AD-Powershell for Active Directory Administrators Table of Contents Computer object commands Group object commands Organizational Unit (OU) commands User object commands See Also Computer object commands List all computer accounts in a domain

Get-ADComputer –Filter {Name –Like "*"}

View all computers that are logged in for 90 days to the Active Directory

Search-ADaccount -AccountInactive -Timespan 90 -ComputersOnly

OR

$lastLogon = (get-date).adddays(-90).ToFileTime()

Get-ADComputer -filter {lastLogonTimestamp -gt $lastLogon}

Find and delete all disabled Computer accounts in Active Directory

Search-ADAccount -AccountDisabled -ComputersOnly | Sort-Object | Remove-ADComputer

Find and delete disabled computer accounts from a specific OU

Search-ADAccount -AccountDisabled -Searchbase "OU=IT,DC=Contoso,DC=Com" -ComputersOnly | Sort-Object | Remove-ADComputer

Find and delete all computer accounts that no longer have signed up since 11/20/2011 to the Active Directory

Search-ADAccount -AccountInactive -DateTime "20.11.2011" –ComputersOnly | Sort-Object | Remove-ADComputer

List only disabled Computer accounts in Domain

Search-ADAccount -AccountDisabled -ComputersOnly | Format-Table Name

Move Computer to other OU (example: Computer=CLIENT1 to OU=IT)

Get-ADComputer CLIENT1 | Move-ADObject -TargetPath "OU=IT,DC=Contoso,DC=Com"

See Computer account detail (example: Computer=CLIENT1)

Get-ADComputer -Filter {Name -Like "CLIENT1"}

Get a specific computer showing all the properties (example: Computer=CLIENT1)

Get-ADComputer "CLIENT1" -Properties *

List Computers (Name, Operating System, Service Pack, Operating System version)

Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap –Auto

Export Computers List (Name, Operating System, Service Pack, Operating System version)to CSV File

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Export-CSV AllWindows.csv -NoTypeInformation -Encoding UTF8

Get Computer IPv4 Address and DnsHostName

Get-ADComputer -Filter {Name -Like "Computer-Name"} -Properties IPv4Address | Format-List Name,DnsHostName,IPv4Address

Get all Computers in a specific OU (example: OU=IT, Domain=Contoso.com)

Get-ADComputer -SearchBase "OU=IT,DC=Contoso,DC=Com" -filter *

Get all the Computers without a specific DNS suffix

Get-ADComputer -filter "DnsHostName -notlike '*.Contoso.Com'"

Get Computer Service Principal Names (SPNs)

Get-ADComputer "Computer-Name" –Properties ServicePrincipalNames | Select-Object –Expand ServicePrincipalNames

Get Computers Security Identifiers (SIDs)

Get-ADComputer -Filter {Name -like "*"} | Select Name,SID | Format-Table -Auto

All computer accounts that were created in the last 90 days in the Active Directory

Get-ADComputer -Filter * -Properties whenCreated | ? { ((Get-Date) - $_.whenCreated).Days -lt 90} | Format-Table Name,WhenCreated,Name,DistinguishedName -Autosize -Wrap

All computer accounts that were created as of December 1, 2011 (12/01/2011) in the Active Directory

Get-ADComputer -LDAPFilter "(&(objectCategory=person)(whenCreated>=20111201000000.0Z))" -Properties whenCreated | Format-Table Name,whenCreated,distinguishedName -Autosize -Wrap

All computer accounts that were created here in a given time, between the 10/01/2011 and 12/01/2011 in Active Directory

$Start = Get-Date -Day 01 -Month 10 -Year 2011 -Hour 00

$End = Get-Date -Day 01 -Month 12 -Year 2011 -Hour 23 -Minute 59

Get-ADComputer -Filter * -Properties whenCreated | ? { ($.whenCreated -gt $Start) -and ($.whenCreated -le $End) } | Format-Table Name,WhenCreated,DistinguishedName -Autosize -Wrap

All computer accounts, Last Password Set in a given time, between the 10/01/2011 and 12/01/2011 in Active Directory

$Start = Get-Date -Day 01 -Month 10 -Year 2011 -Hour 00

$End = Get-Date -Day 01 -Month 12 -Year 2011 -Hour 23 -Minute 59

Get-ADComputer -Filter * -Properties PasswordLastSet | ? { ($.PasswordLastSet -gt $Start) -and ($.PasswordLastSet -le $End) } | Format-Table Name,WhenCreated,DistinguishedName -Autosize -Wrap

All computer accounts, Last Password Set in the last 90 days in Active Directory

$Date = (Get-Date).AddDays(-90)

Get-ADComputer -Filter * -Properties PasswordLastSet | where { $_.PasswordLastSet -le $Date } | Format-Table Name,PasswordLastSet,DistinguishedName -Autosize -Wrap

