Archive for the 'ActiveRoles Server' Category

Audit PowerShell changes in AD

How do you capture and analyze what your (or other administrators’) PowerShell scripts are doing to your Active Directory?

This is a question I recently got from one of our customers, so I thought I would also blog my answer for everyone’s benefit.

If this kind of auditing is something that you need – you can fairly easily achieve it by making AD cmdlets access Active Directory via Quest ActiveRoles Server.

Basically, AD cmdlets have a mode (which you can, for example, switch on in your PowerShell profile) that applies all changes to AD via the ActiveRoles proxy, which then applies all your policies, approvals, and auditing to every change, no matter where it originates: UI, command line, or scripts:

AD cmdlets and Quest ActiveRoles Server

So for example, if I change the phone number for all users from Portland:

Change phone number with PowerShell
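
The workflow described above, as an added sketch (not code from the original post). It assumes the Quest AD cmdlets snap-in is installed and an ActiveRoles Server Administration Service is reachable; the host name `ars01.example.local`, the phone number and the CSV path are placeholders.

```powershell
# Added example, not from the original post.
# Assumptions: Quest AD cmdlets snap-in is installed; 'ars01.example.local' is a
# placeholder for your ActiveRoles Server Administration Service host.

# Load the snap-in if the profile has not done so already.
if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# -Proxy sends the session through ActiveRoles Server instead of binding directly
# to a domain controller. Placing this line in $PROFILE makes it the default.
# Stop on failure so the bulk change below never runs without the proxy connection.
Connect-QADService -Proxy -Service 'ars01.example.local' -ErrorAction Stop | Out-Null

$newPhone = '555-0100'    # constructed sample value
$targets  = @(Get-QADUser -City 'Portland' -SizeLimit 0)

# Keep a before-image of the attribute, independent of the ActiveRoles history.
$targets | Select-Object DN, SamAccountName, PhoneNumber |
    Export-Csv -Path '.\portland-phones-before.csv' -NoTypeInformation

# Dry run: lists the accounts that would be modified without changing anything.
$targets | Set-QADUser -PhoneNumber $newPhone -WhatIf

# The real change. Because the session is proxied, each modification is subject
# to ActiveRoles policies and approvals and is recorded in the change history.
$targets | Set-QADUser -PhoneNumber $newPhone | Out-Null

# Re-read the accounts. A mismatch can mean the change was rejected by policy
# or is still waiting in an approval workflow.
$mismatch = @(Get-QADUser -City 'Portland' -SizeLimit 0 |
    Where-Object { $_.PhoneNumber -ne $newPhone })
'{0} accounts targeted, {1} not (yet) updated' -f $targets.Count, $mismatch.Count
```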

ActiveRoles will start showing this change in the change history for each of these accounts (including old value, new value, date, time, who made the change and so on):

See AD object change history

The same information is also written to the Windows event log:

AD change events in eventlog

It also becomes available in SQL Reporting Services reports – so you can sort, filter, export to various formats and so on:

AD object change report

Note that unlike QAD cmdlets this is actually a commercial product so there is cost involved. You can get a trial license from the product page. If you are a Microsoft MVP you can also get a free NFR license by applying here.



Interview with AD cmdlets product manager

Guys from PowerScripting Podcast have just published the episode they did with Bob Bobel – Quest’s Product Manager for AD cmdlets, ActiveRoles Server and a few other products.

Bob managed to see the potential behind the idea of PowerShell-enabling his commercial products and releasing free AD cmdlets to the community back in 2006 (which seems a loooong time ago!) – so in a sense myself and others were having a lot of fun at his expense. 😉

  • Does PowerShell make any money for Quest?
  • Will AD cmdlets go on once Microsoft ships their cmdlets in Windows Server 2008 R2?
  • How many developers are working on AD cmdlets?

Learn that and much more from this podcast.


AD cmdlets 1.2 available for download!

The latest version of Quest’s free AD cmdlets (aka QAD cmdlets) is finally available for download.

In addition to numerous bugfixes and improvements based on community feedback, there are quite a few new features and cmdlets, including:

  • Get-QADMemberOf – Retrieve group memberships of a particular object in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
  • Get-QADPasswordSettingsObjectAppliesTo – Retrieve Password Settings objects that match the specified conditions. Active Directory version of Windows Server 2008 or later is required.
  • -Tombstone parameter for Get-QAD* cmdlets to let you find deleted objects.
  • Restore-QADDeletedObject – Undelete objects in Active Directory by restoring tombstones back into normal objects. This cmdlet requires an Active Directory domain controller running Windows Server 2003 or later.
  • Get-QAD* cmdlets’ new parameters to filter objects by their modification or creation date.
  • New parameters for Get-QADGroupMember to search by type, name, display name, description (!), or any custom attributes.
  • New parameters for any Get-QAD* cmdlets to search by group membership.
  • Strongly typed parameters for Get-QADPasswordSettingObject.

For the happy users of our commercial ActiveRoles Server platform there are additional features providing for convenient work with AD change history and approvals:

  • Get-QARSOperation – Retrieve operation records from ActiveRoles Server. Each operation record represents a certain change request, whether pending or completed, in ActiveRoles Server.
  • Get-QARSApprovalTask – Retrieve approval task records from ActiveRoles Server. Each approval task record represents a task, whether pending or completed, to approve or reject a certain change request in ActiveRoles Server.
  • Approve-QARSApprovalTask – Apply the Approve resolution on approval tasks for which you are assigned to the Approver role in ActiveRoles Server.
  • Reject-QARSApprovalTask – Apply the Reject resolution on approval tasks for which you are assigned to the Approver role in ActiveRoles Server.

I will probably spend the next couple of weeks going into these exciting new features in detail – but for now the administrator’s guide and get-help are your friends. 😉

Download the new AD cmdlets and let us know what you think!


What’s new in AD cmdlets 1.1.0?

Here’s a quick summary of the new and exciting features added in Quest’s free AD cmdlets 1.1.0 just published on the web (I plan to provide more details and examples next week):

1. Get-QADGroupMember -Indirect – this new parameter allows you to retrieve complete group membership for nested AD groups in one command!

2. Permission management cmdlets:

  • Get-QADPermission,
  • Add-QADPermission,
  • Remove-QADPermission,
  • Get-QADObjectSecurity,
  • Remove-QADObjectSecurity.

3. New parameters of Get-QADUser:

  • HomeDirectory (string)
  • HomeDrive (string)
  • ProfilePath (string)
  • LogonScript (string)
  • Email (string)
  • AccountExpiresBefore (DateTime)
  • AccountExpiresAfter (DateTime)
  • AccountNeverExpires (bool)
  • PasswordNeverExpires (bool)

4. New parameters of Set-QADUser

  • HomeDirectory (string)
  • HomeDrive (string)
  • ProfilePath (string)
  • LogonScript (string)
  • Email (string)
  • AccountExpires (DateTime, nullable)
  • PasswordNeverExpires (bool)
  • UserMustChangePassword (bool)
  • TsProfilePath (string)
  • TsHomeDirectory (string)
  • TsHomeDrive (string)
  • TsWorkDirectory (string)
  • TsInitialProgram (string)
  • TsMaxDisconnectionTime (TimeSpan)
  • TsMaxConnectionTime (TimeSpan)
  • TsMaxIdleTime (TimeSpan)
  • TsAllowLogon (bool)
  • TsRemoteControl (int)
  • TsReconnectionAction (int)
  • TsBrokenConnectionAction (int)
  • TsConnectClientDrives (bool)
  • TsConnectPrinterDrives (bool)
  • TsDefaultToMainPrinter (bool)

5. New properties of User object

  • HomeDirectory (string)
  • HomeDrive (string)
  • ProfilePath (string)
  • LogonScript (string)
  • AccountExpires (DateTime, nullable)
  • PasswordLastSet (DateTime, nullable, readonly)
  • PasswordAge (TimeSpan, nullable, readonly)
  • PasswordExpires (DateTime, nullable, readonly)
  • LastLogonTimestamp (DateTime, nullable, readonly)
  • LastLogon (DateTime, nullable, readonly)
  • LastLogoff (DateTime, nullable, readonly)
  • AccountIsDisabled (bool)
  • AccountIsLockedOut (bool)
  • PasswordNeverExpires (bool)
  • UserMustChangePassword (bool)

6. Set-QADGroup now has GroupType and GroupScope parameters (to change group type and scope ;))
7. New cmdlet Get-QADRootDSE
8. Disambiguation prefixes in Identity parameter: e.g. Get-QADUser 'dn=cn=object_with@sign'
9. Access to default domain password policies through the domain object: e.g. Get-QADObject mydomain.local/ | format-list *
10. Functionality specific to Quest ActiveRoles Server (this will only work if you have the commercial app):

  • Access template link management,
  • Dynamic groups.

Lots of cool and exciting features and numerous bugfixes.

You can download the beta on the Quest’s AD cmdlets page. Please provide your feedback in the AD PowerShell discussion forums.


AD cmdlets support policies

Now that AD cmdlets are gold and the RTM version is available I would like to clarify the support policies you can expect for them.

This is actually very simple and straight-forward:

1. If you are downloading and using AD cmdlets for free, you can use the AD discussion forum at to report issues and get help.

2. Commercial customers of Quest AD management products (ActiveRoles Direct and ActiveRoles Server) get full support including phone, etc.

So you have both options depending on the money you are willing to spend and the level of support you want to get.


AD cmdlets in the voting booth

Found this via Jackson. ActiveRoles Server – the AD rules, roles, policy, identity management, provisioning, etc. product which has the AD cmdlets as a freeware component (and frankly pays the bill for the effort) is featured in a few nominations in the Info Security reader’s choice awards.

So if you like the cmdlets, one of the ways to show that is going to the site and voting for ActiveRoles Server over there.

A few other Quest products are nominated as well, so if you happen to be using them – feel free to add them to the ballot.


New AD cmdlets demo

Robert Bobel who is Quest’s Product Manager for ActiveRoles Server (AD management, rules, roles, provisioning, approval workflow tool) and AD cmdlets has just posted his new demo of both of his products working separately and together.

He gives a quick introduction to ActiveRoles, then switches to the PowerShell command-line, explores the AD (gets users, groups, etc.), performs bulk operations like provisioning users from csv file, etc.

Then he demonstrates the integration of the free PowerShell command-line with the commercial application and shows how his PowerShell scripts can go through automated policy enforcement and approval workflows.

To see the demo just go to the Quest’s PowerShell page and click the Product in Action picture in the AD cmdlets section.

Also, if you have not seen a more detailed webcast of AD management with PowerShell which Bob and I gave a few months ago – the recording is still available for you to grab.


PowerShell makes Quest Microsoft’s Global ISV Partner of the Year

Just another indicator of how important PowerShell is for Microsoft: Quest Software has just got Microsoft’s Global ISV Partner of the Year award at the Worldwide Partner Conference in Denver.

Peter Boit presented the award and he made a very clear point that Quest was the first ISV to adopt PowerShell for AD management.

This is great news! Congratulations to everyone involved in the free and commercial products Quest is delivering and supporting around PowerShell: AD cmdlets, PowerGUI, ActiveRoles Server, and a few more in the pipeline!

Microsoft Worldwide Partner Conference banner


AD PowerShell Webcast in 3 hours

Just a reminder that Quest is giving Webcast: Active Directory Management Made Easy with PowerShell in about 3 hours from now.


Webcast: Active Directory Management Made Easy with PowerShell

On July 12 I will be co-presenting (with Bob Bobel – Quest’s Senior Product Manager for Active Directory products) at a webcast:

Webcast: Active Directory Management Made Easy with PowerShell

When: Thursday, July 12, 2007 – 10 a.m. PDT/1 p.m. EDT

In this session, we will talk about using Windows PowerShell to manage Active Directory. We’ll cover different approaches ranging from ADSI to AD cmdlets, and demo the features that are backwards-compatible with Windows 2000/2003 and the ones unique to Windows Server 2008 (e.g. Server Core and Read Only Domain Controller).

In the first half of the session, we will also highlight how you can customize and extend provisioning with Quest ActiveRoles Server through PowerShell. In the second half of the session, we’ll demo how you can use PowerGUI to build custom administrative consoles for PowerShell enabled systems, such as Active Directory, IIS, Exchange and Operations Manager.

Register at the webcast page

As you can see from the description, besides the general introduction to PowerShell and AD cmdlets you will get exposed to Quest commercial products as well – which can still be pretty handy if you are planning to use PowerShell to manage AD in an enterprise infrastructure.

You can register here (you might want to pre-register and login in advance because I think those webcasts have limited number of connections).



The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
