
Using Quest Active Directory Cmdlets for PowerShell

Almost 10 years ago Quest Software released a free set of cmdlets to simplify interaction with Active Directory. This set of cmdlets provides quite flexible options for administering Active Directory, managing AD objects, AD ACLs, password settings, and security.

Up to version 1.5.1, the Quest Active Directory cmdlets were provided for free. Dell then acquired Quest and began selling licenses for the later versions. The product was subsequently renamed Active Roles, and you can download it here: However, the majority of administrators know this PowerShell module as Quest Active Directory Cmdlets for PowerShell.

Despite the fact that you can’t download the Active Roles module from the official website for free, it’s easy to find an archive with the old free version of QAD cmdlets (1.5.1) on the Internet – Quest_ActiveRolesManagementShellforActiveDirectoryx64_151.msi.

In this article we’ll take a look at installing and using the Quest Active Directory Cmdlets for PowerShell module to administer an AD domain.

To install this PoSh module on your computer, you must have .NET Framework 3.5 installed. Installing the module is quite simple: run the MSI file and follow the instructions of the installer.


After the installation is completed, you need to import the module into the PoSh session with the command:

Add-PSSnapin Quest.ActiveRoles.ADManagement

You can display the list of available cmdlets for the Quest module with the command:

get-command *qad*

Some of the cmdlets in the module:

  • Get-QADUser
  • Set-QADUser
  • New-QADUser
  • New-QADGroup
  • Add-QADGroupMember
  • Remove-QADGroupMember
  • Connect-QADService
  • Disconnect-QADService

First of all, let’s connect to the domain controller:

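# $pwd is a built-in automatic variable (the current location), so the password goes in a different variable
$connPassword = Read-Host "Enter domain user password" -AsSecureString

Connect-QADService -service '' -ConnectionAccount 'theitbros\user1' -ConnectionPassword $connPassword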

List the user and computer accounts in the domain:




You can get information about a specific user and its AD attributes. Format-List is required to display all the returned properties:

Get-QADUser -Name JKelly -IncludeAllProperties | Format-List *

Let’s check if the user account is disabled:

(Get-QADUser -Name "JKelly").AccountIsDisabled

You can also get a list of accounts in the group and save it to a csv file:

(Get-QADGroup "Domain Admins").members | Get-MemberName | Export-Csv "C:\PS\AdminGroupMembers.csv"

For example, create a new user account:

New-QADUser -name 'TJones' -ParentContainer 'OU=Users,OU=USA,DC=theitbros,DC=com' -UserPassword 'P@ssw0rd!!'

Now let’s list the users who have not logged on to the domain within the last 2 months and save the list to an HTML file:

$2months = (Get-Date).AddMonths(-2)
Get-QADUser -IncludedProperties LastLogon | where { $_.lastLogon -le $2months } |
    Select DisplayName, LastLogon, AccountIsDisabled | ?{ -not $_.AccountIsDisabled } |
    ConvertTo-Html | Out-File c:\ps\inactiveusers.html

Accordingly, to disable, enable or unlock an account you can use Disable-QADUser, Enable-QADUser and Unlock-QADUser. Cmdlets starting with Set are used to set and change parameters and are often used in scripts.

Get-QADUser -Department Sales | Set-QADUser -ObjectAttributes @{"Department"="New Sales";"Description"="Sales dept"}

Disable all accounts that have not logged on within the last 2 months:

Get-QADUser -IncludedProperties LastLogon | where { $_.lastLogon -le $2months} | where {-not $_.AccountIsDisabled} | Disable-QADUser
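The one-liner above acts on every account the filter matches, including accounts whose LastLogon is empty, and the lastLogon attribute is stored per domain controller and is not replicated, so the result depends on the DC you are connected to. The following is an added example, not part of the original article: a review step that classifies accounts instead of disabling them straight away. The function name Get-StaleAccountReport, the sample objects and the output path are assumptions made for illustration; the function only relies on the DisplayName, LastLogon and AccountIsDisabled properties used above.

```powershell
# Added example: classify accounts for review before anything is disabled.
function Get-StaleAccountReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject] $User,
        [datetime] $Cutoff = (Get-Date).AddMonths(-2)
    )
    process {
        $status = if ($User.AccountIsDisabled) {
            'AlreadyDisabled'
        } elseif ($null -eq $User.LastLogon) {
            # "$null -le <date>" evaluates to $true in PowerShell, so a plain
            # "-le $2months" filter also matches accounts with no recorded logon
            # (new accounts, accounts that only authenticate against another DC).
            'NoLogonRecorded'
        } elseif ($User.LastLogon -le $Cutoff) {
            'Stale'
        } else {
            'Active'
        }
        [pscustomobject]@{
            DisplayName = $User.DisplayName
            LastLogon   = $User.LastLogon
            Status      = $status
        }
    }
}

# Constructed sample objects standing in for Get-QADUser output.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ DisplayName = 'JKelly';     LastLogon = $now.AddDays(-3);   AccountIsDisabled = $false }
    [pscustomobject]@{ DisplayName = 'TJones';     LastLogon = $null;              AccountIsDisabled = $false }
    [pscustomobject]@{ DisplayName = 'svc-backup'; LastLogon = $now.AddMonths(-5); AccountIsDisabled = $false }
    [pscustomobject]@{ DisplayName = 'OldTemp';    LastLogon = $now.AddMonths(-9); AccountIsDisabled = $true }
)
$sample | Get-StaleAccountReport | Format-Table -AutoSize

# Against the domain, export the candidates and review them first:
# Get-QADUser -IncludedProperties LastLogon | Get-StaleAccountReport |
#     Where-Object { $_.Status -ne 'Active' } |
#     Export-Csv C:\PS\stale-review.csv -NoTypeInformation
```

Only the accounts reported as Stale are clear candidates for Disable-QADUser; the NoLogonRecorded entries need a manual check before any action is taken.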

Of course, Quest AD has a big drawback: the module is not part of the OS and is not supported by Microsoft, and the appropriate provider must be installed for it to work. Quest released these cmdlets before Microsoft had its own module for interacting with AD, the ActiveDirectory module for Windows PowerShell, which was introduced in Windows Server 2008 R2/Windows 7. Most of the functionality available in Quest AD cmdlets is now also available in the Active Directory module for Windows, so Quest AD cmdlets are used less and less.
