Tip

Alternative PowerShell commands for Active Directory management

While Microsoft has added many new cmdlets for PowerShell 2.0, admins can also use additional options from Quest Software and other outlets when working with Active Directory.

Previously, we looked at how PowerShell can be used to manage Active Directory in Windows Server 2008 R2. In this article, we'll cover some alternatives to the Microsoft cmdlets.

The benefit to these other options is that there are no dependencies -- well, other than the Active Directory cmdlets themselves. These cmdlets are provided by Quest Software and my own open source module, called BSonPosh.

Quest was really the first on the Active Directory scene, and it has also been around since the early days of Windows PowerShell (about four years), so the cmdlets are very mature. They have no dependencies on anything specific, and while the cmdlets work against all "Active Directories," they can also target a Quest ActiveRoles Server, which provides a much higher degree of object management and security. Outside of that, they behave very much the same as the Microsoft cmdlets.

The one weakness of these Quest cmdlets is that they don't venture into the realm of infrastructure management, which is why I wrote the BSonPosh module to fill the gap. To be clear, my module covers far more than just Active Directory, but the AD infrastructure management coverage is pretty good.

While we don't have the time or space to cover the entire set of cmdlets offered by Quest and BSonPosh, we can take a look at a few of the more prominent ones in both management categories.

     Note: You may notice the Quest cmdlets have a verb prefix of QAD. This allows
     them to play nice with other Active Directory cmdlet providers.

Object management (Quest)

Get-QADUser -- gets a specific user object or does a search for user objects that match the query

     Examples:
              # Get the user account for a user with ambiguous name resolution (ANR) of BSonPosh
              Get-QADUser bsonposh

              # Get all the users that have BSonPosh as manager
              Get-QADUser -Manager bsonposh

              # Get all the users that have the last name "Shell" using LDAP filter
              Get-QADUser -LDAPFilter "(sn=shell)"

     For more examples:
              Get-Help Get-QADUser -Examples

Get-QADComputer -- gets a specific computer object or does a search for computer objects that match the query

     Examples:
              # Get all the computers in a given organization unit (OU)
              Get-QADComputer -SearchRoot "OU=XenDesktop,DC=Dev,DC=Lab"

              # Get all the computers with a given role (i.e. member, DC, undefined)
              Get-QADComputer -ComputerRole DC

              # Find all Windows 7 machines
              Get-QADComputer -OSName "Windows 7*"

     For more examples:
              Get-Help Get-QADComputer -Examples

Get-QADGroup -- gets a specific group object or does a search for group objects that match the query

     Examples:
              # List all the universal groups
              Get-QADGroup -GroupScope 'Universal'

              # Get the group members
              Get-QADGroup "Domain Admins" | select -ExpandProperty member

              # An easier way to get group members
              Get-QADGroupMember "Domain Admins"

              # Find empty groups
              Get-QADGroup -Empty $true

     For more examples:
              Get-Help Get-QADGroup -Examples
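
The group-membership query above is the natural input for a baseline review of a privileged group. The following is an added example, not code from the original article or from the Quest or BSonPosh projects; the function name Compare-GroupBaseline, the approved list and the sample DNs are constructed for illustration, and the script falls back to the sample data when the Quest snap-in is not loaded.

```powershell
# Added example: compare a privileged group's members against an approved list.
# Compare-GroupBaseline, $approved and the sample DNs are hypothetical/constructed.
function Compare-GroupBaseline {
    param(
        [string]$Group,
        [string[]]$Approved,   # DNs expected to be members
        [string[]]$Current     # DNs actually returned from the directory
    )
    # DN comparison is case-insensitive; normalise and drop empty entries first.
    $want = @($Approved | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLower() })
    $have = @($Current  | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLower() })

    foreach ($dn in $have) {
        if ($want -notcontains $dn) {
            New-Object PSObject -Property @{ Group = $Group; Finding = 'Unexpected'; Member = $dn }
        }
    }
    foreach ($dn in $want) {
        if ($have -notcontains $dn) {
            New-Object PSObject -Property @{ Group = $Group; Finding = 'Missing'; Member = $dn }
        }
    }
}

$group    = 'Domain Admins'
$approved = @(
    'CN=Administrator,CN=Users,DC=Dev,DC=Lab',
    'CN=BSonPosh,OU=Admins,DC=Dev,DC=Lab'
)

if (Get-Command Get-QADGroup -ErrorAction SilentlyContinue) {
    # Same query the article uses to list group members.
    $current = Get-QADGroup $group | Select-Object -ExpandProperty member
} else {
    # Constructed sample so the comparison runs without the Quest snap-in.
    $current = @(
        'cn=administrator,cn=users,dc=dev,dc=lab',
        'CN=svc-backup,OU=Service Accounts,DC=Dev,DC=Lab'
    )
}

Compare-GroupBaseline -Group $group -Approved $approved -Current $current |
    Format-Table Group, Finding, Member -AutoSize
```

Each output row names a DN that is in the group but not on the approved list (Unexpected) or approved but no longer a member (Missing).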

Infrastructure management (BSonPosh)

Get-Forest -- returns the current forest

     Examples:
              # Get the current forest
              Get-Forest

              # Get the forest for a specific domain controller (DC)
              Get-Forest -DomainController CoreDC

     For more examples:
              Get-Help Get-Forest -Examples

Get-Domain -- returns a domain object

     Examples:
              # Gets the current domain
              Get-Domain

              # Gets the domain of specified DC
              Get-Domain -DomainController CoreDC

     For more examples:
              Get-Help Get-Domain -Examples

Get-DomainController -- returns a domain controller object that matches the parameters passed

     Examples:
              # Gets the current domain controller for the user session
              Get-DomainController

              # Gets domain controllers with specific names (RegEx)
              Get-DomainController -Filter "mydc(nyc|dr)\d"

              # Returns all DCs in a given domain
              Get-DomainController -Domain Dev.Lab

     For more examples:
              Get-Help Get-DomainController -Examples

Get-FSMO -- returns the operation masters for forest/domain

     Examples:
              # Returns all the Flexible Single Master Operations (FSMO) for the forest and domain
              Get-FSMO

              # Returns just the domain FSMO
              Get-FSMO -Domain

              # Returns the forest FSMO
              Get-FSMO -Forest

     For more examples:
              Get-Help Get-FSMO -Examples

Here is a list of all the cmdlets provided with the Quest Active Directory module:

  • Add-QADGroupMember
  • Add-QADMemberOf
  • Add-QADPasswordSettingsObjectAppliesTo
  • Add-QADPermission
  • Approve-QARSApprovalTask
  • Connect-QADService
  • Convert-QADAttributeValue
  • Deprovision-QADUser
  • Disable-QADUser
  • Disconnect-QADService
  • Enable-QADUser
  • Get-QADComputer
  • Get-QADGroup
  • Get-QADGroupMember
  • Get-QADMemberOf
  • Get-QADObject
  • Get-QADObjectSecurity
  • Get-QADPasswordSettingsObject
  • Get-QADPasswordSettingsObjectAppliesTo
  • Get-QADPermission
  • Get-QADPSSnapinSettings
  • Get-QADRootDSE
  • Get-QADUser
  • Get-QARSAccessTemplate
  • Get-QARSAccessTemplateLink
  • Get-QARSApprovalTask
  • Get-QARSOperation
  • Move-QADObject
  • New-QADGroup
  • New-QADObject
  • New-QADPasswordSettingsObject
  • New-QADUser
  • New-QARSAccessTemplateLink
  • Reject-QARSApprovalTask
  • Remove-QADGroupMember
  • Remove-QADMemberOf
  • Remove-QADObject
  • Remove-QADPasswordSettingsObjectAppliesTo
  • Remove-QADPermission
  • Remove-QARSAccessTemplateLink
  • Rename-QADObject
  • Restore-QADDeletedObject
  • Set-QADGroup
  • Set-QADObject
  • Set-QADObjectSecurity
  • Set-QADPSSnapinSettings
  • Set-QADUser
  • Set-QARSAccessTemplateLink
  • Unlock-QADUser

And finally, here are all of the Active Directory cmdlets that can be found in the BSonPosh module:

  • ConvertTo-DistinguishedName
  • ConvertTo-DNSName
  • ConvertTo-Name
  • ConvertTo-NetbiosName
  • ConvertTo-Sid
  • ConvertTo-UACFLag
  • Get-ADACL
  • Get-DCConnectionObject
  • Get-Domain
  • Get-DomainController
  • Get-Forest
  • Get-FSMO
  • Get-Schema
  • Get-SchemaClass
  • Get-SchemaOID
  • Get-SchemaProperty
  • Get-SiteLink
  • Get-Site
  • New-ADACE
  • Set-ADACL

You can find more on using these PowerShell cmdlets for Active Directory object and infrastructure management via the online help for Quest cmdlets and the source code for BSonPosh.

ABOUT THE AUTHOR
Brandon Shell has been in the IT industry since 1994. He started out as a PC tech and general fix-it guy for numerous companies. In 2007, he joined the PowerShell MVP ranks, and Shell has spent the past several years building his PowerShell knowledge and helping others build theirs.
