Working with Active Directory using PowerShell ADSI adapter

Introduction

PowerShell is very useful for automating Active Directory. It lets you quickly and relatively easily automate mundane actions or perform the same operation on many objects.

PowerShell provides a very broad set of methods for working with Active Directory. Here are some of them:

This article provides examples of using the ADSI adapter and .NET classes. This is not the easiest method, but sometimes it is the only one available: for example, when your organization runs an older operating system on its domain controllers (earlier than 2008 R2), you cannot install any additional software on the controllers or servers, and yet your script needs to work with Active Directory.

Getting an object representation of an Active Directory object

This method requires knowing the object's [[LDAP Path Active Directory Distinguished and Relative Distinguished Names|LDAP path]].

$Object = [adsi]'LDAP://CN=Notebook1,OU=Computers,DC=contoso,DC=com'

Searching for an object in Active Directory

$Searcher = New-Object DirectoryServices.DirectorySearcher
# Standard LDAP filter: objects of category "person" whose name matches "gusev" (ambiguous name resolution)
$Searcher.Filter = '(&(objectCategory=person)(anr=gusev))'
# The container where the search starts; the default scope searches the whole subtree below it
$Searcher.SearchRoot = 'LDAP://OU=Laptops,OU=Computers,DC=contoso,DC=com'
$Searcher.FindAll()

The Filter property of the searcher object uses standard LDAP filter syntax. You can also use the FindOne() method to get just the first matching object.
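The following is an added example and not code from the original article. It wraps DirectorySearcher in a small function that pages through results, loads only the requested attributes and disposes the result set, and pairs it with a helper that escapes a value before it is embedded in a filter (the RFC 4515 escaping rules), so a name taken from user input such as `*)(objectClass=*` cannot change the meaning of the query. The function names, the domain DC=contoso,DC=com, the OU and the account name are assumptions for illustration.

```powershell
# Added example (not from the original article). Function names, domain, OU and
# account name are assumptions for illustration.

# Escape a value for use inside an LDAP filter (RFC 4515). Backslash is handled
# first so that the escape sequences produced below are not escaped again.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace '\x00', '\00'
}

# Search below $SearchRoot and return one object per hit with the requested attributes.
function Find-AdsiObject {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string]$SearchRoot = 'LDAP://DC=contoso,DC=com',       # assumed domain
        [string[]]$Properties = @('distinguishedName', 'sAMAccountName', 'objectClass'),
        [System.DirectoryServices.SearchScope]$Scope = 'Subtree'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$SearchRoot
    $searcher.Filter      = $Filter
    $searcher.SearchScope = $Scope
    $searcher.PageSize    = 1000            # paged search: not capped by the server's 1000-entry limit
    $searcher.PropertiesToLoad.AddRange($Properties)   # fetch only what the caller asked for
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $obj = @{}
            foreach ($p in $Properties) {
                # Each attribute arrives as a value collection; unwrap missing/single values
                $vals = @($r.Properties[$p])
                if ($vals.Count -eq 0)     { $obj[$p] = $null }
                elseif ($vals.Count -eq 1) { $obj[$p] = $vals[0] }
                else                       { $obj[$p] = $vals }
            }
            New-Object PSObject -Property $obj
        }
    } finally {
        $results.Dispose()      # SearchResultCollection holds unmanaged resources
    }
}

# Usage: look up a user by a name supplied by a caller, escaped before it enters the filter.
$name = ConvertTo-LdapFilterValue 'gusev'
Find-AdsiObject -Filter "(&(objectCategory=person)(objectClass=user)(anr=$name))" `
                -SearchRoot 'LDAP://OU=Lab,DC=contoso,DC=com'
```

PropertiesToLoad and PageSize matter on large directories: without the former every attribute of every hit is transferred, and without the latter a plain FindAll() silently stops at the server's size limit.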

Setting the "Password never expires" attribute on a user object

This property, unlike many other properties of an AD object, is stored as a bit in the bitmask attribute userAccountControl (not related in any way to the [[User Account Control]] feature of Windows). To set it you need to retrieve the current value of this attribute and use the binary OR operation (-bor) to calculate the new value.

$User = [ADSI]"LDAP://cn=Gusev,ou=Users,ou=Lab,dc=contoso,dc=com"
# 65536 (0x10000) is the DONT_EXPIRE_PASSWD bit; OR-ing keeps all other bits unchanged
$UAC = $User.UserAccountControl[0] -bor 65536
$User.Put("userAccountControl",$UAC)
# Nothing is written to the directory until SetInfo() is called
$User.SetInfo()
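Below is an added example that is not part of the original article. It names the commonly used userAccountControl bits, tests and sets or clears a single bit without disturbing the others, re-reads the object to confirm the write, and then audits the domain for enabled accounts whose password never expires by letting the server do the bit test with the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803). The function names, the domain and the user DN are assumptions; the bit values are the documented flag values.

```powershell
# Added example (not from the original article). Function names, domain and user
# DN are assumptions; the bit values are the documented userAccountControl flags.
$UacFlag = @{
    ACCOUNTDISABLE                 = 0x0002
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWD             = 0x10000      # 65536, the value used in the article
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Names of every flag set in a userAccountControl value, for readable audit output
function Get-UacFlagName {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlag.Keys | Where-Object { ($Value -band $UacFlag[$_]) -ne 0 } | Sort-Object
}

# Is one bit set on an ADSI user object? The adapter returns a value collection,
# so [0] picks out the single Int32 value.
function Test-UacFlag {
    param([Parameter(Mandatory)]$Entry, [Parameter(Mandatory)][int]$Flag)
    ([int]$Entry.userAccountControl[0] -band $Flag) -ne 0
}

# Set (or, with -Clear, remove) one bit without touching the others.
# Nothing reaches the directory until SetInfo() is called.
function Set-UacFlag {
    param([Parameter(Mandatory)]$Entry, [Parameter(Mandatory)][int]$Flag, [switch]$Clear)
    $current = [int]$Entry.userAccountControl[0]
    if ($Clear) { $new = $current -band (-bnot $Flag) } else { $new = $current -bor $Flag }
    if ($new -ne $current) {
        $Entry.Put('userAccountControl', $new)
        $Entry.SetInfo()
    }
}

# Same change as in the article, then re-read the object to confirm it was stored
$user = [ADSI]'LDAP://CN=Gusev,OU=Users,OU=Lab,DC=contoso,DC=com'
Set-UacFlag -Entry $user -Flag $UacFlag.DONT_EXPIRE_PASSWD
$user.psbase.RefreshCache()
Test-UacFlag -Entry $user -Flag $UacFlag.DONT_EXPIRE_PASSWD

# Audit: enabled users whose password never expires. The extensible match
# "attr:1.2.840.113556.1.4.803:=value" is true when all bits of value are set.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]'LDAP://DC=contoso,DC=com'
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
    "(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlag.DONT_EXPIRE_PASSWD))" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlag.ACCOUNTDISABLE))))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'userAccountControl'))
$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        New-Object PSObject -Property @{
            Account = [string]$r.Properties['samaccountname'][0]
            Flags   = (Get-UacFlagName ([int]$r.Properties['useraccountcontrol'][0])) -join ','
        }
    }
} finally { $results.Dispose() }
```

Reading the value back after SetInfo() is the cheap check that the write actually succeeded; the audit query is the same technique applied in bulk, which is how you find accounts that were given this bit long ago.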

Get direct AD group membership information

The members of a group are stored as distinguished names in the group's multi-valued Member property. To get objects representing the members, read the contents of this property and create ADSI objects from them.

$Group = [ADSI]"LDAP://cn=Domain Admins,cn=Users,dc=Contoso,dc=Com"
# Each element of Member is a DN; prefixing it with LDAP:// gives the object's ADSI path
$Members = $Group.Member | ForEach-Object {[ADSI]"LDAP://$_"}

Similarly, the groups in which an AD object is directly included are listed in its MemberOf property.

$User = [ADSI]"LDAP://cn=Administrator,cn=Users,dc=Contoso,dc=Com"
$Groups = $User.MemberOf | ForEach-Object {[ADSI]"LDAP://$_"}

Get AD object class name

The primary class of an AD object is contained in its Class property, but there is also an ObjectClass property that contains all classes to which the object belongs.

PS C:\> $Object = [ADSI]"LDAP://cn=Administrator,cn=Users,dc=Contoso,dc=Com"
PS C:\> $Object.class
user
PS C:\> $Object.objectclass
top
person
organizationalPerson
user
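The following added example (not code from the original article) combines the two preceding sections: it expands a group's Member property, uses objectClass to tell nested groups from users and computers, and keeps a set of already-expanded group DNs so that a membership loop (group A in group B in group A) cannot recurse forever. The group DN and function name are assumptions. Two known limits of this approach: a user whose primary group is the one being expanded is not listed in Member (it is linked through primaryGroupID instead), and for groups beyond the server's range limit (1500 values by default) the attribute is returned in ranges, which this example does not handle.

```powershell
# Added example (not from the original article). Group DN and function name are
# assumptions; only the Member and objectClass attributes shown above are used.
function Get-AdsiGroupMember {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [switch]$Recurse,
        # Group DNs already expanded; guards against nested-group loops
        [System.Collections.Generic.HashSet[string]]$Visited
    )
    if ($null -eq $Visited) {
        # DNs are case-insensitive, so compare them that way
        $Visited = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
    }
    if (-not $Visited.Add($GroupDN)) { return }      # already expanded this group
    $group = [ADSI]"LDAP://$GroupDN"
    foreach ($dn in @($group.Member)) {
        $entry   = [ADSI]"LDAP://$dn"
        $classes = @($entry.objectClass)             # e.g. top, person, organizationalPerson, user
        if ($classes -contains 'group') {
            if ($Recurse) { Get-AdsiGroupMember -GroupDN $dn -Recurse -Visited $Visited }
            continue
        }
        New-Object PSObject -Property @{
            Name  = [string]$entry.sAMAccountName
            Class = $classes[-1]                     # most specific class, same value as .class
            Via   = $GroupDN                         # the group whose Member attribute lists it
            DN    = $dn
        }
    }
}

# Usage: everyone who ends up in Domain Admins, directly or through nested groups
Get-AdsiGroupMember -GroupDN 'CN=Domain Admins,CN=Users,DC=contoso,DC=com' -Recurse |
    Format-Table Name, Class, Via -AutoSize
```

The Via column is what makes the output useful for review: an account that reaches a privileged group only through a chain of nested groups is easy to miss when you look at the Member attribute alone.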

See Also