Group object commands List all members of a group (example: Group=Experts)

Get-ADGroupMember Experts | Format-Table Name

All properties of a group (example: Group=IT)

Get-ADGroup IT -Properties *

List only Universal Security groups

Get-ADGroup –LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483640))"

List only Global Security groups

Get-ADGroup –LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483646))"

List only Domain Local Security groups

Get-ADGroup –LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483644))"

List all Group memberships for a user (example: User=EdPrice)

Get-ADAccountAuthorizationGroup EdPrice

Move a Group to another OU (example: Group=Experts, Old-OU=IT, New-OU=Service, Domain=Contoso.com) Move-ADObject "CN=Experts,OU=IT,DC=Contoso,DC=com" -TargetPath "OU=Service,DC=Contoso,DC=com"

Add members to a group (example: Group=Experts, User=EdPrice)

Add-ADGroupmember Experts -Member EdPrice

Delete Group (example: Group=Experts)

Remove-ADGroup Experts

Delete a User from a Group (example: Group=Experts, User=EdPrice)

Remove-ADGroupMember Experts -Member EdPrice

Set Description for a Group (example: Group=JoinPC, Description=This group is allowed join PCs to Domain)

Set-ADGroup JoinPC -Description "This group is allowed join PCs to Domain"

Add Users from one Group to another Group (example: from Group1=DataUsers to Group2=SQLUsers)

Get-ADGroupMember DataUsers | Select sAMAccountName | ForEach { Add-ADGroupMember SQLUsers -Members $_.sAMAccountName }

Comparing two Groups to see the Group memberships (example: Group1=Administratorso, Group2=DNSAdmins)

Compare-Object ( Get-ADGroupMember Administrators) ( Get-ADGroupMember DNSAdmins) -IncludeEqual

Organizational Unit (OU) commands All OUs in Domain

Get-ADOrganizationalUnit -Filter {Name -like „*“} | FT Name, DistinguishedName -A

Create OU (example: OU=IT, Domain=Contoso.com)

New-ADOrganizationalUnit -Name IT -Path "DC=Contoso,DC=Com"

Contents of a specific OU (example: OU=IT, Domain=Contoso.com)

Get-ADObject -Filter {Name -Like "*"} -Searchbase "OU=IT,DC=Contoso,DC=Com"

Rename OU (example: Old-Name=IT, New-Name=Admin, Domain=Contoso.com)

Rename-ADObject "OU=IT,DC=Contoso,DC=Com" -NewName Admin

Delete OU including contents (example: OU=IT, Domain=Contoso.com)

Remove-ADOrganizationalUnit IT -Recursive

Delete user from specific OU (example: User=EdPrice, OU=IT, Domain=Contoso.com)

Remove-ADObject "CN=EdPrice,OU=IT,DC=Contoso,DC=Com"

Move all objects from one OU to another OU (example: Old-OU=IT, New-OU=Manager, Domain=Contoso.com)

Get-ADObject -Filter {Name -Like "*"} -Searchbase "OU=IT,DC=Contoso,DC=Com" -SearchScope OneLevel | Move-ADObject -TargetPath "OU=Manager,DC=Contoso,DC=Com"

User object commands List all User accounts in the Domain

Get-ADUser –Filter *

List all User accounts in a specific OU (example: OU=IT, Domain=Contoso.com)

Get-ADUser –Filter * -Searchbase "OU=IT,DC=Contoso,DC=Com" | FT

List all User accounts from specific City (example: City=NewYork)

Get ADUser -Filter {city - like "NewYork"} | FT

List only disabled User accounts in Domain

Search-ADAccount –AccountDisabled –Usersonly | FT Name

List all User accounts whose First Name is Ed

Get-ADUser –Filter {givenName –Like "Ed"} | FT

List all User accounts whose Last Name is Price

Get-ADUser –Filter {Surname –Like "Price"} | FT

List all User accounts from the specific Department (example: Department=Support)

Get-ADUser –Filter {Department –Like "Support"} | FT

List a User's Group memberships (example: User=Richard)

Get-ADPrincipalGroupMembership -Identity Richard

List all Users from specific Group and move Users to another OU (example: Group=People, Target OU=NewYork, Domain=Contoso.com)

Get-ADGroupMember People -Recursive | Move-ADObject –TargetPath "OU=NewYork,DC=Contoso,DC=Com"

Remove all users in an OU from a specific Group (example: Group=People, OU=NewYork, Domain=Contoso.com)

$Users = Get-ADUser -Filter * -Searchbase "OU=NewYork,DC=Contoso,DC=Com"

Remove-ADGroupMember -Identity People -Member $Users -Confirm:0

From:https://social.technet.microsoft.com/wiki/contents/articles/5819.ad-powershell-for-active-directory-administrators.aspx