When it comes to PowerShell, there are two main ways to manage your Active Directory infrastructure. The first is the Active Directory module that is installed with the RSAT tools. The second uses the Quest AD CMDLETs.

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at DeployHappiness.com.

Update: The Quest AD CMDLETs have been renamed to PowerShell Commands for Active Directory and you can now download them here.

Why use the Quest AD CMDLETs?

In my opinion, the Quest AD CMDLETs are easier to work with. The syntax tends to read as “English PowerShell” instead of “Programmer PowerShell”.

Here are two examples that return all computer names containing ComputerLab:

Microsoft AD CMDLET: Get-ADComputer -Filter 'Name -like "COMPUTERLAB*"'

Quest AD CMDLET: Get-QADComputer ComputerLab*

Get-QADComputer

It might just be me, but the Quest AD command seems much simpler.

The second reason to use the Quest AD CMDLETs is the lack of server requirements. To use the native Active Directory PowerShell module, you must have one Windows Server 2008 R2 domain controller or a server running the Active Directory Management Gateway Service.

Before we start working with PowerShell and AD, download the free Quest AD CMDLETs and install them. Be sure to download version 1.6 and not version 1.5.1.

Importing the module (and keeping it imported)

Like most PowerShell commands, the Quest commands are logically named. Every command contains QAD in the name and each accurately describes what is being done.

When you launch PowerShell and type get-command *qad*, you will likely see zero results. To make use of the Quest CMDLETs, you will have to import them first. Type Add-PSSnapin Quest.ActiveRoles.ADManagement to import the commands.

When we run get-command *qad*, we should now see an output like this:

All 81 Quest AD commands


To have the Quest commands automatically load when you launch PowerShell, you’ll want to create or modify your PowerShell Profile.

Navigate to the WindowsPowerShell folder within your Documents folder. If the WindowsPowerShell folder does not exist, create it. Now, create a new text document. Rename the text document profile.ps1. Be sure that the actual file extension changes to a Windows PowerShell script.

Open profile.ps1 and paste Add-PSSnapin Quest.ActiveRoles.ADManagement. If you have any other modules that you regularly use, add them now. Save this script and relaunch PowerShell. The Quest commands should automatically import!

The Quest CMDLETs in my PowerShell profile


Dealing with Active Directory data

Before you can start resetting passwords, disabling accounts, and modifying attributes, you must query for data first! To do that, you will use one of the Get-QAD commands. If we wanted to query computers, we would use Get-QADComputer. For users, it would be Get-QADUser. And so forth.

All Get-QAD commands


As an example, let’s use the Get-QADcomputer command to retrieve a list of computers in a specific OU that have not been used in 180 days.

The Get-QADComputer command does not have any required parameters, meaning that we don’t need to specify a name wildcard (such as Get-QADcomputer -name *). Here is another practical example.

In our environment, we write the computer’s model to the comment attribute. If we wanted to view the model, we could try running: Get-QADcomputer -Name GAMCN* | select Name,Comment

Why is the comment blank?

To save time and resources, any Get-QAD command will only retrieve the most common attributes and their values. To add the comment attribute to this list, we can use the parameter -IncludedProperties Comment. We can also pull all attributes by using the parameter -IncludeAllProperties. Here is our output now:

IncludeAllProperties


Modifying Active Directory Objects

Retrieving data is fun but I would imagine you have higher demands. Let’s take our inactive computer command from above and have it actually do something.

Awesome! By piping the Get-QADComputer results to the Disable-QADComputer command, our inactive computers are disabled. But we are 4sysopians! We can take this a bit further:

So what does this command actually do? It starts by building our inactive computers list and disables the account. It then uses the Set-QADComputer command to timestamp the location attribute of the computer. This lets you know when the computer was disabled. Finally, it moves the computer to a new OU named Computers_Stale.
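
The disable, timestamp and move sequence described above, written as an added example (it is not the article's original command, which is not preserved on this page). It defaults to report-only and logs each computer's original DN so a change can be reversed. The OU paths and log location are placeholders, and the script assumes the Quest snap-in's -InactiveFor, -SearchRoot, -SizeLimit, -ObjectAttributes and -NewParentContainer parameters.

```powershell
# Added example: OU paths and log path are placeholders for your environment.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$SearchRoot = 'OU=Workstations,DC=example,DC=com'      # placeholder: OU to scan
$StaleOU    = 'OU=Computers_Stale,DC=example,DC=com'   # placeholder: holding OU
$Days       = 180
$Apply      = $false   # $false = report only; set to $true to change AD
$LogPath    = Join-Path $env:TEMP ('stale-computers-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))

# -SizeLimit 0 lifts the default 1000-object cap on returned results
$stale = @(Get-QADComputer -SearchRoot $SearchRoot -InactiveFor $Days -SizeLimit 0)

$report = @(foreach ($computer in $stale) {
    $result = 'ReportOnly'
    if ($Apply) {
        try {
            $stamp = 'Disabled {0:yyyy-MM-dd} (inactive {1}+ days)' -f (Get-Date), $Days
            # Disable first so the account can no longer authenticate,
            # then stamp the location attribute and move the object.
            $computer | Disable-QADComputer -ErrorAction Stop | Out-Null
            $computer | Set-QADComputer -ObjectAttributes @{ location = $stamp } -ErrorAction Stop | Out-Null
            $computer | Move-QADObject -NewParentContainer $StaleOU -ErrorAction Stop | Out-Null
            $result = 'DisabledAndMoved'
        }
        catch {
            # Keep going; the failure is recorded against this computer
            $result = "Failed: $($_.Exception.Message)"
        }
    }
    # Record the original DN so a wrongly disabled machine can be moved back
    New-Object PSObject -Property @{
        Name       = $computer.Name
        OriginalDN = $computer.DN
        Result     = $result
    }
})

$report | Export-Csv -Path $LogPath -NoTypeInformation
'{0} stale computer(s) found; results written to {1}' -f $stale.Count, $LogPath
```

Review the CSV from a report-only run before setting $Apply to $true, and run the script under an account that is delegated rights only on the two OUs involved.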

What will you automate?

The Quest AD CMDLETS can automate all of your routine Active Directory tasks. In this article, we covered how to install the tool and configure it for ease of use. Finally, we worked through a basic problem by gathering Active Directory details and manipulating our computer objects.

Using this guide, what routine Active Directory task will you automate?

13 Comments
  1. Brad 5 years ago

    What attribute needs write permissions to update the "Comments" of a computer object?

    1+

    • Author
      Joseph Moody 5 years ago

      Hi Brad - I am afraid I don't fully understand your question. Can you elaborate?

      1+

  2. Lucky 5 years ago

    In order to get all the users in a group and its associative sub-groups what cmdlet should I use so that I can bypass the limit that AD imposes (1000 at a time) while fetching the userAccounts (sAMAccountName) in one cycle?

    1+

  3. Author
    Joseph Moody 5 years ago

    You would want to use the -sizelimit 0 as your parameter.

    1+

  4. yiannis 5 years ago

    what would be the cmd to get details OS version, Service Pack, Computer S/N, Monitor S/N ?

    thank you

    1+

  5. Author
    Joseph Moody 5 years ago

    All of that info is a bit harder to get. This will get you started: https://4sysops.com/archives/automatically-fill-the-computer-description-field-in-active-directory/

    1+

  6. Saeid 1 year ago

    Hi,

    what is the command to remove a computer in AD using quest?

    1+

    • Author
      Joseph Moody 1 year ago

      It is a bit misleading. The command is remove-qadobject

      1+

  7. David Figueroa 1 year ago

    One of the best things I have found with the Quest cmdlets is the -identity parameter they all use.  The -identity can be any one of a number of identifying characteristics.  You can use things like the samaccountname, the displayname, the distinguishedname, etc.

    And to add a bit more Saeid, you would do something like this:

    David F.

    1+

    • Author
      Joseph Moody 1 year ago

      You are absolutely right! Searching with the quest cmdlets is easier than using the native AD cmdlets (at least in my opinion).

      2+

  8. Marcelo 1 year ago

    Add-PSSnapin : No snap-ins have been registered for Windows PowerShell version 5.
    At line:3 char:1
    + Add-PSSnapin Quest.ActiveRoles.ADManagement
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (Quest.ActiveRoles.ADManagement:String) [Add-PSSnapin], PSArgumentException
    + FullyQualifiedErrorId : AddPSSnapInRead,Microsoft.PowerShell.Commands.AddPSSnapinCommand

    2+

  9. Zack 1 year ago

    Hi,

    I'm using Quest AD CMDLET to get the information from "info" field of AD computer properties (Windows Server 2016): Get-QADcomputer <ComputerName> -includeAllProperties | FT Name, info -AutoSize

    It works fine for a single computer but when I try to apply the same query to get a list of all computers with their respective names and "info" field, I'm getting only the name field, without "info":

    Get-QADcomputer -includeAllProperties | FT Name, info -AutoSize

    Do you know why? How to overcome this?

    Thanks

    0

  10. David Figueroa 1 year ago

    I don't have a domain to test this right now.. but you are telling it to retrieve all the properties, but you are really only using 2?  What about if you just get the properties you want?

    [code]
    get-qadcomputer -identity * -includedproperties name,info
    [/code]

    Coralon

    0


© 4sysops 2006 - 2019
