What are the required permissions to run PowerShell on your Active Directory?
Surprisingly, a normal domain user can run most of the AD cmdlets – you don’t have to be an admin at all. You got it right: you don’t need to be a domain admin, and you don’t need to install the cmdlets on a DC – any workstation will do as long as it has PowerShell and the AD cmdlets installed.
The cmdlets simply try to execute your commands against AD under your own account: if your rights are sufficient, the command gets executed. If not, you’ll get an error.
This means that I won’t, for example, be able to go and change our Domain Admins group or our CEO’s account, but I can indeed perform any Get-* cmdlets: Get-QADUser, Get-QADGroup, Get-QADComputer, Get-QADGroupMembership – they all just work!
What’s more, I can even modify objects as long as I have AD permissions for them. For example, at Quest we are all supposed to be able to modify our personal details (phone number, etc.) and there is even an intranet page for that – but I could never remember the address. PowerShell solves the issue. Here’s me modifying my personal account and adding my blog address as a comment to be shown in Outlook:
PS C:\> set-qaduser dsotniko -Notes "Dmitry's PowerBlog: https://dmitrysotnikov.wordpress.com"
PS C:\> get-qaduser dsotniko | ft name, notes
Name            Notes
----            -----
Dmitry Sotnikov Dmitry's PowerBlog: https://dmitrysotnikov.wordpress.com
Worked like a charm! Same thing with the groups I own. It turned out I can actually Add-QADGroupMember for them.
Nice!
The bottom line is: AD cmdlets and PowerShell are not just for admins. You can go ahead and start trying them to manage your account and your groups.
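To see in advance which attributes your own rights let you change, instead of finding out from the error, you can ask AD for the constructed attribute allowedAttributesEffective. This is an added example, not code from the original post: it uses plain .NET ADSI rather than the Quest cmdlets, the function names are hypothetical, the group name is a constructed placeholder, and it assumes that Set-QADUser -Notes writes the same info attribute that backs the Notes field in AD Users and Computers.

```powershell
# Added example: list the attributes the CURRENT credentials may write on an AD object.
# Must run on a domain-joined machine; no admin rights and no extra modules needed.

function Get-WritableAttribute {
    param(
        # sAMAccountName of the object to inspect; defaults to the logged-on user.
        [string]$SamAccountName = $env:USERNAME
    )

    # Escape LDAP filter metacharacters (RFC 4515); the backslash must go first.
    $safe = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    $searcher = [adsisearcher]"(sAMAccountName=$safe)"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No object with sAMAccountName '$SamAccountName' found." }

    $entry = $hit.GetDirectoryEntry()
    # allowedAttributesEffective is computed by AD per caller, so it is never
    # returned by default and has to be requested explicitly.
    $entry.RefreshCache(@('allowedAttributesEffective'))
    $entry.Properties['allowedAttributesEffective'] | Sort-Object
}

function Test-CanWriteAttribute {
    param(
        [Parameter(Mandatory = $true)][string]$Attribute,
        [string]$SamAccountName = $env:USERNAME
    )
    # -contains compares case-insensitively, like LDAP attribute names.
    (Get-WritableAttribute -SamAccountName $SamAccountName) -contains $Attribute
}

# Can I edit the Notes field ('info') and the phone number on my own account?
Test-CanWriteAttribute -Attribute info
Test-CanWriteAttribute -Attribute telephoneNumber

# Can I change membership of a group I own? ('MyTeamGroup' is a placeholder name.)
Test-CanWriteAttribute -Attribute member -SamAccountName 'MyTeamGroup'
```

An empty result from Get-WritableAttribute means your account has no write access to that object at all, which is what you should expect for objects such as the Domain Admins group.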