PowerShell cmdlets for AD

I got a hold of the PowerShell cmdlets for AD which Quest started releasing: PowerGUI Community: AD PowerShell CMDLETS

I think that the project is a great idea! It lets you script against AD without learning the schema and ADSI, and it gives you a much nicer command-line environment. I found that although the current set of cmdlets was still somewhat limited, I could still use them to work with users and groups, change properties, change group membership, provision new user accounts, etc. – so they already provide some value in doing day-to-day AD management tasks.

Just FYI here are a few blog posts that provide an overview of using the native ADSI capabilities of PowerShell to manage AD:

To me, something like this (taken from Ben’s post) looks more like application code than a command line (this code creates a user account):

$username = 'benp'
#Bind to OU
$adminsOU = New-Object System.DirectoryServices.DirectoryEntry("LDAP://OU=admins,DC=umpadom,DC=com")
#Create the user
$user = $adminsOU.psbase.get_children().add('CN=' + $username,'User')
#Commit Changes
$user.psbase.CommitChanges()
#Set the SAMAccountName
$user.psbase.Properties['sAMAccountName'].Value = $username
#Commit Changes
$user.psbase.CommitChanges()

So I was eager to give what Quest produced in their beta 1 a try:

I installed the setup and got an “ActiveRoles Management Shell for Active Directory (beta)” shortcut added to my Start menu. This turned out to be a normal PowerShell console with the Quest.ActiveRoles.ADManagement PowerShell snapin already added.

Running “get-command *QAD*” gave me the list of commands available (QAD is the prefix which all the commands are using) so I tried a few of these.

I started with just getting a list of users in my lab:

PS C:\> Get-QADUser

Type         LogonName        DN
----         ---------        --
user         Administrator    CN=Administrator,CN=Users,DC=e2007,DC=local
user         Guest            CN=Guest,CN=Users,DC=e2007,DC=local
user         SUPPORT_388945a0 CN=SUPPORT_388945a0,CN=Users,DC=e2007,DC=local
user         IUSR_E2K7        CN=IUSR_E2K7,CN=Users,DC=e2007,DC=local
user         IWAM_E2K7        CN=IWAM_E2K7,CN=Users,DC=e2007,DC=local
user         ASPNET           CN=ASPNET,CN=Users,DC=e2007,DC=local
user         krbtgt           CN=krbtgt,CN=Users,DC=e2007,DC=local
user         jlennon          CN=John Lennon,CN=Users,DC=e2007,DC=local
user         pmccartney       CN=Paul McCartney,CN=Users,DC=e2007,DC=local
user         rstarr           CN=Ringo Starr,CN=Users,DC=e2007,DC=local
user         gharrison        CN=George Harrison,CN=Users,DC=e2007,DC=local
user         Mbx1             CN=Mbx1,CN=Users,DC=e2007,DC=local
user         Mbx2             CN=Mbx2,CN=Users,DC=e2007,DC=local
user         Mbx3             CN=Mbx3,CN=Users,DC=e2007,DC=local
user         Mbx4             CN=Mbx4,CN=Users,DC=e2007,DC=local
user         helpdesk         CN=helpdesk,CN=Users,DC=e2007,DC=local

Getting the list of computers (I only have one in the lab ;)):

PS C:\> Get-QADComputer

Type     LogonName DN
----     --------- --
computer E2K7$     CN=E2K7,OU=Domain Controllers,DC=e2007,DC=local

Getting only the guys with a certain property set:

PS C:\> Get-QADUser -Company Beatles

Type         LogonName              DN
----         ---------              --
user         jlennon                CN=John Lennon,CN=Users,DC=e2007,DC=local
user         pmccartney             CN=Paul McCartney,CN=Users,DC=e2007,DC=local
user         rstarr                 CN=Ringo Starr,CN=Users,DC=e2007,DC=local
user         gharrison              CN=George Harrison,CN=Users,DC=e2007,DC=local

Piping them into “Set” to change a property:

PS C:\> Get-QADUser -Company Beatles | Set-QADUser -City Liverpool
PS C:\> Get-QADUser -Company Beatles | ft Name, City

Name            City
----            ----
John Lennon     Liverpool
Paul McCartney  Liverpool
Ringo Starr     Liverpool
George Harrison Liverpool

Bulk-provisioning with a one-liner using a csv file:

PS C:\> import-csv 'C:\ARPS4AD.csv' | %{new-qadUser -organizationalUnit 'e2007.local/Demo' -name ($_.'First Name' + ' ' + $_.'Last Name') -samAccountName $_.'Logon name' -city $_.city -title $_.'Job title' -department $_.department}

PS C:\> Get-QADUser -OrganizationalUnit e2007.local/demo | ft Name, City, Department, Title

Name              City      Department Title
----              ----      ---------- -----
Ryuichi Sakamoto  Tokyo     Marketing  Manager
Adrie Fortuyn     Amsterdam Sales      Senior Executive
Lelani Asad       New York  Marketing  Manager
Shunji Iwai       Tokyo     Sales      Senior Executive
Haruki Murakami   Tokyo     Accounting Manager
Olivia Barcelonas Nw York   Accounting Manager
Alva Sheldon      Amsterdam Accounting Manager
Nyoko Takuya      Tokyo     Sales      Deputy Head
Jannetje Dirksdr  Amsterdam Sales      Senior Executive
Anke Brittany     Amsterdam Marketing  Manager
Jeroen Herijgers  Amsterdam Marketing  Senior Executive
Dai San           Tokyo     Sales      Senior Executive
Ronald Boyraz     Amsterdam Marketing  Manager
Hisa Hiko         Tokyo     Sales      Manager
Belinda Brestner  New York  Sales      Senior Executive
Haruko Chan       Tokyo     Sales      Manager
Hoshi Kimura      Tokyo     Marketing  Senior Executive
Lotta Buhler      New York  Marketing  Senior Executive
Oktay Haasjes     Amsterdam Sales      Senior Executive
Hoshiko Kanji     Tokyo     Sales      Manager
Jun'ko Katakana   Tokyo     Accounting Manager
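
A bulk import like the one above creates whatever the CSV contains, so the file is worth checking before it reaches New-QADUser. The following pre-flight check is an added example, not part of the original post or of the Quest tooling: it uses only built-in PowerShell and the column names from the one-liner above, and the sample rows and variable names are constructed for illustration.

```powershell
# Constructed sample data reusing the column names of the post's C:\ARPS4AD.csv.
$rows = @'
First Name,Last Name,Logon name,City,Job title,Department
Ryuichi,Sakamoto,rsakamoto,Tokyo,Manager,Marketing
Lelani,Asad,lasad,New York,Manager,Marketing
Shunji,Iwai,rsakamoto,Tokyo,Senior Executive,Sales
Olivia,Barcelonas,o.barcelonas/ny,New York,Manager,Accounting
Haruki,Murakami,,Tokyo,Manager,Accounting
Jannetje,Dirksdr,jannetje.dirksdr.amsterdam,Amsterdam,Senior Executive,Sales
'@ | ConvertFrom-Csv

# Characters Active Directory rejects in sAMAccountName: " / \ [ ] : ; | = , + * ? < >
$illegal = '["/\\\[\]:;|=,+*?<>]'

# Count each logon name (case-insensitively) so duplicates inside the file show up.
$seen = @{}
foreach ($r in $rows) {
    $key = ([string]$r.'Logon name').Trim().ToLowerInvariant()
    $seen[$key] = 1 + $seen[$key]
}

# Attach a Problems property to every row; an empty string means the row passed.
$checked = foreach ($r in $rows) {
    $logon = ([string]$r.'Logon name').Trim()
    $problems = @()
    if ($logon -eq '') {
        $problems += 'logon name is empty'
    } else {
        if ($logon.Length -gt 20)   { $problems += 'logon name longer than 20 characters' }
        if ($logon -match $illegal) { $problems += 'logon name contains a character AD rejects' }
        if ($logon.EndsWith('.'))   { $problems += 'logon name ends with a period' }
        if ($seen[$logon.ToLowerInvariant()] -gt 1) { $problems += 'logon name duplicated in the file' }
    }
    foreach ($col in 'First Name', 'Last Name') {
        if (([string]$r.$col).Trim() -eq '') { $problems += "$col is empty" }
    }
    $r | Add-Member -MemberType NoteProperty -Name Problems -Value ($problems -join '; ') -PassThru
}

$rejected = @($checked | Where-Object { $_.Problems })
$accepted = @($checked | Where-Object { -not $_.Problems })

# Review the rejects; only $accepted should be piped on to the New-QADUser one-liner.
$rejected | Format-Table 'Logon name', Problems -AutoSize
"{0} row(s) accepted, {1} rejected" -f $accepted.Count, $rejected.Count
```

The check covers the file only; whether a logon name already exists in the directory has to be tested against a live domain.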

Creating a new group:

PS C:\> New-QADGroup -Name Tokyo -SamAccountName Tokyo -OrganizationalUnit e2007.local/demo -Type Security -Scope Global

Type  LogonName DN
----  --------- --
group Tokyo     CN=Tokyo,OU=Demo,DC=e2007,DC=local

Adding users based on their location:

PS C:\> Add-QADGroupMember e2007.local/Demo/Tokyo -Member (Get-QADUser -City Tokyo)

I liked the progress the team is making. I was involved in some of the discussions around the project and it’s nice to start seeing the outcome!

Now I need to try to get them to show up in PowerGUI… I’ll let you know how it goes…


6 Responses to “PowerShell cmdlets for AD”

  1. Bill Walker, March 23, 2007 at 3:34 am

    Dmitry, these QAD cmdlets look amazing. Are they only with ActiveRoles Server or will they be standalone as well? How can I get in on the beta? I’m currently a heavy user of Quest products. I also gave Microsoft feedback during the Monad betas about their lack of ADSI/AD support and poor Remoting capabilities. By the way, a mutual friend (R. Sandri) turned me onto your site. 🙂

  2. dmitrysotnikov, March 23, 2007 at 10:56 pm

    The cmdlets don’t require ActiveRoles and are available for free. They work directly against AD. Everything in the example above can be done with no ActiveRoles installed at all.

    However, if you do have ActiveRoles Server installed these two can integrate really nicely. Effectively you can make the cmdlets go through ActiveRoles proxy rather than directly to AD. This lets you make sure that all policies are applied for the scripts and commands you execute. I need to blog about that because this is actually pretty cool. (But, yes, requiring that you purchase the commercial application if you don’t yet have ActiveRoles deployed.)

    Bottom line is that if you don’t need policy enforcement, delegation, approvals, etc. you should be perfectly good with just the free cmdlets you can download from Quest.


    P.S. Give my regards to Robert. He has been one of the best SCs I ever worked with – so if he likes what we are doing – that means we are on the right path!

  3. Fred Morrison, January 10, 2008 at 2:23 pm

    The following command does not work because Email, although available via Get-QADUser | Get-Member is not allowed by Set-QADUser. Is there an easy way to set the Email address for a user with this tool?

    Get-QADUser -SamAccountName abcxyz123 | Set-QADUser -Email fristname.lastname@somecompany.com

  4. dmitrysotnikov, January 10, 2008 at 2:49 pm

    Fred, just use -ObjectAttributes key:

    Set-QADUser abcxyz123 -ObjectAttributes @{"mail"="fristname.lastname@somecompany.com"}

  1. AD Cmdlets RTM « Dmitry’s PowerBlog: PowerShell and beyond, Trackback on December 20, 2007 at 12:41 pm
  2. Favorite Blog for Powershell stuff | Live@EDU Pearls, Trackback on April 22, 2011 at 3:12 pm

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
