10 tips for Active Directory administration with PowerShell

Author: Thomas Joos | Reading time: 7 minutes | Category: News, PowerShell & Systems, Scripting

For those who frequently perform tasks in Active Directory, such as creating and managing users and groups or troubleshooting, PowerShell provides a number of cmdlets that make life easier. Domains and the Active Directory infrastructure can also be administered efficiently with PowerShell. The point is not for PowerShell to replace the other management tools: it complements the Active Directory administration tools and is an additional aid.

Table of Contents

  • Getting started managing Active Directory with PowerShell
  • Install the PowerShell module for Active Directory administration
  • Activate PowerShell remoting and fix connection problems
  • Display PowerShell modules and cmdlets for Active Directory administration
  • Retrieving Active Directory data
  • Testing the requirements for the operation of Active Directory
  • Installing a domain controller
  • Creating AD objects with PowerShell
  • Querying and setting deletion protection with PowerShell

Getting started managing Active Directory with PowerShell

To manage Active Directory with PowerShell, the Active Directory module for PowerShell must be installed. This is one of the standard Active Directory management tools and can be installed in parallel with the graphical interface tools.

Install the PowerShell module for Active Directory administration

On domain controllers, the PowerShell module is automatically installed with the other administration tools. On Windows 10 computers, it is installed as an on-demand feature through the Settings app. In the Settings app, go to “Optional Features” and click “Add Optional Features”. In the list that follows you’ll find “RSAT: Tools for Active Directory Domain Services and Lightweight Directory Services” (see Figure 1). Click “Install” to add the feature; this also makes the PowerShell module for Active Directory available.

Figure 1: Screenshot of the Settings app on Windows 10 with the "Optional Features" tab open

On servers, the module is installed by adding the remote administration tools for Active Directory in Server Manager or the Windows Admin Center (Figure 2). The PowerShell module for Active Directory is located under Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.

On Windows servers, the Active Directory management tools can also be installed from PowerShell. This is done by using the Install-WindowsFeature RSAT-AD-PowerShell command.

Figure 2: Installing the remote administration tools for Active Directory on servers (Windows Admin Center)

Activate PowerShell remoting and fix connection problems

To remotely manage a domain controller in PowerShell, PowerShell remoting must be enabled on the target server. To do this, enter the cmdlet Enable-PSRemoting -Force in a PowerShell session on the target server (Figure 3). The command sets up the appropriate exceptions in the firewall and enables the necessary functionality. To undo the operation, use Disable-PSRemoting -Force.

If the connection does not work, you can check in the command prompt or PowerShell with winrm enumerate winrm/config/listener whether a listener with port 5985 is active and bound to all IP addresses of the server.

Figure 3: Checking the remote connection for PowerShell on Windows servers
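
The listener check described above can be scripted. The following is an added example, not code from the original article: it parses the text output of winrm enumerate winrm/config/listener and reports whether an HTTP listener on port 5985 is enabled and bound to all addresses. The function names and the sample output are constructed for illustration.

```powershell
# Constructed sample of `winrm enumerate winrm/config/listener` output (not from the article).
$sampleOutput = @'
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.10.5, ::1
'@

function ConvertFrom-WinrmListenerText {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*Listener\s*$') {
            # A new "Listener" header closes the previous block, if any.
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{}
        }
        elseif ($null -ne $current -and $line -match '^\s+(\w+)(?:\s*=\s*(.*))?$') {
            # Keys without "= value" (Hostname, CertificateThumbprint) become empty strings.
            $current[$Matches[1]] = "$($Matches[2])".Trim()
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

function Test-WinrmHttpListener {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)
    $listener = ConvertFrom-WinrmListenerText -Text $Text |
        Where-Object { $_.Transport -eq 'HTTP' -and $_.Port -eq '5985' } |
        Select-Object -First 1
    [pscustomobject]@{
        ListenerFound = $null -ne $listener
        Enabled       = $listener.Enabled -eq 'true'
        BoundToAllIPs = $listener.Address -eq '*'
        ListeningOn   = $listener.ListeningOn
    }
}

Test-WinrmHttpListener -Text $sampleOutput
# On a real server, pass the live output instead:
# Test-WinrmHttpListener -Text ((winrm enumerate winrm/config/listener) -join "`n")
```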

Display PowerShell modules and cmdlets for Active Directory administration

Use the cmdlet Get-Command -Module ActiveDirectory to display all the cmdlets that can be used to manage Active Directory. The Get-Module -ListAvailable command displays all the modules. This allows you to see the names of other modules and use Get-Command to get their cmdlets (Figure 4).

Figure 4: Displaying the Active Directory administration cmdlets

Retrieving Active Directory data

You can also use PowerShell to get data from individual domains. The cmdlet Get-ADDomain is used to do this (Figure 5). The cmdlet Get-ADForest displays information about forests. The output can be filtered by property and piped to other cmdlets, such as Get-ADDomainController. Get-ADDomain is useful if you want to display the FSMO roles per domain. Each domain has three FSMO roles, which are all displayed with the following command:

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator

Figure 5: Displaying the data of individual AD domains using Get-ADDomain

Schema Master and Domain Naming Master are unique per AD forest. This information can be displayed by using Get-ADForest:

Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

Operations master roles can be moved to other domain controllers in PowerShell. The cmdlet for this is

Move-ADDirectoryServerOperationMasterRole

Get-Help Move-ADDirectoryServerOperationMasterRole displays the full syntax and some examples of the cmdlet (this applies generally to all cmdlets in PowerShell).
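
The two queries above can be combined into one report of all five FSMO role holders across the forest. This is an added example, not code from the original article; it assumes the ActiveDirectory module and a session with read access to every domain in the forest, and the function name and the server name DC02 are placeholders.

```powershell
Import-Module ActiveDirectory

function Get-FsmoRoleReport {   # hypothetical function name
    $forest = Get-ADForest

    # Forest-wide roles: exactly one holder each per forest.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Scope = $forest.Name; Role = $role; Holder = $forest.$role }
    }

    # Domain-wide roles: one holder each in every domain of the forest.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName -Server $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = $domain.DNSRoot; Role = $role; Holder = $domain.$role }
        }
    }
}

$report = Get-FsmoRoleReport
$report | Sort-Object Scope, Role | Format-Table -AutoSize

# Holders that carry several roles are worth knowing before maintenance windows.
$report | Group-Object Holder | Select-Object Name, Count

# Preview a role move without changing anything. 'DC02' is a placeholder name.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator -WhatIf
```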

Testing the requirements for the operation of Active Directory

The following cmdlets are used in PowerShell to test domain controllers:

  • Test-ADDSDomainControllerInstallation: tests the prerequisites for installing a domain controller
  • Test-ADDSDomainControllerUninstallation
  • Test-ADDSDomainInstallation: tests the prerequisites for installing a new domain in Active Directory
  • Test-ADDSForestInstallation: tests the prerequisites for installing a new forest in Active Directory
  • Test-ADDSReadOnlyDomainControllerAccountCreation

To run the tests, passwords must be entered at various places. However, the respective cmdlet accepts them only as secure input (a SecureString). An example of the command is:

Test-ADDSDomainControllerInstallation -DomainName ‹DNS name of domain› -SafeModeAdministratorPassword (Read-Host -Prompt Kennwort -AsSecureString)

Installing a domain controller

After the Active Directory server role is installed, you can begin setting up the domain. To set up Active Directory, use the following cmdlet:

Invoke-Command {Install-ADDSDomainController -DomainName ‹DNS name of domain› -Credential (Get-Credential)} -ComputerName ‹name of server›

Creating AD objects with PowerShell

Microsoft provides a number of cmdlets for retrieving Active Directory objects such as computers, users, or groups with PowerShell. The fastest way to get a list is to use the Get-Command Get-Ad* command. There are also many cmdlets for creating new objects. To display the list, type Get-Command New-Ad*.

A list of commands to delete objects can be displayed with Get-Command Remove-Ad*. Changes to Active Directory objects are made by using Set- cmdlets. A list of them is displayed by using Get-Command Set-Ad*.

Querying and setting deletion protection with PowerShell

In addition to the graphical user interface, deletion protection in Active Directory can also be queried and set in PowerShell. To query the deletion protection for an object, the following command is used:

Get-ADObject ‹DN of object› -Properties ProtectedFromAccidentalDeletion

Deletion protection can be activated with:

Set-ADObject ‹DN of object› -ProtectedFromAccidentalDeletion $true

To deactivate deletion protection, set the option to “$false” instead. If organizational units rather than individual objects are to be protected, the cmdlets Get-ADOrganizationalUnit and Set-ADOrganizationalUnit are used.
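
A common use of these cmdlets is to audit a domain for organizational units that lack deletion protection and then enable it. The following is an added example, not code from the original article; it assumes the ActiveDirectory module and write permission on the OUs, and the function name is hypothetical.

```powershell
Import-Module ActiveDirectory

function Set-OUDeletionProtection {   # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Where to start searching; defaults to the root of the current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # The property is not returned by default, so it must be requested explicitly.
    $unprotected = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
            -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($ou in $unprotected) {
        # With -WhatIf, ShouldProcess only reports what would be changed.
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Enable deletion protection')) {
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
        }
        # Emit every OU that was found unprotected, for logging or review.
        $ou | Select-Object Name, DistinguishedName
    }
}

# Audit only: lists unprotected OUs and makes no change.
Set-OUDeletionProtection -WhatIf

# Apply the change once the list has been reviewed:
# Set-OUDeletionProtection
```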

About the author:

Thomas Joos

Thomas Joos is a freelance IT consultant and has been working in IT since 1992. He has published more than 90 practical reference books and writes for numerous IT publications such as c’t, PC Magazin, PC Welt, IT Administrator, Computerwoche and Heise Security.
