Brushing Up on Essential Active Directory PowerShell Commands

By Nirmal Sharma (Send Email)
Posted April 20, 2016


There are several ways to collect information from Active Directory. Starting with Windows Server 2003, Microsoft provided Domain Services (DS) command-line tools such as DSMod, DSGet, DSQuery and so on to collect objects and information from Active Directory.

Fortunately, the time and effort needed to gather information from Active Directory has been dramatically reduced with the introduction of the Active Directory PowerShell cmdlets in Windows Server 2008 and later editions.

While Active Directory PowerShell cmdlets are not exactly new at this point, there are a few essential Active Directory PowerShell commands, explained below, that you might want to use to streamline your daily operational needs.

In our latest PowerShell tutorial for learning PowerShell commands and scripting, we'll look at some of the most useful Active Directory commands for PowerShell.

1. Disabled Computer Accounts Count and List from Active Directory

If you need to get a list of disabled computer accounts from Active Directory, you can use the Get-ADComputer PowerShell cmdlet. The Get-ADComputer cmdlet has a -Filter parameter you can use to match on a particular computer object property. For example, to get the disabled computer accounts from Active Directory, you specify "Enabled -eq $false" as shown in the following command:

# -ResultSetSize 500 caps the query at 500 objects, so the count can never exceed 500; omit it to count every disabled computer.
$CompsDisabledCount=(Get-ADComputer -Filter {(enabled -eq $false)} -ResultPageSize 2000 -ResultSetSize 500 -Server Serverwatch.com).Count
$CompsDisabledCount

In the PowerShell example above, the count is stored in the $CompsDisabledCount variable. If you wish to collect the list of disabled computer accounts from an Active Directory domain, use this command:

# The path must be quoted, otherwise PowerShell tries to execute .\CompsDisabledList.CSV
$DisabledCompsList = ".\CompsDisabledList.CSV"
Get-ADComputer -Filter {(enabled -eq $false)} -Server ServerWatch.com -Properties Name, SamAccountName, DistinguishedName, OperatingSystem | Select-Object Name, SamAccountName, DistinguishedName, OperatingSystem | Export-CSV "$DisabledCompsList" -NoTypeInformation

The PowerShell command above collects each disabled computer's name, SamAccountName, distinguished name (its full path in the directory) and operating system, and then stores the output in a CSV file named CompsDisabledList.CSV.

2. Disabled User Accounts Count and List from Active Directory

Use these PowerShell commands to get the disabled users count and a list of these users. Change the domain name to your own and then run these commands in a PowerShell window:

To get the disabled users count:

$UsersDisabledCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -resultSetSize 500 -AccountDisabled -UsersOnly).Count
$UsersDisabledCount

To get a list of disabled users and store the output in a CSV file:

$UsersDisabledListCSV = ".\DisabledUsersList.CSV"
Search-ADAccount -Server Serverwatch.com -AccountDisabled -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UsersDisabledListCSV" -NoTypeInformation

Note that the above commands use the Search-ADAccount PowerShell cmdlet. Search-ADAccount is a powerful Active Directory cmdlet that also supports collecting "expired user accounts," "password never expires user accounts," "locked-out user accounts," and "inactive user accounts" information from Active Directory. All you need to do is specify the corresponding parameter with the Search-ADAccount cmdlet, as listed in the table below:

Item                        Parameter
Expired User Accounts       -AccountExpired
Password Never Expires      -PasswordNeverExpires
Locked Out User Accounts    -LockedOut
Stale User Accounts         -AccountInactive

3. Collect the expired user accounts count and list:

To collect the count:

$UsersExpiredCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -resultSetSize 500 -AccountExpired -UsersOnly).Count
$UsersExpiredCount

To collect the complete list with a PowerShell command, use:

$UsersExpiredListCSV = ".\UsersExpired.CSV"
Search-ADAccount -Server Serverwatch.com -AccountExpired -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UsersExpiredListCSV" -NoTypeInformation

4. Collect password never expires user accounts count and list:

To collect the count:

$UsersPassNeverExpireCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -resultSetSize 500 -PasswordNeverExpires -UsersOnly).Count
$UsersPassNeverExpireCount

To collect the complete list:

$UsersPassNeverExpireListCSV = ".\UserNeverExpireList.CSV"
Search-ADAccount -Server Serverwatch.com -PasswordNeverExpires -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UsersPassNeverExpireListCSV" -NoTypeInformation

5. Collect the account locked-out user accounts count and list:

To collect the count:

$UsersAccountLockOutCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -ResultSetSize 500 -LockedOut -UsersOnly).Count
$UsersAccountLockOutCount

To collect the complete list:

$UsersAccountLockOutCSV = ".\UserAccountLockOut.CSV"
Search-ADAccount -Server Serverwatch.com -LockedOut -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UsersAccountLockOutCSV" -NoTypeInformation

6. Collect the stale user accounts count and list:

To collect the count:

$UsersInactiveAccountCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -ResultSetSize 500 -AccountInactive -UsersOnly).Count
$UsersInactiveAccountCount

To collect the complete list with a PowerShell command, use:

$UsersInactiveListCSV = ".\UsersInactiveList.CSV"
Search-ADAccount -Server Serverwatch.com -AccountInactive -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UsersInactiveListCSV" -NoTypeInformation

Adding the Power of a ForEach Loop

The above commands are designed to collect the computer and user information from a single Active Directory domain. We've used "Serverwatch.com" as the target domain in these examples.

If you need to run the above commands for multiple domains in an Active Directory forest, you will need to use a PowerShell ForEach loop in a script. For example, to collect a list of disabled computers from all domains in an Active Directory forest, execute the following PowerShell commands in a PowerShell window:

$DomainList = ".\DomainList.TXT"
$DisabledCompsList = ".\CompsDisabledList.CSV"
# Start from an empty file: each domain's rows are appended below, so a stale file from an earlier run would otherwise be extended.
Remove-Item "$DisabledCompsList" -ErrorAction SilentlyContinue
ForEach ($DomainName in Get-Content "$DomainList")
{
    # -Append (PowerShell 3.0 and later) keeps every domain's output in the one CSV; without it each domain would overwrite the previous one.
    Get-ADComputer -Filter {(enabled -eq $false)} -Server $DomainName -Properties Name, SamAccountName, DistinguishedName, OperatingSystem | Select-Object Name, SamAccountName, DistinguishedName, OperatingSystem, @{Name='Active Directory Domain';Expression={$DomainName}} | Export-CSV "$DisabledCompsList" -NoTypeInformation -Append
}

In the list of PowerShell commands above, DomainList.TXT contains the list of domains that the ForEach loop processes to collect the list of disabled computer accounts from each domain. The output for each domain is stored in a single CSV file named CompsDisabledList.CSV.

Similarly, if you wish to execute PowerShell commands explained in this article for multiple domains, use the above code as a template.
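Building on the table of Search-ADAccount parameters and the ForEach loop above, here is an added example (my own, not from the article) that runs all five user-account audits against every domain in the forest, appends one CSV per category and produces a per-domain summary of counts. Enumerating domains with Get-ADForest, the .\ADAccountAudit output folder and the 90-day staleness threshold are assumptions.

```powershell
# Added example (not from the original article): run every Search-ADAccount
# audit from the table against each domain in the forest, appending one CSV
# per category and producing a per-domain summary of counts.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller has
# read access to every domain; 90 days is an assumed staleness threshold.
Import-Module ActiveDirectory

# Every domain in the current forest. To drive the run from a file as in the
# article, use: $Domains = Get-Content ".\DomainList.TXT"
$Domains = (Get-ADForest).Domains
$OutDir  = ".\ADAccountAudit"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One parameter set per switch in the table. -ResultSetSize is deliberately
# left unset so the counts are not capped.
$Checks = @{
    Disabled             = @{ AccountDisabled      = $true }
    AccountExpired       = @{ AccountExpired       = $true }
    PasswordNeverExpires = @{ PasswordNeverExpires = $true }
    LockedOut            = @{ LockedOut            = $true }
    Inactive90Days       = @{ AccountInactive      = $true
                              TimeSpan             = (New-TimeSpan -Days 90) }
}

$Summary = foreach ($Domain in $Domains) {
    foreach ($CheckName in $Checks.Keys) {
        $Params = $Checks[$CheckName]
        try {
            $Accounts = @(Search-ADAccount @Params -UsersOnly -Server $Domain -ErrorAction Stop)
            if ($Accounts.Count -gt 0) {
                $Accounts |
                    Select-Object Name, SamAccountName, DistinguishedName,
                        @{ Name = 'Domain'; Expression = { $Domain } } |
                    Export-Csv (Join-Path $OutDir "$CheckName.csv") -NoTypeInformation -Append
            }
            [pscustomobject]@{ Domain = $Domain; Check = $CheckName; Count = $Accounts.Count }
        }
        catch {
            # Record an unreachable or access-denied domain instead of silently skipping it.
            Write-Warning "$Domain / $CheckName failed: $($_.Exception.Message)"
            [pscustomobject]@{ Domain = $Domain; Check = $CheckName; Count = 'ERROR' }
        }
    }
}

$Summary | Sort-Object Domain, Check | Format-Table -AutoSize
$Summary | Export-Csv (Join-Path $OutDir "Summary.csv") -NoTypeInformation
```

Because the per-category CSVs are opened with -Append, delete the ADAccountAudit folder before re-running so results from different runs are not mixed.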

The Active Directory PowerShell commands examples detailed in this article are supported on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016.


Nirmal Sharma is an MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at nirmal_sharma@mvps.org.
