Uzair Ansari

10 Powershell commands every Active Directory Administrator should know

Updated: Nov 5, 2021

The Active Directory module for Windows PowerShell consists of a group of commands that you can use to manage your Active Directory environment. Everything from creating users, computers and Organizational Units to automating tasks such as promoting a domain controller can be done using this module. In this post we are going to look at some PowerShell commands that are not really about managing Active Directory; instead they help us retrieve details about our Active Directory environment. The information fetched with these commands is useful for reporting or for collecting AD data that can feed some automation.


You need to have the RSAT package installed on your management desktop to get the Active Directory module. It can be downloaded from here.


1) The very first thing we will do is get the Active Directory forest details. We will use the Get-ADForest command to achieve this.




Here you will find useful details about the AD forest, such as the forest functional level in the ForestMode property. You can then see which domain controller holds the schema master role in the SchemaMaster property. The application partitions of the forest can be found in the ApplicationPartitions property.


In the next command, you can see I have accessed the Sites property, which lists all the Active Directory sites. You can use the (Get-ADForest).Sites command to list all the Active Directory sites. Next, I have accessed the Domains property. (Get-ADForest).Domains will list the parent domain and all the child domains that this forest has.



2) Next is the Get-ADDomain command. You can get domain-specific details using this command. The properties listed below provide a lot of information about the domain.


You can get the domain functional level using the DomainMode property. You can fetch the domain-wide FSMO role holders, i.e., infrastructure master, PDC emulator and RID master, using the InfrastructureMaster, PDCEmulator and RIDMaster properties respectively.



3) You can directly run Get-ADForest and Get-ADDomain and select the FSMO role properties to view the forest-wide and domain-wide FSMO roles.




4) The next useful command in the Active Directory module is Get-ADDefaultDomainPasswordPolicy, which fetches the default domain password policy. This lists password settings such as lockout duration, maximum password age, minimum password length, password history, etc.



5) The Get-ADRootDSE command returns various details about the directory server. Details of functional levels, naming contexts and the highest committed USN can be fetched using this command.




6) The next important thing an Active Directory administrator should be aware of is the number of domain controllers present in the AD environment. Get-ADDomainController -Filter * will list all the domain controllers present in the domain. The result contains a lot of useful information about each domain controller, such as the DN, domain, invocation ID, object GUID, the operating system running on it, the OS version, the AD site where the domain controller is logically placed, and many other settings.



7) Next, you can get Active Directory site details by running the Get-ADReplicationSite command. Here, in this example, you can see all the sites, whether they were created by the ISTG or created manually.


8) You can get details of the AD site links that connect different AD sites by running the Get-ADReplicationSiteLink command. This lists site link details such as the site link name, site link cost, replication frequency, etc.


9) The most important task for Active Directory administrators is to keep AD replication healthy. It's good to have a clear view of the replication topology of your AD environment. With Get-ADReplicationConnection you can get the list of connections that exist between domain controllers. Here, you can see the two AD connections that exist. The command also displays the source and destination domain controllers using the ReplicateFromDirectoryServer and ReplicateToDirectoryServer properties.


10) Lastly, you need a way to find out about Active Directory replication failures. You can use the Get-ADReplicationFailure command to view failed AD replication for a specific DC. Here we can see replication failure information such as the total failure count for the DC, the replication partner with which the failure occurred, and the last error.
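As an added example (not code from the original post), here is a function that pulls the forest, domain, FSMO, password-policy, domain-controller and replication-failure details covered in items 1 to 10 into a single report object that can be saved or compared over time. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the password-policy thresholds are illustrative assumptions, not values from the post.

```powershell
# Added example: one report object built from the cmdlets discussed above.
# Assumes RSAT ActiveDirectory module; thresholds below are illustrative.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ADQuickReport {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength = 14,   # assumed baseline, adjust to your policy
        [int]$MaxPasswordAgeDays = 90   # assumed baseline, adjust to your policy
    )

    $forest = Get-ADForest
    $domain = Get-ADDomain
    $policy = Get-ADDefaultDomainPasswordPolicy
    $dcs    = Get-ADDomainController -Filter *

    # Forest-wide and domain-wide FSMO role holders (items 1 to 3)
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # Default domain password policy settings weaker than the baseline (item 4)
    $findings = @()
    if ($policy.MinPasswordLength -lt $MinPasswordLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength)"
    }
    if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or
        $policy.MaxPasswordAge.Days -gt $MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $($policy.MaxPasswordAge)"
    }
    if (-not $policy.ComplexityEnabled) { $findings += "ComplexityEnabled is false" }

    # Replication failures per DC (item 10); an unreachable DC is recorded, not fatal
    $replFailures = foreach ($dc in $dcs) {
        try {
            Get-ADReplicationFailure -Target $dc.HostName -ErrorAction Stop |
                Select-Object Server, Partner, FailureCount, LastError, FirstFailureTime
        } catch {
            [pscustomobject]@{ Server = $dc.HostName; Partner = $null
                               FailureCount = $null; LastError = $_.Exception.Message
                               FirstFailureTime = $null }
        }
    }

    [pscustomobject]@{
        ForestMode             = $forest.ForestMode
        DomainMode             = $domain.DomainMode
        Sites                  = $forest.Sites
        FsmoRoles              = $fsmo
        DomainControllers      = $dcs | Select-Object HostName, Site, OperatingSystem, IPv4Address
        PasswordPolicyFindings = $findings
        ReplicationFailures    = $replFailures
    }
}

Get-ADQuickReport | Format-List
```

Pipe the result to Export-Clixml to keep a dated snapshot, so that changes in FSMO holders, DC count or password policy show up when two snapshots are compared.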



Do share commands that you feel should be posted on this blog in the comments section.


If you liked this post, remember to like it and subscribe to my blog to get notified whenever there's a new blog post. Thank you!
