PowerShell and QADUser 
A company called Quest provides an extra snap-In for PowerShell. The idea is for these Active Directory cmdlets to work alongside the native PowerShell commands. As a result we can examine users’ properties, and with care, change values and even reset their passwords.
Topics for PowerShell’s QADUser
- Example 1: Getting to know QADUser
- Example 2: List Users in a Named OU
- Example 3: Change the Value for the User’s Property with Set-QADUser
- Example 4: QAD Script to Change Passwords
- Example 5: Changing the Passwords with UserMustChangePassword
♣
Example 1: Getting to Know QADUser
# PowerShell QADUser cmdlets
Get-Command | Where {$_.name -Match "QADUser"}
Note 1: There is a rich seam of verbs that you can apply to QADUser. You can examine the user with ‘get’, then configure them with ‘set’, ‘enable’ or ‘unlock’. To facilitate a bulk import of users from a spreadsheet there is also, ‘new-QADUser’.
Objective: To Get Information About Active Directory Users
Let us assume that you have fulfilled the above pre-requisites, now there are just two things to do before my scripts will work:
a) Connect to Active Directory, best would be to logon at a domain controller in a test network. Remote connection works well, and you could try Virtual PC for your test network.
b) Find the variable $OU in my script(s); then amend its value to reflect your domain and your Organizational Unit. You many need a little extra work with Active Directory Users and Computers in creating an OU and a handful of users.
Example 2: List Users in a Named OU
The key command here is Get-QADUser.
# PowerShell script to list Active Directory users in a named OU
$OU = "YourDomName/YourOu"
Get-QADUser -SearchRoot $OU
Note 1: -SearchRoot is the parameter which connects to Active Directory.
Note 2: You did change the value of $OU – didn’t you? Also Remember that these QAD cmdlets don’t exist in the initial PowerShell install, they are only available after you successfully run: add-PSSnapin quest.activeroles.admanagement. If your script does not work refer back to the pre-requisites.
Note 3: DN, SID, GUID, UPN or Domain\UserName
Guy Recommends: SolarWinds’ Free Bulk Import Tool
Import users from a spreadsheet. Just provide a list of the users with their fields in the top row, and save as .csv file. Then launch this FREE utility and match your fields with AD’s attributes, click and import the users.
Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.
If you need more comprehensive application analysis software,
Download a free trial of SAM (Server & Application Monitor)
Example 2a: How to Discover the Names of a User’s Properties
These QAD cmdlets are designed to fit seamlessly into PowerShell, for example we can apply our trusty interrogation techniques such as, Get-Help Get-QADUser.
# PowerShell script to list a User’s Properties
# Author: Guy Thomas
# Version 1.1 August 2008 tested on PowerShell v 1.0
Get-Help Get-QADUser
Note 1: I suggest you try my parallel learning technique, and match the user properties revealed by QADUser, with the property sheet that you see in Active Directory Users and Computers.
Note 2: PowerShell’s help tells us that you can connect to an individual user if you know their: Domain\UserName, DN (Distinguished name) or UPN (victim@yourdom.com).
Example 2b: How to List a User’s Property with Get-QADUser
As with many of my scripts, there are two learning threads in this example, a real-life objective (Listing user properties) and also learning PowerShell techniques (Piping and word-wrap).
Important Preparation: Change the value of $OU. "YourDomName/YourOu" is unlikely to work on your domain, so adjust this value. Any doubts of the name, consult your Active Directory Users and Computers.
# PowerShell script to list users and their DisplayNames
# Author: Guy Thomas
$OU = "YourDomName/YourOu"
Get-QADUser -SearchRoot $OU `
| Format-Table FirstName, LastName, DisplayName -auto
Note 1: The unusual backtick symbol (`) means, wrap the command to the next line.
Note 2: The pipe symbol (|) is PowerShell’s signature tune; it means push the output of the first clause (Get-QADUser) into this next command (Format-Table).
Challenges: If I were you I would take a timeout to add values to your user’s property sheet, e.g. LastName, or DisplayName.
The second part of my challenge is to put into practice what we learned with Get-Help QADUser, namely to add different fields from my example 2b, for example, Company or Office. Here is further advice on researching these LDAP properties.
Guy Recommends: A Free Trial of the Network Performance Monitor (NPM)
v11.5
SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
What I like best is the way NPM suggests solutions to network problems. Its also has the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.
Download a free trial of Solarwinds’ Network Performance Monitor
Example 3: Change the Value for the User’s Property with Set-QADUser
My objectives here are twofold, firstly, to practice scripting Active Directory in a relatively harmless fashion. For instance, changing a user’s property called ‘DisplayName’ is less intrusive than changing their password.
Secondly, if we add a text string to displayName then we have a ‘handle’ to filter Active Directory. Just to emphasise that the benefit of having a known value for displayName is that we have an extra control to prevent a rogue script changing everybody’s password.
Important Preparation: As with example 2, you need to edit the this line:
$OU = "YourDomName/YourOu"
# PowerShell script to change a user’s properties with Set-QADUSER
$OU = "YourDomName/YourOu"
Get-QADUser -SearchRoot $OU `
| Set-QADUser -DisplayName "Supremo" `
| FT FirstName, LastName, DisplayName, company, office -auto
Note 1: Never miss a chance to learn a PowerShell verb; mostly we employ, ‘get’, but observe that here we also employ the more active ‘set‘.
Note 2: See how I reinforce the idea of piping (|); for example, the output of ‘set’ becomes the input of FT, which stands for Format-Table.
Timeout: Investigate -SearchScope
Before we are ready to experiment with the -SearchScope parameter, I invite you to create a child OU underneath "YourDomName/YourOu". Next, create few new test accounts in the child OU.
Amend this line of example 3: Get-QADUser -SearchRoot $OU -SearchScope ‘OneLevel’ `
Next try ‘SubTree’: Get-QADUser -SearchRoot $OU -SearchScope ‘SubTree’ `
Example 4: QAD Script to Change Passwords
Here is a script which sets the password for users. The variable $OU specifies the precise location of the user accounts targeted in your domain.
Be aware: This script has two safety catches. Firstly, it changes only users with a particular value for DisplayName; secondly I use the -whatIf parameter to test the output. If the script does as you wish, then remove the last line.
# PowerShell Set-QUADUser script to change users’ passwords
$OU = "cp2.mosel/PowerShell"
Get-QADUser -searchRoot $OU -searchScope ‘OneLevel’ | `
Where-Object {$_.displayName -Like "Supremo*"} | `
Set-QADUser -userPassword "Lapt00p$" `
-whatIf
Note 1: Set-QADUser has different properties from Get-QADUser, for example, ‘set’ has a property called -userPassword.
Note 2: As mentioned previously, this script has ‘where-Object’ clause which acts an extra check that you are changing the users with a particular displayName. Once you understand how this script works, you could remove the ‘where-Object’ clause.
Guy Recommends: SolarWinds Engineer’s Toolset v10
This Engineer’s Toolset v10 provides a comprehensive console of 50 utilities for troubleshooting computer problems. Guy says it helps me monitor what’s occurring on the network, and each tool teaches me more about how the underlying system operates.
There are so many good gadgets; it’s like having free rein of a sweetshop. Thankfully the utilities are displayed logically: monitoring, network discovery, diagnostic, and Cisco tools. Try the SolarWinds Engineer’s Toolset now!
Download your fully functional trial copy of the Engineer’s Toolset v10
Example 5: Changing the Passwords with UserMustChangePassword
Beware: This script has NO safety catch. If you prefer, you could begin by appending the -whatIf parameter to the last line, as in the the script above.
Preliminary step, investigate the parameters with the command:
Get-Help Set-QADUser.
Result of above research: UserMustChangePassword sounds interesting. Incidentally, this PowerShell parameters seem much friendlier than the equivalent pwdLastSet and userAccountControl of VBScript.
# PowerShell script to set a user’s passwords and force a change at logon
#
$OU = "cp2.mosel/PowerShell"
Get-QADUser -searchRoot $OU -searchScope ‘OneLevel’ `
Where-Object {$_.description -Like "Supremo*"} | `
Set-QADUser -userPassword "Lapt00p$" -userMustChangePassword 1
Note 2: Setting ‘userMustChangePassword 1’ looks easy, and seems logical enough. However, I only hit upon this value of numeric one after failing with = "Yes", True, and "1". You need just plain 1 with no speech marks, and no equals sign.
Note 3: Observe just how I just appended the -userMustChangePassword parameter. Did I use a comma? No. A semi-colon? No. Just straightforward userMustChangePassword 1.
Warning: If you are not sure of what’s happening here, I strongly recommend that you append -whatIf.
For those who know what they are doing it is possible to create a script which changes all Active Directory accounts. The secret is to persuade the script to start at the domainRoot/. The way you achieve this dangerous task is to shorten the line:
$OU = "YourDomName/YourOu", to
$OU = "YourDomName/".
The result would be a script which could ‘get’, or ‘set’ all the accounts.
Summary of PowerShell QADUser
There is a whole family of QADUser commands each preceded with a different verb. The two cmdlets that I feature on this page are ‘get’ and ‘set’. As for learning progression, research how to extract existing properties, then try ‘setting’ innocuous properties such as DisplayName. Once you have mastered the basics and stumbled upon the ‘WhatIf, then you can tackle real tasks such as changing users’ passwords.
If you like this page then please share it with your friends
See more PowerShell QAD Scripts
• PowerShell Home • Quest QAD • QADUser • QADGroup • QADComputer
• Export-CSV • Import CSV • QAD Password • Add-PSSnapin • Free Import User CSVDE Tool
• Get-AdUser -filter • Windows PowerShell • Windows PowerShell .Net
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.