glallen01/gist:5554334

## gistfile1.ps1
# Requires PowerShell 2.0 and Server 2008-R2 or later.

import-module ActiveDirectory

get-module ActiveDirectory |
select-object -expandproperty ExportedCmdlets |
format-list value

New-PSDrive -PSProvider ActiveDirectory -Server 10.4.4.1 -GlobalCatalog -Root "" -Credential "domain\tim" -Name OtherAD

# Create new user
$pw = convertto-securestring "Pa55wurD" -asplaintext -force
new-aduser -name "Justin McCarthy" -samaccountname "JustinM" -accountpassword $pw -enabled $true

# Reset password
$pw = convertto-securestring "Pa55wurD" -asplaintext -force
set-adaccountpassword JustinM -reset -newpassword $pw
set-adaccountpassword JustinM -reset -newpassword $(read-host -assecurestring)

# Change user attributes
set-aduser JustinM -Description "Engineering" -EmailAddress "justin@sans.org" -SmartcardLogonRequired $true
disable-adaccount "cn=Justin McCarthy,cn=users,dc=domain,dc=com"
enable-adaccount "domain.com/Users/JustinM"
unlock-adaccount JustinM
set-adaccountexpiration JustinM -datetime "12/25/2011 6:00 AM"
set-adaccountexpiration "domain.com/Users/JustinM" -timespan "3"
set-adaccountexpiration JustinM -timespan "12:00"
clear-adaccountexpiration JustinM

# Delete a user
remove-aduser "cn=Justin McCarthy,cn=users,dc=domain,dc=com"

# Manage computer accounts
new-adcomputer -samaccountname SERVER38
new-adcomputer -samaccountname SERVER39 -description "IIS 7.0" -path "ou=boston,ou=east_coast,dc=domain,dc=com"
set-adcomputer SERVER38 -OperatingSystem "Server 2008"
remove-adcomputer SERVER38

# Manage groups
new-adgroup "Sales" -groupscope global
new-adgroup "Sales" -groupscope global -path "ou=boston,ou=east_coast,dc=domain,dc=com"
add-adgroupmember "Sales" -member JustinM,Administrator
$members = get-adgroupmember "Sales"
get-adgroupmember "cn=Sales,ou=dallas,dc=domain,dc=com"
get-adprincipalgroupmembership JustinM
remove-adgroup "cn=Sales,ou=dallas,dc=domain,dc=com"

# Forest and domain objects
get-adforest "domain.com"
get-adforest -current localcomputer
get-adforest -current loggedonuser
get-addomain "domain.com"
get-addomain -current localcomputer
get-addomain -current loggedonuser

# Searching
$results = search-adaccount -accountdisabled
search-adaccount -passwordexpired
search-adaccount -passwordneverexpires
search-adaccount -passwordcannotchange
search-adaccounts -accountexpiring -timespan 7
search-adaccounts -passwordexpiring -timespan 7
search-adaccounts -accountinactive -timespan 180

# Searching with get-adobject
$results = get-adobject -filter {(objectclass -eq "computer")} -searchbase "ou=sales,dc=domain,dc=com"
$results = get-adobject -filter { (objectclass -eq "user") -and (objectcategory -eq "person") }
$results = get-adobject -filter { (name -like "r*") -and (objectclass -eq "user") -and (objectcategory -eq "person") } -searchbase "ou=sales,dc=domain,dc=com"

# To examine the properties of the Administrator account:
$admin = get-aduser Administrator -properties *
$admin | get-member
$admin | format-list *


# Search with get-aduser
get-aduser -filter { badpwdcount -gt 10 } -searchbase "ou=sales,dc=domain,dc=com"

$begin = get-date "June 1, 2011"
$end   = get-date "August 30, 2011"
get-aduser -filter { (lastlogontimestamp -gt $begin) -and
                     (lastlogontimestamp -lt $end)
                   }


$30daysago = $(get-date) - $(new-timespan -days 30)
get-adobject -filter { (objectclass -eq "organizationalunit")  and (whenCreated -gt $30daysago) }

get-aduser -filter { (PasswordNeverExpires -eq $true) -and (SmartCardLogonRequired -eq $false) }


# Password policies
get-addefaultdomainpasswordpolicy -current loggedonuser

$mydom = get-addomain -current loggedonuser
set-addefaultdomainpasswordpolicy -id $mydom -minpasswordlength 5

new-adfinegrainedpasswordpolicy -name "SalesGroupPwdPolicy" -Precedence 700 -LockoutThreshold 50  -LockoutDuration "0.00:10:00" -LockoutObservationWindow "0.00:10:00" -MaxPasswordAge "90.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 17 -PasswordHistoryCount 24

set-adfinegrainedpasswordpolicy -identity salesgrouppwdpolicy -maxpasswordage "120.00:00:00"

add-adfinegrainedpasswordpolicysubject -id SalesGroupPwdPolicy -subjects Sales,Susan,Jon,Aaron,Zach

get-adfinegrainedpasswordpolicy SalesGroupPwdPolicy

get-adfinegrainedpasswordpolicysubject -id SalesGroupPwdPolicy

remove-adfinegrainedpasswordpolicysubject -id SalesGroupPwdPolicy -subjects Zach

remove-adfinegrainedpasswordpolicy -identity SalesGroupPwdPolicy
	# Requires PowerShell 2.0 and Server 2008-R2 or later.

