This is the start of a series of articles on using PowerShell. For beginners, I suggest using PowerShell ISE, which will help you with the commands.
Here are some cmdlets that manage user accounts:

| Cmdlet | Description |
| --- | --- |
| New-ADUser | Creates user accounts |
| Set-ADUser | Modifies properties of user accounts |
| Remove-ADUser | Deletes user accounts |
| Set-ADAccountPassword | Resets the password of a user account |
| Set-ADAccountExpiration | Modifies the expiration date of a user account |
| Unlock-ADAccount | Unlocks a user account after it has become locked after too many incorrect login attempts |
| Enable-ADAccount | Enables a user account |
| Disable-ADAccount | Disables a user account |
Here are some cmdlets that manage groups:

| Cmdlet | Description |
| --- | --- |
| New-ADGroup | Creates new groups |
| Set-ADGroup | Modifies properties of groups |
| Get-ADGroup | Displays properties of groups |
| Remove-ADGroup | Deletes groups |
| Add-ADGroupMember | Adds members to groups |
| Get-ADGroupMember | Displays membership of groups |
| Remove-ADGroupMember | Removes members from groups |
| Add-ADPrincipalGroupMembership | Adds group membership to objects |
| Get-ADPrincipalGroupMembership | Displays group membership of objects |
| Remove-ADPrincipalGroupMembership | Removes group membership from an object |
Here are some cmdlets that manage computer accounts:

| Cmdlet | Description |
| --- | --- |
| New-ADComputer | Creates new computer accounts |
| Set-ADComputer | Modifies properties of computer accounts |
| Get-ADComputer | Displays properties of computer accounts |
| Remove-ADComputer | Deletes computer accounts |
| Test-ComputerSecureChannel | Verifies or repairs the trust relationship between a computer and the domain |
| Reset-ComputerMachinePassword | Resets the password for a computer account |
Here are some cmdlets that manage OUs:

| Cmdlet | Description |
| --- | --- |
| New-ADOrganizationalUnit | Creates OUs |
| Set-ADOrganizationalUnit | Modifies properties of OUs |
| Get-ADOrganizationalUnit | Views properties of OUs |
| Remove-ADOrganizationalUnit | Deletes OUs |
Now that we have the basic commands, look at what we can do using just the Get-ADUser cmdlet.
Show all the properties for a user account:
Get-ADUser -Identity "Administrator" -Properties *
Show all the user accounts in the Sales OU and all its sub-containers in the foo.com domain:
Get-ADUser -Filter * -SearchBase "ou=Sales,dc=foo,dc=com" -SearchScope Subtree
Show all of the user accounts with a last logon date older than a specific date:
Get-ADUser -Filter {lastlogondate -lt "January 1, 2015"}
Show all of the user accounts in the Sales department that have a last logon date older than a specific date:
Get-ADUser -Filter {(lastlogondate -lt "January 1, 2015") -and (department -eq "Sales")}
Now let's get wild. Let's make this really easy to use with pipes.
Use the pipe character ( | ) to pass a list of objects to a cmdlet for further processing (think of the results of one cmdlet being used by the next).
This command looks for users who have not logged in since January 1, 2015 and then uses that list to disable those accounts:
Get-ADUser -Filter {lastlogondate -lt "January 1, 2015"} | Disable-ADAccount
I could have saved the results of the first part of the command to a text file called users.txt and then run:
Get-Content C:\users.txt | Disable-ADAccount
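
A more cautious form of the disable pipeline above, added here as an example and not the author's own code: it writes the matching accounts to a CSV for review, previews the change with -WhatIf, and then disables only what is still in the reviewed list. It assumes the ActiveDirectory module is installed, reuses the article's Sales OU in foo.com, and uses a hypothetical report path.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed and
# reuses the article's Sales OU in foo.com. $reportPath is a hypothetical path.
Import-Module ActiveDirectory

$cutoff     = [datetime]'2015-01-01'
$searchBase = 'ou=Sales,dc=foo,dc=com'
$reportPath = 'C:\Temp\stale-users.csv'

# Enabled accounts only, so already-disabled users are not reported again.
# LastLogonDate comes from lastLogonTimestamp, which replicates with a lag of
# up to about 14 days by default, so keep the cutoff well in the past.
# Accounts that have never logged on have no value and do not match -lt.
$stale = Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $cutoff' `
    -SearchBase $searchBase -SearchScope Subtree `
    -Properties LastLogonDate, whenCreated

# 1. Write the candidate list to a file for review before changing anything.
$stale |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated |
    Export-Csv -Path $reportPath -NoTypeInformation

# 2. Dry run: -WhatIf prints what would be disabled without doing it.
$stale | Disable-ADAccount -WhatIf

# 3. After review (delete rows for service or shared accounts that must stay
#    enabled), disable only the accounts still listed in the CSV.
#    Remove -WhatIf from this line to apply the change.
Import-Csv -Path $reportPath |
    ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Keeping the CSV also gives you a record of exactly which accounts were disabled, which makes it straightforward to re-enable one with Enable-ADAccount if it turns out to be needed.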