PowerShell for Active Directory

    2011/01/10 • Tech

    This is where I will be making note of all the commands I use for managing Active Directory with PowerShell.

    How to get the last logon time for all users in an OU (the function is defined below):
    Get-ADUser -Filter * -SearchBase "OU=Test,DC=Domain,DC=local" | %{ Get-ADUserLastLogon $_.SamAccountName }

    To get all users' last logon times, check out this script.

    What is Get-ADUserLastLogon? Courtesy of TechNet, I put this into my profile:

    ##--------------------------------------------------------------------------
    ##  FUNCTION.......:  Get-ADUserLastLogon
    ##  PURPOSE........:  Return account last logon time
    ##  ARGUMENTS......:  -UserName  SAM account name (or DN) of the account
    ##  EXAMPLE........:  Get-ADUserLastLogon -UserName SaraDavis
    ##  REQUIREMENTS...:  ActiveDirectory module (Get-ADUser, Get-ADDomainController)
    ##  NOTES..........:  lastLogon is not replicated between DCs, so every DC
    ##                    has to be asked and the newest value kept
    ##--------------------------------------------------------------------------
    function Get-ADUserLastLogon([string]$userName)
    {
        $dcs = Get-ADDomainController -Filter {Name -like "*"}
        $time = 0
        foreach($dc in $dcs)
        {
            $hostname = $dc.HostName
            # Query this specific DC; without -Server every pass of the loop
            # would hit the same default DC and the loop would be pointless
            $user = Get-ADUser $userName -Server $hostname -Properties lastLogon
            if($user.LastLogon -gt $time)
            {
                $time = $user.LastLogon
            }
        }
        # lastLogon is a Windows FILETIME; 0 means the account never logged on
        $dt = [DateTime]::FromFileTime($time)
        Write-Host $username "last logged on at:" $dt
    }
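    The function above prints one line per user, which is awkward for the "all users in an OU" case. The following is an added example (not from the original post or from TechNet): a pipeline-friendly variant that asks every DC for the non-replicated lastLogon value, emits an object per user instead of Write-Host text, treats a lastLogon of 0 as "never logged on" rather than reporting 1601-01-01, and flags accounts idle longer than a threshold. It assumes the Microsoft ActiveDirectory module and that the caller can reach every DC that Get-ADDomainController returns; the function name and the 90-day threshold are my assumptions.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADUserLastLogonReport {
    [CmdletBinding()]
    param (
        # A SAM account name, or a user object from Get-ADUser on the pipeline
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('SamAccountName')]
        [string]$Identity,

        # Accounts idle longer than this many days are flagged (assumed threshold)
        [int]$StaleDays = 90
    )

    begin {
        # Enumerate the DCs once, not once per user
        $dcs = Get-ADDomainController -Filter *
    }

    process {
        $latest   = 0
        $latestDc = $null
        foreach ($dc in $dcs) {
            try {
                # -Server makes the query hit this DC's own copy of lastLogon
                $u = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
            } catch {
                Write-Warning "Could not query $($dc.HostName) for ${Identity}: $_"
                continue
            }
            if ($u.lastLogon -gt $latest) {
                $latest   = $u.lastLogon
                $latestDc = $dc.HostName
            }
        }

        # lastLogon of 0 means no DC has ever seen this account log on;
        # FromFileTime(0) would otherwise report 1601-01-01, which misleads
        $lastLogon = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
        $idleDays  = if ($lastLogon) { (New-TimeSpan -Start $lastLogon -End (Get-Date)).Days } else { $null }

        [PSCustomObject]@{
            User       = $Identity
            LastLogon  = $lastLogon
            ReportedBy = $latestDc
            IdleDays   = $idleDays
            Stale      = ($null -eq $lastLogon) -or ($idleDays -ge $StaleDays)
        }
    }
}

# Usage: every user in the post's example OU, stale accounts listed first
Get-ADUser -Filter * -SearchBase "OU=Test,DC=Domain,DC=local" |
    Get-ADUserLastLogonReport -StaleDays 90 |
    Sort-Object Stale, LastLogon -Descending |
    Format-Table -AutoSize
```

    Because the output is objects rather than text, the same pipeline can end in Export-Csv for a stale-account review, and a DC that is unreachable only produces a warning instead of aborting the whole report.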

    Disable all users in an OU:

    get-qaduser -searchbase "OU=Test,DC=Domain,Dc=Local" | Disable-QADuser

    RESET PASSWORD ON ACCOUNT

    Set-ADAccountPassword 'CN=Jeremy Los,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "[email protected]" -Force)

    Instead of the DN you can also use the UPN, SAM account name, GUID, SID, etc.
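    The one-liner above puts the new password in plain text on the command line, where it ends up in the console history and in any PowerShell transcript. The following is an added example (not from the original post): the same reset done by prompting for the password as a SecureString, with -WhatIf support, the "must change password at next logon" flag set by default, and the result read back from the directory. It assumes the Microsoft ActiveDirectory module; the function name is my assumption.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Reset-ADUserPasswordInteractive {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # DN, SAM account name, SID or GUID, as Set-ADAccountPassword -Identity accepts
        [Parameter(Mandatory)]
        [string]$Identity,

        # By default the user must choose a new password at next logon; this opts out
        [switch]$NoChangeAtLogon
    )

    # Read-Host -AsSecureString keeps the value out of the command line and history
    $new     = Read-Host -Prompt "New password for $Identity" -AsSecureString
    $confirm = Read-Host -Prompt "Confirm password" -AsSecureString

    # Typo check. NetworkCredential decrypts to a .NET string briefly in memory;
    # the goal here is keeping the password off the command line and out of logs
    $a = (New-Object System.Net.NetworkCredential -ArgumentList @('', $new)).Password
    $b = (New-Object System.Net.NetworkCredential -ArgumentList @('', $confirm)).Password
    if ($a -cne $b) { throw "Passwords do not match; nothing changed." }
    $a = $b = $null

    if ($PSCmdlet.ShouldProcess($Identity, 'Reset password')) {
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $new
        if (-not $NoChangeAtLogon) {
            Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
        }
    }

    # Confirm from the directory rather than assuming the cmdlets succeeded.
    # ChangePasswordAtLogon sets pwdLastSet to 0, so PasswordLastSet reads blank then.
    Get-ADUser -Identity $Identity -Properties pwdLastSet, LockedOut |
        Select-Object SamAccountName, Enabled, LockedOut,
            @{ Name = 'MustChangeAtLogon'; Expression = { $_.pwdLastSet -eq 0 } }
}

# Usage: the account from the post's example, password entered at the prompt
Reset-ADUserPasswordInteractive -Identity 'CN=Jeremy Los,OU=Accounts,DC=Fabrikam,DC=com'
```

    Run it with -WhatIf to see the account it would touch without changing anything; the read-back at the end still runs so you can check the current state of the account.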

    GET LIST OF ALL USERS IN GROUP AND SHOW LOGON SCRIPT

    Get-QADGroupMember "GroupName" -IncludedProperties Name, LogonScript | Select-Object Name, LogonScript | ft -property Name,LogonScript

    GET LIST OF ALL USERS IN OU AND SHOW LOGON SCRIPT

    Get-QADUser -SearchRoot 'OU=OUName,DC=Domain,DC=Local' | Select-Object Name, LogonScript | Sort-Object -property Name | ft -property Name,LogonScript
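    Both reports above use the Quest cmdlets. The following is an added example (not from the original post): the same two reports built on the Microsoft ActiveDirectory module, where the Quest LogonScript property is the scriptPath attribute, plus a grouping by script path so that an unexpected script location stands out when auditing. It expands nested group membership, which the Quest one-liner does not. The group and OU names are the post's placeholders; the function name is my assumption.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LogonScriptReport {
    [CmdletBinding(DefaultParameterSetName = 'Group')]
    param (
        [Parameter(Mandatory, ParameterSetName = 'Group')]
        [string]$Group,

        [Parameter(Mandatory, ParameterSetName = 'OU')]
        [string]$SearchBase
    )

    # Resolve the user set for either input. -Recursive expands nested groups;
    # the Where-Object drops groups and computers that Get-ADGroupMember also returns
    $users = if ($PSCmdlet.ParameterSetName -eq 'Group') {
        Get-ADGroupMember -Identity $Group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties scriptPath
    } else {
        Get-ADUser -Filter * -SearchBase $SearchBase -Properties scriptPath
    }

    $users |
        Select-Object Name, SamAccountName,
            @{ Name = 'LogonScript'; Expression = { $_.scriptPath } } |
        Sort-Object Name
}

# Usage, matching the two Quest reports in the post
Get-LogonScriptReport -Group 'GroupName' | Format-Table -AutoSize
Get-LogonScriptReport -SearchBase 'OU=OUName,DC=Domain,DC=Local' | Format-Table -AutoSize

# Audit view: how many accounts use each script path; a one-off path is worth a look
Get-LogonScriptReport -SearchBase 'OU=OUName,DC=Domain,DC=Local' |
    Group-Object LogonScript |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```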

    Update: a new function to disable a user and show that the user has been disabled.

    ##--------------------------------------------------------------------------
    ##  FUNCTION.......:  Disable-User
    ##  PURPOSE........:  Disable User account and return confirmation
    ##  ARGUMENTS......:  username  SAM account name of the account to disable
    ##  EXAMPLE........:  Disable-User username
    ##  REQUIREMENTS...:  Quest-AD cmdlets
    ##  NOTES..........:
    ##--------------------------------------------------------------------------
    function Disable-User
    {
        param ($username)
        # Disable-QADUser returns the updated user; AccountIsDisabled shows the result
        Disable-QADUser $username | ft -property name, accountisdisabled
    }
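    The following is an added example (not from the original post): Disable-User rebuilt on the Microsoft ActiveDirectory module instead of the Quest cmdlets, with -WhatIf and -Confirm support so that the "disable all users in an OU" one-liner from earlier in the post can be dry-run before it touches anything. Like the Quest version it returns confirmation, but read back from the directory rather than taken from the cmdlet's return value. It assumes the ActiveDirectory module; the -Reason parameter and the description-stamp convention are my assumptions.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Disable-User {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        # A SAM account name, or a user object from Get-ADUser on the pipeline
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('SamAccountName')]
        [string]$Identity,

        # Optional note written to the description attribute as an audit trail (assumed convention)
        [string]$Reason
    )

    process {
        $user = Get-ADUser -Identity $Identity -Properties Description
        if (-not $user.Enabled) {
            Write-Verbose "$($user.SamAccountName) is already disabled"
        }

        # ShouldProcess is what makes -WhatIf and -Confirm work
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
            Disable-ADAccount -Identity $user
            if ($Reason) {
                $stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') by $($env:USERNAME): $Reason"
                Set-ADUser -Identity $user -Description $stamp
            }
        }

        # Read the account back rather than assuming the disable succeeded
        Get-ADUser -Identity $user -Properties Description |
            Select-Object SamAccountName, Enabled, Description
    }
}

# Dry run first: lists what would be disabled and changes nothing
Get-ADUser -Filter * -SearchBase "OU=Test,DC=Domain,DC=Local" | Disable-User -WhatIf

# Then for real; ConfirmImpact High prompts per account unless -Confirm:$false is given
Get-ADUser -Filter * -SearchBase "OU=Test,DC=Domain,DC=Local" | Disable-User -Reason "Offboarding batch"
```

    Under -WhatIf the read-back still runs, so the dry run doubles as a report of which accounts in the OU are already disabled.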

    About

    Clint McGuire is a Computer Consultant based out of Vancouver Canada. He specializes in VMware and Storage.
