AD Related Cmdlets

Get all enabled users in a specific OU and use -searchscope option to prevent a recursive search
get-aduser -SearchBase “OU=Users,DC=corp,DC=local” -SearchScope OneLevel -filter * | where {$_.enabled -eq “True”} | select name | sort name

Get all members of a specific AD Group

Get Forest Functional Level

Get Domain Functional Level

List MemberOf details
GET-ADUSER -Identity username -Properties MemberOf | Select-Object MemberOf

List all domain controllers in a forest
(Get-ADForest).Domains | %{ Get-ADDomainController -Filter * -Server $_ }

Get a list of users created after a specific number of days, and sort the list by the created date

$date = [DateTime]::Today.AddDays(-365)
Get-ADUser -Filter  ‘whenCreated -ge $date’ -SearchBase “DC=domain,DC=Com” -properties * | sort -Property whenCreated | select Name, whenCreated, Canonicalname | ft -auto​

Run a GPUPDATE /FORCE to all members of a particular OU
Get-ADComputer –filter * -Searchbase “ou=Win8Client,dc=your-domain,dc=com” | foreach{ Invoke-GPUpdate –computer $ -force}

Disable Computer Objects in AD from a text list of computers:
get-content d:\textfile.txt | foreach-object {dsquery computer -name $_ | dsmod computer -disabled yes}

Get the last logon timestamp from a remote computer using WMI:
$wmi = Get-WmiObject -Class Win32_OperatingSystem -Computer “RemoteMachine”

Get the NIS Domain details for a single user:
Get-ADUser -Properties * | select SamAccountName,msSFU30NisDomain,unixHomeDirectory,loginShell,uidNumber,gidnumber,@{Label=’PrimaryGroupDN’;Expression={(Get-ADGroup -Filter {GIDNUMBER -eq $_.gidnumber}).DistinguishedName}}

Get the NIS Domain details for Groups in the your domain:
Get-ADGroup -SearchBase “dc=your-domain,dc=com” -Properties * | select SamAccountName,msSFU30NisDomain,unixHomeDirectory,loginShell,uidNumber,gidnumber,@{Label=’PrimaryGroupDN’;Expression={(Get-ADGroup -Filter {GIDNUMBER -eq $_.gidnumber}).DistinguishedName}}

List all the mail-enabled users, with their display name, first name, last name and primary email address in the forest and export the list to a tab delimited file:
Get-ADUser -Filter {EmailAddress -like “*”} -Properties * -server | select DisplayName, givenName, Surname, EmailAddress | Sort DisplayName | Export-csv -Delimiter “`t” -path c:\update\users3.txt

Locate all Windows 8.1 clients in the Computers container and move them to an OU (requires Import-Module ActiveDirectory):
Get-ADComputer -Filter {OperatingSystem -like “*Windows 8.1*”} -SearchBase “CN=Computers,DC=your-domain,dc=com” -Properties * | Move-ADObject -TargetPath “OU=Win8Clients,DC=your-domain,dc=com”

List all the operating systems of computer objects within the Computers container (requires Import-Module ActiveDirectory):
Get-ADComputer -Filter * -SearchBase “CN=Computers,DC=your-domain,dc=com” -Properties * |select-object name,OperatingSystem

Locate all computer Objects in a given OU and set Prevent from Accidental Deletion (requires Import-Module ActiveDirectory):
Get-ADObject -Filter {(ObjectClass -eq “computer”)} -SearchBase “OU=clients,DC=your-domain,DC=Com” | Set-ADObject -ProtectedFromAccidentalDeletion:$True

List stale computer records based on the last computer account change n days ago (requires Import-Module ActiveDirectory):
$date = [DateTime]::Today.AddDays(-365)
Get-ADComputer -Filter ‘PasswordLastSet -le $date’ -SearchBase “OU=Clients,DC=your-domain,DC=Com” -properties PasswordLastSet | sort -Property PasswordLastSet

If you want to Disable computer accounts that have not been logged on to in X days:
$then = (Get-Date).AddDays(-90) # The 90 is the number of days from today since the last logon.
Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false

Get the last time a computer object was logged on to and sort by the last logon date (requires Import-Module ActiveDirectory):
get-adcomputer -SearchBase “OU=Clients,DC=your-domain,DC=Com” -filter * -Properties * | sort lastLogonDate | FT name, lastLogonDate

Add a computer called “WK001″ to a security group called “RDPEnabled”:
ADD-ADGroupMember “RDPEnabled” –members “WK001$”

Disclaimer: provided “AS IS” with no warranties and confer no rights