Use PowerShell Cmdlets to Search Active Directory

Summary: Windows PowerShell MVP, Sean Kearney, shows how to use Windows PowerShell cmdlets to search Active Directory.

Microsoft Scripting Guy, Ed Wilson, is here. Honorary Scripting Guy and Microsoft PowerShell MVP, Sean Kearney, is back today with Part 2 of PowerShell in Blueville. Take it away Sean…

So the story today, we continue for you,
Is about Mr. Finch, no script he could do,
Never learned in the past, too tricky for he,
Because that VBScript, was not that easy you see.
But yesterday I think, about half past two,
He sat there a chatting, with Mister Stu Blue.
A happy IT worker, Mr. Finch he did sell
A wonderful technology, we call PowerShell.
So easy to use, the curve it was low,
Unlocking divisions, off he did go.
Mr. Finch sat now leaning, off on the rail,
Thinking aloud, let’s continue the tale…

He gazed down below at the scampering Blues
As they happily worked in ones and in twos.
No grumbling was made, no groaning was heard,
As they scripted, they work with nary a word.

Perhaps they might know, the answer today
In their happy go lucky fun little way.
A problem that plagued him, and poked him in bed,
A nattering issue that was stuck in his head.

A division was added, to Blueville that day,
But a split of its assets would be carried away.
The controller they had not, and only half of the staff,
Such a stumbler…Mr. Finch had just had to laugh.

“All that typing away! Mistakes could be made!
And security groups too! The settings to wade!”

“Oh if only there was a way…” he sadly would sigh,
“To export all that content, in Excel it could fly.
I could take what I wanted, and then purge all the rest,
Then maybe import it, that would be best.”

Down the rail he did go, he did take a slide
To the Blues working below, oh what a ride!
He ran into a worker, right out of the blue,
Was a network admin, whose name it was Hugh.

Hugh Blue came out to Mr. Finch holding his hand,
Kicking a RhymeOMatic, right in the can.

“Thanks, I can never think quite clear with those,” said good Mr. Finch. “So I ran into Stu, who showed me this new technology called Windows PowerShell.”

Hugh nodded. “Yep makes our life far easier. Without it, I’m not sure what we’d be doing.”

Mr. Finch nodded. “So perhaps you might be able to help me out. There is a new division we have acquired, but due to a split of the assets, we will not get the domain controller because only half the assets and people are coming over. They will give us temporary access to the domain controller to pull out data from the OU that contains those users, but I would rather have something cleaner to work with than running an LDIFDE command. Can Windows PowerShell help?”

A smile spread across Hugh’s face. “Piece of cake with Windows PowerShell and the Quest ActiveRoles cmdlets! It is a free tool that I can download from the Internet to manage Active Directory, particularly on older systems!”

Mr. Finch looked on as Hugh entered a line on his computer.

GET-QADUSER -searchroot 'Blueville.local/Boston/Legal'

“This will give you all the users within the legal OU under Boston in our Active Directory, Mr. Finch…”

Mr. Finch gazed upon the list flowing on the screen. “That looks easy, but will that give me all the information about those users?”

“If you like, I can pull down all the properties for the users, it will take longer of course, but I simply add this parameter.”

GET-QADUSER -searchroot 'Blueville.local/Boston/Legal' -includeallproperties

“That’s nice, but I’d really like that in some kind of text file so I could manipulate and cherry pick what I need. Even if it was a raw text file that I could work with in Excel somehow…”

“Excel you say?” Hugh blinked. “You will like this then. Windows PowerShell has a cmdlet called Export-CSV, which will export everything that is sent to it as a comma-separated value file. Perfect for Excel. We just make this one minor change to the line.”

GET-QADUSER -searchroot 'Blueville.local/Boston/Legal' -includeallproperties | EXPORT-CSV Users.CSV

In moments, Mr. Finch was staring at an exported spreadsheet of all the users, and he could see fields available, including whether their accounts were disabled or enabled and the dates that they were created. He was impressed, but then a thought struck him.

“Hugh, with my problem I need to pull the users from the system, but I won’t be on their domain. I will have credentials, of course, and the IP address of the server, but I don’t think they’ll let me install Windows PowerShell on their server just to do this.”

“No problem, Mr. Finch! Here is a slight change we can make, and then we can use those credentials on your work laptop as long as the wire is attached. We use another cmdlet called Get-Credential and connect away like this:”

$Credentials=GET-CREDENTIAL

Mr. Finch watched as Hugh ran the cmdlet. It produced a standard validation box on the screen.

“For the test domain here, which is NEWCONTOSO, I type this:”

NEWCONTOSO\Administrator

“And of course, my super secret password. And now I put in the IP address of the server and the results from $Credentials in this line:”

GET-QADUSER -searchroot 'NewContoso.local/OtherUsers/OnesWeOwn' -includeallproperties -service '192.168.1.5:389' -credential $Credentials | EXPORT-CSV Users.CSV

Mr. Finch almost fell back. Not only was Windows PowerShell pulling down the information, but he noted that Hugh was doing it on his Windows 7 Premium laptop, which was not even on the domain.

Hugh saved all the lines into a file called GETTHEUSERS.PS1, and then he stored it and the free software needed to install the Quest cmdlets on Mr. Finch’s laptop. “Call me if you have problems, but this should work well.”

Mr. Finch could not wait to tackle the problem. This Windows PowerShell seemed to make everything easy again!
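
A sketch of what GETTHEUSERS.PS1 could contain, put together from the lines Hugh typed. This is an added example, not the script from the original post. It assumes the Quest snap-in is installed under its usual name, Quest.ActiveRoles.ADManagement, and the column list is a hypothetical selection; confirm the property names against your own output with Get-Member.

```powershell
# GETTHEUSERS.PS1 (added example, not the author's script).
# Values are the ones used in the story; change them for your environment.
$SearchRoot = 'NewContoso.local/OtherUsers/OnesWeOwn'
$Service    = '192.168.1.5:389'
$OutFile    = 'Users.CSV'

# The Quest cmdlets live in a snap-in that has to be loaded in each session.
if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction Stop
}

# Prompt for the account. The password stays in a SecureString inside the
# PSCredential object and is never written into the script or the CSV.
$Credentials = Get-Credential
if (-not $Credentials) { throw 'No credentials supplied; nothing was exported.' }

# -SizeLimit 0 lifts the default cap of 1000 returned objects, so a large OU
# is not silently truncated.
$Users = Get-QADUser -SearchRoot $SearchRoot -Service $Service `
                     -Credential $Credentials -IncludeAllProperties -SizeLimit 0

# Export only the columns the migration needs rather than every attribute;
# the file is a copy of directory data and should be handled as such.
# Column names are an assumed selection: check them with  $Users | Get-Member
$Columns = @(
    'SamAccountName',
    'DisplayName',
    'Email',
    'ParentContainer',
    'AccountIsDisabled',
    'CreationDate',
    # Multi-valued properties would otherwise export as "System.String[]",
    # so the group list is flattened into one semicolon-separated cell.
    @{ Name = 'MemberOf'; Expression = { $_.MemberOf -join ';' } }
)

$Users |
    Select-Object -Property $Columns |
    Export-Csv -Path $OutFile -NoTypeInformation

# Quick sanity check before opening the file in Excel.
$Disabled = @($Users | Where-Object { $_.AccountIsDisabled }).Count
Write-Host ("Exported {0} users ({1} disabled) to {2}" -f @($Users).Count, $Disabled, $OutFile)
```

-NoTypeInformation keeps the "#TYPE" header line out of the file, so Excel sees the column names on the first row.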

So waving to Hugh, and out of the door
Mr. Finch ran with a smile, and tore up the floor.
Couldn’t wait to get started on the task and the site,
With PowerShell here, it wouldn’t take all night.

 

Sean continues to share his creativeness with us tomorrow in Part 3.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

  • Hi Sean, my brilliant poetical friend!

    Well done, Sean! ... we can have it all

    We can get each property of our AD install

    And we can even query another Ad domain

    including our credential leads to the gain!

    Well, you could add the "Add-PSSnapin Quest.ActiveRolesManagement"

    to the beginning of your blog entry but I don't mind.

    The poem at the top is something I'll consider to teach my children

    for christmas day. No presents before they have recited this poem accurately!!

    Is it OK, that ... If they complain ... I'd give them your phone number?

    Klaus.

  • Klaus

    If thee should do this, my good scripting friend,

    the holding of presents, far to the end

    The gnashing of teeth and shrieks thee shall hear

    Will torture you far to the end of next year

    ....I'd not do it if I were you ;)

    Sean

  • thanks