Useful AD PowerShell Commands

Having worked a lot with Active Directory over the years, I have learned to utilise AD PowerShell commands to help me analyse and assess the state of an Active Directory infrastructure quickly and easily.

I’ve seen many blog/web articles where people have shared complex scripts for gathering information from Active Directory. Most of these tasks can be achieved without complex scripts, and many can be done with single-line PowerShell commands, as we will find out below.

Count the Number of Disabled User Accounts in AD

The following command enables you to quickly count the number of disabled user accounts within Active Directory:

Get-ADUser -Filter * -Property Enabled -Server "contoso.com" | Where-Object {$_.Enabled -eq $false} | Measure-Object

Count the Number of Enabled User Accounts in AD

The following command enables you to quickly count the number of enabled user accounts within Active Directory:

Get-ADUser -Filter * -Property Enabled -Server "contoso.com" | Where-Object {$_.Enabled -eq $true} | Measure-Object

Count the Total Number of User Accounts in AD

The following command enables you to quickly count the number of user accounts within Active Directory:

Get-ADUser -Filter * -Server "contoso.com" | Measure-Object

Count the Number of Domain Admin Accounts in AD

The following command enables you to quickly count the number of Domain Admin user accounts within Active Directory:

Get-ADGroupMember -Identity "Domain Admins" -Server "contoso.com" | Measure-Object

Count the Number of ‘Active’ Domain Admin Accounts in AD

The following script enables you to count the total number of ‘Active’ Domain Admin user accounts within Active Directory:

$Days = 90
$Date = ((Get-Date).AddDays(-$Days)).Date
# -Recursive expands nested groups; keep only user objects so Get-ADUser does not fail on other member types
$Members = (Get-ADGroupMember -Identity "Domain Admins" -Recursive -Server "contoso.com" | Where-Object objectClass -eq "user").DistinguishedName
$i = 0
ForEach ($Member in $Members)
{
    # 'Active' means the account has logged on within the last $Days days (on or after $Date)
    $Active = Get-ADUser -Identity $Member -Property LastLogonDate -Server "contoso.com" | Where-Object LastLogonDate -ge $Date
    If ($Active)
    {
        $i = $i + 1
    }
}
Write-Host "Number of Active Admins: $i"

Count the Number of ‘Active’ User Accounts in AD

Again, the following script, with some slight modifications, enables you to count the number of ‘Active’ user accounts within Active Directory:

$Age = 90
$When = ((Get-Date).AddDays(-$Age)).Date
# Start from enabled accounts only
$Members = (Get-ADUser -Filter * -Property Enabled -Server "contoso.com" | Where-Object {$_.Enabled -eq $true}).DistinguishedName
$i = 0
ForEach ($Member in $Members)
{
    # 'Active' means the account has logged on within the last $Age days (on or after $When)
    $Active = Get-ADUser -Identity $Member -Property LastLogonDate -Server "contoso.com" | Where-Object LastLogonDate -ge $When
    If ($Active)
    {
        $i = $i + 1
    }
}
Write-Host "Number of Active Users: $i"

Count the Number of Security Groups in AD

The following command enables you to quickly count the number of security groups within Active Directory:

Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Server "contoso.com" | Measure-Object

Count the Number of Organisational Units (OUs) in AD

The following command enables you to quickly count the number of Organisational Units (OUs) within Active Directory.

Get-ADOrganizationalUnit -Filter * -Server "contoso.com" | Measure-Object

Count the Number of GPOs in AD

The following command enables you to quickly count the number of Group Policy Objects (GPOs) within Active Directory.

Get-GPO -All -Domain "contoso.com" | Measure-Object

Get Active Directory Forest Configuration

The following command gives you a quick overview of the Active Directory Forest configuration.

Get-ADForest -Server "contoso.com"

Get Active Directory Domain Configuration

The following command gives you a quick overview of the Active Directory Domain configuration.

Get-ADDomain -Server "contoso.com"
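
The user and Domain Admin counts above can also be gathered from a single user query rather than one lookup per account. The following is an added example, not part of the original article; the contoso.com domain and the 90-day threshold are carried over from the commands above, and the variable names are illustrative assumptions.

```powershell
# Added example: one-pass inventory of the user and Domain Admin counts discussed above.
# Assumed values: $Server and $StaleDays (carried over from the article's commands).
Import-Module ActiveDirectory

$Server    = "contoso.com"
$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays).Date

# Single user query. Enabled is returned by default; LastLogonDate must be requested.
# LastLogonDate comes from lastLogonTimestamp, which replicates with a lag of up to
# about 14 days by default, so treat the active/stale split as approximate.
$Users = @(Get-ADUser -Filter * -Properties LastLogonDate -Server $Server)

# A null LastLogonDate means the account has never logged on; count it as stale.
$IsStale = { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }

$Enabled = @($Users | Where-Object { $_.Enabled })
$Stale   = @($Enabled | Where-Object $IsStale)

# Index by distinguished name so group members resolve without one query per account.
$ByDn = @{}
foreach ($User in $Users) { $ByDn[$User.DistinguishedName] = $User }

# -Recursive expands nested groups; keep enabled user objects only.
$Admins = @(Get-ADGroupMember -Identity "Domain Admins" -Recursive -Server $Server |
    Where-Object { $_.objectClass -eq "user" } |
    ForEach-Object { $ByDn[$_.DistinguishedName] } |
    Where-Object { $_ -and $_.Enabled })
$StaleAdmins = @($Admins | Where-Object $IsStale)

[PSCustomObject]@{
    TotalUsers          = $Users.Count
    EnabledUsers        = $Enabled.Count
    DisabledUsers       = $Users.Count - $Enabled.Count
    ActiveUsers         = $Enabled.Count - $Stale.Count
    StaleEnabledUsers   = $Stale.Count
    EnabledDomainAdmins = $Admins.Count
    ActiveDomainAdmins  = $Admins.Count - $StaleAdmins.Count
    StaleDomainAdmins   = $StaleAdmins.Count
} | Format-List

# Enabled Domain Admins with no recent logon are the accounts to review first.
$StaleAdmins | Sort-Object LastLogonDate |
    Select-Object SamAccountName, UserPrincipalName, LastLogonDate
```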
