Query (read-only) tools for Active Directory. Intended for use on workstations where rights to install the AD RSAT PowerShell module are not provided. Only provides basic viewing of properties of AD user and group objects. Use the RSAT PowerShell module in preference to this module if available.
Most functions assume the user has rights to read the relevant account properties. This may not be the case if 'Authenticated Users' has been removed from the 'Builtin\Pre-Windows 2000 Compatible Access' security group. In this case you may need to use an account with greater rights.
- Find-ADGroup
- Get-ADGroupMembers
- Get-ADObjectGroupMembership
- Get-ADUserDetails
- Get-ADUserLastLogon
- Get-ADUserLockoutStatus
- Get-ADSites
- Convert-ADTimestamp
Searches for all groups matching a name. Exact match unless a wildcard modifier '*' is included in the string.
Find-ADGroup [-Name] <String> [<CommonParameters>]
-Name <string>: The name of the group
Find-ADGroup -Name "VPN Users"
Display the members of an Active Directory group.
Get-ADGroupMembers [-Name] <String> [<CommonParameters>]
-Name <string>: The name of the group
Get-ADGroupMembers -Name "VPN Users"
Display the group membership for an AD object. Defaults to user objects, unless the -ObjectType parameter is used to query Computer, Contact, or Group objects. Exact match unless a wildcard modifier '*' is included in the string.
Get-ADObjectGroupMembership [-Identity] <String> [[-ObjectType] <String>] [<CommonParameters>]
-Identity <string>: The user identity (samAccountName) to search for.
Get-ADObjectGroupMembership -Identity Rob
Get-ADObjectGroupMembership -Identity Server1 -ObjectType Computer
Display the common properties for an AD user account. Exact match for each search parameter unless a wildcard modifier '*' is included in the string.
Get-ADUserDetails [-Identity] <String> [-AllProperties] [<CommonParameters>]
Get-ADUserDetails [[-Surname] <String>] [[-Firstname] <String>] [-AllProperties] [<CommonParameters>]
Get-ADUserDetails [-Displayname] <String> [-AllProperties] [<CommonParameters>]
Get-ADUserDetails [-EmailAddress] <String> [-AllProperties] [<CommonParameters>]
-Identity <string>: The user identity (samAccountName) to search for.
-Surname <string>: The user surname to search for.
-Firstname <string>: The user firstname to search for.
-Displayname <string>: The user Displayname to search for.
-EmailAddress <string>: The user's primary email address to search for.
-AllProperties: Switch to include all AD user attributes.
# Find user with Logon Id matching 'Rob' exactly.
Get-ADUserDetails -Identity rob
# Find all users with Logon Id matching 'Rob', display all AD properties
Get-ADUserDetails -Identity rob -AllProperties
# Find all users with surname of 'Holme' and firstname beginning with 'R'
Get-ADUserDetails -Surname Holme -Firstname R*
# Find all users with surname starting with 'Ho'
Get-ADUserDetails -Surname Ho*
# Find all users with a displayname starting with "SQL Service"
Get-ADUserDetails -Displayname "SQL Service*"
# Find the user with a primary email address of '[email protected]'
Get-ADUserDetails -EmailAddress [email protected]
Query all domain controllers and return the most recent logon date/time. Exact match on Identity parameter unless a wildcard modifier '*' is included in the string.
Get-ADUserLastLogon [-Identity] <String> [-ShowAllDomainControllers] [-SiteName <String>] [-Timeout <Int32>] [<CommonParameters>]
-Identity <string>: The user identity (samAccountName) to search for.
-ShowAllDomainControllers: List the logon times reported by each Domain Controller for a user.
-SiteName <string>: Only query Domain Controllers from this nominated site.
-Timeout <int>: Timeout in seconds if a Domain Controller does not respond (between 1 and 20 seconds). Defaults to 3 seconds.
# Get last logon time for user 'rob' for all domain controllers in the current domain
Get-ADUserLastLogon -Identity rob
# Get last logon time for user 'rob' for domain controllers in the default-first-site-name only
Get-ADUserLastLogon -Identity rob -SiteName default-first-site-name
Return details of all sites in the current forest.
Get-ADSites [-CurrentSite] [<CommonParameters>]
-CurrentSite: Switch to display the current site only.
# Get all sites in the current forest
Get-ADSites
# Get the current site the workstation belongs to
Get-ADSites -CurrentSite
Query all domain controllers and return the lockout status for each account. Exact match on Identity parameter unless a wildcard modifier '*' is included in the string.
Get-ADUserLockoutStatus [-Identity] <String> [-Timeout <Int32>] [<CommonParameters>]
-Identity <string>: The user identity (samAccountName) to search for.
-Timeout <int>: Timeout in seconds if a Domain Controller does not respond (between 1 and 20 seconds). Defaults to 3 seconds.
# Get last lockout status for user 'rob' for all domain controllers in the current domain
PS> Get-ADUserLockoutStatus -Identity rob
LogonID DisplayName LockoutStatus LockoutTime BadPwdCount LastBadPassword       DomainController Site
------- ----------- ------------- ----------- ----------- ---------------       ---------------- ----
Rob     Rob         Unlocked      N/A         0           12/01/2021 6:38:26 AM WS001DC          Default-First-Site-Name
Rob     Rob         Unlocked      N/A         0           8/01/2021 12:58:12 PM WS002DC          Default-First-Site-Name
Converts an integer timestamp (e.g. from LDIFDE or some AD cmdlets) to a date/time value.
Convert-ADTimestamp [-Value] <String> [<CommonParameters>]
PS> Convert-ADTimestamp -Value 132306069444066678
Monday, 6 April 2020 8:35:44 AM
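
The conversion behind Convert-ADTimestamp and the "most recent across all domain controllers" step of Get-ADUserLastLogon, as an added example that is not this module's own code. The function name ConvertFrom-ADFileTime, the third controller WS003DC and the per-controller values are constructed for illustration; only 132306069444066678 comes from the example above.

```powershell
# Added example: hypothetical helper, not the module's Convert-ADTimestamp.
function ConvertFrom-ADFileTime {
    param([Parameter(Mandatory)][string]$Value)

    [int64]$ticks = 0
    if (-not [int64]::TryParse($Value, [ref]$ticks)) {
        throw "Not an integer timestamp: $Value"
    }
    # 0 and 0x7FFFFFFFFFFFFFFF are AD sentinels for "never" / "not set"
    # (e.g. lastLogon = 0, accountExpires = 9223372036854775807).
    # FromFileTimeUtc would throw on the latter, so handle both up front.
    if ($ticks -le 0 -or $ticks -eq [int64]::MaxValue) { return $null }

    # AD stores 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
    return [DateTime]::FromFileTimeUtc($ticks)
}

# Constructed sample: the lastLogon attribute as each domain controller
# reports it. lastLogon is not replicated between domain controllers,
# which is why every controller has to be asked.
$perDc = @(
    [pscustomobject]@{ DomainController = 'WS001DC'; lastLogon = '132306069444066678' }
    [pscustomobject]@{ DomainController = 'WS002DC'; lastLogon = '132305000000000000' }
    [pscustomobject]@{ DomainController = 'WS003DC'; lastLogon = '0' }
)

$resolved = foreach ($row in $perDc) {
    [pscustomobject]@{
        DomainController = $row.DomainController
        LastLogonUtc     = ConvertFrom-ADFileTime -Value $row.lastLogon
    }
}

# Most recent logon across all controllers; controllers that never
# authenticated the user (null) are skipped rather than sorted as "oldest".
$latest = $resolved |
    Where-Object { $null -ne $_.LastLogonUtc } |
    Sort-Object LastLogonUtc -Descending |
    Select-Object -First 1

$resolved | Format-Table -AutoSize
"Most recent: {0:u} on {1}" -f $latest.LastLogonUtc, $latest.DomainController
```

The helper returns UTC; call `.ToLocalTime()` on the result to get a workstation-local value like the one Convert-ADTimestamp prints above.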