- SmartDeploy: Rethinking software deployment to remote workers in times of a pandemic - Thu, Jul 30 2020
- Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
- PolicyPak MDM Edition: Group Policy and more for BYOD - Tue, Oct 29 2019
Update: The Quest AD CMDLETs have been renamed to PowerShell Commands for Active Directory and you can now download the here.
Why use the Quest AD CMDLETs? ^
In my opinion, the Quest AD CMDLETs are easier to work with. The syntax tends to read as “English PowerShell” instead of “Programmer PowerShell”.
Here are two examples that return all computer names containing ComputerLab
Microsoft AD CMDLET: Get-ADComputer -Filter 'Name -like "COMPUTERLAB*"'
Quest AD CMDLET: Get-QADComputer ComputerLab*
It might just be me, but the Quest AD command seems much simpler.
The second reason to use the Quest AD CMDLETs is the lack of server requirements. To use the native Active Directory PowerShell module, you must have one Windows Server 2008 R2 domain controller or a server running the Active Directory Management Gateway Service.
Before we start working with PowerShell and AD, download the free Quest AD CMDLETs and install them. Be sure to download version 1.6 and not version 1.5.1.
Importing the module (and keeping it imported) ^
Like most PowerShell commands, the Quest commands are logically named. Every command contains QAD in the name and each accurately describe what is being done.
When you launch PowerShell and type get-command *qad*, you will likely see zero results. To make use of the Quest CMDLETs, you will have to import them first. Type Add-PSSnapin Quest.ActiveRoles.ADManagement to import the commands.
When we run get-command *qad*, we should now see an output like this:
All 81 Quest AD commands
To have the Quest commands automatically load when you launch PowerShell, you’ll want to create or modify your PowerShell Profile.
Navigate to the WindowsPowerShell folder within your Documents folder. If the WindowsPowerShell folder does not exist, create it. Now, create a new text document. Rename the text document profile.ps1. Be sure that the actual file extension changes to a Windows PowerShell script.
Open profile.ps1 and paste Add-PSSnapin Quest.ActiveRoles.ADManagement. If you have any other modules that you regularly use, add them now. Save this script and relaunch PowerShell. The Quest commands should automatically import!
The Quest cmdlets in my PowerShell profile
Dealing with Active Directory data ^
Before you can start resetting passwords, disabling account, and modifying attributes, you must querying for data first! To do that, you will use one of the Get-QAD commands. If we wanted to query computers, we would use Get-QADcomputers. For users, it would be Get-QADuser. And so forth.
All Get-QAD commands
As an example, let’s use the Get-QADcomputer command to retrieve a list of computers in a specific OU that have not been used in 180 days.
Get-QADComputer -SearchRoot "OU=Admins,DC=Test,DC=local" -InactiveFor 180
The Get-QADComputer command does not have any required parameters meaning that we don’t need to specify a name wildcard (such as Get-QADcomputer –name *). Here is another practical example.
In our environment, we write the computer’s model to the comment attribute. If we wanted to view the model, we could try running: Get-QADcomputer -Name GAMCN* | select Name,Comment
Why is the comment blank?
To save time and resources, any Get-QAD command will only retrieve the most common attributes and their values. To add the comment attribute to this list, we can use the parameter –IncludedProperties Comment. We can also pull all attributes by using the parameter –IncludeAllProperties. Here is our output now:
Modifying Active Directory Objects ^
Retrieving data is fun but I would imagine you have higher demands. Let’s take our inactive computer command from above and have it actually do something.
Get-QADComputer -SearchRoot "OU=Admins,DC=Test,DC=local" -InactiveFor 180 | Disable-QADComputer
Awesome! By piping the Get-QADComputer results to the Disable-QADComputer command, our inactive computers are disabled. But we are 4sysopians! We can take this a bit further:
Get-QADComputer -SearchRoot "OU=Admins,DC=Test,DC=local" -InactiveFor 180 | Disable-QADComputer | Set-QADComputer -Location (Get-Date) | Move-QADObject -NewParentContainer 'OU=Computers_Stale,DC=TEST,DC=local'
So what does this command actually do? It starts by building our inactive computers list and disables the account. It then uses the Set-QADComputer command to timestamp the location attribute of the computer. This lets you know when the computer was disabled. Finally, it moves the computer to a new OU named Computers_Stale.
What will you automate? ^
The Quest AD CMDLETS can automate all of your routine Active Directory tasks. In this article, we covered how to install the tool and configuring it for ease of use. Finally, we worked through a basic problem by gathering Active Directory details and manipulating our computer objects.
Using this guide, what routine Active Directory task will you automate?