Update: The Quest AD CMDLETs have been renamed to PowerShell Commands for Active Directory, and you can now download them here.
Why use the Quest AD CMDLETs?
In my opinion, the Quest AD CMDLETs are easier to work with. The syntax tends to read as “English PowerShell” instead of “Programmer PowerShell”.
Here are two examples that return all computer names containing ComputerLab:
Microsoft AD CMDLET: Get-ADComputer -Filter 'Name -like "COMPUTERLAB*"'
Quest AD CMDLET: Get-QADComputer ComputerLab*
It might just be me, but the Quest AD command seems much simpler.
The second reason to use the Quest AD CMDLETs is the lack of server requirements. To use the native Active Directory PowerShell module, you must have one Windows Server 2008 R2 domain controller or a server running the Active Directory Management Gateway Service.
Before we start working with PowerShell and AD, download the free Quest AD CMDLETs and install them. Be sure to download version 1.6 and not version 1.5.1.
Importing the module (and keeping it imported)
Like most PowerShell commands, the Quest commands are logically named. Every command contains QAD in the name, and each name accurately describes what is being done.
When you launch PowerShell and type get-command *qad*, you will likely see zero results. To make use of the Quest CMDLETs, you will have to import them first. Type Add-PSSnapin Quest.ActiveRoles.ADManagement to import the commands.
When we run get-command *qad*, we should now see an output like this:
All 81 Quest AD commands
To have the Quest commands automatically load when you launch PowerShell, you’ll want to create or modify your PowerShell Profile.
Navigate to the WindowsPowerShell folder within your Documents folder. If the WindowsPowerShell folder does not exist, create it. Now, create a new text document. Rename the text document profile.ps1. Be sure that the actual file extension changes to a Windows PowerShell script.
Open profile.ps1 and paste Add-PSSnapin Quest.ActiveRoles.ADManagement. If you have any other modules that you regularly use, add them now. Save this script and relaunch PowerShell. The Quest commands should automatically import!
The Quest cmdlets in my PowerShell profile
Dealing with Active Directory data
Before you can start resetting passwords, disabling accounts, and modifying attributes, you must query for data first! To do that, you will use one of the Get-QAD commands. If we wanted to query computers, we would use Get-QADComputer. For users, it would be Get-QADUser. And so forth.
All Get-QAD commands
As an example, let’s use the Get-QADcomputer command to retrieve a list of computers in a specific OU that have not been used in 180 days.
Get-QADComputer -SearchRoot "OU=Admins,DC=Test,DC=local" -InactiveFor 180
The Get-QADComputer command does not have any required parameters, meaning that we don’t need to specify a name wildcard (such as Get-QADComputer -Name *). Here is another practical example.
In our environment, we write the computer’s model to the comment attribute. If we wanted to view the model, we could try running: Get-QADcomputer -Name GAMCN* | select Name,Comment
Why is the comment blank?
To save time and resources, any Get-QAD command will only retrieve the most common attributes and their values. To add the comment attribute to this list, we can use the parameter -IncludedProperties Comment. We can also pull all attributes by using the parameter -IncludeAllProperties. Here is our output now:
Modifying Active Directory Objects
Retrieving data is fun but I would imagine you have higher demands. Let’s take our inactive computer command from above and have it actually do something.
Get-QADComputer -SearchRoot "OU=Admins,DC=Test,DC=local" -InactiveFor 180 | Disable-QADComputer
Awesome! By piping the Get-QADComputer results to the Disable-QADComputer command, our inactive computers are disabled. But we are 4sysopians! We can take this a bit further:
Get-QADComputer -SearchRoot "OU=Admins,DC=Test,DC=local" -InactiveFor 180 | Disable-QADComputer | Set-QADComputer -Location (Get-Date) | Move-QADObject -NewParentContainer 'OU=Computers_Stale,DC=TEST,DC=local'
So what does this command actually do? It starts by building our inactive computers list and disables the account. It then uses the Set-QADComputer command to timestamp the location attribute of the computer. This lets you know when the computer was disabled. Finally, it moves the computer to a new OU named Computers_Stale.
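A staged version of the pipeline above, as an added example that is not part of the original article: it checks that the snap-in is registered before loading it, writes each computer's name and original DN to a CSV so the move can be reversed, and only changes the directory when run with -Apply. The script form, the -Apply switch and the C:\Temp report path are assumptions; the OU names are the article's test values, and -SizeLimit 0 is the parameter suggested in the comments below.

```powershell
# Added example (not the author's code). Save as a .ps1 script and run it
# without arguments for a dry run, or with -Apply to make the changes.
param([switch]$Apply)

$snapin     = 'Quest.ActiveRoles.ADManagement'
$searchRoot = 'OU=Admins,DC=Test,DC=local'            # article's test OU
$staleOu    = 'OU=Computers_Stale,DC=TEST,DC=local'   # article's target OU
# Assumed report location; change to a path that exists on your machine.
$report     = 'C:\Temp\stale-computers-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date)

# Load the snap-in only if it is not loaded yet and is actually registered.
# The same guard can replace the bare Add-PSSnapin line in profile.ps1.
if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    if (Get-PSSnapin -Registered -Name $snapin -ErrorAction SilentlyContinue) {
        Add-PSSnapin $snapin
    }
    else {
        Write-Warning "$snapin is not registered on this machine. Install the Quest cmdlets first."
        return
    }
}

# Query once and keep the result so every later step acts on the same set.
# -SizeLimit 0 lifts the result cap discussed in the comments.
$stale = @(Get-QADComputer -SearchRoot $searchRoot -InactiveFor 180 -SizeLimit 0)
if ($stale.Count -eq 0) {
    Write-Host 'No inactive computers found.'
    return
}

# Record name and original DN before anything changes; this is the rollback list.
$stale | Select-Object Name, DN | Export-Csv -Path $report -NoTypeInformation
Write-Host "$($stale.Count) computers recorded in $report"

if ($Apply) {
    # Same pipeline as the article: disable, timestamp, move.
    $stale |
        Disable-QADComputer |
        Set-QADComputer -Location (Get-Date) |
        Move-QADObject -NewParentContainer $staleOu
}
else {
    # Dry run: -WhatIf reports what each cmdlet would do without doing it.
    $stale | Disable-QADComputer -WhatIf
    $stale | Move-QADObject -NewParentContainer $staleOu -WhatIf
}
```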
What will you automate?
The Quest AD CMDLETs can automate all of your routine Active Directory tasks. In this article, we covered how to install the tool and configure it for ease of use. Finally, we worked through a basic problem by gathering Active Directory details and manipulating our computer objects.
Using this guide, what routine Active Directory task will you automate?
What attribute needs write permissions to update the “Comments” of a computer object?
Hi Brad – I am afraid I don’t fully understand your question. Can you elaborate?
In order to get all the users in a group and its associative sub-groups, what cmdlet should I use so that I can bypass the limit that AD imposes (1000 at a time) while fetching the userAccounts (sAMAccountName) in one cycle?
You would want to use the -sizelimit 0 as your parameter.
what would be the cmd to get details OS version, Service Pack, Computer S/N, Monitor S/N ?
All of that info is a bit harder to get. This will get you started: https://4sysops.com/archives/automatically-fill-the-computer-description-field-in-active-directory/
what is the command to remove a computer in AD using quest?
It is a bit misleading. The command is remove-qadobject
One of the best things I have found with the Quest cmdlets is the -identity parameter they all use. The -identity can be any one of a number of identifying characteristics. You can use things like the samaccountname, the displayname, the distinguishedname, etc.
And to add a bit more Saied, you would do something like this:
You are absolutely right! Searching with the Quest cmdlets is easier than using the native AD cmdlets (at least in my opinion).
Add-PSSnapin : No snap-ins have been registered for Windows PowerShell version 5.
At line:3 char:1
+ Add-PSSnapin Quest.ActiveRoles.ADManagement
+ CategoryInfo : InvalidArgument: (Quest.ActiveRoles.ADManagement:String) [Add-PSSnapin], PSArgumentException
+ FullyQualifiedErrorId : AddPSSnapInRead,Microsoft.PowerShell.Commands.AddPSSnapinCommand
I'm using Quest AD CMDLET to get the information from “info” field of AD computer properties (Windows Server 2016): Get-QADcomputer <ComputerName> -includeAllProperties | FT Name, info -AutoSize
It works fine for a single computer, but when I try to apply the same query to get a list of all computers with their respective names and “info” field, I'm getting only the name field, without “info”:
Get-QADcomputer -includeAllProperties | FT Name, info -AutoSize
Do you know why? How to overcome this?
I don’t have a domain to test this right now.. but you are telling it to retrieve all the properties, but you are really only using 2? What about if you just get the properties you want?
get-qadcomputer -identity * -includedproperties name,info