Using Quest Active Directory Cmdlets for PowerShell

Almost 10 years ago Quest Software released a free set of cmdlets to simplify interaction with Active Directory. This set of cmdlets provides quite flexible options for administering Active Directory, managing AD objects, AD ACLs, password settings, and security.

Up to version 1.5.1, Quest Active Directory cmdlets were provided for free. Dell then acquired Quest and began selling licenses for the later versions. The product was subsequently renamed to Active Roles, and you can download it here: https://www.oneidentity.com/products/active-roles/. However, the majority of administrators know this PowerShell module as Quest Active Directory Cmdlets for PowerShell.

Despite the fact that you can’t download the Active Roles module from the official website for free, it’s easy to find an archive with the old free version of QAD cmdlets (1.5.1) on the Internet – Quest_ActiveRolesManagementShellforActiveDirectoryx64_151.msi.

In this article we’ll take a look at installing and using the Quest Active Directory Cmdlets for PowerShell module to administer an AD domain.

To install this PoSh module on your computer, you must have .NET Framework 3.5 installed. Installing the module is quite simple – run the MSI file and follow the instructions of the installer.

After the installation is completed, you need to import the module into the PoSh session with the command:

Add-PSSnapin Quest.ActiveRoles.ADManagement

You can display the list of available cmdlets for the Quest module with the command:

get-command *qad*

Some of the cmdlets in the module:

  • Get-QADUser
  • Set-QADUser
  • New-QADUser
  • New-QADGroup
  • Add-QADGroupMember
  • Remove-QADGroupMember
  • Connect-QADService
  • Disconnect-QADService

First of all, let’s connect to the domain controller:

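# $pwd is a PowerShell automatic variable (the current directory), so the password is stored under a different name
$securePassword = Read-Host "Enter domain user password" -AsSecureString

Connect-QADService -Service 'dc01.theitbros.com:389' -ConnectionAccount 'theitbros\user1' -ConnectionPassword $securePassword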

List the user and computer accounts in the domain:

Get-QADUser

Get-QADComputer

You can get information about a specific user, including all of its AD attributes. Format-List is required to display all the returned properties:

Get-QADUser -Name JKelly -IncludeAllProperties | Format-List *

Let’s check if the user account is disabled:

(Get-QADUser -Name "JKelly").AccountIsDisabled

You can also get a list of accounts in the group and save it to a csv file:

Get-QADGroupMember "Domain Admins" | Select-Object Name | Export-Csv "C:\PS\AdminGroupMembers.csv" -NoTypeInformation

For example, create a new user account:

New-QADUser -Name 'TJones' -ParentContainer 'OU=Users,OU=USA,DC=theitbros,DC=com' -UserPassword 'P@ssw0rd!!'

Now let’s list the users who have not logged on to the domain within 2 months and save the list to an HTML file:

$2months = (Get-Date).AddMonths(-2)
Get-QADUser -IncludedProperties LastLogon | where { $_.lastLogon -le $2months } | Select DisplayName, LastLogon, AccountIsDisabled | ?{ -not $_.AccountIsDisabled } | ConvertTo-Html | Out-File c:\ps\inactiveusers.html

To disable, enable or unlock an account, use Disable-QADUser, Enable-QADUser and Unlock-QADUser respectively. Cmdlets starting with Set are used to set and change attributes, and they are often used in scripts:

Get-QADUser -Department Sales | Set-QADUser -ObjectAttributes @{"Department"="New Sales";"Description"="Sales dept"}

Disable all accounts that have not logged on within 2 months:

Get-QADUser -IncludedProperties LastLogon | where { $_.lastLogon -le $2months} | where {-not $_.AccountIsDisabled} | Disable-QADUser

Quest AD cmdlets do have a significant drawback: the module is not part of the OS and is not supported by Microsoft, and it only works once the appropriate provider is installed. Quest released these cmdlets before Microsoft had its own module for interacting with AD, the ActiveDirectory module for Windows PowerShell, which was introduced in Windows Server 2008 R2/Windows 7. Most of the functionality available in Quest AD cmdlets is now also available in the Active Directory module for Windows PowerShell, so Quest AD cmdlets are used less and less.
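
The inactive-account cleanup shown above, redone with Microsoft's ActiveDirectory module as an added example (not code from the original article). The StaleUsers.csv file name and the rule that skips never-used accounts younger than two months are assumptions of this example; the last step is a dry run with -WhatIf.

```powershell
# Added example: uses Microsoft's ActiveDirectory module (RSAT), not the Quest snap-in.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddMonths(-2)

# lastLogon is stored per domain controller and is not replicated, so a query
# against one DC can make an active user look idle. lastLogonTimestamp is
# replicated, but by default it can lag the real logon by up to about 14 days.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated

$stale = foreach ($u in $users) {
    # Accounts that have never logged on carry no lastLogonTimestamp value.
    $last = if ($u.lastLogonTimestamp) {
        [DateTime]::FromFileTime($u.lastLogonTimestamp)
    } else {
        $null
    }

    # Assumption of this example: a never-used account only counts as stale
    # when it was created before the cutoff, so new hires are not disabled.
    $neverUsed = ($null -eq $last) -and ($u.whenCreated -le $cutoff)
    $idle      = ($null -ne $last) -and ($last -le $cutoff)

    if ($neverUsed -or $idle) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            LastLogon         = $last
            Created           = $u.whenCreated
        }
    }
}

# Write the candidate list out for review before anything is changed.
# C:\PS\StaleUsers.csv is a hypothetical path for this example.
$stale | Sort-Object LastLogon | Export-Csv 'C:\PS\StaleUsers.csv' -NoTypeInformation

# Dry run: -WhatIf prints what would be disabled without modifying AD.
# Remove -WhatIf only after the CSV has been checked.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Service accounts and other accounts that never log on interactively will appear in the CSV and should be excluded before the real run.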

The post Using Quest Active Directory Cmdlets for PowerShell appeared first on TheITBros.
