Download Quest PowerShell along with the admin guide.

http://www.quest.com/powershell/activeroles-server.aspx


Download Prerequisites

Microsoft PowerShell

http://support.microsoft.com/kb/968930

.NET Framework 3.5 SP1

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d0e5dea7-ac26-4ad7-b68c-fe5076bba986&displaylang=en

Querying does not require any special permission.

See the link below as well.

http://blogs.technet.com/b/manojnair/archive/2010/12/27/adding-users-to-ad-group-using-quest-powershell-command-lets.aspx

Before running any PowerShell script, run the command below.

Set-ExecutionPolicy Unrestricted

1. How to find group members for n number of groups

# Read the group names (one per line) and list each group's members and the group object
$groups = Get-Content groups.txt
foreach ($group in $groups)
{
    Get-QADGroupMember $group
    Get-QADGroup $group
}

Create a file called groups.txt and put all the group names into it, one per line.

2. Find memberof for n number of users with powershell

# Read the user names (one per line) and list each user's group memberships and the user object
$users = Get-Content users.txt
foreach ($user in $users)
{
    Get-QADMemberOf $user
    Get-QADUser $user
}

3. Extract the known attributes for n number of users

$users = Get-Content users.txt
foreach ($user in $users) { Get-QADUser $user -SerializeValues }

4. Find the e-mail addresses of users from a particular OU

get-QADuser -SearchRoot 'contoso.com/test' | select samaccountname,mail,memberof

5. Find the Display Name for n number of users

$users = Get-Content users.txt
foreach ($user in $users) { Get-QADUser $user -SizeLimit 0 | Format-Table displayname }

6. Find the Display Name, Canonicalname and Samaccountname for n number of users

$users = Get-Content users.txt
foreach ($user in $users) { Get-QADUser $user -SizeLimit 0 | Format-Table displayname,canonicalname,samaccountname }


7. Verify user is member of AD group
 

if (Get-QADMemberOf 'domain\user' -Indirect -Name GroupName) {
    "is member of"
} else {
    "not member of"
}

8. Get Password Expiration Date of All Users in Active Directory

Get-QADUser -Name * | select givenName,sn,name,PasswordExpires
  
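To export the results to a file, add | Export-CSV c:\pass_exp.csv at the end, like:

Get-QADUser -Name * -sizelimit 0 | select givenName,sn,name,PasswordExpires | Export-CSV c:\pass_exp.csv

For 2008 R2 use this syntax

# Get-ADUser takes -Filter rather than -Name; the expiry date is computed from msDS-UserPasswordExpiryTimeComputed
Get-ADUser -Filter * -Properties sn,'msDS-UserPasswordExpiryTimeComputed' | select givenName,sn,name,@{Name='PasswordExpires';Expression={[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}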

9. List the values of all properties of the user account.  

Get-QADUser <userlogon> -IncludeAllProperties -SerializeValues

10. Retrieve deleted user accounts with the name (RDN) of biz

C:\PS>Get-QADUser -Tombstone -Name 'biz*'

11. Find all objects in an OU

get-QADObject -Service 'itibase.contoso.com:389' -SearchRoot 'ou=test,dc=contoso,dc=com'

12. Restore a user account that was deleted from a particular container and had the name (RDN) of Bish B:

C:\PS> Get-QADUser -Tombstone -LastKnownParent '<DN of container>' -Name 'Bish B*' | Restore-QADDeletedObject

13. How to check the DACL

Get-QADObject 'cn=users,dc=contoso,dc=com' -SecurityMask Dacl | Get-QADPermission -Inherited -SchemaDefault

14. Checking the permission for a user/group

Get-QADObject 'cn=users,dc=contoso,dc=com' -SecurityMask Dacl | Get-QADPermission -Inherited -SchemaDefault | findstr /C:"Groupname"

The group name match is case sensitive.

15. Domain Controller Inventory

Get-QADComputer -ComputerRole 'DomainController' | Format-Table -Property computername,osname,osversion,osservicepack
Get-QADComputer -ComputerRole 'DomainController' -IncludeAllProperties -SerializeValues | select cn,operatingSystem,msDS-isGC,msDS-isRODC,msds-sitename | Export-CSV c:\DCS.csv

16. Find the Disabled members from multiple GROUPS.


Get-Content c:\groups.txt | ForEach-Object {
  Get-QADGroupMember $_ -Disabled
}
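
The loop in item 16 lists disabled members but does not show which group each one came from. The following is an added example, not part of the original post, that records the group beside every disabled member and writes the result to a CSV for review; the output path c:\disabled_members.csv, the snap-in load line and the use of -Indirect to include nested groups are assumptions.

```powershell
# Added example (not from the original post).
# Assumes the Quest ActiveRoles cmdlets are installed and c:\groups.txt holds one group name per line.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$report = foreach ($group in Get-Content c:\groups.txt) {
    $group = $group.Trim()
    if (-not $group) { continue }          # skip blank lines in the input file

    try {
        # -Disabled returns only disabled accounts; -Indirect also walks nested groups
        $members = Get-QADGroupMember $group -Disabled -Indirect -SizeLimit 0 -ErrorAction Stop
    }
    catch {
        # A mistyped or deleted group should not stop the rest of the audit
        Write-Warning "Could not read group '$group': $_"
        continue
    }

    foreach ($member in $members) {
        # One row per (group, disabled member) pair
        New-Object PSObject -Property @{
            Group          = $group
            SamAccountName = $member.SamAccountName
            Type           = $member.Type
            DN             = $member.DN
        }
    }
}

# Fix the column order, sort for readability and export (output path is an assumption)
$report |
    Select-Object Group,SamAccountName,Type,DN |
    Sort-Object Group,SamAccountName |
    Export-Csv c:\disabled_members.csv -NoTypeInformation
```

A disabled account that is still a group member gets its access back as soon as it is re-enabled, so each row in the CSV is a candidate for removal from that group.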

