The Active Directory (AD) module may be installed as part of the RSAT feature on a Windows 7 / 2008 R2 server (or
by default, with the AD DS or AD LDS server roles.) Once installed, load the Active Directory module
with Import-Module ActiveDirectory or click Start, Administrative Tools, Active Directory Module for Windows PowerShell.
Disable-adAccount Disable an Active Directory account. Enable-adAccount Enable an Active Directory account. Search-adAccount Get AD user, computer, and service accounts. Unlock-adAccount Unlock an AD account. Get-adAccountAuthorizationGroup Get the groups in which an account is a direct or indirect member. Set-adAccountControl Modify user account control (UAC) values for an AD account. Clear-adAccountExpiration Clear the expiration date for an AD account. Set-adAccountExpiration Set the expiration date for an AD account. Set-adAccountPassword Modify the password of an AD account. Get-adAccountResultantPasswordReplicationPolicy Resultant password replication policy for an AD account. c Get-adComputer Get one or more AD computers. New-adComputer Create a new AD computer. Remove-adComputer Remove an AD computer. Set-adComputer Modify an AD computer. Add-adComputerServiceAccount Add one or more service accounts to an AD computer. Get-adComputerServiceAccount Get the service accounts that are hosted by an AD computer. Remove-adComputerServiceAccount Remove one or more service accounts from a computer. d Get-adDefaultDomainPasswordPolicy Get the default password policy for an AD domain. Set-adDefaultDomainPasswordPolicy Modify the default password policy for an AD domain. Move-adDirectoryServer Move a domain controller in AD DS to a new site. Move-adDirectoryServerOperationMasterRole Move the operation master (FSMO) roles to an AD domain controller. Get-adDomain Get an AD domain. Set-adDomain Modify an AD domain. Get-adDomainController Get one or more AD domain controllers. Add-adDomainControllerPasswordReplicationPolicy Add users, computers, and groups to the Allowed List or the Denied List of the read-only domain controller (RODC) Password Replication Policy (PRP). Get-adDomainControllerPasswordReplicationPolicy RODC PRP Allowed/Denied List. Remove-adDomainControllerPasswordReplicationPolicy RODC PRP Allowed/Denied List. Get-adDomainControllerPasswordReplicationPolicyUsage Get the resultant password policy of the specified AD Account on the specified RODC. Set-adDomainMode Set the domain functional level for an AD domain. f Get-adFineGrainedPasswordPolicy Get one or more AD fine-grained password policies. New-adFineGrainedPasswordPolicy Create a new AD fine-grained policy. Remove-adFineGrainedPasswordPolicy Remove an AD fine-grained password policy. Set-adFineGrainedPasswordPolicy Modify an AD fine-grained password policy. Add-adFineGrainedPasswordPolicySubject Apply a fine-grained password policy to one more users and groups. Get-adFineGrainedPasswordPolicySubject Get the users and groups to which a fine-grained policy is applied. Remove-adFineGrainedPasswordPolicySubject Remove one or more users from a fine-grained policy. Get-adForest Get an AD forest. Set-adForest Modify an AD forest. Set-adForestMode Set the forest mode for an AD forest. g Get-adGroup Get one or more AD groups. New-adGroup Create an AD group. Remove-adGroup Remove an AD group. Set-adGroup Modify an AD group. Add-adGroupMember Add one or more members to an AD group. Get-adGroupMember Get the members of an AD group. Remove-adGroupMember Remove one or more members from an AD group. o Get-adObject Get one or more AD objects. Move-adObject Move an AD object or a container of objects to a different container or domain. New-adObject Create an AD object. Remove-adObject Remove an AD object. Rename-adObject Change the name of an AD object. Restore-adObject Restore an AD object. Set-adObject Modify an AD object. Disable-adOptionalFeature Disable an AD optional feature. Enable-adOptionalFeature Enable an AD optional feature. Get-adOptionalFeature Get one or more AD optional features. Get-adOrganizationalUnit Get one or more AD OUs. New-adOrganizationalUnit Create a new AD OU. Remove-adOrganizationalUnit Remove an AD OU. Set-adOrganizationalUnit Modify an AD OU. p Add-adPrincipalGroupMembership Add a member to one or more AD groups. Get-adPrincipalGroupMembership Get the AD groups that have a specified user, computer, or group. Remove-adPrincipalGroupMembership Remove a member from one or more AD groups. r Get-adRootDSE Get the root of a domain controller information tree. s Get-adServiceAccount Get one or more AD service accounts. Install-adServiceAccount Install an AD service account on a computer. New-adServiceAccount Create a new AD service account. Remove-adServiceAccount Remove an AD service account. Set-adServiceAccount Modify an AD service account. Uninstall-adServiceAccount UnInstall an AD service account from a computer. Reset-adServiceAccountPassword Reset the service account password for a computer. u Get-adUser Get one or more AD users. New-adUser Create a new AD user. Remove-adUser Remove an AD user. Set-adUser Modify an AD user. Get-adUserResultantPasswordPolicy Get the resultant password policy for a user.
To use the cmdlets above under Windows XP run a remote session to a Windows7/2008 machine.
If your machine is joined to a domain then a default PSDrive named AD: is created. Use all the regular file system commands to navigate this:
PS C:\> cd AD:
PS AD:\> dir
To use the AD module to manage an Active Directory domain, the Windows Server 2008 R2 Active Directory Web Services (ADWS) service must be installed on at least one domain controller in the domain. To list all the Active Directory cmdlets installed, type Get-Command *-AD*
Quest Active Directory cmdlets
Group Policy Cmdlets - GPO / Permissions / Inheritance
TechNet - Active Directory Module for Windows PowerShell