
Thread: A quick intro to the Management Shell for AD from Quest Software


Permlink Replies: 13 - Pages: 1 - Last Post: Jan 14, 2008 1:11 AM by: Andrey Moiseev ...
Andrei Polevoi [Quest]


Posts: 969
Registered: 8/9/06
A quick intro to the Management Shell for AD from Quest Software
Posted: Apr 16, 2007 10:00 AM

A quick intro to the Management Shell for AD from Quest Software.

You might find it useful if you want to extend AD PowerPack or use AD cmdlets to manage your AD.

 

1. Quick facts and links

 

You can download free binaries and user documentation from here: http://www.quest.com/2_0/registration.aspx?requestdefid=13255

Builds history for the latest build is available here: http://powergui.org/entry.jspa?externalID=762&categoryID=21

AD PowerPack for PowerGUI is available here: http://powergui.org/entry.jspa?externalID=763&categoryID=21

To start the shell, use the ActiveRoles Management Shell for Active Directory shortcut, located in the Start | Quest Software | ActiveRoles Server start menu group.

(If you want to use AD management cmdlets in the default PowerShell window, you have to add the ADManagement snap-in with the following cmdlet: add-pssnapin Quest.ActiveRoles.ADManagement.)

All AD management cmdlets start with the "QAD" prefix, for example Get-QADUser or Add-QADGroupMember.

Any cmdlet returns an instance representing an object in AD. Thus, you can pipe the result of one cmdlet (Get-QADUser) to another (Set-QADUser).

 

 

2. Enumerating users, groups and other objects

 

List all users in my domain:

PS C:\> Get-QADUser

 

Name               Type               DN

----               ----               --

Administrator      user              CN=Administrator,CN=Users,DC=plab,DC=msk,DC=qsft

Guest              user              CN=Guest,CN=Users,DC=plab,DC=msk,DC=qsft

SUPPORT_388945a0   user              CN=SUPPORT_388945a0,CN=Users,DC=plab,DC=msk,DC=qsft

IUSR_MSK-KRF5PZOQ4 user              CN=IUSR_MSK-KRF5PZOQ4,CN=Users,DC=plab,DC=msk,DC=qsft

IWAM_MSK-KRF5PZOQ4 user              CN=IWAM_MSK-KRF5PZOQ4,CN=Users,DC=plab,DC=msk,DC=qsft

ASPNET             user              CN=ASPNET,CN=Users,DC=plab,DC=msk,DC=qsft

krbtgt             user              CN=krbtgt,CN=Users,DC=plab,DC=msk,DC=qsft

John Lennon        user               CN=JohnLennon,OU=Demo,DC=plab,DC=msk,DC=qsft

Paul McCartney     user               CN=PaulMcCartney,OU=Demo,DC=plab,DC=msk,DC=qsft

 

List all users in Demo OU:

PS C:\> Get-QADUser -ou plab.msk.qsft/Demo

 

Name               Type               DN

----               ----               --

John Lennon        user               CN=JohnLennon,OU=Demo,DC=plab,DC=msk,DC=qsft

Paul McCartney     user               CN=PaulMcCartney,OU=Demo,DC=plab,DC=msk,DC=qsft

 

Get help on Get-QADUser parameters:

PS C:\> Get-Help Get-QADUser -Detailed

 

Get one user - John Lennon:

PS C:\> Get-QADUser 'john lennon'

 

Name               Type               DN

----               ----               --

John Lennon        user               CN=JohnLennon,OU=Demo,DC=plab,DC=msk,DC=qsft

 

List first-level organizational units in your domain:

PS C:\> Get-QADObject -SearchRoot plab.msk.qsft/ -Type organizationalUnit -SearchScope OneLevel

 

Name               Type               DN

----               ----               --

Domain Controllers organizationalUnit OU=DomainControllers,DC=plab,DC=msk,DC=qsft

Dev                organizationalUnit OU=Dev,DC=plab,DC=msk,DC=qsft

Microsoft Excha... organizationalUnit OU=Microsoft Exchange Security Groups,DC=plab,DC=msk,DC=qsft

Demo               organizationalUnit OU=Demo,DC=plab,DC=msk,DC=qsft

ExchDemo           organizationalUnit OU=ExchDemo,DC=plab,DC=msk,DC=qsft

prod               organizationalUnit OU=prod,DC=plab,DC=msk,DC=qsft

 

List all users in my domain, display name and city:

PS C:\> Get-QADUser | Format-Table name,city

 

Name                                                       City

----                                                       ----

Administrator

Guest

SUPPORT_388945a0

IUSR_MSK-KRF5PZOQ4

IWAM_MSK-KRF5PZOQ4

ASPNET

krbtgt

John Lennon                                                ny

Paul McCartney                                             ny

 

Find all users in my domain whose City attribute starts with 'ny':

PS C:\> Get-QADUser -city 'ny*'

 

Name               Type               DN

----               ----               --

John Lennon        user               CN=JohnLennon,OU=Demo,DC=plab,DC=msk,DC=qsft

Paul McCartney     user               CN=PaulMcCartney,OU=Demo,DC=plab,DC=msk,DC=qsft

 

For John Lennon, display name, description, city, department and title:

PS C:\> Get-QADUser 'john lennon' | Format-Table Name,Description,City,Department

 

Name                          Description                   City                          Department

----                          -----------                   ----                          ----------

John Lennon                   abc                           ny

 

 

3. Updating user properties

 

Set the description of John Lennon's user account:

PS C:\> Set-QADUser 'john lennon' -Description 'The Beatles band'

 

Name               Type               DN

----               ----               --

John Lennon        user               CN=JohnLennon,OU=Demo,DC=plab,DC=msk,DC=qsft

 

 

PS C:\> Get-QADUser 'john lennon' | Format-Table Name,Description,City,Department

 

Name                          Description                   City                          Department

----                          -----------                   ----                          ----------

John Lennon                   The Beatles band              ny

 

Set city to Liverpool for all user accounts in the Demo OU:

PS C:\> Get-QADUser -ou plab.msk.qsft/demo | Set-QADUser -City Liverpool | Format-Table name,city

 

Name                                                       City

----                                                       ----

John Lennon                                                Liverpool

Paul McCartney                                              Liverpool

 

 

4. User creation

 

Create user accounts for George Harrison and Ringo Starr:

PS C:\> New-QADUser -ou plab.msk.qsft/demo -name 'Ringo Starr' -LogonName 'RStarr' -City Liverpool -Description 'The Beatles band'

 

Name               Type               DN

----               ----               --

Ringo Starr        user               CN=RingoStarr,OU=Demo,DC=plab,DC=msk,DC=qsft

PS C:\> New-QADUser -ou plab.msk.qsft/demo -name 'George Harrison' -LogonName 'GHarrison' -City Liverpool -Description 'The Beatles band'

 

Name               Type               DN

----               ----               --

George Harrison    user               CN=GeorgeHarrison,OU=Demo,DC=plab,DC=msk,DC=qsft

 

 

5. Group operations

 

(The output is omitted when it is not important for the demonstrated scenario)

Create a new group for The Beatles band:

New-QADGroup -ou plab.msk.qsft/demo -name 'The Beatles' -GroupType Security -GroupScope DomainLocal

 

Add all users whose description starts with 'The Beatles' to The Beatles group:

Get-QADUser -description 'The Beatles*' | Add-QADGroupMember 'The Beatles'

 

List group members, display name and description:

PS C:\> Get-QADGroupMember 'the beatles' | Format-Table name,description

 

Name                                                       Description

----                                                       -----------

John Lennon                                                The Beatles band

Paul McCartney                                             The Beatles band

Ringo Starr                                                The Beatles band

George Harrison                                            The Beatles band

 

6. Bulk creation

 

Export user accounts to a CSV file:

Get-QADUser -ou plab.msk.qsft/demo | export-csv TheBeatles.csv

Delete all users:

(Will be provided in the next build. For now, please use the Active Directory Users and Computers snap-in.)

Import user accounts from a CSV file:

PS C:\> Import-Csv TheBeatles.csv | ForEach-Object {New-QADUser -ou plab.msk.qsft/demo -name $_.Name -Description $_.Description -City $_.City}

 

Name               Type               DN

----               ----               --

John Lennon        user               CN=JohnLennon,OU=Demo,DC=plab,DC=msk,DC=qsft

Paul McCartney     user               CN=PaulMcCartney,OU=Demo,DC=plab,DC=msk,DC=qsft

Ringo Starr        user               CN=Ringo Starr,OU=Demo,DC=plab,DC=msk,DC=qsft

George Harrison    user               CN=GeorgeHarrison,OU=Demo,DC=plab,DC=msk,DC=qsft

 

Import user accounts from a CSV file and instantly add them to The Beatles group:

(You have to delete the users created in the previous step before running the import once again):

Import-Csv TheBeatles.csv | ForEach-Object {New-QADUser -ou plab.msk.qsft/demo -name $_.Name -Description $_.Description -City $_.City | Add-QADGroupMember 'The Beatles'}

Message was edited by: Andrei Polevoi

Regards,
Andrei [Quest]
This posting is provided "AS IS" with no warranties, and confers no rights
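
An added example, not part of the original post or of Quest's code: a pre-flight check for the CSV import in section 6 that flags empty names, duplicate rows and accounts that already exist before any New-QADUser call runs. The function name Test-ImportRows, the -ExistsInDirectory hook and the sample rows are assumptions constructed for illustration; the stub lookup lets it run without a domain.

```powershell
# Added example: validate CSV rows before a bulk New-QADUser import.
# $ExistsInDirectory is a hypothetical hook; against a live domain pass
#   { param($n) [bool](Get-QADUser $n) }
function Test-ImportRows {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rows,
        [Parameter(Mandatory = $true)] [scriptblock] $ExistsInDirectory
    )
    $seen = @{}   # names already encountered in this CSV (keys are case-insensitive)
    foreach ($row in $Rows) {
        $name = "$($row.Name)".Trim()
        $problem = $null
        if ($name -eq '') {
            $problem = 'empty Name'
        } elseif ($seen.ContainsKey($name)) {
            $problem = 'duplicate row in CSV'
        } elseif (& $ExistsInDirectory $name) {
            $problem = 'account already exists'
        }
        if ($name -ne '') { $seen[$name] = $true }
        New-Object PSObject -Property @{
            Name = $name; City = $row.City; Description = $row.Description
            Ok = ($null -eq $problem); Problem = $problem
        }
    }
}

# Constructed sample standing in for TheBeatles.csv
$csv = @'
Name,Description,City
John Lennon,The Beatles band,Liverpool
Ringo Starr,The Beatles band,Liverpool
Ringo Starr,The Beatles band,Liverpool
,The Beatles band,Liverpool
'@
$rows = $csv | ConvertFrom-Csv

# Constructed stand-in for the directory lookup: pretend John Lennon already exists
$lookup = { param($n) $n -eq 'John Lennon' }

$checked = Test-ImportRows -Rows $rows -ExistsInDirectory $lookup
$checked | Format-Table Name, Ok, Problem -AutoSize

# Only rows that passed go on to account creation and group membership:
# $checked | Where-Object { $_.Ok } | ForEach-Object {
#     New-QADUser -ou plab.msk.qsft/demo -name $_.Name -Description $_.Description -City $_.City |
#         Add-QADGroupMember 'The Beatles' }
```

With the constructed data, only the first Ringo Starr row passes; the rejected rows and their reasons can be kept as a record of what the import skipped.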

simon.painter@moneypartne...

Posts: 5
Registered: 6/28/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Jun 28, 2007 4:24 AM   in response to: Andrei Polevoi ...

Where can I obtain a list of all the attributes? I have modified profilepath with this and would like to manipulate things like the terminal services profile path or the logon script but I do not have the object attribute names.



Rostislav Pridatko

Posts: 25
Registered: 2/15/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Jun 28, 2007 4:46 AM   in response to: simon.painter@m...

If you want to get a list of names of all attributes of user objects in AD, you can use:

Get-QADUser -ReturnPropertyNamesOnly -IncludeAllProperties




simon.painter@moneypartne...

Posts: 5
Registered: 6/28/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Jul 2, 2007 2:33 AM   in response to: Rostislav Prida...

Which version did -ReturnPropertyNamesOnly come in with?



Rostislav Pridatko

Posts: 25
Registered: 2/15/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Jul 2, 2007 2:37 AM   in response to: simon.painter@m...

1.0.3.


simon.painter@moneypartne...

Posts: 5
Registered: 6/28/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Jul 2, 2007 3:07 AM   in response to: Rostislav Prida...

That list has nothing for changing the terminal services profile. Is that accessible?



Rostislav Pridatko

Posts: 25
Registered: 2/15/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Jul 2, 2007 5:05 AM   in response to: simon.painter@m...

Managing terminal services is a different task; you should have created a new thread for that. In short, there isn't just one attribute for terminal service profile path, for example, as it is stored in encoded form in an attribute named userParameters (it's actually more complicated than that, I'm not an expert on the matter).
To view/modify TS properties, you can invoke properties of IADsTSUserEx (http://msdn2.microsoft.com/En-US/library/aa380823.aspx). To do this in PS, you can use a script like this:
# ---------------------
# Setting terminal service profile path
# see http://msdn2.microsoft.com/En-US/library/aa380823.aspx
# get terminal service profile path
$de=(Get-QADUser 'CN=user1,OU=ou1,DC=lab,DC=local').DirectoryEntry
$methodName = "TerminalServicesProfilePath"
$bindFlagsGetProp = [System.Reflection.BindingFlags]::GetProperty
$obj = $de.psbase.NativeObject
# print terminal service profile path
[System.__ComObject].InvokeMember($methodName,$bindFlagsGetProp,$null, $obj, $null)
$newPath = "\\somePathHere"
$bindFlagsPutProp = [System.Reflection.BindingFlags]::PutDispProperty
# set terminal service profile path to $newPath
[System.__ComObject].InvokeMember($methodName,$bindFlagsPutProp,$null, $obj, @($newPath))
# print terminal service profile path again to check it's been set
[System.__ComObject].InvokeMember($methodName,$bindFlagsGetProp,$null, $obj, $null)
# ---------------------




dmeng@csnstores.com

Posts: 3
Registered: 11/8/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Nov 8, 2007 1:19 PM   in response to: Andrei Polevoi ...

I actually have a very quick question:

When I get that output from anything like get-qadgroup and it says the title for each set it returns like:

Name                Type                DN

and all the info below it. How do I remove the Name,Type,DN from showing? I am trying to output for a script and I need those removed.

Any help would be great!



KirkAMunro


Posts: 822
Registered: 3/20/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Nov 8, 2007 5:58 PM   in response to: dmeng@csnstores...

Fortunately there is a very simple answer!

You'll want to do something like this:

    Get-QADUser "Kirk Munro" | Format-Table -HideTableHeaders

This works for all PowerShell cmdlets when outputting the results as a table.

Note that in the future I would recommend posting a question like this on a new thread because it can more easily be found by others.

--
Kirk Munro
Poshoholic
http://poshoholic.com



dmeng@csnstores.com

Posts: 3
Registered: 11/8/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Nov 9, 2007 5:48 AM   in response to: KirkAMunro

Thank you so much for the quick easy response.

PowerGUI rocks!!!


dmeng@csnstores.com

Posts: 3
Registered: 11/8/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Nov 9, 2007 5:49 AM   in response to: dmeng@csnstores...

Is there also one for Format-List?


KirkAMunro


Posts: 822
Registered: 3/20/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Nov 9, 2007 8:11 AM   in response to: dmeng@csnstores...

You mean to show the values only and not the property names?  No, that doesn't exist for Format-List as far as I know.  I would question the usefulness of that because when looking at multiple data items in list format, you would have a hard time determining what the data meant since you wouldn't see multiple-items worth of a given property next to each other like you do in Format-Table.

--
Kirk Munro
Poshoholic
http://poshoholic.com

bretcollins

Posts: 1
Registered: 1/13/08
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Jan 13, 2008 8:58 PM   in response to: Rostislav Prida...

Rostislav - how can I modify your script to show me the profile path for all users, instead of specifying a user?  Thanks.


Andrey Moiseev (Quest)

Posts: 415
Registered: 9/4/07
Re: A quick intro to the Management Shell for AD from Quest Software
Posted: Jan 14, 2008 1:11 AM   in response to: bretcollins

Hi, Bret!
Now I am in charge of development of Quest Management Shell for AD, not Rostislav :)

As for your question, in the recently released 1.0.6 version we introduced a more user-friendly way to work with terminal services related properties.

To get all users in a certain organizational unit and display their terminal services profile path, use the following command:

Get-QADUser -SearchRoot 'DN of organizational unit' | ft name, TsProfilePath

Or, if you want to do more complex processing of the users' profile path, not just display it:

Get-QADUser -SearchRoot 'DN of organizational unit' | %{$ProfilePath=$_.TsProfilePath; <Do something else>}

Note that you must run PowerShell on a Windows Server OS (Win2K or later) to work with terminal services properties.

Best wishes!
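
An added example, not part of the thread or of Quest's code: an audit built on the TsProfilePath property described above that reports accounts whose terminal services profile path is not under an approved share. The function name, the approved prefix and the sample accounts are constructed assumptions.

```powershell
# Added example: report TS profile paths that fall outside approved shares.
# Function name, prefixes and sample accounts are constructed for illustration.
function Get-UnapprovedTsProfilePath {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [Parameter(Mandatory = $true)] [string[]] $ApprovedPrefixes
    )
    process {
        $path = "$($User.TsProfilePath)".Trim()
        if ($path -eq '') { return }                 # no TS profile path set
        $reason = 'not under an approved share'
        if ($path -match '(^|\\)\.\.(\\|$)') {
            # A ".." segment can escape an otherwise approved prefix
            $reason = 'contains a parent-directory segment'
        } else {
            foreach ($prefix in $ApprovedPrefixes) {
                # Append '\' so \\fs01\tsprofiles does not match \\fs01\tsprofiles2
                $p = $prefix.TrimEnd('\') + '\'
                if ($path.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $reason = $null; break
                }
            }
        }
        if ($reason) {
            New-Object PSObject -Property @{
                Name = $User.Name; TsProfilePath = $path; Reason = $reason }
        }
    }
}

# Constructed sample objects standing in for Get-QADUser output
$sample = @(
    (New-Object PSObject -Property @{ Name = 'John Lennon';     TsProfilePath = '\\fs01\tsprofiles\jlennon' }),
    (New-Object PSObject -Property @{ Name = 'Paul McCartney';  TsProfilePath = '\\fs01\tsprofiles2\pmccartney' }),
    (New-Object PSObject -Property @{ Name = 'Ringo Starr';     TsProfilePath = '\\fs01\tsprofiles\..\other\rstarr' }),
    (New-Object PSObject -Property @{ Name = 'George Harrison'; TsProfilePath = '' })
)

# Flags Paul McCartney (look-alike share) and Ringo Starr (".." segment)
$sample | Get-UnapprovedTsProfilePath -ApprovedPrefixes '\\fs01\tsprofiles' |
    Format-Table Name, TsProfilePath, Reason -AutoSize

# Against a live domain (TsProfilePath is available from version 1.0.6, per the post above):
# Get-QADUser -SearchRoot 'DN of organizational unit' |
#     Get-UnapprovedTsProfilePath -ApprovedPrefixes '\\fs01\tsprofiles'
```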

