Working with Active Directory using PowerShell ADSI adapter


Working with Active Directory using PowerShell ADSI adapter (en-US)


PowerShell is very useful for automating Active Directory. It allows to quickly and relatively easy automate mundane actions or perform same operations with many objects. PowerShell provides very broad set of methods to work with Active Directory. There is some of them:In this article provided examples of using ADSI adapter and .NET classes. This is not an easiest method, but sometimes you just need it. For example if you working in organization that uses old operating system for domain controllers (not 2008R2+), and you cannot install any additional software on controllers or servers, but need to work with Active Directory in your script.

Receiving an object representation of Active Directory object.

This method requires knowledge of object's LDAP path.
$Object = [adsi]'LDAP://CN=Notebook1,OU=Computers,DC=consoso,DC=com'

Searching for an object in Active Directory.

001 002 003 004
$Searcher = New-Object DirectoryServices.DirectorySearcher $Searcher.Filter = '(&(objectCategory=person)(anr=gusev))' $Searcher.SearchRoot = 'LDAP://OU=Laptops,OU=Computers,DC=consoso,DC=com' $Searcher.FindAll()
Filter property of the Searcher object uses standard LDAP query syntax  . You can also use FindOne() method to receive just first found object.

Setting "Password never expire" attribute on user object

This property unlike many other properties of AD object are contained in bitmask attribute UserAccountControl (not related in any way with User Account Control feature of Windows). To set it you need to retrieve current value of this attribute and use binary OR operation (-bor) to calculate new value. 
001 002 003 004
$User = [ADSI]"LDAP://cn=Gusev,ou=Users,ou=Lab,dc=contoso,dc=com" $UAC = $User.UserAccountControl[0] -bor 65536 $User.Put("userAccountControl",$UAC) $User.SetInfo()

Get direct AD group membership information

Members of the group are contained as Distinguished Names in Member array property of a group. To get objects representing the members one need to get contents of this property and create ADSI objects from them.
001 002
$Group = [ADSI]"LDAP://cn=Domain Admins,cn=Users,dc=Contoso,dc=Com" $Members = $Group.Member | ForEach-Object {[ADSI]"LDAP://$_"}
  Same way, groups in which AD object is directly included are contained in its MemberOf property. 
001 002
$User = [ADSI]"LDAP://cn=Administrator,cn=Users,dc=Contoso,dc=Com" $Groups = $User.MemberOf | ForEach-Object {[ADSI]"LDAP://$_"}

Get AD object class name

Primary class of AD object are contained in Class property, but there is also ObjectClass property that contains all classes to which object is belong.
PS C:\> $Object = [ADSI]"LDAP://cn=Administrator,cn=Users,dc=Contoso,dc=Com"
PS C:\> $Object.class
PS C:\> $Object.objectclass



Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: