This article will show you how to use a graphical menu to discover and administer your Active Directory environment. It is a menu I created for the administration of Active Directory Domain Services. It's like sconfig, but much more powerful when it comes to automation in Active Directory Domain Services.
The latest version is 1.1 (May 2018). For all those who have downloaded my first release, I would strongly recommend taking a look at this update. It fixes bugs and adds new features like Onboarding, Offboarding and much more.
Version 1.1
The tool has undergone a major update since the March release, with more options and a fresher look.
Active Directory Domain Services Section
What can we do with it? That is the question for this part. I want to give you a foretaste. Here's the menu of version 1.1.
The Subsections
1 – Forest | Domain | Sites Configuration
2 – List Domain Controller
Note that in this section you are also able to test the connectivity to your Domain Controller. It’s your choice 😉
3 – Replicate all Domain Controllers
Tired of pressing replicate on all DCs? You've come to the right place.
4 – Show Default Password Policy
It’s good to have an eye on your password settings…
5 – List Domain Admins
6 – List of Active GPOs
7 – List all Windows Clients (Client Operating System only)
8 – List all Windows Servers
9 – List all Computers
10 – Run SystemInfo on Remote Computer
You are able to select a scope …
11 – Move Computer to OU
Don't worry, I will intercept wrong entries and save the user…
12 – List all Groups
13 – List Group Memberships
14 – List all enabled Users
15 – List User Properties
16 – User’s last Domain Logon
The forums are full of questions like "is the LastLogon attribute important, or LastLogonTimestamp or LastLogonDate…, when is it replicated … why is it so difficult to find the right logon date …". I don't care; I contact every DC, ask for the LastLogon attribute and take the latest. Surprise, surprise, it always shows me the correct latest logon.
Don't worry. I will take care of the case where the user has never logged on.
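The approach described above, written out as an added example (this is not the AD.psm1 module's own code): the lastLogon attribute is stored per Domain Controller and never replicated, so the function asks every DC, keeps the newest FILETIME value and reports "never logged on" when every DC returns 0. It assumes the ActiveDirectory RSAT module is available and that all DCs are reachable; the account name in the usage line is a constructed sample.

```powershell
# Added example, not the module's code. Assumes the ActiveDirectory module (RSAT).
function Get-TrueLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $latest = 0L        # lastLogon is an Int64 FILETIME; 0 means "never set"
    $source = $null     # which DC reported the newest value

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            # lastLogon is not replicated, so each DC has to be queried directly.
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                               -Properties lastLogon -ErrorAction Stop
            if ($user.lastLogon -and ([int64]$user.lastLogon -gt $latest)) {
                $latest = [int64]$user.lastLogon
                $source = $dc.HostName
            }
        }
        catch {
            # An unreachable DC leaves a gap in the answer; say so instead of hiding it.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }

    if ($latest -eq 0L) {
        # Every DC returned 0: the account has never logged on.
        [pscustomobject]@{
            User       = $SamAccountName
            LastLogon  = $null
            ReportedBy = $null
            Status     = 'never logged on'
        }
    }
    else {
        [pscustomobject]@{
            User       = $SamAccountName
            LastLogon  = [DateTime]::FromFileTime($latest)
            ReportedBy = $source
            Status     = 'ok'
        }
    }
}

# Usage (constructed sample account name):
# Get-TrueLastLogon -SamAccountName 'jdoe'
```

The warning on an unreachable DC matters: if the DC that last authenticated the user is the one you could not reach, the result is older than the truth, and a silent skip would hide that.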
17 – Show currently logged on User
This is a live query. The target host will be contacted with the quser command.
18 – Send Messages to users' desktops
Cool, ha? One of my favorites … Make your choice to send it to all Windows Servers …
19 – Find orphaned User or Computer Accounts
Who forgot to remove the computer or user account? You have to provide the computer or user account and a timespan.
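One way to implement such a stale-account search, as an added example that is not the module's own code: it uses Search-ADAccount with the timespan the caller provides and reports, for each hit, whether the account is still enabled, its last logon date and its creation date, so that a recently created account that simply has not logged on yet is not mistaken for an orphan. It assumes the ActiveDirectory RSAT module; the 90-day value in the usage line is a constructed sample.

```powershell
# Added example, not the module's code. Assumes the ActiveDirectory module (RSAT).
function Find-StaleAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('User', 'Computer')][string]$Type,
        [Parameter(Mandatory)][ValidateRange(15, 3650)][int]$Days
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Search-ADAccount evaluates lastLogonTimestamp, which replicates but is only
    # refreshed when the stored value is older than roughly 14 days. A window
    # shorter than that would flag active accounts, hence the lower bound above.
    $search = @{ AccountInactive = $true; TimeSpan = (New-TimeSpan -Days $Days) }
    if ($Type -eq 'User') { $search.UsersOnly = $true } else { $search.ComputersOnly = $true }

    foreach ($acct in Search-ADAccount @search) {
        $created = (Get-ADObject -Identity $acct.DistinguishedName -Properties whenCreated).whenCreated
        [pscustomobject]@{
            Name              = $acct.SamAccountName
            Enabled           = $acct.Enabled        # enabled and stale is the case worth acting on
            LastLogonDate     = $acct.LastLogonDate  # $null when the attribute was never set
            Created           = $created             # young account with no logon is not orphaned yet
            DistinguishedName = $acct.DistinguishedName
        }
    }
}

# Usage (constructed sample): computer accounts with no logon in 90 days, enabled ones first
# Find-StaleAccount -Type Computer -Days 90 | Sort-Object Enabled -Descending | Format-Table
```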
20 – Configure Time-based-Group-Membership
This only works with the Windows Server 2016 forest functional level (Forest Mode). Don't worry, the tool will first check the Forest Mode and whether the feature is enabled. Provide User, Group and Timespan in days.
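The two checks mentioned above and the membership itself, as an added example (not the module's code): the function verifies the forest functional level, verifies that the Privileged Access Management optional feature is enabled, then adds the member with a time-to-live and reads the group back with -ShowMemberTimeToLive to confirm the TTL was applied. It assumes the ActiveDirectory RSAT module from Windows Server 2016 or later, which is where the -MemberTimeToLive parameter exists; the names in the usage line are constructed samples.

```powershell
# Added example, not the module's code. Assumes the ActiveDirectory module (RSAT, 2016+).
function Add-TemporaryGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][ValidateRange(1, 365)][int]$Days
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Check 1: forest functional level must be Windows Server 2016 or higher.
    $forest = Get-ADForest
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest) {
        throw "Forest mode is $($forest.ForestMode); Windows2016Forest or higher is required."
    }

    # Check 2: the optional feature must be enabled (it is off by default and cannot be disabled again).
    $pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
    if (-not $pam -or -not $pam.EnabledScopes) {
        throw 'Privileged Access Management Feature is not enabled in this forest.'
    }

    # Add the member with a TTL; AD removes the membership when the TTL expires.
    $ttl = New-TimeSpan -Days $Days
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl

    # Confirm: members with a TTL show it as <TTL=seconds,DN> in the member attribute.
    $member = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' }
    [pscustomobject]@{
        Group       = $Group
        User        = $User
        ExpiresIn   = $ttl
        TtlMembers  = $member
    }
}

# Usage (constructed sample values):
# Add-TemporaryGroupMember -User 'jdoe' -Group 'Tier0-Operators' -Days 7
```

Note that the Kerberos ticket lifetime of a temporary member is shortened to the remaining TTL, so a short timespan also limits how long an already issued ticket stays useful after the membership expires.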
21 – Onboarding | Create New AD User (from existing)
Do you dream of creating a user based on an existing one in a few seconds … to have more time for other tasks? Here we go.
22 – Offboarding | Disable AD User
When an employee leaves the company, their account should be disabled.
Ok, that’s it for now.
PowerShell Web Access
You are also able to run this in PowerShell Web Access:
If you haven't installed PowerShell Web Access yet, here's a walkthrough: Windows Server 2012/2016: Installing and Configuring PowerShell Web Access (PSWA)
The Script
I have decided not to present the entire code here; it is too many lines. You can download the script here; it's a psm1 file, a PowerShell script module file:
ad.psm1
Prerequisites and Notes:
- Tested in an Active Directory environment with Windows Server 2012/2016 Domain Controllers and Windows 7/8/10 clients
- WinRM must be enabled on all client computers, either manually (winrm qc) or by GPO (WinRM is enabled on Windows Server 2012/2016 by default). Take a look at my article: Enabling WinRM for Windows Client Operating Systems (Windows 10, Windows 8, Windows 7)
- Run the tool on a Domain Controller (you may run into trouble with RSAT)
- Entering 0 and then Enter (instead of Enter only) to go back to the main menu is due to the possible use in PowerShell Web Access, where pressing Enter only will not work
After downloading, create a folder "AD" in C:\Program Files\Windows PowerShell\Modules and save the AD.psm1 file there.
It should then be available every time you start PowerShell; run the command ad to start the menu.
Or, as mentioned above, in PowerShell Web Access.
Have fun with it! I am very grateful for ideas for further functions.
Categories: PowerShell, Windows Server
Firstly, great script. Thanks for all the effort.
I have found a potential bug. If I use option 16 and query a specific user, the result is that the user has never logged on. However, if I query stale users (option 19), that same user is listed with a correct time stamp for the last logon date.
Wow, thanks for sharing!!
Would it be possible to add an option to get a list of all computers in the domain and get CPU, RAM, free HDD space, IP (showing whether it is DHCP or a fixed IP)?
Hi, you can try the Systeminfo subsection.
Hi Patrick,
Great job !
Could I suggest a few remarks?
When I edit AD.psm1 with VSCode, the ScriptAnalyzer reports (by default) a lot of errors. Some are only information, others are real errors.
– Avoid using aliases in scripts (i.e. cls, where)
– $Null should be on the left side of equality comparisons
– Avoid naming your variables with the name of an automatic variable (i.e. input)
– A variable (i.e. $Line2) is assigned but not used.
– In line 574 replace …"$user.name" has never … with …$($user.name) has never …. I'm thinking this could resolve the PSAvoidUsingPositionalParameters message.
– The equality operator is -eq, not = (lines 895, 977)
– and many information messages about Write-Host. Never mind; in this case, this script is only designed to be used in interactive mode.
And now for my information: why have you built your psm1 as a single file? A short .psm1 file with one function, calling external .ps1 files (one .ps1 per block in the Switch statement), could be easier to maintain and document.
regards
Thank you for your feedback. First of all, the most important thing is that it works. There is a lot of information when running the analyzer; no script is perfect. I decided to go for one file instead of file chaining.
Really a great job, thank you so much.
Thank you!
Is there a way to enter a different domain you want the script to run on?
There is no option to change domain.
Ok, thanks for the quick response.
Do you know if it is possible to check, for example, who was the last user who logged on to each computer?
Sorry, no clue. You can try to save each login to a file, store all of them on the network and then search the files for logins.
Hello, this script is amazing! I am just starting to learn PowerShell and have tried running scripts before without success. It is a learning process for sure. The part I mainly need is Number 6 – List All Computer, but I need to pull the serial number of each. How can I add this and where would I add it? Thank you!
Hi,
The serial number can be retrieved with Get-CimInstance win32_operatingsystem | Select-Object -Property SerialNumber.
All the best,
P
Addition: The submenu Run SystemInfo … does exactly what you are looking for …
Patrick, great script, thank you. Is there a way to export items to CSV? For example, #7 List Windows clients: instead of Write-Host to output to the screen, just export to CSV? Thanks again!
Yes, just replace it. Cheers