tshell

Active Directory cmdlet of the week "Holiday Special"


Due to the holidays we are doing only one "cmdlet of the week" in the month of December, so I decided to make it a special one and give you a sneak peek at what Microsoft has planned for its next Server OS release. While you will find a complete (at least for this build) list of AD cmdlets below, I wanted to focus on one particular cmdlet: New-ADUser.

New-ADUser

This cmdlet acts very much like the New-QADUser we covered last week:
Parameters (abbreviated list)
  • -AccountExpirationDate []: When the Account should Expire
  • -AccountNotDelegated []: Sets the AccountNotDelegated property and the ADS_UF_NOT_DELEGATED flag of the User Account Control (UAC) attribute
  • -AccountPassword []: A SecureString Value to be used as the password
  • -AllowReversiblePasswordEncryption []: Specifies whether reversible password encryption is allowed for the account.
  • -CannotChangePassword []: Specifies whether the account password can be changed.
  • -Certificates []: Modifies the DER-encoded X509v3 certificates of the account.
  • -ChangePasswordAtLogon []: Sets the ADS_UF_PASSWORD_EXPIRED flag of the Active Directory User Account Control (UAC) attribute
  • -Enabled []: Specifies if an account is enabled. An enabled account requires a password.
  • -Instance []: Specifies an instance of a user object to use as a template for a new user object.
  • -PasswordNeverExpires []: Specifies whether the password of an account can expire.
  • -PasswordNotRequired []: Specifies whether the account requires a password.
  • -PermittedLogonTime []: Specifies the time period during which you can log on to an account during a given day of the week.
Gotchas
  • Name and sAMAccountName are required
  • AccountPassword needs to be a secure string. (You can use ConvertTo-SecureString to change a plaintext string to a SecureString.)
  • This cmdlet does not work with an Active Directory Snapshot.
  • This cmdlet does not work with a read-only domain controller.
Examples

Below is some example code using New-ADUser to import users from a CSV. I am hoping when they go live they include the ability to directly import a CSV like the Quest cmdlet has.

    # Import users from a CSV file; every column except sAMAccountName
    # is passed through to the new account as an attribute.
    Param($list = "C:\temp\UserList.csv",[switch]$whatif)
    $users = Import-Csv $list
    $OU = "OU=MyUsers,DC=Test,DC=Lab"
    # Every imported account gets the same initial password.
    $password = ConvertTo-SecureString -AsPlainText "P@ssw0rd!!" -Force
    foreach($user in $users)
    {
        # Collect the remaining CSV columns for -OtherAttributes.
        $props = @{}
        $propNames = $user | Get-Member -MemberType properties | %{$_.name}
        foreach($prop in $propNames)
        {
            if($prop -ne "sAMAccountName")
            {
                # Strip single and double quotes from the value.
                $value = $user.$prop -replace "'|`"",""
                $props += @{$prop=$value}
            }
        }
        # Quote the name and escape any commas in it.
        $MyUser = New-ADUser -sAMAccountName $user.sAMAccountName `
            -name ("`"{0}`"" -f $user.DisplayName -replace "\,","\,") `
            -AccountPassword $password `
            -OtherAttributes $props `
            -path $OU `
            -whatif:$whatif
        # Output the new user object.
        $MyUser
    }
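A hardened variant of the import above, added here as an illustration and not part of the original post: each account gets its own random password built directly as a SecureString, is created disabled, and has the password-related flags from the parameter list set explicitly. It assumes the released ActiveDirectory module accepts these parameters as listed and takes DisplayName as -Name without the quoting workaround; the helper name New-RandomSecureString is hypothetical.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and the CSV columns used above (sAMAccountName, DisplayName).
param(
    [string]$List = 'C:\temp\UserList.csv',
    [string]$OU   = 'OU=MyUsers,DC=Test,DC=Lab',
    [switch]$WhatIf
)
Import-Module ActiveDirectory

# Hypothetical helper: builds a SecureString from a CSPRNG one character at a
# time, so the password never exists as a plain [string].
function New-RandomSecureString([int]$Length = 24) {
    $classes = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%+-=?@_'
    $all     = -join $classes
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secure  = New-Object System.Security.SecureString
    $byte    = New-Object byte[] 1
    for ($i = 0; $i -lt $Length; $i++) {
        # The first four characters come from one class each (complexity rules).
        $set = if ($i -lt $classes.Count) { $classes[$i] } else { $all }
        # Rejection sampling: discard bytes that would bias the modulo.
        $limit = 256 - (256 % $set.Length)
        do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
        $secure.AppendChar($set[$byte[0] % $set.Length])
    }
    $secure.MakeReadOnly()
    $secure
}

foreach ($user in Import-Csv $List) {
    if (-not $user.sAMAccountName -or -not $user.DisplayName) {
        Write-Warning 'Skipping row without sAMAccountName or DisplayName'
        continue
    }
    New-ADUser -SamAccountName $user.sAMAccountName -Name $user.DisplayName `
        -Path $OU `
        -AccountPassword (New-RandomSecureString) `
        -Enabled $false `
        -ChangePasswordAtLogon $true `
        -PasswordNotRequired $false `
        -PasswordNeverExpires $false `
        -AllowReversiblePasswordEncryption $false `
        -WhatIf:$WhatIf
}
```

Because nobody knows the generated password, activation is a separate step: reset it with Set-ADAccountPassword and then run Enable-ADAccount when the account is handed over.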
Below is a full list of the AD cmdlets included in Windows 7 Server build 6801 (aka Win2008 R2), grouped by verb.

Note: There is also an Active Directory Provider that allows you to interact with AD like a filesystem. I plan to play with that and provide more detail later.

Verb: Add
Add-ADComputerServiceAccount
Add-ADDomainControllerPasswordReplicationPolicy
Add-ADFineGrainedPasswordPolicySubject
Add-ADGroupMember
Add-ADPrincipalGroupMembership

Verb: Clear
Clear-ADAccountExpiration

Verb: Disable
Disable-ADAccount
Disable-ADOptionalFeature

Verb: Enable
Enable-ADAccount
Enable-ADOptionalFeature

Verb: Get
Get-ADAccountAuthorizationGroup
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADComputer
Get-ADComputerServiceAccount
Get-ADDefaultDomainPasswordPolicy
Get-ADDomain
Get-ADDomainController
Get-ADDomainControllerPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicyUsage
Get-ADFineGrainedPasswordPolicy
Get-ADFineGrainedPasswordPolicySubject
Get-ADForest
Get-ADGroup
Get-ADGroupMember
Get-ADObject
Get-ADOptionalFeature
Get-ADOrganizationalUnit
Get-ADPrincipalGroupMembership
Get-ADRootDSE
Get-ADServiceAccount
Get-ADUser
Get-ADUserResultantPasswordPolicy

Verb: Install
Install-ADServiceAccount

Verb: Move
Move-ADDirectoryServer
Move-ADDirectoryServerOperationMasterRole
Move-ADObject

Verb: New
New-ADComputer
New-ADFineGrainedPasswordPolicy
New-ADGroup
New-ADObject
New-ADOrganizationalUnit
New-ADServiceAccount
New-ADUser

Verb: Remove
Remove-ADComputer
Remove-ADComputerServiceAccount
Remove-ADDomainControllerPasswordReplicationPolicy
Remove-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicySubject
Remove-ADGroup
Remove-ADGroupMember
Remove-ADObject
Remove-ADOrganizationalUnit
Remove-ADPrincipalGroupMembership
Remove-ADServiceAccount
Remove-ADUser

Verb: Rename
Rename-ADObject

Verb: Reset
Reset-ADServiceAccountPassword

Verb: Restore
Restore-ADObject

Verb: Search
Search-ADAccount

Verb: Set
Set-ADAccountControl
Set-ADAccountExpiration
Set-ADAccountPassword
Set-ADComputer
Set-ADDefaultDomainPasswordPolicy
Set-ADDomain
Set-ADDomainMode
Set-ADFineGrainedPasswordPolicy
Set-ADForest
Set-ADForestMode
Set-ADGroup
Set-ADObject
Set-ADOrganizationalUnit
Set-ADServiceAccount
Set-ADUser

Verb: Uninstall
Uninstall-ADServiceAccount

Verb: Unlock
Unlock-ADAccount
