Last month, in “Doubling Up Active Directory PowerShell Cmdlets,” I showed you how to start building useful PowerShell tools, such as the familiar one-liner that lets you find everyone who hasn't logged on in a certain number of days and disable their accounts. As I've said before, such one-liners use the "filter/hammer" approach, whereby you use one command ( search-adaccount) to filter out the users you want (people who haven’t logged on in so many days) and then perform some kind of task, which in this case was the disable-adaccount cmdlet. It took a fair amount of time to learn those first few PowerShell cmdlets, but much of that time was taken up by learning PowerShell itself, so we should be able to move along more quickly now.
Last time, I introduced you to disable-adaccount, a cmdlet that generally requires only one parameter: the name of the account to disable. (There are other parameters, but you generally won't need to know them for a while, if ever.) It's the same story for a bunch of other tools, including a few that will be pretty self-explanatory:
- Enable-adaccount—This command enables a disabled account.
- Unlock-adaccount—This command unlocks a locked account. (See, I told you PowerShell would get more intuitive with practice.)
- Clear-ADAccountExpiration—It's possible to put a characteristic on an Active Directory (AD) account that instructs it to expire on a certain date. This command clears that characteristic.
In case you're wondering, there’s no lock-account command. As before, you can use any of these commands in a one-off fashion, as in the following examples:
Of course, there's nothing wrong with using these "hammer" cmdlets on their own, but they become more interesting when they’re mated with a filter. For example, suppose some local glitch locked a bunch of accounts in the Librarians OU in bigfirm.com. You can unlock them all with
Or perhaps you’ve learned that some miscreant has set a bunch of account passwords to "never expire,” and until you get to the bottom of the matter you'd like to disable those accounts:
However, before you execute this command, you might want to pause and consider this column’s key phrase: "power tool." As with real power tools (e.g., band saws, nail guns), Windows power tools can do great good with little effort, but when you apply them inattentively, they can cause quite a bit of regret. Wording that one-liner differently, as in
would turn "just another day at the office" into a scene of weeping, rending of garments, and gnashing of teeth. So please heed my advice: Test your filters before attaching the hammers. More specifically, in our example, use caution and first type
without disable-adaccount. You might see that there are plenty of innocent accounts whose passwords never expire, and that what you really want is
For this reason, I make a habit of running just the "filter" command first. If the results are huge, I can manage them by piping the output of that into | out-gridview, PowerShell's nice "data grid" control that presents output in a spreadsheet-like manner.
Another way to add safety to a home-grown PowerShell power tool is to add -confirm. Pretty much every "hammer"-type command I've come across offers this parameter, so although get-aduser wouldn't have it, unlock-adaccount would. In the example above, the careful IT pro might choose to exercise a little caution the first time by adding these training wheels, as in
I said that - identity is the parameter you'll most usually employ, but the four "hammers" I’ve talked about share a few other parameters that you might need now and then. My examples have assumed that I'm logged on to PowerShell as a domain administrator, already possessing the power to shift the fates of a domain's denizens, but you can certainly imagine situations in which that might not be the case. In those situations, you’d just add the parameter - credential ( get-credential), which causes PowerShell to pop up a logon dialog box. I’ll show you more uses of get-credential as I dive deeper into AD administration. See you next time!