quest active directory powershell

Using Quest Active Directory Cmdlets for PowerShell


Almost 10 years ago Quest Software released a free set of cmdlets to simplify interaction with Active Directory. This set of cmdlets provides quite flexible options for administering Active Directory, managing AD objects, AD ACLs, password settings, and security.

Up to version 1.5.1 Quest Active Directory cmdlets were provided for free. Later, Dell acquired the Quest company and began selling licenses for the later versions. Later, the product was renamed to Active Roles and you can download it here: https://www.oneidentity.com/products/active-roles/. However, the majority of administrators know this PowerShell module as Quest Active Directory Cmdlets for Powershell.

Despite the fact that you can’t download the Active Roles module from the official website for free, it’s easy to find an archive with the old free version of QAD cmdlets (1.5.1) on the Internet – Quest_ActiveRolesManagementShellforActiveDirectoryx64_151.msi.

In this article we’ll take a look at the installation and usage of the Quest Active Directory module Cmdlets for Powershell to administer the AD domain.

To install this PoSh module on your computer, you must have .Net Framework 3.5 installed. Installing the module is quite simple – run the MSI file and follow the instructions of the installer.

quest active directory

After the installation is completed, you need to import the module into the PoSh session with the command:

Add-PSSnapin Quest.ActiveRoles.ADManagement

You can display the list of available cmdlets for the Quest module with the command:

get-command *qad*

quest ad powershell

An example of cmdlets from a module:

  • Get-QADUser
  • Set-QADUser
  • New-QADUser
  • New-QADGroup
  • Add-QADGroupMember
  • Remove-QADGroupMember
  • Connect-QADService
  • Disconnect-QADService
READ ALSO  Configure MMC Snap-ins on Fresh Windows 7 Install

First of all, let’s connect to the domain controller:

$pwd = read-host "Enter domain user password" -AsSecureString

Connect-QADService -service 'dc01.theitbros.com:389' -ConnectionAccount 'theitbros\user1' -ConnectionPassword $pwd

List the users and computers accounts in the domain:

Get-QADUser

Get-QADComputer

quest ad

You can get the information about a certain user and AD parameter. Format-List is required to display all the received properties:

Get-QADUser -Name JKelly -IncludeAllProperties | Format-List *

Let’s check if the user account is disabled:

(Get-QADUSer -Name "JKelly").AccountIsDisabled

You can also get a list of accounts in the group and save it to a csv file:

(Get-QADGroup "Domain Admins").members | Get-MemberName | Export-Csv "C:\PS\AdminGroupMembers.csv"

For example, create a new user account:

New-QADUser -name 'TJones' -ParentContainer 'OU=Users,OU=USA,DC=theitbros,DC=com' -UserPassword ‘P@ssw0rd!!’

Now let’s list the users who have not registered in the domain within 2 months and save the list to the HTML file:

$2months = (Get-Date).AddMonths(-2)
Get-QADUser -IncludedProperties LastLogon | where { $_.lastLogon -le
$2months} | Select DisplayName, LastLogon, AccountIsDisabled | ?{-not
$_.AccountIsDisabled} | ConvertTo-Html | Out-File c:\ps\inactiveusers.html

Accordingly, to disable, enable or unlock you can use: Disable-QADUser, Enable-QADUser and Unlock-QADUser. Cmdlets starting with Set are used to set and change parameters, they are often used in scripts.

Get-QADUser -Department Sales | Set-QADUser -ObjectAttributes @{"Department"="New Sales";"Description"="Sales dept"}

Disable all accounts that were not registered within 2 months:

Get-QADUser -IncludedProperties LastLogon | where { $_.lastLogon -le $2months} | where {-not $_.AccountIsDisabled} | Disable-QADUser

Of course, in Quest AD there is a big drawback: this module is not a part of the OS and is not supported by Microsoft, for its operation it is necessary to install the appropriate provider. These cmdlets were released by Quest before Microsoft had its own module for interacting with the AD – ActiveDirectory module for Windows PowerShell, which was introduced in Windows Server 2008 R2/Windows 7. Most of the functionality available in Quest AD cmdlets is now also available in the Active Directory module for Windows, so Quest AD cmdlets are used less and less.

READ ALSO  FSMO Role: RID Master

You may also like:

Installing Active Directory Snap-in on Windows 10 One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). To work with ADUC snap-in in ...
FSMO Role: Infrastructure Master We continue the series of articles about FSMO roles in the Active Directory domain. This time, we will take a closer look at the FSMO role — Infrastru...
How to hide specific OU in Active Directory The first thing you see while opening Active Directory Users and Computers (ADUC) snap-in is AD containers (Organization Unit, OU), in which user acco...
Change Default OU permissions in Active Directory By default, each newly created organizational unit (OU) in the access list includes read permission for the group Authenticated Users (built-in group)...
Join Domain and Login over a VPN Connection This is a short tutorial on how to join a computer to a domain over a VPN connection. This was very useful for us this weekend. We had to reformat a c...

Add Your Comment