Organized

On many networks, Active Directory (AD) is the must-have setup for authentication and assignment of rights and as a directory service. With such a central service, everything should run smoothly with PowerShell automation. In this article, I show you how to search in AD, how to secure critical accounts, and which PowerShell helpers you will want to use.

Administrators have gained a lot of experience in maintaining and operating Active Directory over its 20-year history. The tools and how they programmatically and automatically trigger changes in the directory have also changed, both in terms of data administration (i.e., managing users, computers, service accounts, and all the other objects in the directory) and in terms of the scripts for controlling the directory service itself (i.e., the service that runs on Windows and provides the domain function). Tasks that used to be automated by VBScripts, plain vanilla LDAP, Win32 calls, and, later, .NET are now a little easier for admins and abstracted by PowerShell.

PowerShell Helpers

Even newcomers or occasional scripters should have a few decent tools for creating scripts or one-off commands in their toolbox. On the one hand, the commands can be assembled with autocompletion, after which parameters can be suggested and easily inserted; on the other hand, tools allow the one-liners or scripts to be executed directly with color coding, thus making copy and paste into a separate PowerShell session unnecessary. The tools also allow individual lines from longer scripts to be executed separately for step-by-step testing. Of course, it is also possible to open a separate PowerShell session and enter and process the commands directly, but why make things more difficult than necessary?

Windows comes with the PowerShell Integrated Scripting Environment (ISE) as an add-on: It is immediately ready for use in PowerShell but is no longer actively developed by Microsoft. You can still create your Windows AD commands with it, specifically because the tool is on board and available on domain controllers with the same feature set.

One alternative is Visual Studio Code (Figure 1), which is downloadable free of charge for all current Windows versions, and it offers PowerShell language support for Visual Studio Code as an extension. The extension then comes with intelligent suggestions for parameters and command highlighting for improved visual processing of tasks.

Figure 1: Tools such as Visual Studio Code are worthwhile to avoid trouble with automation, searches, and changes, even if you only occasionally work with scripts.

Preparing for PowerShell Access to AD

Microsoft provides some ready-made PowerShell commands for AD that, once installed, support easy interaction. These cmdlets then interact with the corresponding services that work on domain controllers and use the APIs that Microsoft provides as part of AD. You don't have to worry about the actual API or functions, as long as the PowerShell wrappers are all you need. These PowerShell commands became part of the OS in Windows 10 version 1809 and are activated manually as a feature; older Windows 10 versions require the Remote Server Administration Tools, which also includes the PowerShell module [1].

On domain controllers, when you promote the server you will be prompted as to whether you want to install the administration tools and PowerShell together with the domain controller role. If the module is not available, you can install it later with Server Manager, which lets you enable the Windows feature (Role Administration Tools | AD DS and AD LDS Tools | Active Directory module for Windows PowerShell ). In PowerShell you can enter:

Import-Module ServerManager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

Once complete, you can display an overview of all the available cmdlets that you can use for Microsoft Active Directory:

Get-Command -Module ActiveDirectory

You will quickly see that the commands all have the familiar PowerShell verb at the beginning and then the command with the AD* prefix. You will also recognize some known objects among the cmdlets – ADUser, ADGroup, ADComputer, ADGroupMember, ADAccount, and many more.

Searching in Active Directory

Users in AD, which you can query with Get-ADUser, are also of interest. Either the sAMAccountName, the DistinguishedName, the ObjectGUID, or the SID are used as the search keys:

Get-ADUser -Identity flofromm

If you are looking for all employees of a certain department, the filter helps narrow things down on the attribute level:

Get-ADUser -Filter "Department -like 'IT*'"

The filter works with all common attributes. If all relevant users are already grouped into organizational units, you can find them by specifying the directory path as SearchBase. The LDAP notation is used here; the Externals organizational unit (OU) below the corp.frickelsoft.net domain, would be written as:

Get-ADUser -Filter * -SearchBase "OU=Externals,DC=corp,DC=frickelsoft,DC=net"

Of course, you can also combine SearchBase with a filter. The Search-ADAccount cmdlet is also useful if you are looking for AD accounts but do not want to search by user or computer.

The following commands find all locked-out accounts and inactive accounts belonging to both users and computers:

Search-ADAccount -LockedOut
Search-ADAccount -AccountInactive -TimeSpan 120.00:00:00 | ft Name,LastLogonDate,Enabled

To inspect groups, your best option is the Get-ADGroup cmdlet:

Get-ADGroup -Filter * -Properties member

The cmdlet gives you a good overview of the properties of a group. Besides SearchBase, groups can also be narrowed down by Filter (e.g., if you are only looking for security groups):

Get-ADGroup -Filter "GroupCategory-eq 'Security'"-SearchBase "OU=Groups,DC=corp,DC=Frickelsoft,DC=net"

If you explicitly query the group members as an attribute with the Get-ADGroup cmdlet, you are only given text output in return. For further use of the group members as PowerShell objects, try the Get-ADGroupMember cmdlet, which only returns the group members:

Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive
Get-ADGroupMember -Identity 'Domain Admins' -Recursive

The Recursive option also resolves nested group memberships. If you want to reuse the member list in another command with a pipe, the cmdlet of choice is Get-ADGroupMember:

Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Get-ADUser -Properties Emailaddress, lastLogonDate | Export-CSV -Path "C:\ temp\csv\Domain Admins.CSV"

However, all groups can be queried with the Get-ADGroup cmdlet,

Get-ADGroup -Filter "Name -like 'HR*'" -SearchBase 'OU=Groups, DC=nttest,DC=corp,DC=frickelsoft,DC=net' -SearchScope SubTree | Get-ADGroupMember
Get-ADGroup -Filter "Name -like 'HR*'" -SearchBase 'OU=Groups,DC=nttest,DC=corp,DC=frickelsoft,DC=net' -SearchScope SubTree | Export-CSV -Path 'C:\temp\csv\HR_departmental_groups.csv'

and exported (e.g., to a CSV file as in the second command), if so desired.