Using cmdlets is easier than you think
Managing Active Directory (AD) with Windows PowerShell is easier than you think -- and I want to prove it to you. Many IT pros think that they must become scripting experts whenever anyone mentions PowerShell. That couldn't be further from the truth. PowerShell is a management engine that you can work with in an interactive management console. It just so happens that you can take those interactive commands and throw them into a script to save typing, but you don't need to script to use PowerShell. You can handle the most common AD management tasks without writing a single script.
Learn more from "Searching and Managing Active Directory Groups with PowerShell" and "Managing AD in Bulk Using PowerShell."
To use PowerShell to manage AD, you need to meet a few requirements. I'm going to demonstrate how to use the AD cmdlets from a Windows 7 desktop. (You can also use the free AD cmdlets from Quest Software, in which case the syntax will vary slightly.)
To use the Microsoft cmdlets, you must have a Windows Server 2008 R2 domain controller (DC), or you can download and install the Active Directory Management Gateway Service on legacy DCs. Be sure to read the installation notes carefully; installation requires a DC reboot.
On the client side, download and install Remote Server Administration Tools (RSAT) for either Windows 7 or Windows 8. In Windows 7, you'll need to open Programs in Control Panel and select Turn Windows Features On or Off. Scroll down to Remote Server Administration Tools and expand Role Administration Tools. Select the appropriate check boxes under AD DS and AD LDS Tools, especially the check box for the Active Directory Module for Windows PowerShell, as shown in Figure 1. (In , all tools are selected by default.) Now we're ready to roll.
For the sake of simplicity, I've logged on with an account that has domain admin rights. Many of the cmdlets that I'll show allow you to specify alternative credentials. In any case, I recommend reading full cmdlet Help and examples for everything I'm going to show you.
Open a PowerShell session and import the module:
PS C:\> Import-Module ActiveDirectory
The import also creates a new PSDrive, but we won't be using it. However, you might want to see which commands are in the module:
PS C:\> get-command -module ActiveDirectory
The beauty of these commands is that if I can use a command for one AD object, I can use it for 10 or 100 or 1,000. Let's put some of these cmdlets to work.
Task 1: Reset a User Password
Let's start with a typical IT pro task: resetting a user's password. We can easily accomplish this by using the Set-ADAccountPassword cmdlet. The tricky part is that the new password must be specified as a secure string: a piece of text that's encrypted and stored in memory for the duration of your PowerShell session. So first, we'll create a variable with the new password:
PS C:\> $new=Read-Host "Enter the new password" -AsSecureString
Next, we'll enter the new password: