Active Directory is the most popular solution for centrally managing users within an organization. Active Directory management can be relatively easy in smaller organizations with a limited number of resources. However, large enterprises can find it difficult without automation. To get up to speed on the definition of Active Directory, we offer Windows Server training.
Information gathering is the key to the power of Active Directory automation. Without PowerShell, it is impossible to pull a specific user attribute across the entire forest, or to apply a specific setting or attribute to a group of users.
Active Directory automation also offers health checking. You can automate important health checks using either a third-party tool or the built-in task scheduler. Let’s take a look below at some PowerShell Active Directory commands.
The Most Common AD PowerShell Commands
The most commonly used Active Directory PowerShell commands are also the most basic. These are just a few PowerShell commands that you should be familiar with:
1. Get-ADUser
This command can be used to retrieve information about a specific user ID in Active Directory, or about a set of users selected by a filter. With the wildcard (*) as the filter, it returns information about all users in Active Directory.
The output can be exported to CSV with the Export-Csv cmdlet. This is a great option for creating reports requested by management or internal auditors.
You can also choose which fields to export using the Select-Object cmdlet, selecting attributes such as sAMAccountName, Department, LastLogonDate and HomeDirectory.
2. Get-ADComputer
This allows us to extract information about a specific computer, or about all computer accounts within the domain using the wildcard character (*). This cmdlet can be used to clean stale accounts out of Active Directory: select the PasswordLastSet property and compare it with the current date.
If the difference between the last secure channel password reset date and the current date is large, that computer account has not been used for a long period of time and can be deleted.
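The stale-computer check described above, written out as an added example (not code from the original article). It assumes the ActiveDirectory module (RSAT) is installed, uses an assumed 90-day threshold, and only reports and dry-runs the cleanup with -WhatIf so nothing is changed until the report has been reviewed:

```powershell
# Added example: report computer accounts whose secure-channel password has not
# been reset for more than $MaxAgeDays (assumed threshold: 90 days).
# Requires the ActiveDirectory module (RSAT). Nothing is deleted or disabled here.
param(
    [int]$MaxAgeDays = 90,
    [string]$ReportPath = "$env:TEMP\StaleComputers.csv"   # assumed output location
)

Import-Module ActiveDirectory

$Cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# PasswordLastSet is a computed property, so it must be requested explicitly.
# Only enabled accounts are considered; disabled ones are already out of use.
$Stale = Get-ADComputer -Filter { PasswordLastSet -lt $Cutoff -and Enabled -eq $true } `
                        -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Select-Object Name,
                  DistinguishedName,
                  OperatingSystem,
                  PasswordLastSet,
                  LastLogonDate,
                  @{ Name       = 'DaysSinceReset'
                     Expression = {
                         # Guard against accounts that never had a password set.
                         if ($_.PasswordLastSet) {
                             [int]((Get-Date) - $_.PasswordLastSet).TotalDays
                         } else { $null }
                     } } |
    Sort-Object DaysSinceReset -Descending

# Export the candidates for review before any account is touched.
$Stale | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host "$(@($Stale).Count) stale computer account(s) written to $ReportPath"

# Dry run of the cleanup step: -WhatIf prints what would be disabled without changing AD.
# Disabling first (rather than deleting) keeps the object recoverable if a host reappears.
$Stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```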
3. Get-ADObject
This command can extract information from any Active Directory object; it is not limited to users or computers. What sets this cmdlet apart is that we can filter the search results on attributes. For example:
$ChangeDate = (Get-Date).AddDays(-30)   # example cutoff: objects changed in the last 30 days
Get-ADObject -Filter 'WhenChanged -gt $ChangeDate' -IncludeDeletedObjects
This searches for objects (including deleted ones) that have been modified after the date held in the $ChangeDate variable. The cmdlet is very powerful because a granular search like this can extract a lot of useful information. To extract information about a specific AD group, we can use Get-ADGroup.
4. Get-ADGroupMember
This extracts the list of members of a specific AD group, and it works together with the Get-ADGroup cmdlet. Take this example (replace the placeholder with the group name):
Get-ADGroupMember -Identity "<GroupName>"
Assigning Attributes & Configurations
Next, we need to assign attributes and configurations to users. For this we use the counterparts of the cmdlets above: almost every Get cmdlet has a Set counterpart. The following cmdlets can be used in our case:
Set-ADUser
Set-ADComputer
Set-ADObject
Set-ADGroup
Add-ADGroupMember
Together, the Get and Set cmdlets above let us produce detailed reports about users, computers and groups (the three major object categories in AD), and also create users, modify attributes, query objects and manage AD group membership.
Automation and Health Checks