Active Directory

Useful Active Directory PowerShell commands for common administration workflows.

Group Membership

Add AD group members from one group to another (-Recursive expands nested groups, so the users inside them become direct members of the new group):

Add-ADGroupMember -Identity 'New Group' -Members (Get-ADGroupMember -Identity 'Old Group' -Recursive)

Password Reset

Prompt for password securely and reset:

$pw = Read-Host "password" -AsSecureString
Set-ADAccountPassword -Identity '' -Reset -NewPassword $pw

Example with plain-text conversion (the password is then visible in the command history and transcript, so prefer the Read-Host form for interactive use):

Set-ADAccountPassword -Identity '' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force)

Unlock Account

Unlock-ADAccount -Identity ''

Check lock status:

Get-ADUser -Identity '' -Properties LockedOut | Select Name, LockedOut

User Queries

Search AD users:

Get-ADUser -Filter "Name -eq ''"

View all user properties:

Get-ADUser -Identity '' -Properties *

Get all groups for a user:

Get-ADPrincipalGroupMembership '' | Select Name

Find login scripts for all users and export:

Get-ADUser -Filter * -Properties scriptpath, homedrive, homedirectory | Format-Table Name, scriptpath, homedrive, homedirectory | Out-File C:\temp\logonscriptoutput.txt

Setting Up Active Directory

Reference for AD domain naming best practices:

https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx

Before creating the domain, ensure time and date settings on the primary domain controller are correct.

Hybrid AD Password Reset Fix

Microsoft guidance

Re-sync AD Account with Azure AD

Issues may occur when accounts are created incorrectly or are deleted and restored.

You may need to manually re-sync AD objects between on-prem AD and Azure AD using ImmutableID.

Get the account in AD and convert objectGUID to Base64:

Get-ADUser -Filter "Name -eq ''" -Properties objectGUID | Select-Object UserPrincipalName, objectGUID, @{Name = 'ImmutableID'; Expression = { [System.Convert]::ToBase64String(([GUID]$_.objectGUID).ToByteArray()) } } | Export-CSV users.csv

Set the ImmutableID on the Azure account:

Set-MsolUser -UserPrincipalName USER@DOMAIN.COM -ImmutableID "ABCdefGHIjklMNO=="
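Before stamping an ImmutableID, it is worth checking that the value already on the cloud account decodes to the on-prem objectGUID, since a stale value from a deleted-and-restored object is exactly what breaks the match. The following is an added example, not part of the original page: it performs the same GUID-to-Base64 conversion as the one-liner above, reverses it, and compares the two sides. The function names and the GUID value are constructed for illustration.

```powershell
# Added example: round-trip between an on-prem objectGUID and the Base64
# ImmutableID used for hard matching, plus a comparison helper.
# Function names and the sample GUID below are constructed, not from the page.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same conversion as the Get-ADUser one-liner: GUID bytes -> Base64 string
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: decode the Base64 back into a GUID so the cloud value
    # can be compared with the on-prem objectGUID. A valid ID is exactly 16 bytes.
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableID does not decode to 16 bytes (got $($bytes.Length))"
    }
    [guid]::new($bytes)
}

function Test-ImmutableIdMatch {
    param(
        [Parameter(Mandatory)][guid]$OnPremObjectGuid,
        [Parameter(Mandatory)][string]$CloudImmutableId
    )
    # $true only when the cloud ImmutableID decodes to exactly the on-prem objectGUID
    (ConvertFrom-ImmutableId $CloudImmutableId) -eq $OnPremObjectGuid
}

# Constructed sample: an on-prem objectGUID and the ImmutableID derived from it
$sampleGuid = [guid]'12345678-abcd-4ef0-9876-543210fedcba'
$derived    = ConvertTo-ImmutableId $sampleGuid

"objectGUID : $sampleGuid"
"ImmutableID: $derived"
"Round trip : $(ConvertFrom-ImmutableId $derived)"

# Mismatch case: a cloud value left over from a different (e.g. restored) object
$stale = ConvertTo-ImmutableId ([guid]::NewGuid())
"Matches derived value: $(Test-ImmutableIdMatch $sampleGuid $derived)"
"Matches stale value  : $(Test-ImmutableIdMatch $sampleGuid $stale)"
```

In practice, feed Test-ImmutableIdMatch the objectGUID from Get-ADUser and the ImmutableId read back from the cloud account, and only run Set-MsolUser when it returns $false.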

Reference: https://www.theictguy.co.uk/ad-connect-and-hard-matching-immutableid/

Domain/AD Ports

  • UDP 88: Kerberos authentication.
  • TCP and UDP 135: Domain controller communication and client/DC operations.
  • TCP 139 and UDP 138: File Replication Service between domain controllers.
  • UDP 389: LDAP queries from clients to domain controllers.
  • TCP and UDP 445: Replication, authentication, and Group Policy.
  • TCP and UDP 464: Kerberos password change.
  • TCP 3268 and 3269: Global Catalog access.
  • TCP and UDP 53: DNS traffic between clients and domain controllers.
  • Ephemeral ports: TCP/UDP 1025-5000 and 49152-65535.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

DHCP in Active Directory

Get all DHCP servers registered to the domain:

Get-DhcpServerInDC