Active Directory Cmdlets in Windows PowerShell

Active Directory Cmdlets in Windows PowerShell

Windows PowerShell™ is a task-based command-line shell and scripting language designed especially for system administration. This reference topic for the information technology (IT) professional introduces the 76 Windows PowerShell cmdlets that you can use to manage and administer the Active Directory® directory service and Active Directory Domain Services (AD DS).

What does the Active Directory module do?

The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows PowerShell module (named Active Directory) that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.

clip_image001Tip

For more information about getting started with the Active Directory Windows PowerShell module, see Active Directory Administration with Windows PowerShell.

In the Microsoft® Windows® 2000 Server operating system, the Windows Server® 2003 operating system, and Windows Server 2008, administrators used a variety of command-line tools and Microsoft Management Console (MMC) snap-ins to connect to their Active Directory domains and AD LDS configuration sets to monitor and manage them. The Active Directory module in Windows Server 2008 R2 now provides a centralized experience for administering your directory service instances.

Active Directory module provider

Administrators can use the Active Directory module provider to easily navigate and access data that is stored in Active Directory domains, AD LDS instances and configuration sets, and Active Directory Database Mounting Tool instances. The Active Directory module provider exposes the Active Directory database through a hierarchical navigation system, which is very similar to the file system. For example, while you are using the Active Directory module, you can use the following commands to navigate through your directory:

· cd

· dir

· remove

· .

· ..

You can use the Active Directory module provider to map Active Directory domains, AD LDS instances, and Active Directory Database Mounting Tool instances to specific provider drives. When the Active Directory module is first loaded, a default Active Directory drive (AD:) is mounted. To connect to that drive, run the cd AD: command. To connect a new provider drive to an Active Directory domain, an AD LDS server, or an Active Directory Database Mounting Tool instance, use the following cmdlet:

New-PSDrive -Name <name of the drive> -PSProvider ActiveDirectory -Root "<DN of the partition/NC>" –Server <server or domain name (NetBIOS/FQDN)[:port number]> -Credential <domain name><username>

Parameter

Description

-Name <name of the drive>

Specifies the name of the drive that is being added.

-PSProvider ActiveDirectory

The name of the provider, in this case, ActiveDirectory.

-Root "<DN of the partition/NC>"

Specifies the internal root or path of the provider.

–Server <server or domain name (NetBIOS/FQDN)[:port number]>

Specifies the server that hosts your Active Directory domain or an AD LDS instance.

-Credential <domain name><username>

Specifies the credentials that you must have to connect to the Active Directory domain or the AD LDS server.

Active Directory module cmdlets

You can use the Active Directory module cmdlets to perform various administrative, configuration, and diagnostic tasks in your AD DS and AD LDS environments. In this release of Windows Server 2008 R2, you can use the Active Directory module to manage existing Active Directory user and computer accounts, groups, organizational units (OUs), domains and forests, domain controllers, and password policies, or you can create new ones.

The following table lists all the cmdlets that are available in this release of the Active Directory module in Windows Server 2008 R2.

Cmdlet

Description

Add-ADComputerServiceAccount

Adds one or more service accounts to an Active Directory computer.

Add-ADDomainControllerPasswordReplicationPolicy

Adds users, computers, and groups to the Allowed List or the Denied List of the read-only domain controller (RODC) Password Replication Policy (PRP).

Add-ADFineGrainedPasswordPolicySubject

Applies a fine-grained password policy to one more users and groups.

Add-ADGroupMember

Adds one or more members to an Active Directory group.

Add-ADPrincipalGroupMembership

Adds a member to one or more Active Directory groups.

Clear-ADAccountExpiration

Clears the expiration date for an Active Directory account.

Disable
-ADAccount

Disables an Active Directory account.

Disable-ADOptionalFeature

Disables an Active Directory optional feature.

Enable-ADAccount

Enables an Active Directory account.

Enable-ADOptionalFeature

Enables an Active Directory optional feature.

Get-ADAccountAuthorizationGroup

Gets the Active Directory security groups that contain an account.

Get-ADAccountResultantPasswordReplicationPolicy

Gets the resultant password replication policy for an Active Directory account.

Get-ADComputer

Gets one or more Active Directory computers.

Get-ADComputerServiceAccount

Gets the service accounts that are hosted by an Active Directory computer.

Get-ADDefaultDomainPasswordPolicy

Gets the default password policy for an Active Directory domain.

Get-ADDomain

Gets an Active Directory domain.

Get-ADDomainController

Gets one or more Active Directory domain controllers, based on discoverable services criteria, search parameters, or by providing a domain controller identifier, such as the NetBIOS name.

Get-ADDomainControllerPasswordReplicationPolicy

Gets the members of the Allowed List or the Denied List of the RODC PRP.

Get-ADDomainControllerPasswordReplicationPolicyUsage

Gets the resultant password policy of the specified ADAccount on the specified RODC.

Get-ADFineGrainedPasswordPolicy

Gets one or more Active Directory fine-grained password policies.

