Active Directory Cmdlets in Windows PowerShell
Windows PowerShell™ is a task-based command-line shell and scripting language designed especially for system administration. This reference topic for the information technology (IT) professional introduces the 76 Windows PowerShell cmdlets that you can use to manage and administer the Active Directory® directory service and Active Directory Domain Services (AD DS).
What does the Active Directory module do?
The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows PowerShell module (named Active Directory) that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
For more information about getting started with the Active Directory Windows PowerShell module, see Active Directory Administration with Windows PowerShell.
In the Microsoft® Windows® 2000 Server operating system, the Windows Server® 2003 operating system, and Windows Server 2008, administrators used a variety of command-line tools and Microsoft Management Console (MMC) snap-ins to connect to their Active Directory domains and AD LDS configuration sets to monitor and manage them. The Active Directory module in Windows Server 2008 R2 now provides a centralized experience for administering your directory service instances.
Active Directory module provider
Administrators can use the Active Directory module provider to easily navigate and access data that is stored in Active Directory domains, AD LDS instances and configuration sets, and Active Directory Database Mounting Tool instances. The Active Directory module provider exposes the Active Directory database through a hierarchical navigation system, which is very similar to the file system. For example, while you are using the Active Directory module, you can use the following commands to navigate through your directory:
· cd
· dir
· remove
· .
· ..
You can use the Active Directory module provider to map Active Directory domains, AD LDS instances, and Active Directory Database Mounting Tool instances to specific provider drives. When the Active Directory module is first loaded, a default Active Directory drive (AD:) is mounted. To connect to that drive, run the cd AD: command. To connect a new provider drive to an Active Directory domain, an AD LDS server, or an Active Directory Database Mounting Tool instance, use the following cmdlet:
New-PSDrive -Name <name of the drive> -PSProvider ActiveDirectory -Root "<DN of the partition/NC>" -Server <server or domain name (NetBIOS/FQDN)[:port number]> -Credential <domain name>\<username>
Parameter | Description
-Name <name of the drive> | Specifies the name of the drive that is being added.
-PSProvider ActiveDirectory | The name of the provider, in this case, ActiveDirectory.
-Root "<DN of the partition/NC>" | Specifies the internal root or path of the provider.
-Server <server or domain name (NetBIOS/FQDN)[:port number]> | Specifies the server that hosts your Active Directory domain or an AD LDS instance.
-Credential <domain name>\<username> | Specifies the credentials that you must have to connect to the Active Directory domain or the AD LDS server.
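The provider drive mapping described above, as an added example that is not part of the original reference. The server name, partition DN and drive name CORP are constructed placeholders; the credential is prompted for with Get-Credential so that no password is stored in the script.

```powershell
# Added example. Server, partition DN and drive name are constructed placeholders.
Import-Module ActiveDirectory

$server = 'dc01.corp.example.com'        # placeholder domain controller (FQDN[:port])
$root   = 'DC=corp,DC=example,DC=com'    # placeholder DN of the partition/NC

# Prompt for the account interactively instead of embedding a password.
$cred = Get-Credential

# Map the partition to a provider drive. The drive exists only in this session.
New-PSDrive -Name CORP -PSProvider ActiveDirectory -Root $root `
            -Server $server -Credential $cred | Out-Null

# Confirm which Active Directory drives are mounted (AD: is the default one).
Get-PSDrive -PSProvider ActiveDirectory | Select-Object Name, Root

Push-Location CORP:
try {
    # Top-level containers and OUs of the partition, like "dir" on a file system.
    Get-ChildItem | Select-Object Name, ObjectClass, DistinguishedName

    # Paths on a rooted drive are relative to -Root, one RDN per level.
    Set-Location 'OU=Domain Controllers'
    Get-ChildItem | Select-Object Name, ObjectClass
    Set-Location ..
}
finally {
    # Leave the drive before removing it so the session is not left
    # holding a connection made with the supplied credentials.
    Pop-Location
    Remove-PSDrive -Name CORP
}
```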
Active Directory module cmdlets
You can use the Active Directory module cmdlets to perform various administrative, configuration, and diagnostic tasks in your AD DS and AD LDS environments. In this release of Windows Server 2008 R2, you can use the Active Directory module to manage existing Active Directory user and computer accounts, groups, organizational units (OUs), domains and forests, domain controllers, and password policies, or you can create new ones.
The following table lists all the cmdlets that are available in this release of the Active Directory module in Windows Server 2008 R2.
Cmdlet |
Description |
Adds one or more service accounts to an Active Directory computer. |
|
Adds users, computers, and groups to the Allowed List or the Denied List of the read-only domain controller (RODC) Password Replication Policy (PRP). |
|
Applies a fine-grained password policy to one or more users and groups. |
|
Adds one or more members to an Active Directory group. |
|
Adds a member to one or more Active Directory groups. |
|
Clears the expiration date for an Active Directory account. |
|
Disables an Active Directory account. |
|
Disables an Active Directory optional feature. |
|
Enables an Active Directory account. |
|
Enables an Active Directory optional feature. |
|
Gets the Active Directory security groups that contain an account. |
|
Gets the resultant password replication policy for an Active Directory account. |
|
Gets one or more Active Directory computers. |
|
Gets the service accounts that are hosted by an Active Directory computer. |
|
Gets the default password policy for an Active Directory domain. |
|
Gets an Active Directory domain. |
|
Gets one or more Active Directory domain controllers, based on discoverable services criteria, search parameters, or by providing a domain controller identifier, such as the NetBIOS name. |
|
Gets the members of the Allowed List or the Denied List of the RODC PRP. |
|
Gets the resultant password policy of the specified ADAccount on the specified RODC. |
|
Gets one or more Active Directory fine-grained password policies. |
|
Gets the users and groups to which a fine-grained password policy is applied. |
|
Gets an Active Directory forest. |
|
Gets one or more Active Directory groups. |
|
Gets the members of an Active Directory group. |
|
Gets one or more Active Directory objects. |
|
Gets one or more Active Directory optional features. |
|
Gets one or more Active Directory OUs. |
|
Gets the Active Directory groups that have a specified user, computer, or group. |
|
Gets the root of a domain controller information tree. |
|
Gets one or more Active Directory service accounts. |
|
Gets one or more Active Directory users. |
|
Gets the resultant password policy for a user. |
|
Installs an Active Directory service account on a computer. |
|
Moves a domain controller in AD DS to a new site. |
|
Moves operation master (also known as flexible single master operations or FSMO) roles to an Active Directory domain controller. |
|
Moves an Active Directory object or a container of objects to a different container or domain. |
|
Creates a new Active Directory computer. |
|
Creates a new Active Directory fine-grained password policy. |
|
Creates an Active Directory group. |
|
Creates an Active Directory object. |
|
Creates a new Active Directory OU. |
|
Creates a new Active Directory service account. |
|
Creates a new Active Directory user. |
|
Removes an Active Directory computer. |
|
Removes one or more service accounts from a computer. |
|
Removes users, computers, and groups from the Allowed List or the Denied List of the RODC PRP. |
|
Removes an Active Directory fine-grained password policy. |
|
Removes one or more users from a fine-grained password policy. |
|
Removes an Active Directory group. |
|
Removes one or more members from an Active Directory group. |
|
Removes an Active Directory object. |
|
Removes an Active Directory OU. |
|
Removes a member from one or more Active Directory groups. |
|
Removes an Active Directory service account. |
|
Removes an Active Directory user. |
|
Changes the name of an Active Directory object. |
|
Resets the service account password for a computer. |
|
Restores an Active Directory object. |
|
Gets Active Directory user, computer, and service accounts. |
|
Modifies user account control (UAC) values for an Active Directory account. |
|
Sets the expiration date for an Active Directory account. |
|
Modifies the password of an Active Directory account. |
|
Modifies an Active Directory computer. |
|
Modifies the default password policy for an Active Directory domain. |
|
Modifies an Active Directory domain. |
|
Sets the domain functional level for an Active Directory domain. |
|
Modifies an Active Directory fine-grained password policy. |
|
Modifies an Active Directory forest. |
|
Sets the forest mode for an Active Directory forest. |
|
Modifies an Active Directory group. |
|
Modifies an Active Directory object. |
|
Modifies an Active Directory OU. |
|
Modifies an Active Directory service account. |
|
Modifies an Active Directory user. |
|
Uninstalls an Active Directory service account from a computer. |
|
Unlocks an Active Directory account. |
To list all the cmdlets that are available in the Active Directory module, use the Get-Command *-AD* cmdlet.
For more information about—or for the syntax for—any of the Active Directory module cmdlets, use the Get-Help <cmdlet name> cmdlet, where <cmdlet name> is the name of the cmdlet that you want to research. For more detailed information, you can run any of the following cmdlets:
· Get-Help <cmdlet name> -Detailed
· Get-Help <cmdlet name> -Full
· Get-Help <cmdlet name> -Examples
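A read-only review that combines several of the cmdlets described in the table above (password policy, fine-grained password policy, group membership and account search), as an added example that is not part of the original reference. The server name, the 90-day inactivity threshold and the choice of the Domain Admins group are assumptions made for illustration.

```powershell
# Added example: read-only review with Active Directory module cmdlets.
# The server name and the 90-day threshold are constructed placeholders.
Import-Module ActiveDirectory
$server = 'dc01.corp.example.com'

# 1. Default domain password and lockout policy.
Get-ADDefaultDomainPasswordPolicy -Server $server |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold

# 2. Fine-grained password policies and the users and groups they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * -Server $server | ForEach-Object {
    $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $_ -Server $server
    New-Object PSObject -Property @{
        Policy     = $_.Name
        Precedence = $_.Precedence
        MinLength  = $_.MinPasswordLength
        AppliesTo  = ($subjects | ForEach-Object { $_.Name }) -join ', '
    }
}

# 3. Effective members of a privileged group, with nested groups expanded.
$admins   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive -Server $server
$adminDNs = @($admins | ForEach-Object { $_.DistinguishedName })

# 4. Enabled user accounts that are inactive or whose passwords never expire.
$stale    = Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly -Server $server |
    Where-Object { $_.Enabled }
$noExpiry = Search-ADAccount -PasswordNeverExpires -UsersOnly -Server $server |
    Where-Object { $_.Enabled }

# 5. Privileged accounts that appear in either list are the ones to review first.
@($stale) + @($noExpiry) |
    Where-Object { $adminDNs -contains $_.DistinguishedName } |
    Sort-Object DistinguishedName -Unique |
    Select-Object SamAccountName, LastLogonDate, PasswordNeverExpires
```

Every cmdlet used here only reads from the directory, so the review can run under an account that has no write permissions.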
More information
For more information about the Active Directory module cmdlets, see the following:
· What’s New in AD DS: Active Directory Module for Windows PowerShell