Active Directory PowerShell Scripts Management Tool For Admins

Microsoft Active Directory is at the heart of Microsoft's server platform. From Windows Server to Exchange Server and beyond, the ability to configure Active Directory policies and objects lets IT manage a vast empire of resources, users, and workstations in the enterprise computing environment. Unfortunately, all of that scalability and flexibility quickly adds up to a great deal of complexity.

Simply finding the right objects and then updating their properties or implementing changes can be a cumbersome process. Many Microsoft systems engineers have developed their own shortcuts and conventions over the years for dealing with the administration of complex Active Directory structures. One tool that has been lacking, however, is the ability to write powerful scripts to manage Active Directory.

The good news is that the arrival of Windows Server 2008 R2 with PowerShell 2.0 and the Active Directory Module changes all of that for the better.

Of the many new features in Windows Server 2008 R2, PowerShell 2.0 is one that may finally be coming into its own. One of the key new features in PowerShell 2.0 is modules. Modules differ from PowerShell 1.0 snap-ins in that they are self-contained and do not have to be registered or installed. Instead, a module is loaded into the shell with the Import-Module cmdlet and can be unloaded again with Remove-Module when it is no longer needed.

To use the Active Directory Module, there must be at least one Windows Server 2008 R2 domain controller running Active Directory Web Services (ADWS) in the domain. ADWS listens on TCP port 9389, so that port must be reachable from wherever the module is used. As an alternative, the Active Directory Management Gateway Service can be installed on Windows Server 2003 SP2 domain controllers and on Windows Server 2008 (non-R2) domain controllers, with or without SP2 installed.

For the most useful configuration of PowerShell 2.0 with the Active Directory Module, you will want to do your scripting remotely from your own computer or another workstation rather than on a domain controller. That requires Windows 7 with the Remote Server Administration Tools (RSAT) installed and the Active Directory Module for Windows PowerShell feature turned on.

The Active Directory Module provides a powerful way to manage AD structures, even across domains. Part of the AD Module is the Active Directory PSDrive provider, which lets you map an Active Directory domain as a drive, under whatever credentials that domain requires, with the New-PSDrive cmdlet. The module maps your logon domain automatically as the AD: drive. Mapped drives and the credentials behind them persist for the entire shell session, so a single session can hold mappings to several different AD domains, each under different login credentials.
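The multi-domain session described above, as an added example that is not part of the original article. Domain names, server names and the account name are placeholders; the second domain is assumed to require a different credential from the logon domain.

```powershell
# Added example: map a second AD domain as a drive with its own credentials
# and work against it without touching the logon domain.
Import-Module ActiveDirectory

# The module creates the AD: drive for the logon domain automatically.
Get-PSDrive -PSProvider ActiveDirectory

# Get-Credential prompts for the password interactively; never hard-code one in a script.
$fabrikamCred = Get-Credential 'FABRIKAM\adadmin'   # placeholder account

New-PSDrive -Name FABRIKAM -PSProvider ActiveDirectory -Root '' `
            -Server 'dc01.fabrikam.com' -Credential $fabrikamCred -Scope Global

# While the current location is inside the FABRIKAM: drive, AD cmdlets that are
# not given -Server/-Credential inherit the drive's server and credentials.
Push-Location FABRIKAM:
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
Get-ChildItem -Path 'FABRIKAM:\'        # objects directly under the drive root
Pop-Location

# Outside the drive, the cmdlets fall back to the logon domain. In a script that
# must never silently hit the wrong directory, pass the target explicitly:
Get-ADUser -Identity 'jdoe' -Server 'dc01.fabrikam.com' -Credential $fabrikamCred

# Drop the mapping and the cached credential object when the work is done.
Remove-PSDrive -Name FABRIKAM
Remove-Variable fabrikamCred
```

Passing -Server and -Credential explicitly is the safer habit for anything that runs unattended: a drive mapping depends on the current location, and a Set-Location elsewhere in the script quietly changes which directory the next cmdlet talks to.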

There are many different commands included in the Active Directory Module. One count places the total number of new commands at 82. The most commonly used commands, however, are those that match up with the most common Windows Server administrator tasks. The naming convention for Active Directory cmdlets puts "AD" at the start of every noun (Get-ADUser, New-ADGroup, and so on), which separates the Active Directory versions from similarly named cmdlets in base PowerShell.

Thanks to this naming convention, a list of all the Active Directory Module cmdlets can be obtained by running Help *-AD* (Help is a wrapper around Get-Help). Get-Command -Module ActiveDirectory returns the same list limited to what the module actually exports.

The most difficult part of getting up to speed with Active Directory management via PowerShell 2.0 is mastering all of the parameters available for each cmdlet. In an effort to let virtually any function that can be performed manually be scripted, Microsoft had to provide a working parameter for pretty much every setting, checkbox, and field in the GUI. That means some cmdlets have a mind-boggling array of available options. Fortunately, only a small subset of any cmdlet's parameters is mandatory in order to run the desired command.
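One way to get a map of that parameter surface before reading every help page, as an added example that is not part of the original article: inventory each cmdlet in the module and report how many parameters it exposes and which of them are mandatory. It uses only the module and PowerShell's own command metadata.

```powershell
# Added example: for every cmdlet in the ActiveDirectory module, count its own
# parameters (common parameters excluded) and list the mandatory ones.
Import-Module ActiveDirectory

# Common parameters (-Verbose, -WhatIf, ...) are added by the engine, not the cmdlet.
$commonParams = [System.Management.Automation.PSCmdlet]::CommonParameters +
                [System.Management.Automation.PSCmdlet]::OptionalCommonParameters

Get-Command -Module ActiveDirectory -CommandType Cmdlet | ForEach-Object {
    $cmd = $_
    $own = @($cmd.Parameters.Values | Where-Object { $commonParams -notcontains $_.Name })

    # A parameter is mandatory if any of its [Parameter()] attributes says so
    # (it may be mandatory in one parameter set and optional in another).
    $mandatory = $own | Where-Object {
        $_.Attributes | Where-Object {
            $_ -is [System.Management.Automation.ParameterAttribute] -and $_.Mandatory
        }
    } | Select-Object -ExpandProperty Name

    New-Object PSObject -Property @{
        Cmdlet    = $cmd.Name
        Params    = $own.Count
        Mandatory = ($mandatory -join ', ')
    }
} | Sort-Object Params -Descending | Format-Table Cmdlet, Params, Mandatory -AutoSize

# Once you know which parameters matter, read just those:
Get-Help New-ADUser -Parameter AccountPassword
```

Sorting by parameter count puts the New-ADUser and Set-ADUser style cmdlets at the top of the list, which is exactly where the "every checkbox has a parameter" effect shows up; the Mandatory column is what you actually need to supply to get started.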

As with any new programming language, the key is to focus in the beginning on the basics and most frequently used options and build mastery as you go along. While it may seem daunting at first, one will quickly find that using built-in cmdlets specifically designed for their purpose ends up being much easier to both code and manage than mastering all of the work-arounds and band-aids currently required to perform the same tasks.

Common Active Directory Cmdlets for PowerShell

The most common administrative tasks within Active Directory are those that relate to creating, finding, and changing objects and users. Not surprisingly, these cmdlets make a great place to start learning and using PowerShell 2.0 to manage Active Directory.

Commonly used PowerShell AD cmdlets include:

  • New-ADUser
  • New-ADGroup
  • New-ADComputer
  • New-ADOrganizationalUnit
  • New-ADServiceAccount
  • Unlock-ADAccount
  • Enable-ADAccount
  • Disable-ADAccount
  • Get-ADUser
  • Add-ADGroupMember
  • Get-ADGroupMember
  • Get-ADForest
  • Get-ADDomain
  • Get-ADDomainController

Of course, the real power of scripting comes not from typing a bunch of esoteric computer commands instead of clicking mouse buttons, but from the ability to save useful scripts and use them over and over again. To this end, the Active Directory cmdlets accept input from the pipeline. For example, to create a couple dozen new users, the administrator could take the Excel spreadsheet supplied by Human Resources, export it as a CSV file, and pipe the resulting data into New-ADUser: Import-Csv C:\newuserdata\april-new-employees.csv | New-ADUser. For that one-liner to work, the CSV column headers must match New-ADUser parameter names (Name, GivenName, Surname, SamAccountName, and so on). Two caveats worth knowing before relying on it: a user created without -AccountPassword and -Enabled $true is created disabled with no password, and the HR spreadsheet should never carry a plaintext password column; generate initial passwords in the script instead.

Using other columns from the same file, the admin can go back through and, with the appropriate cmdlets, add the users to their respective groups and place them in the organizational units whose Group Policy should apply to them.
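The bulk onboarding described in the two paragraphs above, carried through as an added example that is not part of the original article. It assumes a CSV with the columns shown in the comment (a constructed sample, not an HR file from anywhere), a target OU, a UPN suffix and group names that are all placeholders, and it generates a random initial password per user rather than reading one from the file.

```powershell
# Added example: create users from an HR CSV with explicit parameters,
# a generated initial password, forced change at first logon, and group membership.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web    # for Membership.GeneratePassword

$csvPath   = 'C:\newuserdata\april-new-employees.csv'   # placeholder path
$targetOu  = 'OU=New Hires,DC=contoso,DC=com'          # placeholder OU
$upnSuffix = 'contoso.com'                             # placeholder suffix

# Constructed sample of the expected file (note: no password column):
# GivenName,Surname,SamAccountName,Department,Groups
# Jane,Doe,jdoe,Finance,"Finance Users;VPN Users"

foreach ($row in Import-Csv -Path $csvPath) {
    $sam = $row.SamAccountName.Trim()

    # Re-running the script must not throw on users already created.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists, skipping"
        continue
    }

    # 14 characters with at least 3 non-alphanumerics; satisfies the default complexity policy.
    $plain  = [System.Web.Security.Membership]::GeneratePassword(14, 3)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
               -GivenName $row.GivenName -Surname $row.Surname `
               -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
               -Department $row.Department -Path $targetOu `
               -AccountPassword $secure -ChangePasswordAtLogon $true -Enabled $true

    # Groups column is a semicolon-separated list; empty entries are ignored.
    foreach ($group in ($row.Groups -split ';' | Where-Object { $_.Trim() })) {
        Add-ADGroupMember -Identity $group.Trim() -Members $sam
    }

    # Hand the initial password to the user out of band; do not write it to the CSV or a log file.
    Write-Host "$sam created in $targetOu; initial password: $plain"
}
```

Add -WhatIf to the New-ADUser and Add-ADGroupMember calls for a dry run against the real file before the first live run; both cmdlets support it. Placing the accounts with -Path into the OU that carries the intended Group Policy is what makes the policy apply, since GPOs link to OUs rather than to users.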

Of course, easy but highly repetitive tasks can be automated as well. Imagine picking up the phone to a call from a panicked user who has locked himself out of his account (again). A tiny shortcut, launched with minimal typing and clicking and requiring nothing more than the user's login name, fires off and unlocks or even re-enables the account, all without ever leaving the screen you were working on when the phone rang. The shortcut should still show you why the account is locked before clearing it: a lockout that keeps recurring, or one with a bad-password count the user cannot account for, may be someone else guessing that user's password rather than a forgotten one.
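One way to build that shortcut, as an added example that is not part of the original article. The function name, its parameters and the account name in the usage line are placeholders; the lookup goes to the PDC emulator because that is the domain controller that holds the authoritative lockout and bad-password counters.

```powershell
# Added example: helpdesk unlock shortcut that shows the lockout evidence first
# and supports -WhatIf / -Confirm through ShouldProcess.
function Unlock-HelpdeskAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$SamAccountName,

        [switch]$ReEnable     # also re-enable a disabled account; off by default
    )

    Import-Module ActiveDirectory

    # The PDC emulator receives every bad-password notification, so its counters are current.
    $pdc  = (Get-ADDomain).PDCEmulator
    $user = Get-ADUser -Identity $SamAccountName -Server $pdc `
                -Properties LockedOut, Enabled, BadLogonCount, LastBadPasswordAttempt, AccountLockoutTime

    # Show the evidence before touching anything.
    $user | Select-Object SamAccountName, LockedOut, Enabled, BadLogonCount,
                          LastBadPasswordAttempt, AccountLockoutTime | Format-List

    if (-not $user.LockedOut) {
        Write-Host "$SamAccountName is not locked out; nothing to unlock."
    }
    elseif ($PSCmdlet.ShouldProcess($SamAccountName, 'Unlock account')) {
        Unlock-ADAccount -Identity $user -Server $pdc
    }

    if ($ReEnable -and -not $user.Enabled -and
        $PSCmdlet.ShouldProcess($SamAccountName, 'Enable account')) {
        Enable-ADAccount -Identity $user -Server $pdc
    }
}

# Usage (placeholder account name):
Unlock-HelpdeskAccount jdoe
Unlock-HelpdeskAccount jdoe -ReEnable -Confirm
```

Put the function in your PowerShell profile so it is available in every session. If BadLogonCount is high, or the lockout recurs while the user was away from the keyboard, look at the Security event 4740 (account locked out) on the PDC emulator for the source workstation name before unlocking; re-enabling is kept behind a separate switch because a disabled account was usually disabled on purpose.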

PowerShell Resources

Even though the Active Directory Module is new with PowerShell 2.0 there are already some great references available for Microsoft server administrators. Check out Jonathan Medd’s Active Directory PowerShell Quick Reference Guide for help getting up to speed and remembering lesser used commands. Microsoft has a general PowerShell Quick Reference guide as well. For those of you lamenting the hours spent mastering VBScripting, check out the VBScript to Windows PowerShell Conversion Guide.

Learning new technology and skills is never easy, but the truth, if we are willing to admit it, is that as high-tech computer administrators we quickly grow bored with doing the same things over and over again. Not only do PowerShell 2.0 and the Active Directory Module provide some new material for the skills menu, they also provide a way to eliminate far more tedious, repetitive tasks than ever before.