Quest Powershell for Active Directory

Download Quest Powershell with admin guide.

Download Prerequisites

Microsoft PowerShell

DotNet Framework 3.5 SP1

Querying does not require any special permissions.


Before running any PowerShell script, run the command below.

Set-ExecutionPolicy Unrestricted

1. How to find group members for n number of groups

$groups = Get-Content groups.txt
foreach ($group in $groups) {
    # List the members, then the group object itself
    Get-QADGroupMember $group
    Get-QADGroup $group
}

Create a file called groups.txt and put all the group names in it, one per line.


2. Find memberof for n number of users with powershell

$users = Get-Content users.txt
foreach ($user in $users) {
    # List the groups the user belongs to, then the user object itself
    Get-QADMemberOf $user
    Get-QADUser $user
}

3. Extract the known attributes for n number of users

$users= get-content users.txt
 foreach ($user in $users) {Get-QADuser $user -SerializeValues}

4. Find the email addresses of users from a particular OU

get-QADuser -SearchRoot '' | select samaccountname,mail,memberof

5. Find the Display Name for n number of users

$users= get-content users.txt
foreach ($user in $users) {Get-QADuser $user -sizelimit 0 | Format-table displayname}

6. Find the Display Name,Canonicalname and Samaccountname  for n number of users

$users= get-content users.txt  
foreach ($user in $users) {Get-QADuser $user -sizelimit 0 | Format-table displayname,canonicalname,samaccountname}

7. Verify that a user is a member of an AD group

if (Get-QADMemberOf 'domain\user' -Indirect -Name GroupName) {
    "is member of"
} else {
    "not member of"
}

8. Get Password Expiration Date of All Users in Active Directory

Get-QADUser -Name * | select givenName,sn,name,PasswordExpires

To export the results to a file, add | Export-CSV c:\pass_exp.csv at the end, for example:

Get-QADUser -Name * -sizelimit 0 | select givenName,sn,name,PasswordExpires | Export-CSV c:\pass_exp.csv

For 2008 R2 use this syntax

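Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties msDS-UserPasswordExpiryTimeComputed | select GivenName,Surname,Name,@{Name='PasswordExpires';Expression={[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}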
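
A hygiene report built on the output of item 8, as an added example that is not part of the original page. The function name, the 14-day threshold and the sample accounts are assumptions, and it assumes PasswordExpires is empty for accounts whose password never expires.

```powershell
# Added example: classify accounts by password expiry for a review report.
# Assumes each input object has Name and PasswordExpires (a DateTime, or $null
# when the password never expires), as selected in item 8.
function Get-PasswordExpiryStatus {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [int] $WarnDays = 14,              # hypothetical warning threshold
        [datetime] $Now = (Get-Date)
    )
    process {
        if ($null -eq $User.PasswordExpires) {
            # Non-expiring passwords are reported rather than silently dropped
            $status = 'NeverExpires'; $daysLeft = $null
        } else {
            $daysLeft = [int][math]::Floor(($User.PasswordExpires - $Now).TotalDays)
            if     ($daysLeft -lt 0)         { $status = 'Expired' }
            elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
            else                             { $status = 'OK' }
        }
        New-Object PSObject -Property @{
            Name = $User.Name; PasswordExpires = $User.PasswordExpires
            DaysLeft = $daysLeft; Status = $status
        } | Select-Object Name, PasswordExpires, DaysLeft, Status
    }
}

# Constructed sample data so the function can be tried without a domain.
$now = [datetime]'2024-01-15'
$sample = @(
    New-Object PSObject -Property @{ Name = 'alice';      PasswordExpires = [datetime]'2024-01-20' }
    New-Object PSObject -Property @{ Name = 'bob';        PasswordExpires = [datetime]'2023-12-31' }
    New-Object PSObject -Property @{ Name = 'svc-backup'; PasswordExpires = $null }
    New-Object PSObject -Property @{ Name = 'carol';      PasswordExpires = [datetime]'2024-03-01' }
)

# Show only the accounts that need attention (carol is 'OK' and is filtered out).
$sample | Get-PasswordExpiryStatus -Now $now |
    Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize

# Against the directory, using item 8's query:
# Get-QADUser -Name * -SizeLimit 0 | Get-PasswordExpiryStatus |
#     Where-Object { $_.Status -ne 'OK' } |
#     Export-Csv c:\pass_exp_review.csv -NoTypeInformation
```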

9. List the values of all properties of the user account

Get-QADUser <userlogon> -IncludeAllProperties -SerializeValues

10. Retrieve deleted user accounts with the name (RDN) of biz

C:\PS>Get-QADUser -Tombstone -Name 'biz*'

11. Find all objects in an OU

get-QADObject -Service '' -SearchRoot 'ou=test,dc=contoso,dc=com'

12. Restore a user account that was deleted from a particular container and had the name (RDN) of Bish B

C:\PS> Get-QADUser -Tombstone -LastKnownParent '<DN of container>' -Name 'Bish B*' | Restore-QADDeletedObject

13. How to check the DACL

Get-QADObject 'cn=users,dc=contoso,dc=com' -SecurityMask Dacl | Get-QADPermission -Inherited -SchemaDefault

14. Check the permissions for a user/group

Get-QADObject 'cn=users,dc=contoso,dc=com' -SecurityMask Dacl | Get-QADPermission -Inherited -SchemaDefault | findstr 'Groupname'

The group name is case sensitive.

15. Domain Controller Inventory

get-QADComputer -computerRole 'DomainController'| format-table -property computername,osname,osversion,osservicepack
get-QADComputer -computerRole 'DomainController' -IncludeAllProperties -SerializeValues | select cn,operatingSystem,msDS-isGC,msDS-isRODC,msds-sitename | Export-CSV c:\DCS.csv

16. Find the disabled members of multiple groups

Get-Content c:\groups.txt | ForEach-Object {
    Get-QADGroupMember $_ -Disabled
}