	import-module ActiveDirectory

	get-module ActiveDirectory \|
	select-object -expandproperty ExportedCmdlets \|
	format-list value

	New-PSDrive -PSProvider ActiveDirectory -Server 10.4.4.1 -GlobalCatalog -Root "" -Credential "domain\tim" -Name OtherAD

	# Create new user
	$pw = convertto-securestring "Pa55wurD" -asplaintext -force
	new-aduser -name "Justin McCarthy" -samaccountname "JustinM" -accountpassword $pw -enabled $true

	# Reset password
	$pw = convertto-securestring "Pa55wurD" -asplaintext -force
	set-adaccountpassword JustinM -reset -newpassword $pw
	set-adaccountpassword JustinM -reset -newpassword $(read-host -assecurestring)

	# Change user attributes
	set-aduser JustinM -Description "Engineering" -EmailAddress "justin@sans.org" -SmartcardLogonRequired $true
	disable-adaccount "cn=Justin McCarthy,cn=users,dc=domain,dc=com"
	enable-adaccount "domain.com/Users/JustinM"
	unlock-adaccount JustinM
	set-adaccountexpiration JustinM -datetime "12/25/2011 6:00 AM"
	set-adaccountexpiration "domain.com/Users/JustinM" -timespan "3"
	set-adaccountexpiration JustinM -timespan "12:00"
	clear-adaccountexpiration JustinM

	# Delete a user
	remove-aduser "cn=Justin McCarthy,cn=users,dc=domain,dc=com"

	# Manage computer accounts
	new-adcomputer -samaccountname SERVER38
	new-adcomputer -samaccountname SERVER39 -description "IIS 7.0" -path "ou=boston,ou=east_coast,dc=domain,dc=com"
	set-adcomputer SERVER38 -OperatingSystem "Server 2008"
	remove-adcomputer SERVER38

	# Manage groups
	new-adgroup "Sales" -groupscope global
	new-adgroup "Sales" -groupscope global -path "ou=boston,ou=east_coast,dc=domain,dc=com"
	add-adgroupmember "Sales" -member JustinM,Administrator
	$members = get-adgroupmember "Sales"
	get-adgroupmember "cn=Sales,ou=dallas,dc=domain,dc=com"
	get-adprincipalgroupmembership JustinM
	remove-adgroup "cn=Sales,ou=dallas,dc=domain,dc=com"

	# Forest and domain objects
	get-adforest "domain.com"
	get-adforest -current localcomputer
	get-adforest -current loggedonuser
	get-addomain "domain.com"
	get-addomain -current localcomputer
	get-addomain -current loggedonuser

	# Searching
	$results = search-adaccount -accountdisabled
	search-adaccount -passwordexpired
	search-adaccount -passwordneverexpires
	search-adaccount -passwordcannotchange
	search-adaccounts -accountexpiring -timespan 7
	search-adaccounts -passwordexpiring -timespan 7
	search-adaccounts -accountinactive -timespan 180

	# Searching with get-adobject
	$results = get-adobject -filter {(objectclass -eq "computer")} -searchbase "ou=sales,dc=domain,dc=com"
	$results = get-adobject -filter { (objectclass -eq "user") -and (objectcategory -eq "person") }
	$results = get-adobject -filter { (name -like "r*") -and (objectclass -eq "user") -and (objectcategory -eq "person") } -searchbase "ou=sales,dc=domain,dc=com"

	# To examine the properties of the Administrator account:
	$admin = get-aduser Administrator -properties *
	$admin \| get-member
	$admin \| format-list *


	# Search with get-aduser
	get-aduser -filter { badpwdcount -gt 10 } -searchbase "ou=sales,dc=domain,dc=com"

	$begin = get-date "June 1, 2011"
	$end = get-date "August 30, 2011"
	get-aduser -filter { (lastlogontimestamp -gt $begin) -and
	(lastlogontimestamp -lt $end)
	}


	$30daysago = $(get-date) - $(new-timespan -days 30)
	get-adobject -filter { (objectclass -eq "organizationalunit") and (whenCreated -gt $30daysago) }

	get-aduser -filter { (PasswordNeverExpires -eq $true) -and (SmartCardLogonRequired -eq $false) }


	# Password policies
	get-addefaultdomainpasswordpolicy -current loggedonuser

	$mydom = get-addomain -current loggedonuser
	set-addefaultdomainpasswordpolicy -id $mydom -minpasswordlength 5

	new-adfinegrainedpasswordpolicy -name "SalesGroupPwdPolicy" -Precedence 700 -LockoutThreshold 50 -LockoutDuration "0.00:10:00" -LockoutObservationWindow "0.00:10:00" -MaxPasswordAge "90.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 17 -PasswordHistoryCount 24

	set-adfinegrainedpasswordpolicy -identity salesgrouppwdpolicy -maxpasswordage "120.00:00:00"

	add-adfinegrainedpasswordpolicysubject -id SalesGroupPwdPolicy -subjects Sales,Susan,Jon,Aaron,Zach

	get-adfinegrainedpasswordpolicy SalesGroupPwdPolicy

	get-adfinegrainedpasswordpolicysubject -id SalesGroupPwdPolicy

	remove-adfinegrainedpasswordpolicysubject -id SalesGroupPwdPolicy -subjects Zach

	remove-adfinegrainedpasswordpolicy -identity SalesGroupPwdPolicy