Prof. Powershell

The Quest for the Active Directory Grail

PowerShell doesn't have tools to automate AD management, but some vendors have developed tools that can get you nearer to that goal.

Managing Active Directory has always been a GUI-based task that unfortunately doesn't lend itself to automation. But once you have some PowerShell fundamentals, there are a number of tools you can begin using to leverage PowerShell.

Last time we looked at the Active Directory provider from Microsoft that ships with Windows Server 2008 R2. One potential drawback is that it requires an R2 domain controller, or that you install the Active Directory Management Gateway service on one or more domain controllers. But there is an alternative.

Quest Software offers a free set of PowerShell cmdlets for managing Active Directory. The cmdlets are designed to complement their commercial Active Directory product, which is worth checking out if you run a large enterprise-wide Active Directory infrastructure. However, the cmdlets will work with any version of Active Directory and install on XP or later with PowerShell 1.0.

You don't have to touch any domain controllers. Go here to download the setup file. There are 32- and 64-bit flavors. After you install, open a PowerShell prompt and add the snapin to your session:

PS C:\> Add-PSSnapin Quest.ActiveRoles.ADManagement

Use Get-Command to discover all the cmdlets. Notice that many of the nouns are prefaced with QAD:

PS C:\> Get-Command -module Quest.ActiveRoles.ADManagement

These cmdlets take a more traditional LDAP approach, although that isn't always apparent:

PS C:\> get-qaduser $env:username | select *

Let's find all the users in Omaha:

PS C:\> Get-QADUser -city "Omaha"

This will return everyone assuming you have less than 1000 users in Omaha. If you have more then you'll need to use the -SizeLimit parameter. Fortunately all the Quest cmdlets have terrific help and examples.

But let's say we need to update their zip code. This is a one line PowerShell command that you can type and execute faster than it would take you to use the GUI:

PS C:\> Get-QADuser -City Omaha | Set-QADUser -PostalCode 68144

Or perhaps I want to find all my empty security groups and save the information to a CSV file that I can open with Excel:

PS C:\> Get-QADgroup -Empty $True -GroupType Security |

>> Select Name,DN,WhenCreated,Whenchanged,Description |
>> Export-CSV F:\Data\EmptyGroups.csv -NoTypeInformation

I could go on and on here, but the point is that once you know a little PowerShell you have an entire new world of management opportunities.

I hope you noticed that I didn't write a single script in my examples. Scripting lets you take things to an even greater level, but only when you are ready. PowerShell can dramatically alter the way you work--and for the better.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.

comments powered by Disqus
Most   Popular