Bill Detwiler: Obtaining user object information via Active Directory Users And Computers is fine for the one-time use, but it falls short for batch tasks.
I'm Bill Detwiler, and during this episode of TR Dojo, I'll share three scripts that make it easy to pull user information from Active Directory via PowerShell.
In an earlier TR Dojo episode, I showed you how to retrieve a list of installed USB devices and kill processes using PowerShell.
But with the release of the Active Directory Module for Windows PowerShell, an enhancement in Windows Server 2008 R2, this utility has become an even more useful tool for network administrators.
This PowerShell environment has several commands optimized for Active Directory and includes features not available through the normal Active Directory Users and Computers GUI.
And while there are plenty of command-line tools for flat dumps and exports, the new AD Module for Windows PowerShell is one of the most powerful tools for managing users in Active Directory Domain Services.
Let's start with changing an attribute for a group of users -- a task easily performed with the Get-ADUser and Set-ADUser cmdlets.
Suppose a new manager has taken over an Accounting department and you want to reflect that change in Active Directory.
From within an Active Directory Module for Windows PowerShell window, you could enter something like the command shown here:
Get-ADUser -Filter * -SearchBase "OU=Accounting,OU=UserAccounts,DC=YourDomain,DC=com" | Set-ADUser -Manager "John Doe"
This one-line PowerShell script uses the Get-ADUser cmdlet with the -Filter and -SearchBase parameters to return all user accounts within the Accounting OU and then sends the output to the Set-ADUser cmdlet, which sets the manager attribute to the value John Doe.
And don't worry, I'll include the text for each script I cover during this show in the blog notes.
Now, looking at the user accounts in the Accounting department through the AD Users and Computers GUI, we can see that the manager attribute has been set to John Doe.
For our second task, suppose an existing employee has transferred into a new department and needs the same group memberships as others in that department. Using the Get-ADPrincipalGroupMembership and Add-ADPrincipalGroupMembership cmdlets, you can do just that.
Again from within the Active Directory Module for Windows PowerShell window, you would enter something like this script:
Get-ADPrincipalGroupMembership -Identity JohnDoe | % {Add-ADPrincipalGroupMembership -Identity JaneDoe -MemberOf $_}
This script gets the group memberships of user John Doe and transfers them to user Jane Doe.
Looking at the accounts with the AD Users and Computers GUI, we see that Jane Doe now has the same group memberships as John Doe.
Our last script comes from TechRepublic blogger Rick Vanover. In a recent article, he explained how to use the Search-ADAccount cmdlet to pull a list of all user accounts with non-expiring passwords. Having this information can be really helpful during a security audit.
To execute the script, open the Windows PowerShell window and enter the script shown here:
Search-ADAccount -PasswordNeverExpires | FT Name, ObjectClass, UserPrincipalName
When you run the script, you should see a table showing the user name, object class, and user principal name of each account with a non-expiring password.
I've shown you just the tip of the iceberg when it comes to working with Active Directory through PowerShell. For more tips, I encourage you to check out this episode's blog notes, where I'll link to more PowerShell resources from TechRepublic and beyond.
And as always, for more teachings on your path to becoming an IT Ninja, visit trdojo.techrepublic.com, or you can follow me on Twitter at twitter.com/billdetwiler.
Thanks for visiting the TR Dojo.
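An added example, not one of the episode's scripts, that extends the non-expiring-password audit above: it keeps only enabled accounts, adds the password age, the manager and the group count from the earlier tasks, and exports the result to CSV. The 90-day staleness threshold and the output path are assumptions; adjust them to your own policy.

```powershell
# Added example (not from the episode): audit enabled user accounts whose
# passwords never expire, report how stale each password is, and export to CSV.
# Assumes the Active Directory Module for Windows PowerShell is installed.
Import-Module ActiveDirectory

$StaleAfterDays = 90                                    # assumed audit threshold
$ReportPath     = "C:\Temp\NonExpiringPasswords.csv"    # assumed output path

Search-ADAccount -PasswordNeverExpires -UsersOnly |
    # Search-ADAccount returns a slim object; fetch the attributes we need.
    Get-ADUser -Properties PasswordLastSet, LastLogonDate, Manager, MemberOf |
    # Disabled accounts are a lower risk; keep the enabled ones only.
    Where-Object { $_.Enabled } |
    Select-Object Name,
                  SamAccountName,
                  UserPrincipalName,
                  PasswordLastSet,
                  @{ Name = 'PasswordAgeDays'
                     Expression = { if ($_.PasswordLastSet) {
                                        ((Get-Date) - $_.PasswordLastSet).Days
                                    } else { $null } } },
                  # A password never set, or older than the threshold, is stale.
                  @{ Name = 'Stale'
                     Expression = { -not $_.PasswordLastSet -or
                                    ((Get-Date) - $_.PasswordLastSet).Days -gt $StaleAfterDays } },
                  LastLogonDate,
                  # Manager is stored as a DN; resolve it to a display name.
                  @{ Name = 'Manager'
                     Expression = { if ($_.Manager) { (Get-ADUser $_.Manager).Name } else { '' } } },
                  @{ Name = 'GroupCount'; Expression = { @($_.MemberOf).Count } } |
    Sort-Object PasswordLastSet |
    Tee-Object -Variable Report |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Show the stale accounts on screen; the full report is in the CSV.
$Report | Where-Object { $_.Stale } |
    Format-Table Name, SamAccountName, PasswordAgeDays, LastLogonDate, Manager -AutoSize
```

Run it from an elevated Active Directory Module for Windows PowerShell window with an account that can read user attributes; service accounts that legitimately need non-expiring passwords should be documented rather than silently accepted in the report.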