. In addition to this you can obviously call any of your Skype contacts or any conference call appointments listed in your Outlook.

Check out this 7-minute demo here (highly recommended to watch in HD and full screen):

As always, all the code behind any nodes and actions can be found in their properties, so you can learn how this actually works, modify the pack to suit your needs or extend it to add calling capabilities to whichever other systems you are managing!

This blog post by Shafqat Ahmed helped me a lot when I started working on the PowerPack. My scripts in the pack are basically enhancements built on top of his excellent post.

Download Skype PowerPack here and let us know what you think.


Microsoft’s AD cmdlets available for Win 2003 and later

Microsoft has just released to the web the final bits of their Active Directory Web Services. This is the service you need to install on your domain controller or ADAM/AD LDS server to make it accessible to Microsoft’s AD cmdlets.

As you can see from the diagram above, unlike Quest AD cmdlets, Microsoft’s ones require Active Directory Web Services (ADWS) on the server/DC you manage. These web services ship with Windows Server 2008 R2. Now they are also available as a free download for Windows Server 2003 SP2 and later.

This means that as long as you are ready to install this additional software on your DCs, you can start using these new cmdlets from Microsoft. There is no need to upgrade DCs to 2008 R2 or change the forest functional level.

More choices for PowerShell management of AD – better for everyone. :)


Adding Direct Reports action

Here’s my quick addition to Kamran’s “How to export data from Active Directory using the free PowerGUI tool“:

If you might need to find users managed by someone more than once, there are a couple of ways you can make this simpler for yourself:

A. Download and install free Org Chart powerpack, or

B. Follow these instructions to add a Direct Reports button to PowerGUI admin console:

1. Start PowerGUI admin console and browse to Active Directory / Users.

2. In the right-hand pane, right-click the category to which you want to add the action and pick New / Script Action from the shortcut menu.


3. In the New Action dialog box, type in the action name (e.g. Direct Reports), and script:

$input | ForEach-Object {
    Get-QADUser -Manager $_
}

(The script is quite trivial: for each user account currently selected in the PowerGUI grid, we get the list of AD users which have this object specified as Manager).


4. On that same dialog box, click the Display Configuration button, and then in the Display results group, select the Display the results in a nested view option.

This tells PowerGUI that your action outputs objects to the grid (which it does – we need to see the reports the selected user has!)

5. That’s it! Click OK on both dialog boxes, select the user account whose reports you need to see, and click your newly added Direct Reports action.
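The action above returns one level of reports. As an added example that goes beyond the original post (it is not the author's code), the same Get-QADUser -Manager call can be applied recursively to list everyone below the selected user; the function name Get-QADAllReports is made up for illustration, and the objects are assumed to expose the DN property used elsewhere on this page.

```powershell
# Added example (not from the original post). Get-QADAllReports is a
# hypothetical name; it walks the reporting chain below a user object.
function Get-QADAllReports {
    param(
        $Manager,                 # user object, passed to -Manager as in the action script
        [hashtable]$Seen = @{}    # DNs already visited, shared across the recursion
    )

    # Mark the starting user so a loop back to them is not reported.
    $Seen[$Manager.DN] = $true

    # @() guarantees an empty collection (not $null) when there are no reports.
    foreach ($report in @(Get-QADUser -Manager $Manager)) {
        # Guard against manager loops (A manages B, B manages A) and
        # against users who are listed as their own manager.
        if ($Seen.ContainsKey($report.DN)) { continue }
        $Seen[$report.DN] = $true

        $report                                           # emit the direct report
        Get-QADAllReports -Manager $report -Seen $Seen    # then that user's reports
    }
}

# As a PowerGUI script action: expand every user selected in the grid.
$input | ForEach-Object { Get-QADAllReports -Manager $_ }
```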

Big thanks to Kamran for posting his original tip and video.


Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer Quest Software or anyone else for that matter. All trademarks acknowledged.

© 2007 Dmitry Sotnikov