On a Windows server (2008 R2 or newer), run the following commands in a PowerShell console (as an Adminsitrator):<\/p>\n
Import-Module ServerManager ;\u00a0Add-WindowsFeature RSAT-AD-PowerShell<\/em><\/strong><\/p>\n Here’s my (poor) ADSI example:<\/p>\n Here’s the same thing with the AD PowerShell cmdlet:<\/p>\n Import-module ActiveDirectory<\/em> Note that with PowerShell version 3 and newer, you don’t need to run the first line since Powershell will identify the necessary module and auto load it.<\/p>\n Once you have the Active Directory PowerShell module loaded, you can do cool stuff like browse AD like a file system<\/p>\n <\/p>\n Finding Useful Commands (Cmdlets):<\/strong><\/span><\/p>\n Discover available PowerShell modules: Get-Module -ListAvailable<\/strong><\/p>\n Discover cmdlets in a PowerShell module:\u00a0Get-Command -module ActiveDirectory<\/strong><\/p>\n \u00a0PowerShell AD Module Cmdlets:<\/span><\/p>\n <\/p>\n Finding Active Directory Flexible Master Single Operation (FSMO) Roles:<\/strong><\/span><\/p>\n Active Directory Module:<\/strong><\/p>\n .NET Calls:<\/strong><\/p>\n <\/p>\n Active Directory PowerShell Module Cmdlet Examples:<\/strong><\/span><\/p>\n <\/p>\n Get-RootDSE<\/strong> gets information about the LDAP server (the Domain Controller) and displays it. There’s some interesting information in the results like what OS the DC is running.<\/p>\n <\/p>\n Get-ADForest<\/strong> provides information about the Active Directory forest the computer you run the command is in.<\/p>\n <\/p>\n Get-ADDomain<\/strong> provides information about the current domain you are in.<\/p>\n <\/p>\n Get-ADDomainController<\/strong> provides computer information specific to Domain Controllers. <\/p>\n Get-ADComputer<\/strong> provides most of what you would want to know about a computer object in AD. <\/p>\n Get-ADUser<\/strong> provides most of what you want to know about an AD user. <\/p>\n Get-ADGroup<\/strong> provides information about an AD group. Find all security groups by running: <\/p>\n Get-ADGroupMember<\/strong> enumerates and returns the group members. Use the Recursive parameter to include all members of nested groups. <\/p>\n These cmdlets are useful to identify situations that previously required purchasing a product or custom scripting.<\/p>\n The following examples find inactive (stale) computers and users – accounts that haven’t changed their passwords in the last 10 days. Note that this is a lab example. For real-world checks, change this to 60 to 90 days for computers and 180 – 365 days for users.<\/p>\n Find inactive computers.<\/strong><\/p>\n Find inactive users.<\/strong><\/p>\n <\/p>\n Enumerate Domain Trusts<\/strong><\/p>\n <\/p>\n Get AD site information.<\/strong> <\/p>\n Backup domain GPOs<\/strong> <\/p>\n Find AD Kerberos Service Accounts<\/strong><\/p>\n <\/p>\n Inventory Domain Controllers <\/p>\n Get-ADReplicationPartnerMetadata <\/strong>(Windows Server 2012 and newer)<\/p>\n <\/p>\n Get-ADReplicationPartnerFailure<\/strong> provides information on DC replication failure status.<\/p>\n <\/p>\n Get-ADReplicationUptodatenessVectorTable<\/strong> tracks replication status between Domain Controllers.<\/p>\n$UserID = \u201cJoeUser\u201d\r\n$root = [ADSI]''\r\n$searcher = new-object System.DirectoryServices.DirectorySearcher($root)\r\n$searcher.filter = \"(&(objectClass=user)(sAMAccountName= $UserID))\"\r\n$user = $searcher.findall()\r\n$user<\/pre>\n
\n$UserID = \u201cJoeUser\u201d<\/em>
\nGet-ADUser $UserID \u2013property *<\/em><\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/AD-Drive-Usage.png\")
<\/p>\n\n
(Get-Command -module ActiveDirectory).count<\/strong><\/pre>\n
\n
(Get-ADForest).SchemaMaster<\/pre>\n<\/li>\n
(Get-ADForest).DomainNamingMaster<\/pre>\n<\/li>\n
(Get-ADDomain).InfrastructureMaster<\/pre>\n<\/li>\n
(Get-ADDomain).PDCEmulator<\/pre>\n<\/li>\n
(Get-ADDomain).RIDMaster\r\n\r\n<\/pre>\n<\/li>\n<\/ul>\n
\n
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).SchemaRoleOwner<\/pre>\n<\/li>\n
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).NamingRoleOwner<\/pre>\n<\/li>\n
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).InfrastructureRoleOwner<\/pre>\n<\/li>\n
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner<\/pre>\n<\/li>\n
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).RidRoleOwner<\/pre>\n<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADRootDSE.png\")
<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADForest.png\")
<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADDomain.png\")
<\/p>\n
\nThis cmdlet makes it easy to find all DCs in a specific site or running an OS version.<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADDomainController.png\")
<\/p>\n
\nRun with “-Prop *” to show all standard properties.<\/em><\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADComputer.png\")
<\/p>\n
\nRun with “-Prop *” to show all standard properties.<\/em><\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADUser.png\")
<\/p>\n
\nGet-ADGroup -Filter {GroupCategory -eq ‘Security}<\/em><\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADGroup.png\")
<\/p>\n
\nGet-ADGroupMember ‘Administrators’ -Recursive<\/em><\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADGroupMember.png\")
<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Finding-Inactive-Computers.png\")
<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Finding-Inactive-Users.png\")
<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Enumerate-Domain-Trusts.png\")
<\/p>\n
\nNote that the Windows 2012 module includes cmdlet for sites (Get-ADReplicationSite<\/a>*).<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADSites.png\")
<\/p>\n
\nNote this requires that the Group Policy PowerShell module is installed, which is separate from the Active Directory module.<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Backup-GPOs.png\")
<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Find-AD-Kerberos-Service-Accounts.png\")
<\/p>\n
\n<\/strong>Get-ADDomainController\u2013filter * | `select hostname,IPv4Address,IsGlobalCatalog,IsReadOnly,OperatingSystem | `format-table -auto<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/DC-Inventory.png\")
<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADReplicationPartnerMetadata.png\")
<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADReplicationFailure.png\")
<\/p>\n![\"\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/08\/Get-ADReplicationUTDV.png\")
<\/p>\n