Get-ADFineGrainedPasswordPolicySubject

Gets the users and groups to which a fine-grained password policy is applied.

Get-ADForest

Gets an Active Directory forest.

Get-ADGroup

Gets one or more Active Directory groups.

Get-ADGroupMember

Gets the members of an Active Directory group.

Get-ADObject

Gets one or more Active Directory objects.

Get-ADOptionalFeature

Gets one or more Active Directory optional features.

Get-ADOrganizationalUnit

Gets one or more Active Directory OUs.

Get-ADPrincipalGroupMembership

Gets the Active Directory groups that have a specified user, computer, or group.

Get-ADRootDSE

Gets the root of a domain controller information tree.

Get-ADServiceAccount

Gets one or more Active Directory service accounts.

Get-ADUser

Gets one or more Active Directory users.

Get-ADUserResultantPasswordPolicy

Gets the resultant password policy for a user.

Install-ADServiceAccount

Installs an Active Directory service account on a computer.

Move-ADDirectoryServer

Moves a domain controller in AD DS to a new site.

Move-ADDirectoryServerOperationMasterRole

Moves operation master (also known as flexible single master operations or FSMO) roles to an Active Directory domain controller.

Move-ADObject

Moves an Active Directory object or a container of objects to a different container or domain.

New-ADComputer

Creates a new Active Directory computer.

New-ADFineGrainedPasswordPolicy

Creates a new Active Directory fine-grained password policy.

New-ADGroup

Creates an Active Directory group.

New-ADObject

Creates an Active Directory object.

New-ADOrganizationalUnit

Creates a new Active Directory OU.

New-ADServiceAccount

Creates a new Active Directory service account.

New-ADUser

Creates a new Active Directory user.

Remove-ADComputer

Removes an Active Directory computer.

Remove-ADComputerServiceAccount

Removes one or more service accounts from a computer.

Remove-ADDomainControllerPasswordReplicationPolicy

Removes users, computers, and groups from the Allowed List or the Denied List of the RODC PRP.

Remove-ADFineGrainedPasswordPolicy

Removes an Active Directory fine-grained password policy.

Remove-ADFineGrainedPasswordPolicySubject

Removes one or more users from a fine-grained password policy.

Remove-ADGroup

Removes an Active Directory group.

Remove-ADGroupMember

Removes one or more members from an Active Directory group.

Remove-ADObject

Removes an Active Directory object.

Remove-ADOrganizationalUnit

Removes an Active Directory OU.

Remove-ADPrincipalGroupMembership

Removes a member from one or more Active Directory groups.

Remove-ADServiceAccount

Removes an Active Directory service account.

Remove-ADUser

Removes an Active Directory user.

Rename-ADObject

Changes the name of an Active Directory object.

Reset-ADServiceAccountPassword

Resets the service account password for a computer.

Restore-ADObject

Restores an Active Directory object.

Search-ADAccount

Gets Active Directory user, computer, and service accounts.

Set-ADAccountControl

Modifies user account control (UAC) values for an Active Directory account.

Set-ADAccountExpiration

Sets the expiration date for an Active Directory account.

Set-ADAccountPassword

Modifies the password of an Active Directory account.

Set-ADComputer

< p>Modifies an Active Directory computer.

Set-ADDefaultDomainPasswordPolicy

Modifies the default password policy for an Active Directory domain.

Set-ADDomain

Modifies an Active Directory domain.

Set-ADDomainMode

Sets the domain functional level for an Active Directory domain.

Set-ADFineGrainedPasswordPolicy

Modifies an Active Directory fine-grained password policy.

Set-ADForest

Modifies an Active Directory forest.

Set-ADForestMode

Sets the forest mode for an Active Directory forest.

Set-ADGroup

Modifies an Active Directory group.

Set-ADObject

Modifies an Active Directory object.

Set-ADOrganizationalUnit

Modifies an Active Directory OU.

Set-ADServiceAccount

Modifies an Active Directory service account.

Set-ADUser

Modifies an Active Directory user.

Uninstall-ADServiceAccount

Uninstalls an Active Directory service account from a computer.

Unlock-ADAccount

Unlocks an Active Directory account.

clip_image002Note

To list all the cmdlets that are available in the Active Directory module, use the Get-Command *-AD* cmdlet.

For more information about—or for the syntax for—any of the Active Directory module cmdlets, use the Get-Help <cmdlet name> cmdlet, where <cmdlet name> is the name of the cmdlet that you want to research. For more detailed information, you can run any of the following cmdlets:

· Get-Help <cmdlet name> -Detailed

· Get-Help <cmdlet name> -Full

· Get-Help <cmdlet name> -Detailed

· Get-Help <cmdlet name> -Examples

More information

For more information about the Active Directory module cmdlets, see the following:

· What’s New in AD DS: Active Directory Module for Windows PowerShell

Active Directory Administration with Windows PowerShell

Source: Active Directory Cmdlets in Windows PowerShell

Leave a Reply

Your email address will not be published. Required fields are marked *