Rights required to run AD cmdlets

What are the required permissions to run PowerShell on your Active Directory?

Surprisingly, you can run most of them as a normal domain user, not an admin at all. You read that right: you don’t need to be a domain admin, and you don’t need to install the cmdlets on a DC. Any workstation will do, as long as PowerShell and the AD cmdlets are installed on it.

The cmdlets simply try to execute your commands against AD under your account. If your rights are sufficient, the command is executed. If not, you get an error.

This means that I won’t, for example, be able to go and change our Domain Admins group or our CEO’s account, but I can indeed run any of the Get-* cmdlets: Get-QADUser, Get-QADGroup, Get-QADComputer, Get-QADGroupMembership – they all just work!

What’s more, I can even modify objects as long as I have AD permissions for them. For example, at Quest we are all supposed to be able to modify our personal details (phone number, etc.) and there is even an intranet page for that – but I could never remember the address. PowerShell solves the issue. Here’s me modifying my personal account and adding my blog address as a comment to be shown in Outlook:

PS C:\> set-qaduser dsotniko -Notes "Dmitry's PowerBlog: https://dmitrysotnikov.wordpress.com"

PS C:\> get-qaduser dsotniko | ft name, notes

Name                    Notes
----                    -----
Dmitry Sotnikov         Dmitry's PowerBlog: https://dmitrysotnikov.wordpress.com

Worked like a charm! Same thing with the groups I own. It turned out I can actually Add-QADGroupMember for them.

Nice!

The bottom line is: AD cmdlets and PowerShell are not just for admins. You can go ahead and start using them to manage your account and your groups.
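Because AD itself decides what a normal user may change, it is worth checking what that actually covers. The following is an added example, not code from the original post: it reads the constructed attribute allowedAttributesEffective for the logged-on user's own account through .NET (no Quest snap-in needed), and the function name and the "expected" baseline list are assumptions made for illustration.

```powershell
# Added example: list the attributes the current (non-admin) user may write on
# an AD object, using the constructed attribute allowedAttributesEffective.
# Assumes a domain-joined Windows machine and a domain logon session.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-EffectiveWritableAttribute {   # hypothetical helper name
    param(
        # DN of the object to inspect; defaults to the caller's own account.
        [string]$DistinguishedName
    )

    if (-not $DistinguishedName) {
        $me = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
        $DistinguishedName = $me.DistinguishedName
    }

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    # Constructed attributes are returned only when requested explicitly.
    $entry.RefreshCache(@('allowedAttributesEffective'))
    $writable = @($entry.Properties['allowedAttributesEffective'] | Sort-Object)

    New-Object PSObject -Property @{
        DistinguishedName  = $DistinguishedName
        WritableCount      = $writable.Count
        WritableAttributes = $writable
    }
}

# Assumed self-service baseline; adjust to your own delegation policy.
# 'info' is the attribute behind the Notes field.
$expected = 'telephoneNumber', 'mobile', 'homePhone', 'info', 'streetAddress'

$report     = Get-EffectiveWritableAttribute
$unexpected = @($report.WritableAttributes | Where-Object { $expected -notcontains $_ })

"Object:   $($report.DistinguishedName)"
"Writable: $($report.WritableCount) attribute(s)"
"Outside the expected self-service set: $($unexpected.Count)"
$unexpected
```

Anything listed in the last section is a write permission granted to ordinary users that the baseline did not anticipate, which makes it a good starting point for a delegation review.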


Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

May 2007