AD DS Administration Cmdlets in Windows PowerShell
Updated: July 2015
Applies To: Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2
Windows PowerShell™ is a task-based command-line shell and scripting language designed especially for system administration. This reference topic for the information technology (IT) professional introduces the Windows PowerShell cmdlets that you can use to manage and administer the Active Directory® directory service and Active Directory Domain Services (AD DS).
What does the Active Directory module for Windows PowerShell do?
The Active Directory module for Windows PowerShell is a PowerShell module that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
Tip
For more information about getting started with the Active Directory Windows PowerShell module, see Active Directory Administration with Windows PowerShell.
Active Directory module provider
Administrators can use the Active Directory module provider to easily navigate and access data that is stored in Active Directory domains, AD LDS instances and configuration sets, and Active Directory Database Mounting Tool instances. The Active Directory module provider exposes the Active Directory database through a hierarchical navigation system, which is very similar to the file system. For example, while you are using the Active Directory module, you can use the following commands to navigate through your directory:
cd
dir
remove
.
..
You can use the Active Directory module provider to map Active Directory domains, AD LDS instances, and Active Directory Database Mounting Tool instances to specific provider drives. When the Active Directory module is first loaded, a default Active Directory drive (AD:) is mounted. To connect to that drive, run the cd AD: command. To connect a new provider drive to an Active Directory domain, an AD LDS server, or an Active Directory Database Mounting Tool instance, use the following cmdlet:
New-PSDrive -Name <name of the drive> -PSProvider ActiveDirectory -Root "<DN of the partition/NC>" -Server <server or domain name (NetBIOS/FQDN)[:port number]> -Credential <domain name>\<username>
Parameter | Description |
---|---|
-Name <name of the drive> | Specifies the name of the drive that is being added. |
-PSProvider ActiveDirectory | The name of the provider, in this case, ActiveDirectory. |
-Root "<DN of the partition/NC>" | Specifies the internal root or path of the provider. |
-Server <server or domain name (NetBIOS/FQDN)[:port number]> | Specifies the server that hosts your Active Directory domain or an AD LDS instance. |
-Credential <domain name>\<username> | Specifies the credentials that you must have to connect to the Active Directory domain or the AD LDS server. |
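The following added example (not part of the original reference) maps a provider drive with the parameters described above, navigates it with the file-system-style commands, and removes the drive when finished so the credentialed connection does not stay mapped in the session. The domain contoso.com, the server dc01.contoso.com, and the drive name CORP are placeholder assumptions.

```powershell
# Added example. contoso.com, dc01.contoso.com and the drive name CORP
# are placeholders; substitute values from your own environment.
Import-Module ActiveDirectory

# Prompt for the account instead of storing a password in the script.
$cred = Get-Credential -Message 'Account used to connect to the directory'

# Parameters from the table above, passed by splatting.
$drive = @{
    Name       = 'CORP'
    PSProvider = 'ActiveDirectory'
    Root       = 'DC=contoso,DC=com'      # DN of the partition/NC
    Server     = 'dc01.contoso.com'       # optionally 'host:port'
    Credential = $cred
}

try {
    New-PSDrive @drive -ErrorAction Stop | Out-Null

    # Navigate as in a file system: cd to the drive, dir its children.
    Set-Location 'CORP:'
    Get-ChildItem | Select-Object Name, ObjectClass, DistinguishedName

    # Move into a container by its relative distinguished name.
    Set-Location 'CN=Users'
    Get-ChildItem |
        Where-Object ObjectClass -eq 'user' |
        Select-Object -First 10 Name, DistinguishedName

    # '..' returns to the parent container.
    Set-Location ..
}
finally {
    # Leave the drive before removing it; a drive cannot be removed
    # while it is the current location.
    Set-Location $env:SystemDrive
    if (Get-PSDrive -Name CORP -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name CORP
    }
}
```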
Active Directory module cmdlets
You can use the Active Directory module cmdlets to perform various administrative, configuration, and diagnostic tasks in your AD DS and AD LDS environments. You can use the cmdlets to manage existing Active Directory user and computer accounts, groups, organizational units (OUs), domains and forests, domain controllers, and password policies, or create new ones. Additionally, you can manage Active Directory replication and topology, as well as configure features such as claims-based access control, cross-forest claims transformation, and authentication silos.
Note
To list all the cmdlets that are available in the Active Directory module, use the Get-Command *-AD* cmdlet.
For more information about—or for the syntax for—any of the Active Directory module cmdlets, use the Get-Help <cmdlet name> cmdlet, where <cmdlet name> is the name of the cmdlet that you want to research. For more detailed information, you can run any of the following cmdlets:
Get-Help <cmdlet name> -Detailed
Get-Help <cmdlet name> -Full
Get-Help <cmdlet name> -Examples
The following table lists all the cmdlets that are available in this release of the Active Directory module for Windows PowerShell.
Cmdlet | Description |
---|---|
Adds central access rules to a central access policy in Active Directory. |
|
Adds one or more service accounts to an Active Directory computer. |
|
Adds users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy. |
|
Applies a fine-grained password policy to one or more users and groups. |
|
Adds one or more members to an Active Directory group. |
|
Adds a member to one or more Active Directory groups. |
|
Adds one or more resource properties to a resource property list in Active Directory. |
|
Clears the expiration date for an Active Directory account. |
|
Removes a claims transformation from being applied to one or more cross-forest trust relationships in Active Directory. |
|
Disables an Active Directory account. |
|
Disables an Active Directory optional feature. |
|
Enables an Active Directory account. |
|
Enables an Active Directory optional feature. |
|
Gets the account's token group information. |
|
Gets the resultant password replication policy for an Active Directory account. |
|
Gets one or more Active Directory Domain Services authentication policies. |
|
Gets one or more Active Directory Domain Services authentication policy silos. |
|
Retrieves central access policies from Active Directory. |
|
Retrieves central access rules from Active Directory. |
|
Returns one or more Active Directory claim transform objects based on a specified filter. |
|
Returns a claim type from Active Directory. |
|
Gets one or more Active Directory computers. |
|
Gets the service accounts hosted by a computer. |
|
Returns the installed programs and services present on this domain controller that are not in the default or user defined inclusion list. |
|
Gets the default password policy for an Active Directory domain. |
|
Gets an Active Directory domain. |
|
Gets one or more Active Directory domain controllers based on discoverable services criteria, search parameters or by providing a domain controller identifier, such as the NetBIOS name. |
|
Gets the members of the allowed list or denied list of a read-only domain controller's password replication policy. |
|
Gets the Active Directory accounts that are authenticated by a read-only domain controller or that are in the revealed list of the domain controller. |
|
Gets one or more Active Directory fine grained password policies. |
|
Gets the users and groups to which a fine grained password policy is applied. |
|
Gets an Active Directory forest. |
|
Gets one or more Active Directory groups. |
|
Gets the members of an Active Directory group. |
|
Gets one or more Active Directory objects. |
|
Gets one or more Active Directory optional features. |
|
Gets one or more Active Directory organizational units. |
|
Gets the Active Directory groups that have a specified user, computer, group, or service account. |
|
Returns the replication metadata for one or more Active Directory replication partners. |
|
Returns a specific Active Directory replication connection or a set of AD replication connection objects based on a specified filter. |
|
Returns a collection of data describing an Active Directory replication failure. |
|
Returns the replication metadata for a set of one or more replication partners. |
|
Returns the contents of the replication queue for a specified server. |
|
Returns a specific Active Directory replication site or a set of replication site objects based on a specified filter. |
|
Returns a specific Active Directory site link or a set of site links based on a specified filter. |
|
Returns a specific Active Directory site link bridge or a set of site link bridge objects based on a specified filter. |
|
Returns a specific Active Directory subnet or a set of AD subnets based on a specified filter. |
|
Displays the highest Update Sequence Number (USN) for the specified domain controller. |
|
Gets one or more resource properties. |
|
Retrieves resource property lists from Active Directory. |
|
Retrieves a resource property value type from Active Directory. |
|
Gets the root of a Directory Server information tree. |
|
Gets one or more Active Directory managed service accounts or group managed service accounts. |
|
Returns all trusted domain objects in the directory. |
|
Gets one or more Active Directory users. |
|
Gets the resultant password policy for a user. |
|
Grants permission to join an authentication policy silo. |
|
Installs an Active Directory managed service account on a computer or caches a group managed service account on a computer. |
|
Moves a directory server in Active Directory to a new site. |
|
Moves operation master roles to an Active Directory directory server. |
|
Moves an Active Directory object or a container of objects to a different container or domain. |
|
Creates an Active Directory Domain Services authentication policy object. |
|
Creates an Active Directory Domain Services authentication policy silo object. |
|
Creates a new central access policy in Active Directory containing a set of central access rules. |
|
Creates a new central access policy entry in Active Directory. |
|
Creates a new claim transformation policy object in Active Directory. |
|
Creates a new claim type in Active Directory. |
|
Creates a new Active Directory computer. |
|
Performs prerequisite checks for cloning a domain controller and generates a clone configuration file if all checks succeed. |
|
Creates a new Active Directory fine grained password policy. |
|
Creates an Active Directory group. |
|
Creates an Active Directory object. |
|
Creates a new Active Directory organizational unit. |
|
Creates a new Active Directory replication site in the directory. |
|
Creates a new Active Directory site link for managing replication. |
|
Creates a new site link bridge in Active Directory for replication. |
|
Creates a new site link bridge in Active Directory for replication. |
|
Creates a new resource property in Active Directory. |
|
Creates a new resource property list in Active Directory. |
|
Creates a new Active Directory managed service account or group managed service account object. |
|
Creates a new Active Directory user. |
|
Removes an Active Directory Domain Services authentication policy object. |
|
Removes an Active Directory Domain Services authentication policy silo object. |
|
Creates a new central access policy in Active Directory containing a set of central access rules. |
|
Removes central access rules from a central access policy in Active Directory. |
|
Removes a central access policy entry from Active Directory. |
|
Removes a claim transformation policy object from Active Directory. |
|
Removes a claim type from Active Directory. |
|
Removes an Active Directory computer. |
|
Removes one or more service accounts from a computer. |
|
Removes users, computers and groups from the allowed or denied list of a read-only domain controller password replication policy. |
|
Removes an Active Directory fine grained password policy. |
|
Removes one or more users from a fine grained password policy. |
|
Removes an Active Directory group. |
|
Removes one or more members from an Active Directory group. |
|
Removes an Active Directory object. |
|
Removes an Active Directory organizational unit. |
|
Removes a member from one or more Active Directory groups. |
|
Deletes the specified replication site object from Active Directory. |
|
Deletes an Active Directory site link used to manage replication. |
|
Deletes the specified replication site link bridge from Active Directory. |
|
Deletes the specified Active Directory replication subnet object from the directory. |
|
Removes a resource property from Active Directory. |
|
Removes one or more resource property lists from Active Directory. |
|
Removes one or more resource properties from a resource property list in Active Directory. |
|
Removes an Active Directory user. |
|
Changes the name of an Active Directory object. |
|
Resets the password for a standalone managed service account. Reset is not supported for group managed service accounts. |
|
Restores an Active Directory object. |
|
Revokes membership in an authentication policy silo for the specified account. |
|
Revokes membership in an authentication policy silo for the specified account. |
|
Modifies the authentication policy or authentication policy silo of an account. |
|
Modifies user account control (UAC) values for an Active Directory account. |
|
Sets the expiration date for an Active Directory account. |
|
Modifies the password of an Active Directory account. |
|
Modifies an Active Directory Domain Services authentication policy object. |
|
Modifies an Active Directory Domain Services authentication policy silo object. |
|
Modifies a central access policy in Active Directory. |
|
Modifies a central access rule in Active Directory. |
|
Applies a claims transformation to one or more cross-forest trust relationships in Active Directory. |
|
Sets the properties of a claims transformation policy in Active Directory. |
|
Modifies a claim type in Active Directory. |
|
Modifies an Active Directory computer object. |
|
Modifies the default password policy for an Active Directory domain. |
|
Modifies an Active Directory domain. |
|
Sets the domain mode for an Active Directory domain. |
|
Modifies an Active Directory fine grained password policy. |
|
Modifies an Active Directory forest. |
|
Sets the forest mode for an Active Directory forest. |
|
Modifies an Active Directory group. |
|
Modifies an Active Directory object. |
|
Modifies an Active Directory organizational unit. |
|
Sets properties on Active Directory replication connections. |
|
Sets the replication properties for an Active Directory site. |
|
Sets the properties for an Active Directory site link. |
|
Sets the properties of a replication site link bridge in Active Directory. |
|
Sets the properties of an Active Directory replication subnet object. |
|
Modifies a resource claim type in Active Directory. |
|
Modifies a resource property list in Active Directory. |
|
Modifies an Active Directory managed service account or group managed service account object. |
|
Modifies an Active Directory user. |
|
Displays the Edit Access Control Conditions window to update or create security descriptor definition language (SDDL) security descriptors. |
|
Replicates a single object between any two domain controllers that have partitions in common. |
|
Tests a managed service account from a computer. |
|
Uninstalls an Active Directory managed service account from a computer or removes a cached group managed service account from a computer. |
|
Unlocks an Active Directory account. |
More information
For more information about the Active Directory module cmdlets, see the following: