Introduction
PowerShell (PS) is the scripting language of Windows and although I’m not much of a “Windows guy” I do find PS to be very useful when interacting with the Windows systems I have to use every day. I mainly use PowerShell to automate tasks which I carry out frequently or to perform queries against existing systems, like Active Directory or file systems. Of course, there are many other uses too and PowerShell is a powerful scripting language in its own right. It is possible to implement a huge variety of functionality with PowerShell, but it is also important to know when it is the best tool to use and when there may be a better alternative.
PS is probably the best tool to use for most administration-like things you want to do within the Windows environment, because that is what it is optimised for. This means it’s often easier, quicker and more efficient to do something Windows-specific with a PS script than to try to do it in, say, Python or Perl. Below are a few scripts I have used recently for querying Active Directory. You may find them useful in their entirety or to use as part of something else. Note that I have removed sensitive values and specifics from the scripts and used placeholders instead: you will have to switch these for the correct values for your purpose.
Getting information about users
The Get-ADUser cmdlet (part of the ActiveDirectory module) can be used to return the record of a user. You can see what information is available in each record by running the following against one of your users.
Get-ADUser -identity ExampleUser
Which returns something similar to the following:
DistinguishedName : CN=ExampleUser,OU=xxxx,DC=ex,DC=am,DC=ple
Enabled : True
GivenName : Example
Name : EUser
ObjectClass : user
ObjectGUID : 465............................
SamAccountName : euser
SID : s1.............................
Surname : User
UserPrincipalName : exampleuser@example.ex.amp.le
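Here is a script to test if a user exists in AD by calling the Get-ADUser cmdlet:
# Read-Host appends its own ": " to the prompt text
$Name = Read-Host -Prompt "Enter Username you wish to search for"
# Get-ADUser throws when the identity is not found, so map that to $null.
# Note: any other error (for example, no domain controller reachable) is also reported as "not found".
$User = $(try { Get-ADUser -Identity $Name } catch { $null })
If ($null -ne $User) {
    "User exists in AD"
}
Else {
    "User not found in AD"
}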
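The above code queries the whole AD database for the identity in $Name. Get-ADUser matches it against an account's identifying attributes (SamAccountName, distinguished name, GUID or SID), so it is an exact lookup rather than a wildcard search. The script can be adapted to search on or return any criteria supported by Get-ADUser, and the output can then be narrowed by piping into Select-Object.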
Getting information about groups
Likewise, we can get information about an AD group by using the Get-ADGroup cmdlet, which, when run on one of your groups, will return something like the following:
Get-AdGroup test_example_group
..............................
DistinguishedName : CN=example, ,OU=example Authorisation,OU=w,DC=x,DC=y,DC=z
GroupCategory : Security
GroupScope : Global
Name : test_example_group
ObjectClass : group
ObjectGUID : c14.........................................................
SamAccountName : test_example_group
SID : S-......................................................................
Furthermore, if you want to find out which groups exist in your OU and who their members are, you can do something like this:
# Find the groups under the given OU whose name matches the filter
$Groups = Get-ADGroup -SearchBase "OU=x,DC=x,DC=x,DC=x" -Filter "name -like 'search-string'"
Foreach ($Group in $Groups) {
    # Print the group record, then a table of its members
    Echo $Group
    Get-ADGroupMember -Identity $Group |
        Get-ADObject -Properties Name, Title, Department |
        Format-Table Name, Title, Department
}
Note that this will print all the information to the console in a formatted form. You can alternatively export to CSV or some other file type.
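Exporting the same group membership report to CSV instead of the console, as an added example that is not part of the original post. The OU and filter are the same placeholders used above; the output path and variable names are assumptions, and the script needs the ActiveDirectory module and a reachable domain.

```powershell
# Added example: replace the placeholders with values for your domain.
Import-Module ActiveDirectory

$SearchBase = "OU=x,DC=x,DC=x,DC=x"          # placeholder OU, as in the script above
$NameFilter = "name -like 'search-string'"   # placeholder filter, as in the script above
$OutFile    = ".\group-membership.csv"       # hypothetical output path

# Build one row per (group, member) pair so the CSV can be sorted and filtered
$Rows = foreach ($Group in Get-ADGroup -SearchBase $SearchBase -Filter $NameFilter) {
    $Members = @(Get-ADGroupMember -Identity $Group)

    if ($Members.Count -eq 0) {
        # Keep empty groups visible in the report
        [pscustomobject]@{
            Group = $Group.Name; Member = $null; ObjectClass = $null
            Title = $null; Department = $null
        }
        continue
    }

    foreach ($Member in $Members) {
        # Members can be users, computers or nested groups;
        # Title and Department stay blank where the attribute is not set
        $Obj = $Member | Get-ADObject -Properties Title, Department
        [pscustomobject]@{
            Group       = $Group.Name
            Member      = $Obj.Name
            ObjectClass = $Obj.ObjectClass
            Title       = $Obj.Title
            Department  = $Obj.Department
        }
    }
}

if (-not $Rows) {
    "No groups matched the filter under $SearchBase"
    return
}

# -NoTypeInformation drops the "#TYPE" header line that Windows PowerShell 5.1 adds
$Rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"Wrote $(@($Rows).Count) rows to $OutFile"
```

The ObjectClass column shows where a member is itself a group, which is where nested membership would need a follow-up query.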
Hopefully these examples will be useful to some of you, especially those who have been carrying out some of these tasks manually through the user interface. PowerShell is fairly easy to learn and is purpose-built for carrying out tasks on the Windows platform. So why not have a go at scripting some of the more mundane tasks you have to carry out often and build your PS skills whilst automating some of your workload?