"Powershell Active Directory Cheat Sheet"

Active Directory PowerShell Quick Reference

Getting Started

To add the Active Directory module:
    Import-Module activedirectory

Get a list of AD Commands:
    Get-Command -Module activedirectory

For help with a cmdlet, type:
    Get-Help Get-ADUser -Full

Forests and Domains

To see Forest details:
    Get-ADForest test.local

To see Domain details:
    Get-ADDomain test.local

To raise the Forest functional level:
    Set-ADForestMode -Identity test.local -ForestMode Windows2008R2Forest

To raise the Domain functional level:
    Set-ADDomainMode -Identity test.local -DomainMode Windows2008R2Domain

Get the rootDSE from the default domain controller:
    Get-ADRootDSE

Move FSMO roles:
    Move-ADDirectoryServerOperationMasterRole -Identity "TESTDC" -OperationMasterRole PDCEmulator,SchemaMaster

User Account Tasks

To see user account details:
    Get-ADUser -Identity 'Joe Bloggs'

To search for a user:
    Get-ADUser -Filter 'Name -like "Joe Bloggs"'

Or search for users in a particular OU:
    Get-ADUser -Filter * -SearchBase "OU=Sales,OU=Users,DC=test,DC=local"

To see additional properties, not just the default set:
    Get-ADUser -Identity 'JoeBloggs' -Properties Description,Office

To see all the user properties, not just default set:
    Get-ADUser -Identity 'JoeBloggs' -Properties *

To create a new user:
    New-ADUser -Name "Joe Bloggs" -SamAccountName "JoeBloggs" -GivenName "Joe" -Surname "Bloggs" -DisplayName "Joe Bloggs" -Path 'OU=Users,OU=Sales,DC=test,DC=local' -OtherAttributes @{'Title'="Sales Manager"} -AccountPassword (Read-Host -AsSecureString "AccountPassword") -Enabled $true

To change the properties of a user:
    Set-ADUser 'Joe Bloggs' -City London -Remove @{otherMailbox="Joe.Bloggs"} -Add @{url="test.local"} -Replace @{title="manager"} -Clear description

Service Accounts

To see AD Service Accounts:
    Get-ADServiceAccount -Filter *

To create a new AD Service Account:
    New-ADServiceAccount -Name "Service1" -SamAccountName "Service1" -DisplayName "Service1" -AccountPassword (Read-Host -AsSecureString "AccountPassword") -Enabled $true

Install an existing AD service account on the local computer and make the required changes so that the password can be periodically reset by the computer:
    Install-ADServiceAccount -Identity 'Service1'

Uninstall an existing AD service account on the local computer:
    Uninstall-ADServiceAccount -Identity 'Service1'

To reset the AD Service Account password on the local computer:
    Reset-ADServiceAccountPassword -Identity 'Service1'

Recycle Bin

To enable the ‘AD Recycle Bin’ feature:
    Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'test.local'

To restore an AD Account from the Recycle Bin:
    Get-ADObject -Filter 'samaccountname -eq "JoeBloggs"' -IncludeDeletedObjects | Restore-ADObject

Other Cmdlets

    Add-ADComputerServiceAccount
    Get-ADComputerServiceAccount
    Remove-ADComputerServiceAccount
    Remove-ADServiceAccount
    Set-ADServiceAccount
    Add-ADDomainControllerPasswordReplicationPolicy
    Get-ADAccountResultantPasswordReplicationPolicy
    Get-ADDomainControllerPasswordReplicationPolicy
    Get-ADDomainControllerPasswordReplicationPolicyUsage
    Remove-ADDomainControllerPasswordReplicationPolicy
    Remove-ADFineGrainedPasswordPolicy
    Remove-ADFineGrainedPasswordPolicySubject
    Set-ADFineGrainedPasswordPolicy
    Add-ADPrincipalGroupMembership
    Get-ADPrincipalGroupMembership
    Remove-ADPrincipalGroupMembership
    Disable-ADOptionalFeature
    Get-ADOptionalFeature
    Get-ADObject
    Move-ADObject
    New-ADObject
    Remove-ADObject
    Rename-ADObject
    Set-ADObject
    Set-ADOrganizationalUnit
    Remove-ADOrganizationalUnit
    Get-ADUserResultantPasswordPolicy
    Remove-ADUser
    Get-ADAccountAuthorizationGroup
    Get-ADDomainController
    Move-ADDirectoryServer
    Remove-ADGroupMember
    Search-ADAccount
    Set-ADAccountControl
    Set-ADComputer
    Set-ADDomain
    Set-ADForest
Password Policies

To see the Default Domain Password Policy:
    Get-ADDefaultDomainPasswordPolicy -Identity test.local

To change the properties of the Default Domain Password Policy:
    Set-ADDefaultDomainPasswordPolicy -Identity test.local -LockoutDuration 00:40:00 -LockoutObservationWindow 00:20:00 -MaxPasswordAge 10.00:00:00 -MinPasswordLength 8

To create a new Fine-Grained Password Policy:
    New-ADFineGrainedPasswordPolicy -Name "Standard Users PSO" -Precedence 500 -ComplexityEnabled $true -Description "Standard Users Password Policy" -DisplayName "Standard Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10

To see all Fine-Grained Password Policies:
    Get-ADFineGrainedPasswordPolicy -Filter {name -like "*"}

To apply a Fine-Grained Password Policy to a group of users:
    Add-ADFineGrainedPasswordPolicySubject 'Standard Users PSO' -Subjects 'Standard Users'

To see which users have been applied to a Fine-Grained Password Policy:
    Get-ADFineGrainedPasswordPolicySubject -Identity 'Standard Users PSO'

Group Tasks

To see group details:
    Get-ADGroup -Identity 'Sales Users'

To create a new group:
    New-ADGroup -Name "Sales Users" -SamAccountName SalesUsers -GroupCategory Security -GroupScope Global -DisplayName 'Sales Users' -Path "OU=Groups,OU=Resources,DC=test,DC=local" -Description "All Sales Users"

To change the properties of a group:
    Set-ADGroup -Identity 'SalesUsers' -GroupCategory Distribution -GroupScope Universal -ManagedBy 'JoeBloggs' -Clear Description

To remove a group:
    Remove-ADGroup -Identity 'SalesUsers' -Confirm:$false

To see group members:
    Get-ADGroupMember -Identity 'SalesUsers' -Recursive

To add group members:
    Add-ADGroupMember -Identity 'SalesUsers' -Members JoeBloggs,SarahJane

To remove group members:
    Remove-ADGroupMember -Identity 'SalesUsers' -Members JoeBloggs,SarahJane

User Account Security

To disable a user account:
    Disable-ADAccount -Identity JoeBloggs

To enable a user account:
    Enable-ADAccount -Identity JoeBloggs

To set the expiration date for a user account:
    Set-ADAccountExpiration -Identity JoeBloggs -DateTime "10/18/2008"

To clear the expiration date for a user account:
    Clear-ADAccountExpiration -Identity JoeBloggs

To change the password for a user account:
    Set-ADAccountPassword -Identity JoeBloggs -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force)
A password typed inline like this can end up in command history and transcripts; prompting with Read-Host -AsSecureString, as in the New-ADUser example, keeps it off the command line.

To unlock a user account:
    Unlock-ADAccount -Identity JoeBloggs

Computer Account Tasks

To see computer account details:
    Get-ADComputer -Filter 'Name -like "Server01"'

To create a new computer account:
    New-ADComputer -Name "Server01" -SamAccountName "Server01" -Path "OU=Computers,OU=Resources,DC=test,DC=local" -Enabled $true -Location "London"

To remove a computer account:
    Remove-ADComputer -Identity "Server01" -Confirm:$false

Organisational Unit Tasks

To see OU details:
    Get-ADOrganizationalUnit -Identity 'OU=Users,OU=Sales,DC=test,DC=local'

To create a new OU:
    New-ADOrganizationalUnit -Name Users -Path 'OU=Marketing,DC=test,DC=local'

How to Get More Information

Check out the AD PowerShell Blog:
    http://blogs.msdn.com/adpowershell/default.aspx

Make sure you visit the following sites for PowerShell Podcasts:
    http://get-scripting.blogspot.com/
    http://powerscripting.net/

For the latest version of this doc check:
    http://jonathanmedd.net

v0.1
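The Password Policies cmdlets above can be combined into a read-only review of which policy applies to whom. The script below is an added example, not part of the original cheat sheet; the baseline values and the helper name Test-PasswordPolicy are assumptions, and test.local and JoeBloggs are the cheat sheet's sample names.

```powershell
# Added example (not from the cheat sheet). Baseline values are assumed.
Import-Module ActiveDirectory

$Domain   = 'test.local'                                       # the cheat sheet's sample domain
$Baseline = @{ MinPasswordLength = 12; LockoutThreshold = 10 } # assumed local standard

function Test-PasswordPolicy {   # hypothetical helper name
    param($Policy, [string]$Label, [string]$AppliesTo)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength=$($Policy.MinPasswordLength)"
    }
    if (-not $Policy.ComplexityEnabled)      { $findings += 'ComplexityEnabled=False' }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'ReversibleEncryptionEnabled=True' }
    # LockoutThreshold 0 means accounts never lock out.
    if ($Policy.LockoutThreshold -eq 0 -or
        $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold=$($Policy.LockoutThreshold)"
    }
    $summary = 'OK'
    if ($findings.Count -gt 0) { $summary = $findings -join '; ' }
    New-Object psobject -Property @{ Policy = $Label; AppliesTo = $AppliesTo; Findings = $summary }
}

# 1. The default domain policy covers every account without a PSO.
$default = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$report  = @(Test-PasswordPolicy -Policy $default -Label 'Default Domain Policy' -AppliesTo '(all other accounts)')

# 2. Each fine-grained policy (PSO), lowest Precedence value (highest rank) first.
$psos = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $Domain | Sort-Object Precedence)
foreach ($pso in $psos) {
    $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $pso -Server $Domain |
        Select-Object -ExpandProperty Name
    $label = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
    $report += Test-PasswordPolicy -Policy $pso -Label $label -AppliesTo ($subjects -join ', ')
}
$report | Select-Object Policy, AppliesTo, Findings | Format-List

# 3. Spot-check one account. No output means no PSO applies and the
#    default domain policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'JoeBloggs' -Server $Domain
```

The script only reads directory data, so it can be run with an ordinary account that is allowed to read the Password Settings Container.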