AD DS Administration Cmdlets in Windows PowerShell

Windows Server 2012 R2 and Windows 8.1

Updated: March 26, 2014

Applies To: Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2

Windows PowerShell™ is a task-based command-line shell and scripting language designed especially for system administration. This reference topic for the information technology (IT) professional introduces the Windows PowerShell cmdlets that you can use to manage and administer the Active Directory® directory service and Active Directory Domain Services (AD DS).

What does the Active Directory module do?

The Active Directory module for Windows PowerShell is a Windows PowerShell module (named Active Directory) that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.

Tip
For more information about getting started with the Active Directory Windows PowerShell module, see Active Directory Administration with Windows PowerShell.

Active Directory module provider

Administrators can use the Active Directory module provider to easily navigate and access data that is stored in Active Directory domains, AD LDS instances and configuration sets, and Active Directory Database Mounting Tool instances. The Active Directory module provider exposes the Active Directory database through a hierarchical navigation system, which is very similar to the file system. For example, while you are using the Active Directory module, you can use the following commands to navigate through your directory:

  • cd

  • dir

  • remove

  • .

  • ..

You can use the Active Directory module provider to map Active Directory domains, AD LDS instances, and Active Directory Database Mounting Tool instances to specific provider drives. When the Active Directory module is first loaded, a default Active Directory drive (AD:) is mounted. To connect to that drive, run the cd AD: command. To connect a new provider drive to an Active Directory domain, an AD LDS server, or an Active Directory Database Mounting Tool instance, use the following cmdlet:

New-PSDrive -Name <name of the drive> -PSProvider ActiveDirectory -Root "<DN of the partition/NC>" -Server <server or domain name (NetBIOS/FQDN)[:port number]> -Credential <domain name>\<username>

 

Parameter Description

-Name <name of the drive>

Specifies the name of the drive that is being added.

-PSProvider ActiveDirectory

The name of the provider, in this case, ActiveDirectory.

-Root "<DN of the partition/NC>"

Specifies the internal root or path of the provider.

-Server <server or domain name (NetBIOS/FQDN)[:port number]>

Specifies the server that hosts your Active Directory domain or an AD LDS instance.

-Credential <domain name>\<username>

Specifies the credentials that you must have to connect to the Active Directory domain or the AD LDS server.
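
The following added example (not part of the original topic) maps a provider drive rooted at a single OU, browses it, and removes the drive again so the credentialed connection does not stay mounted in the session. The drive name, OU distinguished name, and server name are constructed placeholders.

```powershell
# Added example. All names below are constructed placeholders.
Import-Module ActiveDirectory

$driveName = 'CORP'                                        # hypothetical drive name
$rootDn    = 'OU=Workstations,DC=corp,DC=example,DC=com'   # hypothetical DN used as the drive root
$server    = 'dc01.corp.example.com'                       # hypothetical domain controller

# Prompt for the account instead of storing a password in the script.
# An account with read access is sufficient for browsing.
$cred = Get-Credential -Message "Account used to connect to $server"

$mounted = $false
try {
    # Rooting the drive at one OU keeps every path on the drive inside that subtree.
    New-PSDrive -Name $driveName -PSProvider ActiveDirectory -Root $rootDn `
        -Server $server -Credential $cred -ErrorAction Stop | Out-Null
    $mounted = $true

    # Show the default AD: drive next to the new one.
    Get-PSDrive -PSProvider ActiveDirectory | Select-Object Name, Root

    # Equivalent of "cd CORP:" followed by "dir".
    Push-Location "${driveName}:"
    Get-ChildItem | Select-Object Name, ObjectClass, DistinguishedName
}
finally {
    if ($mounted) {
        # Leave the drive before removing it, then drop the mapping.
        Pop-Location
        Remove-PSDrive -Name $driveName
    }
}
```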

Active Directory module cmdlets

You can use the Active Directory module cmdlets to perform various administrative, configuration, and diagnostic tasks in your AD DS and AD LDS environments. You can use the cmdlets to manage existing Active Directory user and computer accounts, groups, organizational units (OUs), domains and forests, domain controllers, and password policies, or create new ones. Additionally, you can manage Active Directory replication and topology, as well as configure features such as claims-based access control, cross-forest claims transformation, and authentication silos.

Note
To list all the cmdlets that are available in the Active Directory module, use the Get-Command *-AD* cmdlet.

For more information about—or for the syntax for—any of the Active Directory module cmdlets, use the Get-Help <cmdlet name> cmdlet, where <cmdlet name> is the name of the cmdlet that you want to research. For more detailed information, you can run any of the following cmdlets:

  • Get-Help <cmdlet name> -Detailed

  • Get-Help <cmdlet name> -Full

  • Get-Help <cmdlet name> -Examples
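
As an added example (not part of the original topic), the following script builds on the Get-Command listing to group the module's cmdlets by verb and flag which groups can change directory state, which is a useful starting point when you review what a delegated administrator or a script is allowed to run. Treating only Get, Search, and Test as read-only is an assumption made for this example.

```powershell
# Added example. The read-only verb list is an assumption of this example.
Import-Module ActiveDirectory

$readOnlyVerbs = 'Get', 'Search', 'Test'

$inventory = Get-Command -Module ActiveDirectory -CommandType Cmdlet |
    Group-Object -Property Verb |
    Sort-Object -Property Name |
    ForEach-Object {
        [pscustomobject]@{
            Verb     = $_.Name
            Count    = $_.Count
            # Anything outside the read-only list is flagged for review.
            Category = if ($readOnlyVerbs -contains $_.Name) { 'Read-only' } else { 'Changes state' }
            Cmdlets  = ($_.Group | Sort-Object Name | ForEach-Object { $_.Name }) -join ', '
        }
    }

# Summary per verb.
$inventory | Format-Table Verb, Count, Category -AutoSize

# Full list of cmdlets that can modify the directory or local service-account state.
$inventory |
    Where-Object { $_.Category -eq 'Changes state' } |
    Format-List Verb, Cmdlets
```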

Active Directory cmdlets

The following table lists all the cmdlets that are available in this release of the Active Directory module.

 

Cmdlet Description

Add-ADCentralAccessPolicyMember

Adds central access rules to a central access policy in Active Directory.

Add-ADComputerServiceAccount

Adds one or more service accounts to an Active Directory computer.

Add-ADDomainControllerPasswordReplicationPolicy

Adds users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy.

Add-ADFineGrainedPasswordPolicySubject

Applies a fine-grained password policy to one or more users and groups.

Add-ADGroupMember

Adds one or more members to an Active Directory group.

Add-ADPrincipalGroupMembership

Adds a member to one or more Active Directory groups.

Add-ADResourcePropertyListMember

Adds one or more resource properties to a resource property list in Active Directory.

Clear-ADAccountExpiration

Clears the expiration date for an Active Directory account.

Clear-ADClaimTransformLink

Removes a claims transformation from being applied to one or more cross-forest trust relationships in Active Directory.

Disable-ADAccount

Disables an Active Directory account.

Disable-ADOptionalFeature

Disables an Active Directory optional feature.

Enable-ADAccount

Enables an Active Directory account.

Enable-ADOptionalFeature

Enables an Active Directory optional feature.

Get-ADAccountAuthorizationGroup

Gets the account's token group information.

Get-ADAccountResultantPasswordReplicationPolicy

Gets the resultant password replication policy for an Active Directory account.

Get-ADAuthenticationPolicy

Gets one or more Active Directory Domain Services authentication policies.

Get-ADAuthenticationPolicySilo

Gets one or more Active Directory Domain Services authentication policy silos.

Get-ADCentralAccessPolicy

Retrieves central access policies from Active Directory.

Get-ADCentralAccessRule

Retrieves central access rules from Active Directory.

Get-ADClaimTransformPolicy

Returns one or more Active Directory claim transform objects based on a specified filter.

Get-ADClaimType

Returns a claim type from Active Directory.

Get-ADComputer

Gets one or more Active Directory computers.

Get-ADComputerServiceAccount

Gets the service accounts hosted by a computer.

Get-ADDCCloningExcludedApplicationList

Returns the installed programs and services present on this domain controller that are not in the default or user defined inclusion list.

Get-ADDefaultDomainPasswordPolicy

Gets the default password policy for an Active Directory domain.

Get-ADDomain

Gets an Active Directory domain.

Get-ADDomainController

Gets one or more Active Directory domain controllers based on discoverable services criteria, search parameters or by providing a domain controller identifier, such as the NetBIOS name.

Get-ADDomainControllerPasswordReplicationPolicy

Gets the members of the allowed list or denied list of a read-only domain controller's password replication policy.

Get-ADDomainControllerPasswordReplicationPolicyUsage

Gets the Active Directory accounts that are authenticated by a read-only domain controller or that are in the revealed list of the domain controller.

Get-ADFineGrainedPasswordPolicy

Gets one or more Active Directory fine grained password policies.

Get-ADFineGrainedPasswordPolicySubject

Gets the users and groups to which a fine grained password policy is applied.

Get-ADForest

Gets an Active Directory forest.

Get-ADGroup

Gets one or more Active Directory groups.

Get-ADGroupMember

Gets the members of an Active Directory group.

Get-ADObject

Gets one or more Active Directory objects.

Get-ADOptionalFeature

Gets one or more Active Directory optional features.

Get-ADOrganizationalUnit

Gets one or more Active Directory organizational units.

Get-ADPrincipalGroupMembership

Gets the Active Directory groups that have a specified user, computer, group, or service account.

Get-ADReplicationAttributeMetadata

Returns the replication metadata for one or more Active Directory replication partners.

Get-ADReplicationConnection

Returns a specific Active Directory replication connection or a set of AD replication connection objects based on a specified filter.

Get-ADReplicationFailure

Returns a collection of data describing an Active Directory replication failure.

Get-ADReplicationPartnerMetadata

Returns the replication metadata for a set of one or more replication partners.

Get-ADReplicationQueueOperation

Returns the contents of the replication queue for a specified server.

Get-ADReplicationSite

Returns a specific Active Directory replication site or a set of replication site objects based on a specified filter.

Get-ADReplicationSiteLink

Returns a specific Active Directory site link or a set of site links based on a specified filter.

Get-ADReplicationSiteLinkBridge

Returns a specific Active Directory site link bridge or a set of site link bridge objects based on a specified filter.

Get-ADReplicationSubnet

Returns a specific Active Directory subnet or a set of AD subnets based on a specified filter.

Get-ADReplicationUpToDatenessVectorTable

Displays the highest Update Sequence Number (USN) for the specified domain controller.

Get-ADResourceProperty

Gets one or more resource properties.

Get-ADResourcePropertyList

Retrieves resource property lists from Active Directory.

Get-ADResourcePropertyValueType

Retrieves a resource property value type from Active Directory.

Get-ADRootDSE

Gets the root of a Directory Server information tree.

Get-ADServiceAccount

Gets one or more Active Directory managed service accounts or group managed service accounts.

Get-ADTrust

Returns all trusted domain objects in the directory.

Get-ADUser

Gets one or more Active Directory users.

Get-ADUserResultantPasswordPolicy

Gets the resultant password policy for a user.

Grant-ADAuthenticationPolicySiloAccess

Grants permission to join an authentication policy silo.

Install-ADServiceAccount

Installs an Active Directory managed service account on a computer or caches a group managed service account on a computer.

Move-ADDirectoryServer

Moves a directory server in Active Directory to a new site.

Move-ADDirectoryServerOperationMasterRole

Moves operation master roles to an Active Directory directory server.

Move-ADObject

Moves an Active Directory object or a container of objects to a different container or domain.

New-ADAuthenticationPolicy

Creates an Active Directory Domain Services authentication policy object.

New-ADAuthenticationPolicySilo

Creates an Active Directory Domain Services authentication policy silo object.

New-ADCentralAccessPolicy

Creates a new central access policy in Active Directory containing a set of central access rules.

New-ADCentralAccessRule

Creates a new central access policy entry in Active Directory.

New-ADClaimTransformPolicy

Creates a new claim transformation policy object in Active Directory.

New-ADClaimType

Creates a new claim type in Active Directory.

New-ADComputer

Creates a new Active Directory computer.

New-ADDCCloneConfigFile

Performs prerequisite checks for cloning a domain controller and generates a clone configuration file if all checks succeed.

New-ADFineGrainedPasswordPolicy

Creates a new Active Directory fine grained password policy.

New-ADGroup

Creates an Active Directory group.

New-ADObject

Creates an Active Directory object.

New-ADOrganizationalUnit

Creates a new Active Directory organizational unit.

New-ADReplicationSite

Creates a new Active Directory replication site in the directory.

New-ADReplicationSiteLink

Creates a new Active Directory site link for managing replication.

New-ADReplicationSiteLinkBridge

Creates a new site link bridge in Active Directory for replication.

New-ADReplicationSubnet

Creates a new Active Directory replication subnet object.

New-ADResourceProperty

Creates a new resource property in Active Directory.

New-ADResourcePropertyList

Creates a new resource property list in Active Directory.

New-ADServiceAccount

Creates a new Active Directory managed service account or group managed service account object.

New-ADUser

Creates a new Active Directory user.

Remove-ADAuthenticationPolicy

Removes an Active Directory Domain Services authentication policy object.

Remove-ADAuthenticationPolicySilo

Removes an Active Directory Domain Services authentication policy silo object.

Remove-ADCentralAccessPolicy

Removes a central access policy from Active Directory.

Remove-ADCentralAccessPolicyMember

Removes central access rules from a central access policy in Active Directory.

Remove-ADCentralAccessRule

Removes a central access policy entry from Active Directory.

Remove-ADClaimTransformPolicy

Removes a claim transformation policy object from Active Directory.

Remove-ADClaimType

Removes a claim type from Active Directory.

Remove-ADComputer

Removes an Active Directory computer.

Remove-ADComputerServiceAccount

Removes one or more service accounts from a computer.

Remove-ADDomainControllerPasswordReplicationPolicy

Removes users, computers and groups from the allowed or denied list of a read-only domain controller password replication policy.

Remove-ADFineGrainedPasswordPolicy

Removes an Active Directory fine grained password policy.

Remove-ADFineGrainedPasswordPolicySubject

Removes one or more users from a fine grained password policy.

Remove-ADGroup

Removes an Active Directory group.

Remove-ADGroupMember

Removes one or more members from an Active Directory group.

Remove-ADObject

Removes an Active Directory object.

Remove-ADOrganizationalUnit

Removes an Active Directory organizational unit.

Remove-ADPrincipalGroupMembership

Removes a member from one or more Active Directory groups.

Remove-ADReplicationSite

Deletes the specified replication site object from Active Directory.

Remove-ADReplicationSiteLink

Deletes an Active Directory site link used to manage replication.

Remove-ADReplicationSiteLinkBridge

Deletes the specified replication site link bridge from Active Directory.

Remove-ADReplicationSubnet

Deletes the specified Active Directory replication subnet object from the directory.

Remove-ADResourceProperty

Removes a resource property from Active Directory.

Remove-ADResourcePropertyList

Removes one or more resource property lists from Active Directory.

Remove-ADResourcePropertyListMember

Removes one or more resource properties from a resource property list in Active Directory.

Remove-ADUser

Removes an Active Directory user.

Rename-ADObject

Changes the name of an Active Directory object.

Reset-ADServiceAccountPassword

Resets the password for a standalone managed service account. Reset is not supported for group managed service accounts.

Restore-ADObject

Restores an Active Directory object.

Revoke-ADAuthenticationPolicySiloAccess

Revokes membership in an authentication policy silo for the specified account.

Search-ADAccount

Gets Active Directory user, computer, or service accounts.

Set-ADAccountAuthenticationPolicySilo

Modifies the authentication policy or authentication policy silo of an account.

Set-ADAccountControl

Modifies user account control (UAC) values for an Active Directory account.

Set-ADAccountExpiration

Sets the expiration date for an Active Directory account.

Set-ADAccountPassword

Modifies the password of an Active Directory account.

Set-ADAuthenticationPolicy

Modifies an Active Directory Domain Services authentication policy object.

Set-ADAuthenticationPolicySilo

Modifies an Active Directory Domain Services authentication policy silo object.

Set-ADCentralAccessPolicy

Modifies a central access policy in Active Directory.

Set-ADCentralAccessRule

Modifies a central access rule in Active Directory.

Set-ADClaimTransformLink

Applies a claims transformation to one or more cross-forest trust relationships in Active Directory.

Set-ADClaimTransformPolicy

Sets the properties of a claims transformation policy in Active Directory.

Set-ADClaimType

Modifies a claim type in Active Directory.

Set-ADComputer

Modifies an Active Directory computer object.

Set-ADDefaultDomainPasswordPolicy

Modifies the default password policy for an Active Directory domain.

Set-ADDomain

Modifies an Active Directory domain.

Set-ADDomainMode

Sets the domain mode for an Active Directory domain.

Set-ADFineGrainedPasswordPolicy

Modifies an Active Directory fine grained password policy.

Set-ADForest

Modifies an Active Directory forest.

Set-ADForestMode

Sets the forest mode for an Active Directory forest.

Set-ADGroup

Modifies an Active Directory group.

Set-ADObject

Modifies an Active Directory object.

Set-ADOrganizationalUnit

Modifies an Active Directory organizational unit.

Set-ADReplicationConnection

Sets properties on Active Directory replication connections.

Set-ADReplicationSite

Sets the replication properties for an Active Directory site.

Set-ADReplicationSiteLink

Sets the properties for an Active Directory site link.

Set-ADReplicationSiteLinkBridge

Sets the properties of a replication site link bridge in Active Directory.

Set-ADReplicationSubnet

Sets the properties of an Active Directory replication subnet object.

Set-ADResourceProperty

Modifies a resource claim type in Active Directory.

Set-ADResourcePropertyList

Modifies a resource property list in Active Directory.

Set-ADServiceAccount

Modifies an Active Directory managed service account or group managed service account object.

Set-ADUser

Modifies an Active Directory user.

Show-ADAuthenticationPolicyExpression

Displays the Edit Access Control Conditions window to update or create security descriptor definition language (SDDL) security descriptors.

Sync-ADObject

Replicates a single object between any two domain controllers that have partitions in common.

Test-ADServiceAccount

Tests a managed service account from a computer.

Uninstall-ADServiceAccount

Uninstalls an Active Directory managed service account from a computer or removes a cached group managed service account from a computer.

Unlock-ADAccount

Unlocks an Active Directory account.

More information

For more information about the Active Directory module cmdlets, see the following:

© 2014 Microsoft. All rights reserved.