From 3f08ba4add34e8ea492f2f537963855ffec8deaa Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Fri, 28 Jun 2024 12:49:22 -0700 Subject: [PATCH 1/5] Update Get-WindowsReservedStorageState.md Fixing example, it fails with -Online. --- docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md b/docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md index ed7c3ff534..d993d4eec0 100644 --- a/docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md +++ b/docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md @@ -24,7 +24,7 @@ Gets the current state of reserved storage. This command is supported with the o ### Example 1 ```powershell -PS C:\> Get-WindowsReservedStorageState -Online +PS C:\> Get-WindowsReservedStorageState ``` This command gets the Windows reserved storage state on the local host. From 0ef629c7553637806686ed131682ffcf51318971 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Mon, 1 Jul 2024 11:30:13 -0700 Subject: [PATCH 2/5] Update Get-WindowsReservedStorageState.md --- docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md b/docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md index d993d4eec0..586d6c1108 100644 --- a/docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md +++ b/docset/winserver2022-ps/dism/Get-WindowsReservedStorageState.md 
@@ -18,7 +18,7 @@ Get-WindowsReservedStorageState [-LogPath ] [-ScratchDirectory ] ``` ## DESCRIPTION -Gets the current state of reserved storage. This command is supported with the online Windows image. +Gets the current state of reserved storage. This command is only supported with the online Windows image. ## EXAMPLES From 179d223386e9838e71a8a1dfc79fea1ae39498d6 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 2 Jul 2024 15:27:35 -0700 Subject: [PATCH 3/5] Correct malformed metadata --- docset/winserver2016-ps/appx/Get-NonRemovableAppsPolicy.md | 3 ++- docset/winserver2016-ps/appx/Set-NonRemovableAppsPolicy.md | 3 ++- docset/winserver2019-ps/appx/Get-NonRemovableAppsPolicy.md | 3 ++- docset/winserver2019-ps/appx/Set-NonRemovableAppsPolicy.md | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/docset/winserver2016-ps/appx/Get-NonRemovableAppsPolicy.md b/docset/winserver2016-ps/appx/Get-NonRemovableAppsPolicy.md index c485ad124b..536f7912dc 100644 --- a/docset/winserver2016-ps/appx/Get-NonRemovableAppsPolicy.md +++ b/docset/winserver2016-ps/appx/Get-NonRemovableAppsPolicy.md @@ -1,5 +1,6 @@ --- -audiencems.localizationpriority: ITPro +audience: ITPro +ms.localizationpriority: Low description: Use this topic to help prevent the uninstall of specific Windows apps with Windows PowerShell. external help file: Microsoft.Windows.Appx.PackageManager.Commands.dll-help.xml Module Name: Appx diff --git a/docset/winserver2016-ps/appx/Set-NonRemovableAppsPolicy.md b/docset/winserver2016-ps/appx/Set-NonRemovableAppsPolicy.md index 4d5de39176..d671ebb3ee 100644 --- a/docset/winserver2016-ps/appx/Set-NonRemovableAppsPolicy.md +++ b/docset/winserver2016-ps/appx/Set-NonRemovableAppsPolicy.md 
@@ -1,5 +1,6 @@ --- -audiencems.localizationpriority: ITPro +audience: ITPro +ms.localizationpriority: Low description: Use this topic to help prevent the uninstall of specific Windows apps with Windows PowerShell. external help file: Microsoft.Windows.Appx.PackageManager.Commands.dll-help.xml Module Name: Appx diff --git a/docset/winserver2019-ps/appx/Get-NonRemovableAppsPolicy.md b/docset/winserver2019-ps/appx/Get-NonRemovableAppsPolicy.md index d3190cccc2..8eb795743f 100644 --- a/docset/winserver2019-ps/appx/Get-NonRemovableAppsPolicy.md +++ b/docset/winserver2019-ps/appx/Get-NonRemovableAppsPolicy.md @@ -1,5 +1,6 @@ --- -audiencems.localizationpriority: ITPro +audience: ITPro +ms.localizationpriority: Low description: Use this topic to help prevent the uninstall of specific Windows apps with Windows PowerShell. external help file: Microsoft.Windows.Appx.PackageManager.Commands.dll-help.xml Module Name: Appx diff --git a/docset/winserver2019-ps/appx/Set-NonRemovableAppsPolicy.md b/docset/winserver2019-ps/appx/Set-NonRemovableAppsPolicy.md index c71cace1de..219553197c 100644 --- a/docset/winserver2019-ps/appx/Set-NonRemovableAppsPolicy.md +++ b/docset/winserver2019-ps/appx/Set-NonRemovableAppsPolicy.md @@ -1,5 +1,6 @@ --- -audiencems.localizationpriority: ITPro +audience: ITPro +ms.localizationpriority: Low description: Use this topic to help prevent the uninstall of specific Windows apps with Windows PowerShell. external help file: Microsoft.Windows.Appx.PackageManager.Commands.dll-help.xml Module Name: Appx From 0ec724605b4d62706c2763ff54f301ce9b742d95 Mon Sep 17 00:00:00 2001 
From: Sean Wheeler Date: Tue, 2 Jul 2024 18:54:54 -0500 Subject: [PATCH 4/5] Fixes #1333 - Add about topic to ActiveDirectory (#3834) * Add about topic to ActiveDirectory * Update docfx.json to include about articles * Update docfx file glob * fix table --- docset/docfx.json | 64 ++-- .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 351 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 351 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 351 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 351 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 351 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 351 ++++++++++++++++++ 13 files changed, 2240 insertions(+), 32 deletions(-) create mode 100644 docset/winserver2012-ps/activedirectory/About/About.md create mode 100644 docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2012r2-ps/activedirectory/About/About.md create mode 100644 docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2016-ps/activedirectory/About/About.md create mode 100644 docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2019-ps/activedirectory/About/About.md create mode 100644 docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2022-ps/activedirectory/About/About.md create mode 100644 docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2025-ps/activedirectory/About/About.md create mode 100644 
docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md diff --git a/docset/docfx.json b/docset/docfx.json index bcd6857d85..dc6f5e5683 100644 --- a/docset/docfx.json +++ b/docset/docfx.json 
@@ -1,44 +1,44 @@ { "build": { "content": [ - { "files": [ "toc.yml" ], "src": "bread", "dest": "windows/bread" }, + { "dest": "windows/bread", "files": [ "toc.yml" ], "src": "bread" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "winserver2025-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "module/WindowsServer2025-ps" }, - - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "winserver2022-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "module/WindowsServer2022-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps" }, + { "dest": "winserver2025-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps" }, + { "dest": "module/WindowsServer2025-ps", "files": [ "toc.yml" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2019-ps", 
"version": "WindowsServer2019-ps", "dest": "winserver2019-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "module/WindowsServer2019-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps" }, + { "dest": "winserver2022-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps" }, + { "dest": "module/WindowsServer2022-ps", "files": [ "toc.yml" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "windows" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "module/WindowsServer2016-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2019-ps", "version": "WindowsServer2019-ps" }, + { "dest": "winserver2019-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2019-ps", "version": "WindowsServer2019-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps" }, + { "dest": "module/WindowsServer2019-ps", "files": [ "toc.yml" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps" }, - { "files": [ "**/*.md" ], "src": 
"docs-conceptual/winserver2012-ps", "version": "winserver2012-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012-ps", "version": "winserver2012-ps", "dest": "winserver2012-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2012-ps", "version": "winserver2012-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2012-ps", "version": "winserver2012-ps", "dest": "module/winserver2012-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps" }, + { "dest": "windows", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps" }, + { "dest": "module/WindowsServer2016-ps", "files": [ "toc.yml" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "winserver2012r2-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "module/winserver2012r2-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2012-ps", "version": "winserver2012-ps" }, + { "dest": "winserver2012-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012-ps", "version": "winserver2012-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2012-ps", "version": "winserver2012-ps" }, + { "dest": "module/winserver2012-ps", "files": 
[ "toc.yml" ], "src": "winserver2012-ps", "version": "winserver2012-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/mdop", "version": "win-mdop2-ps", "dest": "mdop" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/mdop", "version": "win-mdop2-ps", "dest": "mdop/win-mdop2-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "mdop", "version": "win-mdop2-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "mdop", "version": "win-mdop2-ps", "dest": "module/win-mdop2-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps" }, + { "dest": "winserver2012r2-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps" }, + { "dest": "module/winserver2012r2-ps", "files": [ "toc.yml" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps" }, - { "files": [ "**/*.md" ], "src": "virtual-directory-module", "dest": "module" } + { "dest": "mdop", "files": [ "**/*.md" ], "src": "docs-conceptual/mdop", "version": "win-mdop2-ps" }, + { "dest": "mdop/win-mdop2-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/mdop", "version": "win-mdop2-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml" ], "src": "mdop", "version": "win-mdop2-ps" }, + { "dest": "module/win-mdop2-ps", "files": [ "toc.yml" ], "src": "mdop", "version": "win-mdop2-ps" }, + + { "dest": "module", "files": [ "**/*.md" ], "src": "virtual-directory-module" } ], "resource": [ { "files": [ "**/*.png", "**/*.jpg" ], "exclude": [ "**/obj/**", "**/includes/**" ] } @@ -91,7 +91,7 @@ "garycentric", "AngelaMotherofDragons", "dstrome", - "v-dihans", + "v-dihans", "sdwheeler", "Stacyrch140", "v-stsavell", 
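Review bot: In the first docset/docfx.json hunk (@@ -1,44), the only functional change is adding "**/About/*.md" to the "files" list of the six winserver*-ps "module" entries, but every entry in "content" is also rewritten to put "dest" first, so the whole list shows as changed and the real edit is hard to pick out. Suggest moving the key reorder into its own commit. The reorder also carries over `{ "dest": "windows", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2016-ps", ...`, while every other version sends its conceptual toc.yml to its own "winserver20xx-ps" dest; please confirm the 2016 entry is intended before it is copied forward again.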
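Review bot: In the second docset/docfx.json hunk (@@ -91,7), the removed and added "v-dihans", lines read the same, so this looks like a whitespace-only change that is unrelated to adding the About articles. Suggest dropping it from this commit, or noting the whitespace cleanup in the commit message.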
diff --git a/docset/winserver2012-ps/activedirectory/About/About.md b/docset/winserver2012-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2012-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..23a83c0a0a --- /dev/null +++ b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md 
@@ -0,0 +1,351 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. 
+ + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. 
+ +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. 
+ +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. 
Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! 
| +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. 
+ +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2012r2-ps/activedirectory/About/About.md b/docset/winserver2012r2-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2012r2-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..23a83c0a0a --- /dev/null +++ b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md 
@@ -0,0 +1,351 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. 
+ + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. 
+ +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. 
+ +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. 
Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! 
| +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. 
+ +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2016-ps/activedirectory/About/About.md b/docset/winserver2016-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2016-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..23a83c0a0a --- /dev/null +++ b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md 
@@ -0,0 +1,351 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. 
+ + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. 
+ +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. 
+ +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. 
Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! 
| +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. 
+ +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2019-ps/activedirectory/About/About.md b/docset/winserver2019-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2019-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..23a83c0a0a --- /dev/null +++ b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md 
@@ -0,0 +1,351 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. 
+ + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. 
+ +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. 
+ +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. 
Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! 
| +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. 
+ +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2022-ps/activedirectory/About/About.md b/docset/winserver2022-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2022-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..23a83c0a0a --- /dev/null +++ b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md 
@@ -0,0 +1,351 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. 
+ + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. 
+ +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. 
+ +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. 
Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! 
| +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. 
+ +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2025-ps/activedirectory/About/About.md b/docset/winserver2025-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2025-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..23a83c0a0a --- /dev/null +++ b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md 
@@ -0,0 +1,351 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. 
+ + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. 
+ +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. 
+ +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. 
Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! 
| +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. 
+ +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | From 44c9a4efbf6c320c493a23716aa26e088c2ca72e Mon Sep 17 00:00:00 2001 
From: Sean Wheeler Date: Wed, 3 Jul 2024 10:23:59 -0500 Subject: [PATCH 5/5] Add about topics for ActiveDirectory (#3837) * Add about topics for ActiveDirectory * fix link --- .../activedirectory/About/About.md | 11 +- .../About/about_ActiveDirectory.md | 81 +++ .../About/about_ActiveDirectory_Identity.md | 196 ++++++ .../about_ActiveDirectory_ObjectModel.md | 595 ++++++++++++++++++ .../activedirectory/About/About.md | 11 +- .../About/about_ActiveDirectory.md | 81 +++ .../About/about_ActiveDirectory_Identity.md | 196 ++++++ .../about_ActiveDirectory_ObjectModel.md | 595 ++++++++++++++++++ .../activedirectory/About/About.md | 11 +- .../About/about_ActiveDirectory.md | 81 +++ .../About/about_ActiveDirectory_Identity.md | 196 ++++++ .../about_ActiveDirectory_ObjectModel.md | 595 ++++++++++++++++++ .../activedirectory/About/About.md | 11 +- .../About/about_ActiveDirectory.md | 81 +++ .../About/about_ActiveDirectory_Identity.md | 196 ++++++ .../about_ActiveDirectory_ObjectModel.md | 595 ++++++++++++++++++ .../activedirectory/About/About.md | 11 +- .../About/about_ActiveDirectory.md | 81 +++ .../About/about_ActiveDirectory_Identity.md | 196 ++++++ .../about_ActiveDirectory_ObjectModel.md | 595 ++++++++++++++++++ .../activedirectory/About/About.md | 11 +- .../About/about_ActiveDirectory.md | 81 +++ .../About/about_ActiveDirectory_Identity.md | 196 ++++++ .../about_ActiveDirectory_ObjectModel.md | 595 ++++++++++++++++++ 24 files changed, 5292 insertions(+), 6 deletions(-) create mode 100644 docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory.md create mode 100644 docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Identity.md create mode 100644 docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md create mode 100644 docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory.md create mode 100644 docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Identity.md create mode 100644 
docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md create mode 100644 docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory.md create mode 100644 docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Identity.md create mode 100644 docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md create mode 100644 docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory.md create mode 100644 docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Identity.md create mode 100644 docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md create mode 100644 docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory.md create mode 100644 docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Identity.md create mode 100644 docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md create mode 100644 docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory.md create mode 100644 docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Identity.md create mode 100644 docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md diff --git a/docset/winserver2012-ps/activedirectory/About/About.md b/docset/winserver2012-ps/activedirectory/About/About.md index adc76085b9..449df28850 100644 --- a/docset/winserver2012-ps/activedirectory/About/About.md +++ b/docset/winserver2012-ps/activedirectory/About/About.md @@ -2,7 +2,7 @@ description: About articles for the ActiveDirectory module. Help Version: 3.1.0.0 Locale: en-US -ms.date: 04/22/2013 +ms.date: 07/03/2024 title: About articles --- # About topics 
@@ -13,5 +13,14 @@ About topics cover a range of concepts about PowerShell. ## About Topics +### [about_ActiveDirectory](about_ActiveDirectory.md) +The Active Directory module is a command line interface for managing Active Directory. + ### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. + +### [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md) +The Active Directory module for Windows PowerShell objects have a range of identifying attributes that are used for search and retrieval. + +### [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md) +Describes the object model of the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory.md b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory.md new file mode 100644 index 0000000000..1b7183dcd2 --- /dev/null +++ b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory.md 
@@ -0,0 +1,81 @@ +--- +title: about_ActiveDirectory +ms.date: 04/22/2013 +description: The Active Directory module is a command line interface for managing Active Directory. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory + +## SHORT DESCRIPTION + +The Active Directory module is a command line interface for managing Active +Directory. + +## LONG DESCRIPTION + +The Active Directory module for Windows PowerShell is for IT Professionals who +are administering and interfacing with Active Directory. The Active Directory +module provides an efficient way to complete many administrative, +configuration, and diagnostic tasks across Active Directory Domain Services (AD +DS) and Active Directory Lightweight Directory Services (AD LDS) instances in +their environments. The Active Directory module includes a set of Windows +PowerShell cmdlets and a provider. The provider exposes the Active Directory +database through a hierarchical navigation system, which is very similar to the +file system. As with drives in a file system, such as C:, you can connect +Windows PowerShell drives to Active Directory domains and AD LDS, as well as +Active Directory snapshots. + +### Coverage of Active Directory Module Cmdlets + +Create, Read, Update, and Delete actions are supported for Active Directory +objects by cmdlets such as `New-ADUser`, `Get-ADOrganizationalUnit`, +`Set-ADComputer`, and `Remove-ADUser`. + +Account and Password Policy Management are supported by cmdlets such as +`Enable-ADAccount`, `Unlock-ADAccount`, `New-ADServiceAccount`, +`Set-ADAccountControl`, and `Remove-ADFineGrainedPasswordPolicy`. + +Domain and Forest Management is supported by cmdlets such as `Get-ADForest`, +`Set-ADForest`, `Set-ADForestMode`, `Enable-ADOptionalFeature`, +`Get-ADDomainController`, and `Get-ADDomain`. 
+ +### Listing the Active Directory Module Cmdlets + +To get a list of all of the Active Directory module cmdlets, run + +```powershell +Get-Command -Module ActiveDirectory +``` + +### Getting Started + +Getting started with the Active Directory module for Windows PowerShell is as +easy as clicking the following shortcut: + +Run the following command in any Windows PowerShell prompt to import the Active +Directory module: + +```powershell +Import-Module ActiveDirectory +``` + +### Overview and Conceptual Topics + +The first two of these topics offer a high level overview of the Active +Directory module and the Active Directory Provider. + +- For a brief introduction to the Active Directory provider for Windows + PowerShell, see [ActiveDirectory](/powershell/module/activedirectory). +- The following topics are conceptual support topics for the Active Directory + module cmdlets. + - For an introduction to the **Identity** parameter, which is used by the + Active Directory module cmdlets to identify objects in the directory, see + [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md). + - For an introduction to the **Filter** parameter which is used by Active + Directory module cmdlets to search for objects in the directory, see + [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md). + - For an introduction to the .NET Framework-based object model implemented by + the Active Directory module, see + [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). diff --git a/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Identity.md b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Identity.md new file mode 100644 index 0000000000..c007277b19 --- /dev/null +++ b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Identity.md 
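Review bot: In the new about_ActiveDirectory.md, the "Getting Started" section says getting started "is as easy as clicking the following shortcut:" but no shortcut or link follows; the next paragraph goes straight to the `Import-Module ActiveDirectory` instruction. Suggest dropping that sentence or restoring the missing link, so the section does not point at something that is not there. Under "Overview and Conceptual Topics", the lead-in "The first two of these topics offer a high level overview" also does not match the list that follows, which has one provider introduction and then three conceptual sub-items; the lead-in should describe the list as it is actually structured.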
@@ -0,0 +1,196 @@ +--- +title: about_ActiveDirectory_Identity +ms.date: 04/22/2013 +description: This article lists the identifying attributes that are used for search and retrieval supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Identity + +## SHORT DESCRIPTION + +The Active Directory module for Windows PowerShell objects have a range of +identifying attributes that are used for search and retrieval. + +## LONG DESCRIPTION + +In order to identify the objects in Active Directory, each object has +attributes that can be used as identifiers. In the Active Directory module, the +value of the identity of an object can be passed using the Identity parameter. +Each object type has its own set of possible types and values for use by the +Identity parameter. See the detailed description of the Identity parameter of +the given cmdlet for more information about its usage. + +When searching with the Active Directory module cmdlets, the value of the +Identity parameter, along with the values of the Server and Partition +parameters, is used to uniquely identify a single object. The Server parameter +is used to locate which server to connect with. The Partition parameter further +narrows the search to a specific partition. The Identity parameter then +resolves to a single unique object in the partition. + +Note that using the Security Accounts Manager (SAM) Account Name +(**sAMAccountName**) when targeting a global catalog port, you will not find a +user in a different domain if you are using the Identity parameter + +If more than one object is found using identity resolution, the Active +Directory module throws an error. 
+ +For more information about the Server and Partition parameters, see the help +topics for the individual cmdlets where they are used, such as `Get-ADUser`, by +typing: + +```powershell +Get-Help Get-ADUser +``` + +### Objects and Identities + +Each object has a list of attributes that can be used as an identity for that +object. Additionally, if the object inherits from another object, then the +parent object's identities can also be used as the child object's identities. +For more information on the Active Directory object hierarchy, see +[about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). + +> [!NOTE] +> For Active Directory Provider cmdlets, only an object's 'Distinguished Name' +> or 'Relative Distinguished Name' can be used as the identity. For a list of +> Active Directory Provider cmdlets, see ActiveDirectory. + +### Identity Attributes + +The following is a list of identity attributes by object type. + +- ADAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADComputer + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager Account Name (sAMAccountName) + +- ADDirectoryServer + - Name of the server object (name) + - For AD LDS instances the syntax of a name is `$` + - For other Active Directory instances, use the value of the name property. + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the directory + server. + - GUID (objectGUID) of server object under the configuration partition. 
+ - GUID (objectGUID) of NTDS settings object under the configuration partition + +- ADDomain + - Distinguished Name + - GUID + - Security Identifier + - DNS domain name + - NetBIOS domain name + +- ADDomainController + - GUID (objectGUID) + - IPV4Address + - Global IPV6Address + - DNS Host Name (dNSHostName) + - Name of the server object + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the domain controller + - GUID of NTDS settings object under the configuration partition + - GUID of server object under the configuration partition + - Distinguished Name of the computer object that represents the domain controller. + +- ADFineGrainedPasswordPolicy + - Distinguished Name + - GUID (objectGUID) + - Name (name) + +- ADForest + - Fully qualified domain name + - DNS host name + - NetBIOS name + +- ADGroup + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager (SAM) Account Name (sAMAccountName) + +- ADObject + - Distinguished Name + - GUID (objectGUID) + +- ADOptionalFeature + - Distinguished Name + - Name (name) + - Feature GUID (featureGUID) + - GUID (objectGUID) + +- ADOrganizationalUnit + - Distinguished Name + - GUID (objectGUID) + +- ADPrincipal + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADServiceAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADUser + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM User Name (sAMUserName) + + +### Identities Formats + +Active Directory module objects have a range of identity attributes. Below is a +list of these, their types and formats. 
+ +- Distinguished Name + - Example: CN=SaraDavis,CN=Europe,CN=Users, DC=corp,DC=contoso,DC=com + +- DNS domain name + - Example: redmond.corp.contoso.com + +- DNS Host Name (dNSHostName) + - Example: corp-DC01.corp.contoso.com + +- Feature GUID (featureGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- Fully qualified domain name + - Example: corp.contoso.com + +- Global IPV6Address + - Example: 2001:4898:0:fff:200:5efe:157.59.132.61 + +- GUID (objectGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- IPV4Address + - Example:157.59.132.61 + +- NetBIOS domain name + - Example: redmond + +- Name of the server object + - Example: corp-DC01$ + +- SAM Account Name (sAMAccountName) + - Example: saradavisreports + +- Security Identifier (objectSid) + - Example: S-1-5-21-3165297888-301567370-576410423-1103 + +- Name + - Example: Recycle Bin Feature diff --git a/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md new file mode 100644 index 0000000000..8535a97464 --- /dev/null +++ b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md 
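Review bot: In the new about_ActiveDirectory_Identity.md, the ADUser entry under "Identity Attributes" lists "SAM User Name (sAMUserName)", while ADAccount, ADPrincipal, ADServiceAccount, ADComputer and ADGroup all list the SAM Account Name (sAMAccountName), and "Identities Formats" has no entry for sAMUserName. Since the topic states that a child object can use its parent's identities, ADUser should read "SAM Account Name (sAMAccountName)" unless a separate attribute is really meant, in which case it needs a format example. Smaller points in the same hunk: the paragraph beginning "Note that using the Security Accounts Manager (SAM) Account Name" is missing its final period and is hard to parse, and would read better as "When you target a global catalog port, the Identity parameter does not find a user in a different domain by sAMAccountName"; the NOTE block ends with an unlinked "see ActiveDirectory" although about_ActiveDirectory.md links the same target; "Example:157.59.132.61" is missing a space; and the Distinguished Name example has a stray space after "CN=Users,".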
@@ -0,0 +1,595 @@ +--- +title: about_ActiveDirectory_ObjectModel +ms.date: 04/22/2013 +description: Describes the object model of the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_ObjectModel + +## SHORT DESCRIPTION +Describes the object model of the Active Directory module for Windows +PowerShell. + +## LONG DESCRIPTION + +This topic explains the Active Directory module classes and their properties +used to model actual Active Directory attributes. It also outlines the class +hierarchy constructed from its Active Directory counterpart. The object model +establishes a data foundation for all the operations supported by Active +Directory module cmdlets. + +### Class Hierarchy + +The following list shows the class hierarchy defined in the Active Directory +module object model, with class inheritance implied by indentation. This +inheritance model allows for Active Directory cmdlets to accept a range of +object types as input. This means, for example, that the cmdlet +Get-ADPrincipalGroupMembership can accept as input any of the following +objects: ADGroup, ADAccount, ADComputer, ADServiceAccount or ADUser. This works +because of the inheritance model and guarantees that an ADUser object has all +of the properties of an ADPrincipal object. + +``` +ADEntity + ADRootDSE + ADObject + ADFineGrainedPasswordPolicy + ADOptionalFeature + ADOrganizationalUnit + ADPartition + ADDomain + ADPrincipal + ADAccount + ADComputer + ADServiceAccount + ADUser + ADGroup + ADDefaultDomainPasswordPolicy + ADForest + ADDirectoryServer + ADDomainController +``` + +### Active Directory Module Classes + +The following listing shows every Active Directory module class from the class +hierarchy listing. Each class defines a set of properties, some of which are +LDAP attributes that are retrieved by default and some are new properties +created specifically for the Active Directory module. 
These new properties are +derived from one or more LDAP attributes as outlined in the class listings. + + +- ADEntity - The base level class from which all other classes are derived. + - ADRootDSE - Represents the rootDSE and is derived from ADEntity. An + ADRootDSE may contain the following properties in addition to those + inherited from its parent. + - ConfigurationNamingContext - A property of type System.String, derived + from the directory attribute ConfigurationNamingContext + - CurrentTime - A property of type System.DateTime, derived from the + directory attribute CurrentTime + - DefaultNamingContext - A property of type System.String, derived from the + directory attribute DefaultNamingContext + - DnsHostName - A property of type System.String, derived from the + directory attribute DnsHostName + - DomainControllerFunctionality - A property of type + ADDomainControllerMode, derived from the directory attribute + DomainControllerFunctionality + - DomainFunctionality - A property of type ADDomainMode, derived from the + directory attribute DomainFunctionality + - DsServiceName - A property of type System.String, derived from the + directory attribute DsServiceName + - ForestFunctionality - A property of type ADForestMode, derived from the + directory attribute ForestFunctionality + - GlobalCatalogReady - A property of type System.Boolean, derived from the + directory attribute GlobalCatalogReady + - HighestCommittedUSN - A property of type System.Long, derived from the + directory attribute HighestCommittedUSN + - LdapServiceName - A property of type System.String, derived from the + directory attribute LdapServiceName + - NamingContexts - A property of type System.String, derived from the + directory attribute NamingContexts + - RootDomainNamingContext - A property of type System.String, derived from + the directory attribute RootDomainNamingContext + - SchemaNamingContext - A property of type System.String, derived from the + directory attribute 
SchemaNamingContext + - ServerName - A property of type System.String, derived from the directory + attribute ServerName + - SubschemaSubentry - A property of type ADObject, derived from the + directory attribute SubschemaSubentry + - SupportedCapabilities - A property of type ADObjectIdentifier, derived + from the directory attribute SupportedCapabilities + - SupportedControl - A property of type ADObjectIdentifier, derived from + the directory attribute SupportedControl + - SupportedLDAPPolicies - A property of type System.String, derived from + the directory attribute SupportedLDAPPolicies + - SupportedLDAPVersion - A property of type System.Int, derived from the + directory attribute SupportedLDAPVersion + - SupportedRootDSEOperations - A property of type + ADPropertyValueCollection, derived from the directory attribute + SupportedRootDSEOperations + - SupportedSASLMechanisms - A property of type System.String, derived from + the directory attribute SupportedSASLMechanisms + - Syncronized - A property of type System.Boolean, derived from the + directory attribute IsSynchronized. + - ADObject - Represents any object in Active Directory and is derived from + ADEntity. An ADObject may contain the following properties in addition to + those inherited from its parent. 
+ - CanonicalName - A property of type System.String, derived from the + directory attribute: canonicalName + - CN - A property of type System.String, derived from the directory + attribute: cn + - Created - A property of type System.DateTime, derived from the directory + attribute: createTimeStamp + - Deleted - A property of type System.Boolean, derived from the directory + attribute: isDeleted + - Description - A property of type System.String, derived from the + directory attribute: description + - DisplayName - A property of type System.String, derived from the + directory attribute: displayName + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LastKnownParent - A property of type System.String, derived from the + directory attribute: lastKnownParent + - Modified - A property of type System.DateTime, derived from the directory + attribute: modifyTimeStamp + - Name - A property of type System.String, derived from the directory + attribute: name + - ObjectCategory - A property of type System.String, derived from the + directory attribute: objectCategory + - ObjectClass - A property of type System.String, derived from the + directory attribute: objectClass + - ObjectGUID - A property of type System.Guid, derived from the directory + attribute: objectGUID + - ProtectedFromAccidentalDeletion - A property of type System.Boolean, + derived from the directory attributes: nTSecurityDescriptor, + sdRightsEffective, instanceType, isDeleted + - ADFineGrainedPasswordPolicy Represents a fine grained password policy + object; that is, an AD object of type msDS-PasswordSettings in AD DS and + is derived from ADObject. This class is not supported by AD LDS. An + ADFineGrainedPasswordPolicy may contain the following properties in + addition to those inherited from its parent. 
+ - AppliesTo - A property of type System.String, derived from the + directory attribute: msDS-PSOAppliesTo + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: msDS-PasswordComplexityEnabled + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: msDS-LockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: msDS-LockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: msDS-LockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MaximumPasswordAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MinimumPasswordAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: msDS-MinimumPasswordLength + - PasswordHistoryCount - A property of type System.Int32, derived from + the directory attribute: msDS-PasswordHistoryLength + - Precedence - A property of type System.Int32, derived from the + directory attribute: msDS-PasswordSettingsPrecedence + - ReversibleEncryptionEnabled - A property of type System.Boolean, + derived from the directory attribute: + msDS-PasswordReversibleEncryptionEnabled + - ADOptionalFeature Represents an optional feature, an Active Directory + object of type msDS-OptionalFeature, and is derived from ADObject. An + ADOptionalFeaturemay contain the following properties in addition to + those inherited from its parent. 
+ - EnabledScopes - A property of type System.String, derived from the + directory attribute: msDS-EnabledFeatureBL + - FeatureGUID - A property of type System.Guid, derived from the + directory attribute: msDS-OptionalFeatureGUID + - FeatureScope - A property of type System.Int32, derived from the + directory attribute: msDS-OptionalFeatureFlags + - IsDisableable - A property of type System.Boolean, derived from the + directory attribute: msDS-OptionalFeatureFlags + - RequiredDomainMode - A property of type + Microsoft.ActiveDirectory.Management.ADDomainMode, derived from the + directory attribute: msDS-RequiredDomainBehaviorVersion + - RequiredForestMode - A property of type + Microsoft.ActiveDirectory.Management.ADForestMode, derived from the + directory attribute: msDS-RequiredForestBehaviorVersion + - ADOrganizationalUnit Represents an organizationalUnit (OU) object and is + derived from ADObject. An ADOrganizationalUnit may contain the following + properties in addition to those inherited from its parent. + - City - A property of type System.String, derived from the directory + attribute: l + - Country - A property of type System.String, derived from the directory + attribute: c + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: gpLink. This property is not supported on + AD LDS. + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - State - A property of type System.String, derived from the directory + attribute: st + - StreetAddress - A property of type System.String, derived from the + directory attribute: street + - ADPartition - Represents a naming context, Configuration, Schema, Domain + or Application Partition(ND NC) and is derived from ADObject. This class + is not supported by AD LDS. 
An ADPartition may contain the following + properties in addition to those inherited from its parent. + - DeletedObjectsContainer - A property of type System.String, derived + from the directory attribute: DeletedObjectsContainer + - DNSRoot - A property of type System.String, derived from the directory + attribute: DNSRoot + - LostAndFoundContainer - A property of type System.String, derived from + the directory attribute: LostAndFoundContainer + - QuotasContainer - A property of type System.String, derived from the + directory attribute: QuotasContainer + - ReadOnlyReplicaDirectoryServers - A property of type System.String, + derived from the directory attribute: ReadOnlyReplicaDirectoryServers + - ReplicaDirectoryServers - A property of type System.String, derived + from the directory attribute: ReplicaDirectoryServers + - SubordinateReferences - A property of type System.String, derived from + the directory attribute: SubordinateReferences + - ADDomain - Represents a domain in AD DS or an instance in AD LDS; for + example, an Active Directory object of type domainDNS and is derived + from ADPartition. This class is not supported by AD LDS. An ADDomain + may contain the following properties in addition to those inherited + from its parent. 
+ - AllowedDNSSuffixes - A property of type System.String, derived from + the directory attribute: msDS-AllowedDNSSuffixes + - ChildDomains - A property of type System.String, derived from the + directory attribute: ChildDomains + - ComputersContainer - A property of type System.String, derived from + the directory attribute: ComputersContainer + - DomainControllersContainer - A property of type System.String, + derived from the directory attribute: DomainControllersContainer + - DomainMode - A property of type System.Int32, derived from the + directory attribute: msDS-Behavior-Version + - DomainSID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - ForeignSecurityPrincipalsContainer - A property of type + System.String, derived from the directory attribute: + ForeignSecurityPrincipalsContainer + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - InfrastructureMaster - A property of type System.String, derived from + the directory attribute: InfrastructureMaster + - LastLogonReplicationInterval - A property of type System.TimeSpan, + derived from the directory attribute: msDS-LogonTimeSyncInterval + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: LinkedGroupPolicyObjects + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - NetBIOSName - A property of type System.String, derived from the + directory attribute: NetBIOSName + - ParentDomain - A property of type System.String, derived from the + directory attribute: ParentDomain + - PDCEmulator - A property of type System.String, derived from the + directory attribute: PDCEmulator + - RIDMaster - A property of type System.String, derived from the + directory attribute: RIDMaster + - SystemsContainer - A property of type System.String, derived from the + directory attribute: SystemsContainer + - 
UsersContainer - A property of type System.String, derived from the + directory attribute: UsersContainer + - ADPrincipal - Represents a security principal, which is an Active + Directory object of type user, computer, group or iNetOrgPerson and is + derived from ADObject. An ADPrincipal may contain the following + properties in addition to those inherited from its parent. + - HomePage - A property of type System.String, derived from the + directory attribute: wWWHomePage + - MemberOf - A property of type System.String, derived from the + directory attribute: memberOf + - SamAccountName - A property of type System.String, derived from the + directory attribute: sAMAccountName. This property is not supported + for AD LDS. + - SID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - SIDHistory - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: sIDHistory. This property is not supported for + AD LDS. + - ADAccount - Represents a security account; that is, an Active + Directory object of type user, computer or iNetOrgPerson and is + derived from ADPrincipal. An ADAccount may contain the following + properties in addition to those inherited from its parent. + - AccountExpirationDate - A property of type System.DateTime, derived + from the directory attribute: accountExpires + - AccountLockoutTime - A property of type System.DateTime, derived + from the directory attribute: lockoutTime + - AccountNotDelegated - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - AllowReversiblePasswordEncryption - A property of type + System.Boolean, for AD DS it is derived from the directory + attribute: userAccountControl; for AD LDS it is derived from the + directory attribute: ms-DS-UserEncryptedTextPasswordAllowed + - BadLogonCount - A property of type System.Int32, derived from the + directory attribute: badPwdCount + - CannotChangePassword - A property of type System.Boolean, derived + from the directory attribute: nTSecurityDescriptor + - Certificates - A property of type + System.Security.Cryptography.X509Certificates.X509Certificate, + derived from the directory attribute: userCertificate + - DoesNotRequirePreAuth - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - Enabled - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserAccountDisabled + - HomedirRequired - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - LastBadPasswordAttempt - A property of type System.DateTime, + derived from the directory attribute: badPasswordTime + - LastLogonDate - A property of type System.DateTime, derived from + the directory attribute: lastLogonTimestamp + - LockedOut - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed, lockoutTime; for AD LDS it is + derived from the directory attribute msDS-UserAccountDisabled + - MNSLogonAccount - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - PasswordExpired - A property of type System.Boolean, for AD DS it + is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserPasswordExpired + - PasswordLastSet - A property of type System.DateTime, derived from + the directory attribute: pwdLastSet + - PasswordNeverExpires - A property of type System.Boolean, for AD + LDS it is derived from the directory attributes: + userAccountControl, msDS-User-Account-Control-Computed; for AD LDS + it is derived from the directory attribute: + msDS-UserDontExpirePassword + - PasswordNotRequired - A property of type System.Boolean, for AD DS + it is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute: ms-DS-UserPasswordNotRequired + - PrimaryGroup - A property of type System.String, derived from the + directory attributes: primaryGroupID, objectSid. This property is + not supported by AD LDS. + - ServicePrincipalNames - A property of type System.String, derived + from the directory attribute: servicePrincipalName. This property + is not supported by AD LDS. + - TrustedForDelegation - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - TrustedToAuthForDelegation - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - UseDESKeyOnly - A property of type System.Boolean, derived from the + directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - UserPrincipalName - A property of type System.String, derived from + the directory attribute: userPrincipalName + - ADComputer - Represents a computer and is derived from ADAccount. + An ADComputer may contain the following properties in addition to + those inherited from its parent. + - DNSHostName - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv4Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - Location - A property of type System.String, derived from the + directory attribute: location + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - OperatingSystem - A property of type System.String, derived from + the directory attribute: operatingSystem + - OperatingSystemHotfix - A property of type System.String, derived + from the directory attribute: operatingSystemHotfix + - OperatingSystemServicePack - A property of type System.String, + derived from the directory attribute: operatingSystemServicePack + - OperatingSystemVersion - A property of type System.String, + derived from the directory attribute: operatingSystemVersion + - ServiceAccount - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccount + - ADServiceAccount - Represents a managed service account; that is, + an Active Directory object of type msDS-ManagerdServiceAccount and + is derived from ADAccount. This class is not supported by AD LDS. + An ADServiceAccount may contain the following properties in + addition to those inherited from its parent. + - HostComputers - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccountBL + - ADUser - Represents a user (or iNetOrgPerson) and is derived from + ADAccount. 
An ADUser may contain the following properties in + addition to those inherited from its parent. + - City - A property of type System.String, derived from the + directory attribute: l + - Company - A property of type System.String, derived from the + directory attribute: company + - Country - A property of type System.String, derived from the + directory attribute: c + - Department - A property of type System.String, derived from the + directory attribute: department + - Division - A property of type System.String, derived from the + directory attribute: division + - EmailAddress - A property of type System.String, derived from the + directory attribute: mail + - EmployeeID - A property of type System.String, derived from the + directory attribute: employeeID + - EmployeeNumber - A property of type System.String, derived from + the directory attribute: employeeNumber + - Fax - A property of type System.String, derived from the + directory attribute: facsimileTelephoneNumber + - GivenName - A property of type System.String, derived from the + directory attribute: givenName + - HomeDirectory - A property of type System.String, derived from + the directory attribute: homeDirectory. This property is not + supported by AD LDS. + - HomeDrive - A property of type System.String, derived from the + directory attribute: homeDrive. This property is not supported by + AD LDS. + - HomePhone - A property of type System.String, derived from the + directory attribute: homePhone + - Initials - A property of type System.String, derived from the + directory attribute: initials + - LogonWorkstations - A property of type System.String, derived + from the directory attribute: userWorkstations. This property is + not supported by AD LDS. 
+ - Manager - A property of type System.String, derived from the + directory attribute: manager + - MobilePhone - A property of type System.String, derived from the + directory attribute: mobile + - Office - A property of type System.String, derived from the + directory attribute: physicalDeliveryOfficeName + - OfficePhone - A property of type System.String, derived from the + directory attribute: telephoneNumber + - Organization - A property of type System.String, derived from the + directory attribute: o + - OtherName - A property of type System.String, derived from the + directory attribute: middleName + - POBox - A property of type System.String, derived from the + directory attribute: postOfficeBox + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - ProfilePath - A property of type System.String, derived from the + directory attribute: profilePath. This property is not supported + by AD LDS. + - ScriptPath - A property of type System.String, derived from the + directory attribute: scriptPath. This property is not supported + by AD LDS. + - SmartcardLogonRequired - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not + supported by AD LDS. + - State - A property of type System.String, derived from the + directory attribute: st + - StreetAddress - A property of type System.String, derived from + the directory attribute: streetAddress + - Surname - A property of type System.String, derived from the + directory attribute: sn + - Title - A property of type System.String, derived from the + directory attribute: title + - ADGroup -Represents a group and is derived from ADPrincipal. An + ADGroup may contain the following properties in addition to those + inherited from its parent. 
+ - GroupCategory - A property of type + Microsoft.ActiveDirectory.Management.ADGroupCategory, derived from + the directory attribute: groupType + - GroupScope - A property of type + Microsoft.ActiveDirectory.Management.ADGroupScope, derived from the + directory attribute: groupType + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - Members - A property of type System.String, derived from the + directory attribute: member + - ADDefaultDomainPasswordPolicy - Represents the domain-wide password policy + of an Active Directory domain and is derived from ADEntity. This class is + not supported by AD LDS. An ADDefaultDomainPasswordPolicy may contain the + following properties in addition to those inherited from its parent. + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: pwdProperties + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: lockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: lockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: lockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: maxPwdAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: minPwdAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: minPwdLength + - PasswordHistoryCount - A property of type System.Int32, derived from the + directory attribute: pwdHistoryLength + - ReversibleEncryptionEnabled - A property of type System.Boolean, derived + from the directory attribute: pwdProperties + - ADForest - Represents a Active Directory forest in AD DS or a 
Configuration + Set in AD LDS and is derived from ADEntity. This class is not supported by + AD LDS. An ADForest may contain the following properties in addition to + those inherited from its parent. + - ApplicationPartitions - A property of type System.String, derived from + the directory attribute: ApplicationPartitions + - CrossForestReferences - A property of type System.String, derived from + the directory attribute: CrossForestReferences + - DomainNamingMaster - A property of type System.String, derived from the + directory attribute: DomainNamingMaster + - Domains - A property of type System.String, derived from the directory + attribute: Domains + - ForestMode - A property of type System.Int32, derived from the directory + attribute: msDS-Behavior-Version + - GlobalCatalogs - A property of type System.String, derived from the + directory attribute: GlobalCatalogs + - Name - A property of type System.String, derived from the directory + attribute: name + - PartitionContainerName - A property of type System.String, derived from + the directory attribute: distinguishedName + - RootDomain - A property of type System.String, derived from the directory + attribute: RootDomain + - SchemaMaster - A property of type System.String, derived from the + directory attribute: SchemaMaster + - Sites - A property of type System.String, derived from the directory + attribute: Sites + - SPNSuffixes - A property of type System.String, derived from the + directory attribute: msDS-SPNSuffixes + - UPNSuffixes - A property of type System.String, derived from the + directory attribute: uPNSuffixes + - ADDirectoryServer - Represents a directory server used as either a domain + controller or an AD LDS instance and is derived from ADEntity. An + ADDirectoryServer may contain the following properties in addition to those + inherited from its parent. 
+ - DefaultPartition - A property of type System.String, derived from the + directory attribute: DefaultPartition + - HostName - A property of type System.String, derived from the directory + attribute: HostName + - InvocationId - A property of type System.Guid, derived from the directory + attribute: InvocationId + - IPv4Address - A property of type System.String, derived from the + directory attribute: HostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: HostName + - LdapPort - A property of type System.Int32, derived from the directory + attribute: LdapPort + - Name - A property of type System.String, derived from the directory + attribute: Name + - NTDSSettingsObjectDN - A property of type System.String, derived from the + directory attribute: NTDSSettingsObjectDN + - OperationMasterRoles - A property of type + Microsoft.ActiveDirectory.Management.ADOperationMasterRole, derived from + the directory attribute: OperationMasterRole + - Partitions - A property of type System.String, derived from the directory + attribute: Partitions + - ServerObjectDN - A property of type System.String, derived from the + directory attribute: ServerObjectDN + - ServerObjectGuid - A property of type System.Guid, derived from the + directory attribute: ServerObjectGuid + - Site - A property of type System.String, derived from the directory + attribute: Site + - SslPort - A property of type System.Int32, derived from the directory + attribute: SslPort + - ADDomainController - Represents a domain controller in AD DS and is + derived from ADDirectoryServer. An ADDomainController may contain the + following properties in addition to those inherited from its parent. 
+ - ComputerObjectDN - A property of type System.String, derived from the + directory attribute: ComputerDN + - Domain - A property of type System.String, derived from the directory + attribute: Domain + - Enabled - A property of type System.Boolean, derived from the directory + attribute: Enabled + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - IsGlobalCatalog - A property of type System.Boolean, derived from the + directory attribute: IsGlobalCatalog + - IsReadOnly - A property of type System.Boolean, derived from the + directory attribute: IsReadOnly + - OperatingSystem - A property of type System.String, derived from the + directory attribute: OSName + - OperatingSystemHotfix - A property of type System.String, derived from + the directory attribute: OSHotFix + - OperatingSystemServicePack - A property of type System.String, derived + from the directory attribute: OSServicepack + - OperatingSystemVersion - A property of type System.String, derived from + the directory attribute: OSVersion diff --git a/docset/winserver2012r2-ps/activedirectory/About/About.md b/docset/winserver2012r2-ps/activedirectory/About/About.md index adc76085b9..449df28850 100644 --- a/docset/winserver2012r2-ps/activedirectory/About/About.md +++ b/docset/winserver2012r2-ps/activedirectory/About/About.md @@ -2,7 +2,7 @@ description: About articles for the ActiveDirectory module. Help Version: 3.1.0.0 Locale: en-US -ms.date: 04/22/2013 +ms.date: 07/03/2024 title: About articles --- # About topics 
@@ -13,5 +13,14 @@ About topics cover a range of concepts about PowerShell. ## About Topics +### [about_ActiveDirectory](about_ActiveDirectory.md) +The Active Directory module is a command line interface for managing Active Directory. + ### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. + +### [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md) +The Active Directory module for Windows PowerShell objects have a range of identifying attributes that are used for search and retrieval. + +### [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md) +Describes the object model of the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory.md b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory.md new file mode 100644 index 0000000000..1b7183dcd2 --- /dev/null +++ b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory.md 
@@ -0,0 +1,81 @@ +--- +title: about_ActiveDirectory +ms.date: 04/22/2013 +description: The Active Directory module is a command line interface for managing Active Directory. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory + +## SHORT DESCRIPTION + +The Active Directory module is a command line interface for managing Active +Directory. + +## LONG DESCRIPTION + +The Active Directory module for Windows PowerShell is for IT Professionals who +are administering and interfacing with Active Directory. The Active Directory +module provides an efficient way to complete many administrative, +configuration, and diagnostic tasks across Active Directory Domain Services (AD +DS) and Active Directory Lightweight Directory Services (AD LDS) instances in +their environments. The Active Directory module includes a set of Windows +PowerShell cmdlets and a provider. The provider exposes the Active Directory +database through a hierarchical navigation system, which is very similar to the +file system. As with drives in a file system, such as C:, you can connect +Windows PowerShell drives to Active Directory domains and AD LDS, as well as +Active Directory snapshots. + +### Coverage of Active Directory Module Cmdlets + +Create, Read, Update, and Delete actions are supported for Active Directory +objects by cmdlets such as `New-ADUser`, `Get-ADOrganizationalUnit`, +`Set-ADComputer`, and `Remove-ADUser`. + +Account and Password Policy Management are supported by cmdlets such as +`Enable-ADAccount`, `Unlock-ADAccount`, `New-ADServiceAccount`, +`Set-ADAccountControl`, and `Remove-ADFineGrainedPasswordPolicy`. + +Domain and Forest Management is supported by cmdlets such as `Get-ADForest`, +`Set-ADForest`, `Set-ADForestMode`, `Enable-ADOptionalFeature`, +`Get-ADDomainController`, and `Get-ADDomain`. 
+ +### Listing the Active Directory Module Cmdlets + +To get a list of all of the Active Directory module cmdlets, run + +```powershell +Get-Command -Module ActiveDirectory +``` + +### Getting Started + +Getting started with the Active Directory module for Windows PowerShell is as +easy as clicking the following shortcut: + +Run the following command in any Windows PowerShell prompt to import the Active +Directory module: + +```powershell +Import-Module ActiveDirectory +``` + +### Overview and Conceptual Topics + +The first two of these topics offer a high level overview of the Active +Directory module and the Active Directory Provider. + +- For a brief introduction to the Active Directory provider for Windows + PowerShell, see [ActiveDirectory](/powershell/module/activedirectory). +- The following topics are conceptual support topics for the Active Directory + module cmdlets. + - For an introduction to the **Identity** parameter, which is used by the + Active Directory module cmdlets to identify objects in the directory, see + [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md). + - For an introduction to the **Filter** parameter which is used by Active + Directory module cmdlets to search for objects in the directory, see + [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md). + - For an introduction to the .NET Framework-based object model implemented by + the Active Directory module, see + [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). diff --git a/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Identity.md b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Identity.md new file mode 100644 index 0000000000..c007277b19 --- /dev/null +++ b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Identity.md 
@@ -0,0 +1,196 @@ +--- +title: about_ActiveDirectory_Identity +ms.date: 04/22/2013 +description: This article lists the identifying attributes that are used for search and retrieval supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Identity + +## SHORT DESCRIPTION + +The Active Directory module for Windows PowerShell objects have a range of +identifying attributes that are used for search and retrieval. + +## LONG DESCRIPTION + +In order to identify the objects in Active Directory, each object has +attributes that can be used as identifiers. In the Active Directory module, the +value of the identity of an object can be passed using the Identity parameter. +Each object type has its own set of possible types and values for use by the +Identity parameter. See the detailed description of the Identity parameter of +the given cmdlet for more information about its usage. + +When searching with the Active Directory module cmdlets, the value of the +Identity parameter, along with the values of the Server and Partition +parameters, is used to uniquely identify a single object. The Server parameter +is used to locate which server to connect with. The Partition parameter further +narrows the search to a specific partition. The Identity parameter then +resolves to a single unique object in the partition. + +Note that using the Security Accounts Manager (SAM) Account Name +(**sAMAccountName**) when targeting a global catalog port, you will not find a +user in a different domain if you are using the Identity parameter + +If more than one object is found using identity resolution, the Active +Directory module throws an error. 
+ +For more information about the Server and Partition parameters, see the help +topics for the individual cmdlets where they are used, such as `Get-ADUser`, by +typing: + +```powershell +Get-Help Get-ADUser +``` + +### Objects and Identities + +Each object has a list of attributes that can be used as an identity for that +object. Additionally, if the object inherits from another object, then the +parent object's identities can also be used as the child object's identities. +For more information on the Active Directory object hierarchy, see +[about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). + +> [!NOTE] +> For Active Directory Provider cmdlets, only an object's 'Distinguished Name' +> or 'Relative Distinguished Name' can be used as the identity. For a list of +> Active Directory Provider cmdlets, see ActiveDirectory. + +### Identity Attributes + +The following is a list of identity attributes by object type. + +- ADAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADComputer + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager Account Name (sAMAccountName) + +- ADDirectoryServer + - Name of the server object (name) + - For AD LDS instances the syntax of a name is `$` + - For other Active Directory instances, use the value of the name property. + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the directory + server. + - GUID (objectGUID) of server object under the configuration partition. 
+ - GUID (objectGUID) of NTDS settings object under the configuration partition + +- ADDomain + - Distinguished Name + - GUID + - Security Identifier + - DNS domain name + - NetBIOS domain name + +- ADDomainController + - GUID (objectGUID) + - IPV4Address + - Global IPV6Address + - DNS Host Name (dNSHostName) + - Name of the server object + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the domain controller + - GUID of NTDS settings object under the configuration partition + - GUID of server object under the configuration partition + - Distinguished Name of the computer object that represents the domain controller. + +- ADFineGrainedPasswordPolicy + - Distinguished Name + - GUID (objectGUID) + - Name (name) + +- ADForest + - Fully qualified domain name + - DNS host name + - NetBIOS name + +- ADGroup + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager (SAM) Account Name (sAMAccountName) + +- ADObject + - Distinguished Name + - GUID (objectGUID) + +- ADOptionalFeature + - Distinguished Name + - Name (name) + - Feature GUID (featureGUID) + - GUID (objectGUID) + +- ADOrganizationalUnit + - Distinguished Name + - GUID (objectGUID) + +- ADPrincipal + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADServiceAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADUser + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM User Name (sAMUserName) + + +### Identities Formats + +Active Directory module objects have a range of identity attributes. Below is a +list of these, their types and formats. 
+ +- Distinguished Name + - Example: CN=SaraDavis,CN=Europe,CN=Users, DC=corp,DC=contoso,DC=com + +- DNS domain name + - Example: redmond.corp.contoso.com + +- DNS Host Name (dNSHostName) + - Example: corp-DC01.corp.contoso.com + +- Feature GUID (featureGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- Fully qualified domain name + - Example: corp.contoso.com + +- Global IPV6Address + - Example: 2001:4898:0:fff:200:5efe:157.59.132.61 + +- GUID (objectGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- IPV4Address + - Example:157.59.132.61 + +- NetBIOS domain name + - Example: redmond + +- Name of the server object + - Example: corp-DC01$ + +- SAM Account Name (sAMAccountName) + - Example: saradavisreports + +- Security Identifier (objectSid) + - Example: S-1-5-21-3165297888-301567370-576410423-1103 + +- Name + - Example: Recycle Bin Feature diff --git a/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md new file mode 100644 index 0000000000..8535a97464 --- /dev/null +++ b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md 
@@ -0,0 +1,595 @@ +--- +title: about_ActiveDirectory_ObjectModel +ms.date: 04/22/2013 +description: Describes the object model of the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_ObjectModel + +## SHORT DESCRIPTION +Describes the object model of the Active Directory module for Windows +PowerShell. + +## LONG DESCRIPTION + +This topic explains the Active Directory module classes and their properties +used to model actual Active Directory attributes. It also outlines the class +hierarchy constructed from its Active Directory counterpart. The object model +establishes a data foundation for all the operations supported by Active +Directory module cmdlets. + +### Class Hierarchy + +The following list shows the class hierarchy defined in the Active Directory +module object model, with class inheritance implied by indentation. This +inheritance model allows for Active Directory cmdlets to accept a range of +object types as input. This means, for example, that the cmdlet +Get-ADPrincipalGroupMembership can accept as input any of the following +objects: ADGroup, ADAccount, ADComputer, ADServiceAccount or ADUser. This works +because of the inheritance model and guarantees that an ADUser object has all +of the properties of an ADPrincipal object. + +``` +ADEntity + ADRootDSE + ADObject + ADFineGrainedPasswordPolicy + ADOptionalFeature + ADOrganizationalUnit + ADPartition + ADDomain + ADPrincipal + ADAccount + ADComputer + ADServiceAccount + ADUser + ADGroup + ADDefaultDomainPasswordPolicy + ADForest + ADDirectoryServer + ADDomainController +``` + +### Active Directory Module Classes + +The following listing shows every Active Directory module class from the class +hierarchy listing. Each class defines a set of properties, some of which are +LDAP attributes that are retrieved by default and some are new properties +created specifically for the Active Directory module. 
These new properties are +derived from one or more LDAP attributes as outlined in the class listings. + + +- ADEntity - The base level class from which all other classes are derived. + - ADRootDSE - Represents the rootDSE and is derived from ADEntity. An + ADRootDSE may contain the following properties in addition to those + inherited from its parent. + - ConfigurationNamingContext - A property of type System.String, derived + from the directory attribute ConfigurationNamingContext + - CurrentTime - A property of type System.DateTime, derived from the + directory attribute CurrentTime + - DefaultNamingContext - A property of type System.String, derived from the + directory attribute DefaultNamingContext + - DnsHostName - A property of type System.String, derived from the + directory attribute DnsHostName + - DomainControllerFunctionality - A property of type + ADDomainControllerMode, derived from the directory attribute + DomainControllerFunctionality + - DomainFunctionality - A property of type ADDomainMode, derived from the + directory attribute DomainFunctionality + - DsServiceName - A property of type System.String, derived from the + directory attribute DsServiceName + - ForestFunctionality - A property of type ADForestMode, derived from the + directory attribute ForestFunctionality + - GlobalCatalogReady - A property of type System.Boolean, derived from the + directory attribute GlobalCatalogReady + - HighestCommittedUSN - A property of type System.Long, derived from the + directory attribute HighestCommittedUSN + - LdapServiceName - A property of type System.String, derived from the + directory attribute LdapServiceName + - NamingContexts - A property of type System.String, derived from the + directory attribute NamingContexts + - RootDomainNamingContext - A property of type System.String, derived from + the directory attribute RootDomainNamingContext + - SchemaNamingContext - A property of type System.String, derived from the + directory attribute 
SchemaNamingContext + - ServerName - A property of type System.String, derived from the directory + attribute ServerName + - SubschemaSubentry - A property of type ADObject, derived from the + directory attribute SubschemaSubentry + - SupportedCapabilities - A property of type ADObjectIdentifier, derived + from the directory attribute SupportedCapabilities + - SupportedControl - A property of type ADObjectIdentifier, derived from + the directory attribute SupportedControl + - SupportedLDAPPolicies - A property of type System.String, derived from + the directory attribute SupportedLDAPPolicies + - SupportedLDAPVersion - A property of type System.Int, derived from the + directory attribute SupportedLDAPVersion + - SupportedRootDSEOperations - A property of type + ADPropertyValueCollection, derived from the directory attribute + SupportedRootDSEOperations + - SupportedSASLMechanisms - A property of type System.String, derived from + the directory attribute SupportedSASLMechanisms + - Syncronized - A property of type System.Boolean, derived from the + directory attribute IsSynchronized. + - ADObject - Represents any object in Active Directory and is derived from + ADEntity. An ADObject may contain the following properties in addition to + those inherited from its parent. 
+ - CanonicalName - A property of type System.String, derived from the + directory attribute: canonicalName + - CN - A property of type System.String, derived from the directory + attribute: cn + - Created - A property of type System.DateTime, derived from the directory + attribute: createTimeStamp + - Deleted - A property of type System.Boolean, derived from the directory + attribute: isDeleted + - Description - A property of type System.String, derived from the + directory attribute: description + - DisplayName - A property of type System.String, derived from the + directory attribute: displayName + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LastKnownParent - A property of type System.String, derived from the + directory attribute: lastKnownParent + - Modified - A property of type System.DateTime, derived from the directory + attribute: modifyTimeStamp + - Name - A property of type System.String, derived from the directory + attribute: name + - ObjectCategory - A property of type System.String, derived from the + directory attribute: objectCategory + - ObjectClass - A property of type System.String, derived from the + directory attribute: objectClass + - ObjectGUID - A property of type System.Guid, derived from the directory + attribute: objectGUID + - ProtectedFromAccidentalDeletion - A property of type System.Boolean, + derived from the directory attributes: nTSecurityDescriptor, + sdRightsEffective, instanceType, isDeleted + - ADFineGrainedPasswordPolicy Represents a fine grained password policy + object; that is, an AD object of type msDS-PasswordSettings in AD DS and + is derived from ADObject. This class is not supported by AD LDS. An + ADFineGrainedPasswordPolicy may contain the following properties in + addition to those inherited from its parent. 
+ - AppliesTo - A property of type System.String, derived from the + directory attribute: msDS-PSOAppliesTo + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: msDS-PasswordComplexityEnabled + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: msDS-LockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: msDS-LockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: msDS-LockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MaximumPasswordAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MinimumPasswordAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: msDS-MinimumPasswordLength + - PasswordHistoryCount - A property of type System.Int32, derived from + the directory attribute: msDS-PasswordHistoryLength + - Precedence - A property of type System.Int32, derived from the + directory attribute: msDS-PasswordSettingsPrecedence + - ReversibleEncryptionEnabled - A property of type System.Boolean, + derived from the directory attribute: + msDS-PasswordReversibleEncryptionEnabled + - ADOptionalFeature Represents an optional feature, an Active Directory + object of type msDS-OptionalFeature, and is derived from ADObject. An + ADOptionalFeaturemay contain the following properties in addition to + those inherited from its parent. 
+ - EnabledScopes - A property of type System.String, derived from the + directory attribute: msDS-EnabledFeatureBL + - FeatureGUID - A property of type System.Guid, derived from the + directory attribute: msDS-OptionalFeatureGUID + - FeatureScope - A property of type System.Int32, derived from the + directory attribute: msDS-OptionalFeatureFlags + - IsDisableable - A property of type System.Boolean, derived from the + directory attribute: msDS-OptionalFeatureFlags + - RequiredDomainMode - A property of type + Microsoft.ActiveDirectory.Management.ADDomainMode, derived from the + directory attribute: msDS-RequiredDomainBehaviorVersion + - RequiredForestMode - A property of type + Microsoft.ActiveDirectory.Management.ADForestMode, derived from the + directory attribute: msDS-RequiredForestBehaviorVersion + - ADOrganizationalUnit Represents an organizationalUnit (OU) object and is + derived from ADObject. An ADOrganizationalUnit may contain the following + properties in addition to those inherited from its parent. + - City - A property of type System.String, derived from the directory + attribute: l + - Country - A property of type System.String, derived from the directory + attribute: c + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: gpLink. This property is not supported on + AD LDS. + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - State - A property of type System.String, derived from the directory + attribute: st + - StreetAddress - A property of type System.String, derived from the + directory attribute: street + - ADPartition - Represents a naming context, Configuration, Schema, Domain + or Application Partition(ND NC) and is derived from ADObject. This class + is not supported by AD LDS. 
An ADPartition may contain the following + properties in addition to those inherited from its parent. + - DeletedObjectsContainer - A property of type System.String, derived + from the directory attribute: DeletedObjectsContainer + - DNSRoot - A property of type System.String, derived from the directory + attribute: DNSRoot + - LostAndFoundContainer - A property of type System.String, derived from + the directory attribute: LostAndFoundContainer + - QuotasContainer - A property of type System.String, derived from the + directory attribute: QuotasContainer + - ReadOnlyReplicaDirectoryServers - A property of type System.String, + derived from the directory attribute: ReadOnlyReplicaDirectoryServers + - ReplicaDirectoryServers - A property of type System.String, derived + from the directory attribute: ReplicaDirectoryServers + - SubordinateReferences - A property of type System.String, derived from + the directory attribute: SubordinateReferences + - ADDomain - Represents a domain in AD DS or an instance in AD LDS; for + example, an Active Directory object of type domainDNS and is derived + from ADPartition. This class is not supported by AD LDS. An ADDomain + may contain the following properties in addition to those inherited + from its parent. 
+ - AllowedDNSSuffixes - A property of type System.String, derived from + the directory attribute: msDS-AllowedDNSSuffixes + - ChildDomains - A property of type System.String, derived from the + directory attribute: ChildDomains + - ComputersContainer - A property of type System.String, derived from + the directory attribute: ComputersContainer + - DomainControllersContainer - A property of type System.String, + derived from the directory attribute: DomainControllersContainer + - DomainMode - A property of type System.Int32, derived from the + directory attribute: msDS-Behavior-Version + - DomainSID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - ForeignSecurityPrincipalsContainer - A property of type + System.String, derived from the directory attribute: + ForeignSecurityPrincipalsContainer + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - InfrastructureMaster - A property of type System.String, derived from + the directory attribute: InfrastructureMaster + - LastLogonReplicationInterval - A property of type System.TimeSpan, + derived from the directory attribute: msDS-LogonTimeSyncInterval + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: LinkedGroupPolicyObjects + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - NetBIOSName - A property of type System.String, derived from the + directory attribute: NetBIOSName + - ParentDomain - A property of type System.String, derived from the + directory attribute: ParentDomain + - PDCEmulator - A property of type System.String, derived from the + directory attribute: PDCEmulator + - RIDMaster - A property of type System.String, derived from the + directory attribute: RIDMaster + - SystemsContainer - A property of type System.String, derived from the + directory attribute: SystemsContainer + - 
UsersContainer - A property of type System.String, derived from the + directory attribute: UsersContainer + - ADPrincipal - Represents a security principal, which is an Active + Directory object of type user, computer, group or iNetOrgPerson and is + derived from ADObject. An ADPrincipal may contain the following + properties in addition to those inherited from its parent. + - HomePage - A property of type System.String, derived from the + directory attribute: wWWHomePage + - MemberOf - A property of type System.String, derived from the + directory attribute: memberOf + - SamAccountName - A property of type System.String, derived from the + directory attribute: sAMAccountName. This property is not supported + for AD LDS. + - SID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - SIDHistory - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: sIDHistory. This property is not supported for + AD LDS. + - ADAccount - Represents a security account; that is, an Active + Directory object of type user, computer or iNetOrgPerson and is + derived from ADPrincipal. An ADAccount may contain the following + properties in addition to those inherited from its parent. + - AccountExpirationDate - A property of type System.DateTime, derived + from the directory attribute: accountExpires + - AccountLockoutTime - A property of type System.DateTime, derived + from the directory attribute: lockoutTime + - AccountNotDelegated - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - AllowReversiblePasswordEncryption - A property of type + System.Boolean, for AD DS it is derived from the directory + attribute: userAccountControl; for AD LDS it is derived from the + directory attribute: ms-DS-UserEncryptedTextPasswordAllowed + - BadLogonCount - A property of type System.Int32, derived from the + directory attribute: badPwdCount + - CannotChangePassword - A property of type System.Boolean, derived + from the directory attribute: nTSecurityDescriptor + - Certificates - A property of type + System.Security.Cryptography.X509Certificates.X509Certificate, + derived from the directory attribute: userCertificate + - DoesNotRequirePreAuth - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - Enabled - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserAccountDisabled + - HomedirRequired - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - LastBadPasswordAttempt - A property of type System.DateTime, + derived from the directory attribute: badPasswordTime + - LastLogonDate - A property of type System.DateTime, derived from + the directory attribute: lastLogonTimestamp + - LockedOut - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed, lockoutTime; for AD LDS it is + derived from the directory attribute msDS-UserAccountDisabled + - MNSLogonAccount - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - PasswordExpired - A property of type System.Boolean, for AD DS it + is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserPasswordExpired + - PasswordLastSet - A property of type System.DateTime, derived from + the directory attribute: pwdLastSet + - PasswordNeverExpires - A property of type System.Boolean, for AD + LDS it is derived from the directory attributes: + userAccountControl, msDS-User-Account-Control-Computed; for AD LDS + it is derived from the directory attribute: + msDS-UserDontExpirePassword + - PasswordNotRequired - A property of type System.Boolean, for AD DS + it is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute: ms-DS-UserPasswordNotRequired + - PrimaryGroup - A property of type System.String, derived from the + directory attributes: primaryGroupID, objectSid. This property is + not supported by AD LDS. + - ServicePrincipalNames - A property of type System.String, derived + from the directory attribute: servicePrincipalName. This property + is not supported by AD LDS. + - TrustedForDelegation - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - TrustedToAuthForDelegation - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - UseDESKeyOnly - A property of type System.Boolean, derived from the + directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - UserPrincipalName - A property of type System.String, derived from + the directory attribute: userPrincipalName + - ADComputer - Represents a computer and is derived from ADAccount. + An ADComputer may contain the following properties in addition to + those inherited from its parent. + - DNSHostName - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv4Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - Location - A property of type System.String, derived from the + directory attribute: location + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - OperatingSystem - A property of type System.String, derived from + the directory attribute: operatingSystem + - OperatingSystemHotfix - A property of type System.String, derived + from the directory attribute: operatingSystemHotfix + - OperatingSystemServicePack - A property of type System.String, + derived from the directory attribute: operatingSystemServicePack + - OperatingSystemVersion - A property of type System.String, + derived from the directory attribute: operatingSystemVersion + - ServiceAccount - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccount + - ADServiceAccount - Represents a managed service account; that is, + an Active Directory object of type msDS-ManagerdServiceAccount and + is derived from ADAccount. This class is not supported by AD LDS. + An ADServiceAccount may contain the following properties in + addition to those inherited from its parent. + - HostComputers - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccountBL + - ADUser - Represents a user (or iNetOrgPerson) and is derived from + ADAccount. 
An ADUser may contain the following properties in + addition to those inherited from its parent. + - City - A property of type System.String, derived from the + directory attribute: l + - Company - A property of type System.String, derived from the + directory attribute: company + - Country - A property of type System.String, derived from the + directory attribute: c + - Department - A property of type System.String, derived from the + directory attribute: department + - Division - A property of type System.String, derived from the + directory attribute: division + - EmailAddress - A property of type System.String, derived from the + directory attribute: mail + - EmployeeID - A property of type System.String, derived from the + directory attribute: employeeID + - EmployeeNumber - A property of type System.String, derived from + the directory attribute: employeeNumber + - Fax - A property of type System.String, derived from the + directory attribute: facsimileTelephoneNumber + - GivenName - A property of type System.String, derived from the + directory attribute: givenName + - HomeDirectory - A property of type System.String, derived from + the directory attribute: homeDirectory. This property is not + supported by AD LDS. + - HomeDrive - A property of type System.String, derived from the + directory attribute: homeDrive. This property is not supported by + AD LDS. + - HomePhone - A property of type System.String, derived from the + directory attribute: homePhone + - Initials - A property of type System.String, derived from the + directory attribute: initials + - LogonWorkstations - A property of type System.String, derived + from the directory attribute: userWorkstations. This property is + not supported by AD LDS. 
+ - Manager - A property of type System.String, derived from the + directory attribute: manager + - MobilePhone - A property of type System.String, derived from the + directory attribute: mobile + - Office - A property of type System.String, derived from the + directory attribute: physicalDeliveryOfficeName + - OfficePhone - A property of type System.String, derived from the + directory attribute: telephoneNumber + - Organization - A property of type System.String, derived from the + directory attribute: o + - OtherName - A property of type System.String, derived from the + directory attribute: middleName + - POBox - A property of type System.String, derived from the + directory attribute: postOfficeBox + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - ProfilePath - A property of type System.String, derived from the + directory attribute: profilePath. This property is not supported + by AD LDS. + - ScriptPath - A property of type System.String, derived from the + directory attribute: scriptPath. This property is not supported + by AD LDS. + - SmartcardLogonRequired - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not + supported by AD LDS. + - State - A property of type System.String, derived from the + directory attribute: st + - StreetAddress - A property of type System.String, derived from + the directory attribute: streetAddress + - Surname - A property of type System.String, derived from the + directory attribute: sn + - Title - A property of type System.String, derived from the + directory attribute: title + - ADGroup -Represents a group and is derived from ADPrincipal. An + ADGroup may contain the following properties in addition to those + inherited from its parent. 
+ - GroupCategory - A property of type + Microsoft.ActiveDirectory.Management.ADGroupCategory, derived from + the directory attribute: groupType + - GroupScope - A property of type + Microsoft.ActiveDirectory.Management.ADGroupScope, derived from the + directory attribute: groupType + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - Members - A property of type System.String, derived from the + directory attribute: member + - ADDefaultDomainPasswordPolicy - Represents the domain-wide password policy + of an Active Directory domain and is derived from ADEntity. This class is + not supported by AD LDS. An ADDefaultDomainPasswordPolicy may contain the + following properties in addition to those inherited from its parent. + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: pwdProperties + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: lockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: lockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: lockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: maxPwdAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: minPwdAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: minPwdLength + - PasswordHistoryCount - A property of type System.Int32, derived from the + directory attribute: pwdHistoryLength + - ReversibleEncryptionEnabled - A property of type System.Boolean, derived + from the directory attribute: pwdProperties + - ADForest - Represents a Active Directory forest in AD DS or a 
Configuration + Set in AD LDS and is derived from ADEntity. This class is not supported by + AD LDS. An ADForest may contain the following properties in addition to + those inherited from its parent. + - ApplicationPartitions - A property of type System.String, derived from + the directory attribute: ApplicationPartitions + - CrossForestReferences - A property of type System.String, derived from + the directory attribute: CrossForestReferences + - DomainNamingMaster - A property of type System.String, derived from the + directory attribute: DomainNamingMaster + - Domains - A property of type System.String, derived from the directory + attribute: Domains + - ForestMode - A property of type System.Int32, derived from the directory + attribute: msDS-Behavior-Version + - GlobalCatalogs - A property of type System.String, derived from the + directory attribute: GlobalCatalogs + - Name - A property of type System.String, derived from the directory + attribute: name + - PartitionContainerName - A property of type System.String, derived from + the directory attribute: distinguishedName + - RootDomain - A property of type System.String, derived from the directory + attribute: RootDomain + - SchemaMaster - A property of type System.String, derived from the + directory attribute: SchemaMaster + - Sites - A property of type System.String, derived from the directory + attribute: Sites + - SPNSuffixes - A property of type System.String, derived from the + directory attribute: msDS-SPNSuffixes + - UPNSuffixes - A property of type System.String, derived from the + directory attribute: uPNSuffixes + - ADDirectoryServer - Represents a directory server used as either a domain + controller or an AD LDS instance and is derived from ADEntity. An + ADDirectoryServer may contain the following properties in addition to those + inherited from its parent. 
+ - DefaultPartition - A property of type System.String, derived from the + directory attribute: DefaultPartition + - HostName - A property of type System.String, derived from the directory + attribute: HostName + - InvocationId - A property of type System.Guid, derived from the directory + attribute: InvocationId + - IPv4Address - A property of type System.String, derived from the + directory attribute: HostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: HostName + - LdapPort - A property of type System.Int32, derived from the directory + attribute: LdapPort + - Name - A property of type System.String, derived from the directory + attribute: Name + - NTDSSettingsObjectDN - A property of type System.String, derived from the + directory attribute: NTDSSettingsObjectDN + - OperationMasterRoles - A property of type + Microsoft.ActiveDirectory.Management.ADOperationMasterRole, derived from + the directory attribute: OperationMasterRole + - Partitions - A property of type System.String, derived from the directory + attribute: Partitions + - ServerObjectDN - A property of type System.String, derived from the + directory attribute: ServerObjectDN + - ServerObjectGuid - A property of type System.Guid, derived from the + directory attribute: ServerObjectGuid + - Site - A property of type System.String, derived from the directory + attribute: Site + - SslPort - A property of type System.Int32, derived from the directory + attribute: SslPort + - ADDomainController - Represents a domain controller in AD DS and is + derived from ADDirectoryServer. An ADDomainController may contain the + following properties in addition to those inherited from its parent. 
+ - ComputerObjectDN - A property of type System.String, derived from the + directory attribute: ComputerDN + - Domain - A property of type System.String, derived from the directory + attribute: Domain + - Enabled - A property of type System.Boolean, derived from the directory + attribute: Enabled + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - IsGlobalCatalog - A property of type System.Boolean, derived from the + directory attribute: IsGlobalCatalog + - IsReadOnly - A property of type System.Boolean, derived from the + directory attribute: IsReadOnly + - OperatingSystem - A property of type System.String, derived from the + directory attribute: OSName + - OperatingSystemHotfix - A property of type System.String, derived from + the directory attribute: OSHotFix + - OperatingSystemServicePack - A property of type System.String, derived + from the directory attribute: OSServicepack + - OperatingSystemVersion - A property of type System.String, derived from + the directory attribute: OSVersion diff --git a/docset/winserver2016-ps/activedirectory/About/About.md b/docset/winserver2016-ps/activedirectory/About/About.md index adc76085b9..449df28850 100644 --- a/docset/winserver2016-ps/activedirectory/About/About.md +++ b/docset/winserver2016-ps/activedirectory/About/About.md @@ -2,7 +2,7 @@ description: About articles for the ActiveDirectory module. Help Version: 3.1.0.0 Locale: en-US -ms.date: 04/22/2013 +ms.date: 07/03/2024 title: About articles --- # About topics 
@@ -13,5 +13,14 @@ About topics cover a range of concepts about PowerShell. ## About Topics +### [about_ActiveDirectory](about_ActiveDirectory.md) +The Active Directory module is a command line interface for managing Active Directory. + ### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. + +### [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md) +The Active Directory module for Windows PowerShell objects have a range of identifying attributes that are used for search and retrieval. + +### [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md) +Describes the object model of the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory.md b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory.md new file mode 100644 index 0000000000..1b7183dcd2 --- /dev/null +++ b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory.md 
@@ -0,0 +1,81 @@ +--- +title: about_ActiveDirectory +ms.date: 04/22/2013 +description: The Active Directory module is a command line interface for managing Active Directory. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory + +## SHORT DESCRIPTION + +The Active Directory module is a command line interface for managing Active +Directory. + +## LONG DESCRIPTION + +The Active Directory module for Windows PowerShell is for IT Professionals who +are administering and interfacing with Active Directory. The Active Directory +module provides an efficient way to complete many administrative, +configuration, and diagnostic tasks across Active Directory Domain Services (AD +DS) and Active Directory Lightweight Directory Services (AD LDS) instances in +their environments. The Active Directory module includes a set of Windows +PowerShell cmdlets and a provider. The provider exposes the Active Directory +database through a hierarchical navigation system, which is very similar to the +file system. As with drives in a file system, such as C:, you can connect +Windows PowerShell drives to Active Directory domains and AD LDS, as well as +Active Directory snapshots. + +### Coverage of Active Directory Module Cmdlets + +Create, Read, Update, and Delete actions are supported for Active Directory +objects by cmdlets such as `New-ADUser`, `Get-ADOrganizationalUnit`, +`Set-ADComputer`, and `Remove-ADUser`. + +Account and Password Policy Management are supported by cmdlets such as +`Enable-ADAccount`, `Unlock-ADAccount`, `New-ADServiceAccount`, +`Set-ADAccountControl`, and `Remove-ADFineGrainedPasswordPolicy`. + +Domain and Forest Management is supported by cmdlets such as `Get-ADForest`, +`Set-ADForest`, `Set-ADForestMode`, `Enable-ADOptionalFeature`, +`Get-ADDomainController`, and `Get-ADDomain`. 
+ +### Listing the Active Directory Module Cmdlets + +To get a list of all of the Active Directory module cmdlets, run + +```powershell +Get-Command -Module ActiveDirectory +``` + +### Getting Started + +Getting started with the Active Directory module for Windows PowerShell is as +easy as clicking the following shortcut: + +Run the following command in any Windows PowerShell prompt to import the Active +Directory module: + +```powershell +Import-Module ActiveDirectory +``` + +### Overview and Conceptual Topics + +The first two of these topics offer a high level overview of the Active +Directory module and the Active Directory Provider. + +- For a brief introduction to the Active Directory provider for Windows + PowerShell, see [ActiveDirectory](/powershell/module/activedirectory). +- The following topics are conceptual support topics for the Active Directory + module cmdlets. + - For an introduction to the **Identity** parameter, which is used by the + Active Directory module cmdlets to identify objects in the directory, see + [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md). + - For an introduction to the **Filter** parameter which is used by Active + Directory module cmdlets to search for objects in the directory, see + [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md). + - For an introduction to the .NET Framework-based object model implemented by + the Active Directory module, see + [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). diff --git a/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Identity.md b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Identity.md new file mode 100644 index 0000000000..c007277b19 --- /dev/null +++ b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Identity.md 
@@ -0,0 +1,196 @@ +--- +title: about_ActiveDirectory_Identity +ms.date: 04/22/2013 +description: This article lists the identifying attributes that are used for search and retrieval supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Identity + +## SHORT DESCRIPTION + +The Active Directory module for Windows PowerShell objects have a range of +identifying attributes that are used for search and retrieval. + +## LONG DESCRIPTION + +In order to identify the objects in Active Directory, each object has +attributes that can be used as identifiers. In the Active Directory module, the +value of the identity of an object can be passed using the Identity parameter. +Each object type has its own set of possible types and values for use by the +Identity parameter. See the detailed description of the Identity parameter of +the given cmdlet for more information about its usage. + +When searching with the Active Directory module cmdlets, the value of the +Identity parameter, along with the values of the Server and Partition +parameters, is used to uniquely identify a single object. The Server parameter +is used to locate which server to connect with. The Partition parameter further +narrows the search to a specific partition. The Identity parameter then +resolves to a single unique object in the partition. + +Note that using the Security Accounts Manager (SAM) Account Name +(**sAMAccountName**) when targeting a global catalog port, you will not find a +user in a different domain if you are using the Identity parameter + +If more than one object is found using identity resolution, the Active +Directory module throws an error. 
+ +For more information about the Server and Partition parameters, see the help +topics for the individual cmdlets where they are used, such as `Get-ADUser`, by +typing: + +```powershell +Get-Help Get-ADUser +``` + +### Objects and Identities + +Each object has a list of attributes that can be used as an identity for that +object. Additionally, if the object inherits from another object, then the +parent object's identities can also be used as the child object's identities. +For more information on the Active Directory object hierarchy, see +[about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). + +> [!NOTE] +> For Active Directory Provider cmdlets, only an object's 'Distinguished Name' +> or 'Relative Distinguished Name' can be used as the identity. For a list of +> Active Directory Provider cmdlets, see ActiveDirectory. + +### Identity Attributes + +The following is a list of identity attributes by object type. + +- ADAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADComputer + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager Account Name (sAMAccountName) + +- ADDirectoryServer + - Name of the server object (name) + - For AD LDS instances the syntax of a name is `$` + - For other Active Directory instances, use the value of the name property. + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the directory + server. + - GUID (objectGUID) of server object under the configuration partition. 
+ - GUID (objectGUID) of NTDS settings object under the configuration partition + +- ADDomain + - Distinguished Name + - GUID + - Security Identifier + - DNS domain name + - NetBIOS domain name + +- ADDomainController + - GUID (objectGUID) + - IPV4Address + - Global IPV6Address + - DNS Host Name (dNSHostName) + - Name of the server object + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the domain controller + - GUID of NTDS settings object under the configuration partition + - GUID of server object under the configuration partition + - Distinguished Name of the computer object that represents the domain controller. + +- ADFineGrainedPasswordPolicy + - Distinguished Name + - GUID (objectGUID) + - Name (name) + +- ADForest + - Fully qualified domain name + - DNS host name + - NetBIOS name + +- ADGroup + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager (SAM) Account Name (sAMAccountName) + +- ADObject + - Distinguished Name + - GUID (objectGUID) + +- ADOptionalFeature + - Distinguished Name + - Name (name) + - Feature GUID (featureGUID) + - GUID (objectGUID) + +- ADOrganizationalUnit + - Distinguished Name + - GUID (objectGUID) + +- ADPrincipal + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADServiceAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADUser + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM User Name (sAMUserName) + + +### Identities Formats + +Active Directory module objects have a range of identity attributes. Below is a +list of these, their types and formats. 
+ +- Distinguished Name + - Example: CN=SaraDavis,CN=Europe,CN=Users, DC=corp,DC=contoso,DC=com + +- DNS domain name + - Example: redmond.corp.contoso.com + +- DNS Host Name (dNSHostName) + - Example: corp-DC01.corp.contoso.com + +- Feature GUID (featureGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- Fully qualified domain name + - Example: corp.contoso.com + +- Global IPV6Address + - Example: 2001:4898:0:fff:200:5efe:157.59.132.61 + +- GUID (objectGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- IPV4Address + - Example:157.59.132.61 + +- NetBIOS domain name + - Example: redmond + +- Name of the server object + - Example: corp-DC01$ + +- SAM Account Name (sAMAccountName) + - Example: saradavisreports + +- Security Identifier (objectSid) + - Example: S-1-5-21-3165297888-301567370-576410423-1103 + +- Name + - Example: Recycle Bin Feature diff --git a/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md new file mode 100644 index 0000000000..8535a97464 --- /dev/null +++ b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md 
@@ -0,0 +1,595 @@ +--- +title: about_ActiveDirectory_ObjectModel +ms.date: 04/22/2013 +description: Describes the object model of the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_ObjectModel + +## SHORT DESCRIPTION +Describes the object model of the Active Directory module for Windows +PowerShell. + +## LONG DESCRIPTION + +This topic explains the Active Directory module classes and their properties +used to model actual Active Directory attributes. It also outlines the class +hierarchy constructed from its Active Directory counterpart. The object model +establishes a data foundation for all the operations supported by Active +Directory module cmdlets. + +### Class Hierarchy + +The following list shows the class hierarchy defined in the Active Directory +module object model, with class inheritance implied by indentation. This +inheritance model allows for Active Directory cmdlets to accept a range of +object types as input. This means, for example, that the cmdlet +Get-ADPrincipalGroupMembership can accept as input any of the following +objects: ADGroup, ADAccount, ADComputer, ADServiceAccount or ADUser. This works +because of the inheritance model and guarantees that an ADUser object has all +of the properties of an ADPrincipal object. + +``` +ADEntity + ADRootDSE + ADObject + ADFineGrainedPasswordPolicy + ADOptionalFeature + ADOrganizationalUnit + ADPartition + ADDomain + ADPrincipal + ADAccount + ADComputer + ADServiceAccount + ADUser + ADGroup + ADDefaultDomainPasswordPolicy + ADForest + ADDirectoryServer + ADDomainController +``` + +### Active Directory Module Classes + +The following listing shows every Active Directory module class from the class +hierarchy listing. Each class defines a set of properties, some of which are +LDAP attributes that are retrieved by default and some are new properties +created specifically for the Active Directory module. 
These new properties are +derived from one or more LDAP attributes as outlined in the class listings. + + +- ADEntity - The base level class from which all other classes are derived. + - ADRootDSE - Represents the rootDSE and is derived from ADEntity. An + ADRootDSE may contain the following properties in addition to those + inherited from its parent. + - ConfigurationNamingContext - A property of type System.String, derived + from the directory attribute ConfigurationNamingContext + - CurrentTime - A property of type System.DateTime, derived from the + directory attribute CurrentTime + - DefaultNamingContext - A property of type System.String, derived from the + directory attribute DefaultNamingContext + - DnsHostName - A property of type System.String, derived from the + directory attribute DnsHostName + - DomainControllerFunctionality - A property of type + ADDomainControllerMode, derived from the directory attribute + DomainControllerFunctionality + - DomainFunctionality - A property of type ADDomainMode, derived from the + directory attribute DomainFunctionality + - DsServiceName - A property of type System.String, derived from the + directory attribute DsServiceName + - ForestFunctionality - A property of type ADForestMode, derived from the + directory attribute ForestFunctionality + - GlobalCatalogReady - A property of type System.Boolean, derived from the + directory attribute GlobalCatalogReady + - HighestCommittedUSN - A property of type System.Long, derived from the + directory attribute HighestCommittedUSN + - LdapServiceName - A property of type System.String, derived from the + directory attribute LdapServiceName + - NamingContexts - A property of type System.String, derived from the + directory attribute NamingContexts + - RootDomainNamingContext - A property of type System.String, derived from + the directory attribute RootDomainNamingContext + - SchemaNamingContext - A property of type System.String, derived from the + directory attribute 
SchemaNamingContext + - ServerName - A property of type System.String, derived from the directory + attribute ServerName + - SubschemaSubentry - A property of type ADObject, derived from the + directory attribute SubschemaSubentry + - SupportedCapabilities - A property of type ADObjectIdentifier, derived + from the directory attribute SupportedCapabilities + - SupportedControl - A property of type ADObjectIdentifier, derived from + the directory attribute SupportedControl + - SupportedLDAPPolicies - A property of type System.String, derived from + the directory attribute SupportedLDAPPolicies + - SupportedLDAPVersion - A property of type System.Int, derived from the + directory attribute SupportedLDAPVersion + - SupportedRootDSEOperations - A property of type + ADPropertyValueCollection, derived from the directory attribute + SupportedRootDSEOperations + - SupportedSASLMechanisms - A property of type System.String, derived from + the directory attribute SupportedSASLMechanisms + - Syncronized - A property of type System.Boolean, derived from the + directory attribute IsSynchronized. + - ADObject - Represents any object in Active Directory and is derived from + ADEntity. An ADObject may contain the following properties in addition to + those inherited from its parent. 
+ - CanonicalName - A property of type System.String, derived from the + directory attribute: canonicalName + - CN - A property of type System.String, derived from the directory + attribute: cn + - Created - A property of type System.DateTime, derived from the directory + attribute: createTimeStamp + - Deleted - A property of type System.Boolean, derived from the directory + attribute: isDeleted + - Description - A property of type System.String, derived from the + directory attribute: description + - DisplayName - A property of type System.String, derived from the + directory attribute: displayName + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LastKnownParent - A property of type System.String, derived from the + directory attribute: lastKnownParent + - Modified - A property of type System.DateTime, derived from the directory + attribute: modifyTimeStamp + - Name - A property of type System.String, derived from the directory + attribute: name + - ObjectCategory - A property of type System.String, derived from the + directory attribute: objectCategory + - ObjectClass - A property of type System.String, derived from the + directory attribute: objectClass + - ObjectGUID - A property of type System.Guid, derived from the directory + attribute: objectGUID + - ProtectedFromAccidentalDeletion - A property of type System.Boolean, + derived from the directory attributes: nTSecurityDescriptor, + sdRightsEffective, instanceType, isDeleted + - ADFineGrainedPasswordPolicy Represents a fine grained password policy + object; that is, an AD object of type msDS-PasswordSettings in AD DS and + is derived from ADObject. This class is not supported by AD LDS. An + ADFineGrainedPasswordPolicy may contain the following properties in + addition to those inherited from its parent. 
+ - AppliesTo - A property of type System.String, derived from the + directory attribute: msDS-PSOAppliesTo + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: msDS-PasswordComplexityEnabled + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: msDS-LockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: msDS-LockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: msDS-LockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MaximumPasswordAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MinimumPasswordAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: msDS-MinimumPasswordLength + - PasswordHistoryCount - A property of type System.Int32, derived from + the directory attribute: msDS-PasswordHistoryLength + - Precedence - A property of type System.Int32, derived from the + directory attribute: msDS-PasswordSettingsPrecedence + - ReversibleEncryptionEnabled - A property of type System.Boolean, + derived from the directory attribute: + msDS-PasswordReversibleEncryptionEnabled + - ADOptionalFeature Represents an optional feature, an Active Directory + object of type msDS-OptionalFeature, and is derived from ADObject. An + ADOptionalFeaturemay contain the following properties in addition to + those inherited from its parent. 
+ - EnabledScopes - A property of type System.String, derived from the + directory attribute: msDS-EnabledFeatureBL + - FeatureGUID - A property of type System.Guid, derived from the + directory attribute: msDS-OptionalFeatureGUID + - FeatureScope - A property of type System.Int32, derived from the + directory attribute: msDS-OptionalFeatureFlags + - IsDisableable - A property of type System.Boolean, derived from the + directory attribute: msDS-OptionalFeatureFlags + - RequiredDomainMode - A property of type + Microsoft.ActiveDirectory.Management.ADDomainMode, derived from the + directory attribute: msDS-RequiredDomainBehaviorVersion + - RequiredForestMode - A property of type + Microsoft.ActiveDirectory.Management.ADForestMode, derived from the + directory attribute: msDS-RequiredForestBehaviorVersion + - ADOrganizationalUnit Represents an organizationalUnit (OU) object and is + derived from ADObject. An ADOrganizationalUnit may contain the following + properties in addition to those inherited from its parent. + - City - A property of type System.String, derived from the directory + attribute: l + - Country - A property of type System.String, derived from the directory + attribute: c + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: gpLink. This property is not supported on + AD LDS. + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - State - A property of type System.String, derived from the directory + attribute: st + - StreetAddress - A property of type System.String, derived from the + directory attribute: street + - ADPartition - Represents a naming context, Configuration, Schema, Domain + or Application Partition(ND NC) and is derived from ADObject. This class + is not supported by AD LDS. 
An ADPartition may contain the following + properties in addition to those inherited from its parent. + - DeletedObjectsContainer - A property of type System.String, derived + from the directory attribute: DeletedObjectsContainer + - DNSRoot - A property of type System.String, derived from the directory + attribute: DNSRoot + - LostAndFoundContainer - A property of type System.String, derived from + the directory attribute: LostAndFoundContainer + - QuotasContainer - A property of type System.String, derived from the + directory attribute: QuotasContainer + - ReadOnlyReplicaDirectoryServers - A property of type System.String, + derived from the directory attribute: ReadOnlyReplicaDirectoryServers + - ReplicaDirectoryServers - A property of type System.String, derived + from the directory attribute: ReplicaDirectoryServers + - SubordinateReferences - A property of type System.String, derived from + the directory attribute: SubordinateReferences + - ADDomain - Represents a domain in AD DS or an instance in AD LDS; for + example, an Active Directory object of type domainDNS and is derived + from ADPartition. This class is not supported by AD LDS. An ADDomain + may contain the following properties in addition to those inherited + from its parent. 
+ - AllowedDNSSuffixes - A property of type System.String, derived from + the directory attribute: msDS-AllowedDNSSuffixes + - ChildDomains - A property of type System.String, derived from the + directory attribute: ChildDomains + - ComputersContainer - A property of type System.String, derived from + the directory attribute: ComputersContainer + - DomainControllersContainer - A property of type System.String, + derived from the directory attribute: DomainControllersContainer + - DomainMode - A property of type System.Int32, derived from the + directory attribute: msDS-Behavior-Version + - DomainSID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - ForeignSecurityPrincipalsContainer - A property of type + System.String, derived from the directory attribute: + ForeignSecurityPrincipalsContainer + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - InfrastructureMaster - A property of type System.String, derived from + the directory attribute: InfrastructureMaster + - LastLogonReplicationInterval - A property of type System.TimeSpan, + derived from the directory attribute: msDS-LogonTimeSyncInterval + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: LinkedGroupPolicyObjects + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - NetBIOSName - A property of type System.String, derived from the + directory attribute: NetBIOSName + - ParentDomain - A property of type System.String, derived from the + directory attribute: ParentDomain + - PDCEmulator - A property of type System.String, derived from the + directory attribute: PDCEmulator + - RIDMaster - A property of type System.String, derived from the + directory attribute: RIDMaster + - SystemsContainer - A property of type System.String, derived from the + directory attribute: SystemsContainer + - 
UsersContainer - A property of type System.String, derived from the + directory attribute: UsersContainer + - ADPrincipal - Represents a security principal, which is an Active + Directory object of type user, computer, group or iNetOrgPerson and is + derived from ADObject. An ADPrincipal may contain the following + properties in addition to those inherited from its parent. + - HomePage - A property of type System.String, derived from the + directory attribute: wWWHomePage + - MemberOf - A property of type System.String, derived from the + directory attribute: memberOf + - SamAccountName - A property of type System.String, derived from the + directory attribute: sAMAccountName. This property is not supported + for AD LDS. + - SID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - SIDHistory - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: sIDHistory. This property is not supported for + AD LDS. + - ADAccount - Represents a security account; that is, an Active + Directory object of type user, computer or iNetOrgPerson and is + derived from ADPrincipal. An ADAccount may contain the following + properties in addition to those inherited from its parent. + - AccountExpirationDate - A property of type System.DateTime, derived + from the directory attribute: accountExpires + - AccountLockoutTime - A property of type System.DateTime, derived + from the directory attribute: lockoutTime + - AccountNotDelegated - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - AllowReversiblePasswordEncryption - A property of type + System.Boolean, for AD DS it is derived from the directory + attribute: userAccountControl; for AD LDS it is derived from the + directory attribute: ms-DS-UserEncryptedTextPasswordAllowed + - BadLogonCount - A property of type System.Int32, derived from the + directory attribute: badPwdCount + - CannotChangePassword - A property of type System.Boolean, derived + from the directory attribute: nTSecurityDescriptor + - Certificates - A property of type + System.Security.Cryptography.X509Certificates.X509Certificate, + derived from the directory attribute: userCertificate + - DoesNotRequirePreAuth - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - Enabled - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserAccountDisabled + - HomedirRequired - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - LastBadPasswordAttempt - A property of type System.DateTime, + derived from the directory attribute: badPasswordTime + - LastLogonDate - A property of type System.DateTime, derived from + the directory attribute: lastLogonTimestamp + - LockedOut - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed, lockoutTime; for AD LDS it is + derived from the directory attribute msDS-UserAccountDisabled + - MNSLogonAccount - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - PasswordExpired - A property of type System.Boolean, for AD DS it + is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserPasswordExpired + - PasswordLastSet - A property of type System.DateTime, derived from + the directory attribute: pwdLastSet + - PasswordNeverExpires - A property of type System.Boolean, for AD + LDS it is derived from the directory attributes: + userAccountControl, msDS-User-Account-Control-Computed; for AD LDS + it is derived from the directory attribute: + msDS-UserDontExpirePassword + - PasswordNotRequired - A property of type System.Boolean, for AD DS + it is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute: ms-DS-UserPasswordNotRequired + - PrimaryGroup - A property of type System.String, derived from the + directory attributes: primaryGroupID, objectSid. This property is + not supported by AD LDS. + - ServicePrincipalNames - A property of type System.String, derived + from the directory attribute: servicePrincipalName. This property + is not supported by AD LDS. + - TrustedForDelegation - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - TrustedToAuthForDelegation - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - UseDESKeyOnly - A property of type System.Boolean, derived from the + directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - UserPrincipalName - A property of type System.String, derived from + the directory attribute: userPrincipalName + - ADComputer - Represents a computer and is derived from ADAccount. + An ADComputer may contain the following properties in addition to + those inherited from its parent. + - DNSHostName - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv4Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - Location - A property of type System.String, derived from the + directory attribute: location + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - OperatingSystem - A property of type System.String, derived from + the directory attribute: operatingSystem + - OperatingSystemHotfix - A property of type System.String, derived + from the directory attribute: operatingSystemHotfix + - OperatingSystemServicePack - A property of type System.String, + derived from the directory attribute: operatingSystemServicePack + - OperatingSystemVersion - A property of type System.String, + derived from the directory attribute: operatingSystemVersion + - ServiceAccount - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccount + - ADServiceAccount - Represents a managed service account; that is, + an Active Directory object of type msDS-ManagerdServiceAccount and + is derived from ADAccount. This class is not supported by AD LDS. + An ADServiceAccount may contain the following properties in + addition to those inherited from its parent. + - HostComputers - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccountBL + - ADUser - Represents a user (or iNetOrgPerson) and is derived from + ADAccount. 
An ADUser may contain the following properties in + addition to those inherited from its parent. + - City - A property of type System.String, derived from the + directory attribute: l + - Company - A property of type System.String, derived from the + directory attribute: company + - Country - A property of type System.String, derived from the + directory attribute: c + - Department - A property of type System.String, derived from the + directory attribute: department + - Division - A property of type System.String, derived from the + directory attribute: division + - EmailAddress - A property of type System.String, derived from the + directory attribute: mail + - EmployeeID - A property of type System.String, derived from the + directory attribute: employeeID + - EmployeeNumber - A property of type System.String, derived from + the directory attribute: employeeNumber + - Fax - A property of type System.String, derived from the + directory attribute: facsimileTelephoneNumber + - GivenName - A property of type System.String, derived from the + directory attribute: givenName + - HomeDirectory - A property of type System.String, derived from + the directory attribute: homeDirectory. This property is not + supported by AD LDS. + - HomeDrive - A property of type System.String, derived from the + directory attribute: homeDrive. This property is not supported by + AD LDS. + - HomePhone - A property of type System.String, derived from the + directory attribute: homePhone + - Initials - A property of type System.String, derived from the + directory attribute: initials + - LogonWorkstations - A property of type System.String, derived + from the directory attribute: userWorkstations. This property is + not supported by AD LDS. 
+ - Manager - A property of type System.String, derived from the + directory attribute: manager + - MobilePhone - A property of type System.String, derived from the + directory attribute: mobile + - Office - A property of type System.String, derived from the + directory attribute: physicalDeliveryOfficeName + - OfficePhone - A property of type System.String, derived from the + directory attribute: telephoneNumber + - Organization - A property of type System.String, derived from the + directory attribute: o + - OtherName - A property of type System.String, derived from the + directory attribute: middleName + - POBox - A property of type System.String, derived from the + directory attribute: postOfficeBox + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - ProfilePath - A property of type System.String, derived from the + directory attribute: profilePath. This property is not supported + by AD LDS. + - ScriptPath - A property of type System.String, derived from the + directory attribute: scriptPath. This property is not supported + by AD LDS. + - SmartcardLogonRequired - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not + supported by AD LDS. + - State - A property of type System.String, derived from the + directory attribute: st + - StreetAddress - A property of type System.String, derived from + the directory attribute: streetAddress + - Surname - A property of type System.String, derived from the + directory attribute: sn + - Title - A property of type System.String, derived from the + directory attribute: title + - ADGroup -Represents a group and is derived from ADPrincipal. An + ADGroup may contain the following properties in addition to those + inherited from its parent. 
+ - GroupCategory - A property of type + Microsoft.ActiveDirectory.Management.ADGroupCategory, derived from + the directory attribute: groupType + - GroupScope - A property of type + Microsoft.ActiveDirectory.Management.ADGroupScope, derived from the + directory attribute: groupType + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - Members - A property of type System.String, derived from the + directory attribute: member + - ADDefaultDomainPasswordPolicy - Represents the domain-wide password policy + of an Active Directory domain and is derived from ADEntity. This class is + not supported by AD LDS. An ADDefaultDomainPasswordPolicy may contain the + following properties in addition to those inherited from its parent. + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: pwdProperties + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: lockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: lockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: lockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: maxPwdAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: minPwdAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: minPwdLength + - PasswordHistoryCount - A property of type System.Int32, derived from the + directory attribute: pwdHistoryLength + - ReversibleEncryptionEnabled - A property of type System.Boolean, derived + from the directory attribute: pwdProperties + - ADForest - Represents a Active Directory forest in AD DS or a 
Configuration + Set in AD LDS and is derived from ADEntity. This class is not supported by + AD LDS. An ADForest may contain the following properties in addition to + those inherited from its parent. + - ApplicationPartitions - A property of type System.String, derived from + the directory attribute: ApplicationPartitions + - CrossForestReferences - A property of type System.String, derived from + the directory attribute: CrossForestReferences + - DomainNamingMaster - A property of type System.String, derived from the + directory attribute: DomainNamingMaster + - Domains - A property of type System.String, derived from the directory + attribute: Domains + - ForestMode - A property of type System.Int32, derived from the directory + attribute: msDS-Behavior-Version + - GlobalCatalogs - A property of type System.String, derived from the + directory attribute: GlobalCatalogs + - Name - A property of type System.String, derived from the directory + attribute: name + - PartitionContainerName - A property of type System.String, derived from + the directory attribute: distinguishedName + - RootDomain - A property of type System.String, derived from the directory + attribute: RootDomain + - SchemaMaster - A property of type System.String, derived from the + directory attribute: SchemaMaster + - Sites - A property of type System.String, derived from the directory + attribute: Sites + - SPNSuffixes - A property of type System.String, derived from the + directory attribute: msDS-SPNSuffixes + - UPNSuffixes - A property of type System.String, derived from the + directory attribute: uPNSuffixes + - ADDirectoryServer - Represents a directory server used as either a domain + controller or an AD LDS instance and is derived from ADEntity. An + ADDirectoryServer may contain the following properties in addition to those + inherited from its parent. 
+ - DefaultPartition - A property of type System.String, derived from the + directory attribute: DefaultPartition + - HostName - A property of type System.String, derived from the directory + attribute: HostName + - InvocationId - A property of type System.Guid, derived from the directory + attribute: InvocationId + - IPv4Address - A property of type System.String, derived from the + directory attribute: HostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: HostName + - LdapPort - A property of type System.Int32, derived from the directory + attribute: LdapPort + - Name - A property of type System.String, derived from the directory + attribute: Name + - NTDSSettingsObjectDN - A property of type System.String, derived from the + directory attribute: NTDSSettingsObjectDN + - OperationMasterRoles - A property of type + Microsoft.ActiveDirectory.Management.ADOperationMasterRole, derived from + the directory attribute: OperationMasterRole + - Partitions - A property of type System.String, derived from the directory + attribute: Partitions + - ServerObjectDN - A property of type System.String, derived from the + directory attribute: ServerObjectDN + - ServerObjectGuid - A property of type System.Guid, derived from the + directory attribute: ServerObjectGuid + - Site - A property of type System.String, derived from the directory + attribute: Site + - SslPort - A property of type System.Int32, derived from the directory + attribute: SslPort + - ADDomainController - Represents a domain controller in AD DS and is + derived from ADDirectoryServer. An ADDomainController may contain the + following properties in addition to those inherited from its parent. 
+ - ComputerObjectDN - A property of type System.String, derived from the + directory attribute: ComputerDN + - Domain - A property of type System.String, derived from the directory + attribute: Domain + - Enabled - A property of type System.Boolean, derived from the directory + attribute: Enabled + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - IsGlobalCatalog - A property of type System.Boolean, derived from the + directory attribute: IsGlobalCatalog + - IsReadOnly - A property of type System.Boolean, derived from the + directory attribute: IsReadOnly + - OperatingSystem - A property of type System.String, derived from the + directory attribute: OSName + - OperatingSystemHotfix - A property of type System.String, derived from + the directory attribute: OSHotFix + - OperatingSystemServicePack - A property of type System.String, derived + from the directory attribute: OSServicepack + - OperatingSystemVersion - A property of type System.String, derived from + the directory attribute: OSVersion diff --git a/docset/winserver2019-ps/activedirectory/About/About.md b/docset/winserver2019-ps/activedirectory/About/About.md index adc76085b9..449df28850 100644 --- a/docset/winserver2019-ps/activedirectory/About/About.md +++ b/docset/winserver2019-ps/activedirectory/About/About.md @@ -2,7 +2,7 @@ description: About articles for the ActiveDirectory module. Help Version: 3.1.0.0 Locale: en-US -ms.date: 04/22/2013 +ms.date: 07/03/2024 title: About articles --- # About topics 
@@ -13,5 +13,14 @@ About topics cover a range of concepts about PowerShell. ## About Topics +### [about_ActiveDirectory](about_ActiveDirectory.md) +The Active Directory module is a command line interface for managing Active Directory. + ### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. + +### [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md) +The Active Directory module for Windows PowerShell objects have a range of identifying attributes that are used for search and retrieval. + +### [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md) +Describes the object model of the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory.md b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory.md new file mode 100644 index 0000000000..1b7183dcd2 --- /dev/null +++ b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory.md 
@@ -0,0 +1,81 @@ +--- +title: about_ActiveDirectory +ms.date: 04/22/2013 +description: The Active Directory module is a command line interface for managing Active Directory. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory + +## SHORT DESCRIPTION + +The Active Directory module is a command line interface for managing Active +Directory. + +## LONG DESCRIPTION + +The Active Directory module for Windows PowerShell is for IT Professionals who +are administering and interfacing with Active Directory. The Active Directory +module provides an efficient way to complete many administrative, +configuration, and diagnostic tasks across Active Directory Domain Services (AD +DS) and Active Directory Lightweight Directory Services (AD LDS) instances in +their environments. The Active Directory module includes a set of Windows +PowerShell cmdlets and a provider. The provider exposes the Active Directory +database through a hierarchical navigation system, which is very similar to the +file system. As with drives in a file system, such as C:, you can connect +Windows PowerShell drives to Active Directory domains and AD LDS, as well as +Active Directory snapshots. + +### Coverage of Active Directory Module Cmdlets + +Create, Read, Update, and Delete actions are supported for Active Directory +objects by cmdlets such as `New-ADUser`, `Get-ADOrganizationalUnit`, +`Set-ADComputer`, and `Remove-ADUser`. + +Account and Password Policy Management are supported by cmdlets such as +`Enable-ADAccount`, `Unlock-ADAccount`, `New-ADServiceAccount`, +`Set-ADAccountControl`, and `Remove-ADFineGrainedPasswordPolicy`. + +Domain and Forest Management is supported by cmdlets such as `Get-ADForest`, +`Set-ADForest`, `Set-ADForestMode`, `Enable-ADOptionalFeature`, +`Get-ADDomainController`, and `Get-ADDomain`. 
+ +### Listing the Active Directory Module Cmdlets + +To get a list of all of the Active Directory module cmdlets, run + +```powershell +Get-Command -Module ActiveDirectory +``` + +### Getting Started + +Getting started with the Active Directory module for Windows PowerShell is as +easy as clicking the following shortcut: + +Run the following command in any Windows PowerShell prompt to import the Active +Directory module: + +```powershell +Import-Module ActiveDirectory +``` + +### Overview and Conceptual Topics + +The first two of these topics offer a high level overview of the Active +Directory module and the Active Directory Provider. + +- For a brief introduction to the Active Directory provider for Windows + PowerShell, see [ActiveDirectory](/powershell/module/activedirectory). +- The following topics are conceptual support topics for the Active Directory + module cmdlets. + - For an introduction to the **Identity** parameter, which is used by the + Active Directory module cmdlets to identify objects in the directory, see + [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md). + - For an introduction to the **Filter** parameter which is used by Active + Directory module cmdlets to search for objects in the directory, see + [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md). + - For an introduction to the .NET Framework-based object model implemented by + the Active Directory module, see + [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). diff --git a/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Identity.md b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Identity.md new file mode 100644 index 0000000000..c007277b19 --- /dev/null +++ b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Identity.md 
@@ -0,0 +1,196 @@ +--- +title: about_ActiveDirectory_Identity +ms.date: 04/22/2013 +description: This article lists the identifying attributes that are used for search and retrieval supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Identity + +## SHORT DESCRIPTION + +The Active Directory module for Windows PowerShell objects have a range of +identifying attributes that are used for search and retrieval. + +## LONG DESCRIPTION + +In order to identify the objects in Active Directory, each object has +attributes that can be used as identifiers. In the Active Directory module, the +value of the identity of an object can be passed using the Identity parameter. +Each object type has its own set of possible types and values for use by the +Identity parameter. See the detailed description of the Identity parameter of +the given cmdlet for more information about its usage. + +When searching with the Active Directory module cmdlets, the value of the +Identity parameter, along with the values of the Server and Partition +parameters, is used to uniquely identify a single object. The Server parameter +is used to locate which server to connect with. The Partition parameter further +narrows the search to a specific partition. The Identity parameter then +resolves to a single unique object in the partition. + +Note that using the Security Accounts Manager (SAM) Account Name +(**sAMAccountName**) when targeting a global catalog port, you will not find a +user in a different domain if you are using the Identity parameter + +If more than one object is found using identity resolution, the Active +Directory module throws an error. 
+ +For more information about the Server and Partition parameters, see the help +topics for the individual cmdlets where they are used, such as `Get-ADUser`, by +typing: + +```powershell +Get-Help Get-ADUser +``` + +### Objects and Identities + +Each object has a list of attributes that can be used as an identity for that +object. Additionally, if the object inherits from another object, then the +parent object's identities can also be used as the child object's identities. +For more information on the Active Directory object hierarchy, see +[about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). + +> [!NOTE] +> For Active Directory Provider cmdlets, only an object's 'Distinguished Name' +> or 'Relative Distinguished Name' can be used as the identity. For a list of +> Active Directory Provider cmdlets, see ActiveDirectory. + +### Identity Attributes + +The following is a list of identity attributes by object type. + +- ADAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADComputer + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager Account Name (sAMAccountName) + +- ADDirectoryServer + - Name of the server object (name) + - For AD LDS instances the syntax of a name is `$` + - For other Active Directory instances, use the value of the name property. + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the directory + server. + - GUID (objectGUID) of server object under the configuration partition. 
+ - GUID (objectGUID) of NTDS settings object under the configuration partition + +- ADDomain + - Distinguished Name + - GUID + - Security Identifier + - DNS domain name + - NetBIOS domain name + +- ADDomainController + - GUID (objectGUID) + - IPV4Address + - Global IPV6Address + - DNS Host Name (dNSHostName) + - Name of the server object + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the domain controller + - GUID of NTDS settings object under the configuration partition + - GUID of server object under the configuration partition + - Distinguished Name of the computer object that represents the domain controller. + +- ADFineGrainedPasswordPolicy + - Distinguished Name + - GUID (objectGUID) + - Name (name) + +- ADForest + - Fully qualified domain name + - DNS host name + - NetBIOS name + +- ADGroup + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager (SAM) Account Name (sAMAccountName) + +- ADObject + - Distinguished Name + - GUID (objectGUID) + +- ADOptionalFeature + - Distinguished Name + - Name (name) + - Feature GUID (featureGUID) + - GUID (objectGUID) + +- ADOrganizationalUnit + - Distinguished Name + - GUID (objectGUID) + +- ADPrincipal + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADServiceAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADUser + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM User Name (sAMUserName) + + +### Identities Formats + +Active Directory module objects have a range of identity attributes. Below is a +list of these, their types and formats. 
+ +- Distinguished Name + - Example: CN=SaraDavis,CN=Europe,CN=Users, DC=corp,DC=contoso,DC=com + +- DNS domain name + - Example: redmond.corp.contoso.com + +- DNS Host Name (dNSHostName) + - Example: corp-DC01.corp.contoso.com + +- Feature GUID (featureGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- Fully qualified domain name + - Example: corp.contoso.com + +- Global IPV6Address + - Example: 2001:4898:0:fff:200:5efe:157.59.132.61 + +- GUID (objectGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- IPV4Address + - Example:157.59.132.61 + +- NetBIOS domain name + - Example: redmond + +- Name of the server object + - Example: corp-DC01$ + +- SAM Account Name (sAMAccountName) + - Example: saradavisreports + +- Security Identifier (objectSid) + - Example: S-1-5-21-3165297888-301567370-576410423-1103 + +- Name + - Example: Recycle Bin Feature diff --git a/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md new file mode 100644 index 0000000000..8535a97464 --- /dev/null +++ b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md 
@@ -0,0 +1,595 @@ +--- +title: about_ActiveDirectory_ObjectModel +ms.date: 04/22/2013 +description: Describes the object model of the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_ObjectModel + +## SHORT DESCRIPTION +Describes the object model of the Active Directory module for Windows +PowerShell. + +## LONG DESCRIPTION + +This topic explains the Active Directory module classes and their properties +used to model actual Active Directory attributes. It also outlines the class +hierarchy constructed from its Active Directory counterpart. The object model +establishes a data foundation for all the operations supported by Active +Directory module cmdlets. + +### Class Hierarchy + +The following list shows the class hierarchy defined in the Active Directory +module object model, with class inheritance implied by indentation. This +inheritance model allows for Active Directory cmdlets to accept a range of +object types as input. This means, for example, that the cmdlet +Get-ADPrincipalGroupMembership can accept as input any of the following +objects: ADGroup, ADAccount, ADComputer, ADServiceAccount or ADUser. This works +because of the inheritance model and guarantees that an ADUser object has all +of the properties of an ADPrincipal object. + +``` +ADEntity + ADRootDSE + ADObject + ADFineGrainedPasswordPolicy + ADOptionalFeature + ADOrganizationalUnit + ADPartition + ADDomain + ADPrincipal + ADAccount + ADComputer + ADServiceAccount + ADUser + ADGroup + ADDefaultDomainPasswordPolicy + ADForest + ADDirectoryServer + ADDomainController +``` + +### Active Directory Module Classes + +The following listing shows every Active Directory module class from the class +hierarchy listing. Each class defines a set of properties, some of which are +LDAP attributes that are retrieved by default and some are new properties +created specifically for the Active Directory module. 
These new properties are +derived from one or more LDAP attributes as outlined in the class listings. + + +- ADEntity - The base level class from which all other classes are derived. + - ADRootDSE - Represents the rootDSE and is derived from ADEntity. An + ADRootDSE may contain the following properties in addition to those + inherited from its parent. + - ConfigurationNamingContext - A property of type System.String, derived + from the directory attribute ConfigurationNamingContext + - CurrentTime - A property of type System.DateTime, derived from the + directory attribute CurrentTime + - DefaultNamingContext - A property of type System.String, derived from the + directory attribute DefaultNamingContext + - DnsHostName - A property of type System.String, derived from the + directory attribute DnsHostName + - DomainControllerFunctionality - A property of type + ADDomainControllerMode, derived from the directory attribute + DomainControllerFunctionality + - DomainFunctionality - A property of type ADDomainMode, derived from the + directory attribute DomainFunctionality + - DsServiceName - A property of type System.String, derived from the + directory attribute DsServiceName + - ForestFunctionality - A property of type ADForestMode, derived from the + directory attribute ForestFunctionality + - GlobalCatalogReady - A property of type System.Boolean, derived from the + directory attribute GlobalCatalogReady + - HighestCommittedUSN - A property of type System.Long, derived from the + directory attribute HighestCommittedUSN + - LdapServiceName - A property of type System.String, derived from the + directory attribute LdapServiceName + - NamingContexts - A property of type System.String, derived from the + directory attribute NamingContexts + - RootDomainNamingContext - A property of type System.String, derived from + the directory attribute RootDomainNamingContext + - SchemaNamingContext - A property of type System.String, derived from the + directory attribute 
SchemaNamingContext + - ServerName - A property of type System.String, derived from the directory + attribute ServerName + - SubschemaSubentry - A property of type ADObject, derived from the + directory attribute SubschemaSubentry + - SupportedCapabilities - A property of type ADObjectIdentifier, derived + from the directory attribute SupportedCapabilities + - SupportedControl - A property of type ADObjectIdentifier, derived from + the directory attribute SupportedControl + - SupportedLDAPPolicies - A property of type System.String, derived from + the directory attribute SupportedLDAPPolicies + - SupportedLDAPVersion - A property of type System.Int, derived from the + directory attribute SupportedLDAPVersion + - SupportedRootDSEOperations - A property of type + ADPropertyValueCollection, derived from the directory attribute + SupportedRootDSEOperations + - SupportedSASLMechanisms - A property of type System.String, derived from + the directory attribute SupportedSASLMechanisms + - Syncronized - A property of type System.Boolean, derived from the + directory attribute IsSynchronized. + - ADObject - Represents any object in Active Directory and is derived from + ADEntity. An ADObject may contain the following properties in addition to + those inherited from its parent. 
+ - CanonicalName - A property of type System.String, derived from the + directory attribute: canonicalName + - CN - A property of type System.String, derived from the directory + attribute: cn + - Created - A property of type System.DateTime, derived from the directory + attribute: createTimeStamp + - Deleted - A property of type System.Boolean, derived from the directory + attribute: isDeleted + - Description - A property of type System.String, derived from the + directory attribute: description + - DisplayName - A property of type System.String, derived from the + directory attribute: displayName + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LastKnownParent - A property of type System.String, derived from the + directory attribute: lastKnownParent + - Modified - A property of type System.DateTime, derived from the directory + attribute: modifyTimeStamp + - Name - A property of type System.String, derived from the directory + attribute: name + - ObjectCategory - A property of type System.String, derived from the + directory attribute: objectCategory + - ObjectClass - A property of type System.String, derived from the + directory attribute: objectClass + - ObjectGUID - A property of type System.Guid, derived from the directory + attribute: objectGUID + - ProtectedFromAccidentalDeletion - A property of type System.Boolean, + derived from the directory attributes: nTSecurityDescriptor, + sdRightsEffective, instanceType, isDeleted + - ADFineGrainedPasswordPolicy Represents a fine grained password policy + object; that is, an AD object of type msDS-PasswordSettings in AD DS and + is derived from ADObject. This class is not supported by AD LDS. An + ADFineGrainedPasswordPolicy may contain the following properties in + addition to those inherited from its parent. 
+ - AppliesTo - A property of type System.String, derived from the + directory attribute: msDS-PSOAppliesTo + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: msDS-PasswordComplexityEnabled + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: msDS-LockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: msDS-LockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: msDS-LockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MaximumPasswordAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MinimumPasswordAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: msDS-MinimumPasswordLength + - PasswordHistoryCount - A property of type System.Int32, derived from + the directory attribute: msDS-PasswordHistoryLength + - Precedence - A property of type System.Int32, derived from the + directory attribute: msDS-PasswordSettingsPrecedence + - ReversibleEncryptionEnabled - A property of type System.Boolean, + derived from the directory attribute: + msDS-PasswordReversibleEncryptionEnabled + - ADOptionalFeature Represents an optional feature, an Active Directory + object of type msDS-OptionalFeature, and is derived from ADObject. An + ADOptionalFeaturemay contain the following properties in addition to + those inherited from its parent. 
+ - EnabledScopes - A property of type System.String, derived from the + directory attribute: msDS-EnabledFeatureBL + - FeatureGUID - A property of type System.Guid, derived from the + directory attribute: msDS-OptionalFeatureGUID + - FeatureScope - A property of type System.Int32, derived from the + directory attribute: msDS-OptionalFeatureFlags + - IsDisableable - A property of type System.Boolean, derived from the + directory attribute: msDS-OptionalFeatureFlags + - RequiredDomainMode - A property of type + Microsoft.ActiveDirectory.Management.ADDomainMode, derived from the + directory attribute: msDS-RequiredDomainBehaviorVersion + - RequiredForestMode - A property of type + Microsoft.ActiveDirectory.Management.ADForestMode, derived from the + directory attribute: msDS-RequiredForestBehaviorVersion + - ADOrganizationalUnit Represents an organizationalUnit (OU) object and is + derived from ADObject. An ADOrganizationalUnit may contain the following + properties in addition to those inherited from its parent. + - City - A property of type System.String, derived from the directory + attribute: l + - Country - A property of type System.String, derived from the directory + attribute: c + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: gpLink. This property is not supported on + AD LDS. + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - State - A property of type System.String, derived from the directory + attribute: st + - StreetAddress - A property of type System.String, derived from the + directory attribute: street + - ADPartition - Represents a naming context, Configuration, Schema, Domain + or Application Partition(ND NC) and is derived from ADObject. This class + is not supported by AD LDS. 
An ADPartition may contain the following + properties in addition to those inherited from its parent. + - DeletedObjectsContainer - A property of type System.String, derived + from the directory attribute: DeletedObjectsContainer + - DNSRoot - A property of type System.String, derived from the directory + attribute: DNSRoot + - LostAndFoundContainer - A property of type System.String, derived from + the directory attribute: LostAndFoundContainer + - QuotasContainer - A property of type System.String, derived from the + directory attribute: QuotasContainer + - ReadOnlyReplicaDirectoryServers - A property of type System.String, + derived from the directory attribute: ReadOnlyReplicaDirectoryServers + - ReplicaDirectoryServers - A property of type System.String, derived + from the directory attribute: ReplicaDirectoryServers + - SubordinateReferences - A property of type System.String, derived from + the directory attribute: SubordinateReferences + - ADDomain - Represents a domain in AD DS or an instance in AD LDS; for + example, an Active Directory object of type domainDNS and is derived + from ADPartition. This class is not supported by AD LDS. An ADDomain + may contain the following properties in addition to those inherited + from its parent. 
+ - AllowedDNSSuffixes - A property of type System.String, derived from + the directory attribute: msDS-AllowedDNSSuffixes + - ChildDomains - A property of type System.String, derived from the + directory attribute: ChildDomains + - ComputersContainer - A property of type System.String, derived from + the directory attribute: ComputersContainer + - DomainControllersContainer - A property of type System.String, + derived from the directory attribute: DomainControllersContainer + - DomainMode - A property of type System.Int32, derived from the + directory attribute: msDS-Behavior-Version + - DomainSID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - ForeignSecurityPrincipalsContainer - A property of type + System.String, derived from the directory attribute: + ForeignSecurityPrincipalsContainer + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - InfrastructureMaster - A property of type System.String, derived from + the directory attribute: InfrastructureMaster + - LastLogonReplicationInterval - A property of type System.TimeSpan, + derived from the directory attribute: msDS-LogonTimeSyncInterval + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: LinkedGroupPolicyObjects + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - NetBIOSName - A property of type System.String, derived from the + directory attribute: NetBIOSName + - ParentDomain - A property of type System.String, derived from the + directory attribute: ParentDomain + - PDCEmulator - A property of type System.String, derived from the + directory attribute: PDCEmulator + - RIDMaster - A property of type System.String, derived from the + directory attribute: RIDMaster + - SystemsContainer - A property of type System.String, derived from the + directory attribute: SystemsContainer + - 
UsersContainer - A property of type System.String, derived from the + directory attribute: UsersContainer + - ADPrincipal - Represents a security principal, which is an Active + Directory object of type user, computer, group or iNetOrgPerson and is + derived from ADObject. An ADPrincipal may contain the following + properties in addition to those inherited from its parent. + - HomePage - A property of type System.String, derived from the + directory attribute: wWWHomePage + - MemberOf - A property of type System.String, derived from the + directory attribute: memberOf + - SamAccountName - A property of type System.String, derived from the + directory attribute: sAMAccountName. This property is not supported + for AD LDS. + - SID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - SIDHistory - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: sIDHistory. This property is not supported for + AD LDS. + - ADAccount - Represents a security account; that is, an Active + Directory object of type user, computer or iNetOrgPerson and is + derived from ADPrincipal. An ADAccount may contain the following + properties in addition to those inherited from its parent. + - AccountExpirationDate - A property of type System.DateTime, derived + from the directory attribute: accountExpires + - AccountLockoutTime - A property of type System.DateTime, derived + from the directory attribute: lockoutTime + - AccountNotDelegated - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - AllowReversiblePasswordEncryption - A property of type + System.Boolean, for AD DS it is derived from the directory + attribute: userAccountControl; for AD LDS it is derived from the + directory attribute: ms-DS-UserEncryptedTextPasswordAllowed + - BadLogonCount - A property of type System.Int32, derived from the + directory attribute: badPwdCount + - CannotChangePassword - A property of type System.Boolean, derived + from the directory attribute: nTSecurityDescriptor + - Certificates - A property of type + System.Security.Cryptography.X509Certificates.X509Certificate, + derived from the directory attribute: userCertificate + - DoesNotRequirePreAuth - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - Enabled - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserAccountDisabled + - HomedirRequired - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - LastBadPasswordAttempt - A property of type System.DateTime, + derived from the directory attribute: badPasswordTime + - LastLogonDate - A property of type System.DateTime, derived from + the directory attribute: lastLogonTimestamp + - LockedOut - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed, lockoutTime; for AD LDS it is + derived from the directory attribute msDS-UserAccountDisabled + - MNSLogonAccount - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - PasswordExpired - A property of type System.Boolean, for AD DS it + is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserPasswordExpired + - PasswordLastSet - A property of type System.DateTime, derived from + the directory attribute: pwdLastSet + - PasswordNeverExpires - A property of type System.Boolean, for AD + LDS it is derived from the directory attributes: + userAccountControl, msDS-User-Account-Control-Computed; for AD LDS + it is derived from the directory attribute: + msDS-UserDontExpirePassword + - PasswordNotRequired - A property of type System.Boolean, for AD DS + it is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute: ms-DS-UserPasswordNotRequired + - PrimaryGroup - A property of type System.String, derived from the + directory attributes: primaryGroupID, objectSid. This property is + not supported by AD LDS. + - ServicePrincipalNames - A property of type System.String, derived + from the directory attribute: servicePrincipalName. This property + is not supported by AD LDS. + - TrustedForDelegation - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - TrustedToAuthForDelegation - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - UseDESKeyOnly - A property of type System.Boolean, derived from the + directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - UserPrincipalName - A property of type System.String, derived from + the directory attribute: userPrincipalName + - ADComputer - Represents a computer and is derived from ADAccount. + An ADComputer may contain the following properties in addition to + those inherited from its parent. + - DNSHostName - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv4Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - Location - A property of type System.String, derived from the + directory attribute: location + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - OperatingSystem - A property of type System.String, derived from + the directory attribute: operatingSystem + - OperatingSystemHotfix - A property of type System.String, derived + from the directory attribute: operatingSystemHotfix + - OperatingSystemServicePack - A property of type System.String, + derived from the directory attribute: operatingSystemServicePack + - OperatingSystemVersion - A property of type System.String, + derived from the directory attribute: operatingSystemVersion + - ServiceAccount - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccount + - ADServiceAccount - Represents a managed service account; that is, + an Active Directory object of type msDS-ManagerdServiceAccount and + is derived from ADAccount. This class is not supported by AD LDS. + An ADServiceAccount may contain the following properties in + addition to those inherited from its parent. + - HostComputers - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccountBL + - ADUser - Represents a user (or iNetOrgPerson) and is derived from + ADAccount. 
An ADUser may contain the following properties in + addition to those inherited from its parent. + - City - A property of type System.String, derived from the + directory attribute: l + - Company - A property of type System.String, derived from the + directory attribute: company + - Country - A property of type System.String, derived from the + directory attribute: c + - Department - A property of type System.String, derived from the + directory attribute: department + - Division - A property of type System.String, derived from the + directory attribute: division + - EmailAddress - A property of type System.String, derived from the + directory attribute: mail + - EmployeeID - A property of type System.String, derived from the + directory attribute: employeeID + - EmployeeNumber - A property of type System.String, derived from + the directory attribute: employeeNumber + - Fax - A property of type System.String, derived from the + directory attribute: facsimileTelephoneNumber + - GivenName - A property of type System.String, derived from the + directory attribute: givenName + - HomeDirectory - A property of type System.String, derived from + the directory attribute: homeDirectory. This property is not + supported by AD LDS. + - HomeDrive - A property of type System.String, derived from the + directory attribute: homeDrive. This property is not supported by + AD LDS. + - HomePhone - A property of type System.String, derived from the + directory attribute: homePhone + - Initials - A property of type System.String, derived from the + directory attribute: initials + - LogonWorkstations - A property of type System.String, derived + from the directory attribute: userWorkstations. This property is + not supported by AD LDS. 
+ - Manager - A property of type System.String, derived from the + directory attribute: manager + - MobilePhone - A property of type System.String, derived from the + directory attribute: mobile + - Office - A property of type System.String, derived from the + directory attribute: physicalDeliveryOfficeName + - OfficePhone - A property of type System.String, derived from the + directory attribute: telephoneNumber + - Organization - A property of type System.String, derived from the + directory attribute: o + - OtherName - A property of type System.String, derived from the + directory attribute: middleName + - POBox - A property of type System.String, derived from the + directory attribute: postOfficeBox + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - ProfilePath - A property of type System.String, derived from the + directory attribute: profilePath. This property is not supported + by AD LDS. + - ScriptPath - A property of type System.String, derived from the + directory attribute: scriptPath. This property is not supported + by AD LDS. + - SmartcardLogonRequired - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not + supported by AD LDS. + - State - A property of type System.String, derived from the + directory attribute: st + - StreetAddress - A property of type System.String, derived from + the directory attribute: streetAddress + - Surname - A property of type System.String, derived from the + directory attribute: sn + - Title - A property of type System.String, derived from the + directory attribute: title + - ADGroup -Represents a group and is derived from ADPrincipal. An + ADGroup may contain the following properties in addition to those + inherited from its parent. 
+ - GroupCategory - A property of type + Microsoft.ActiveDirectory.Management.ADGroupCategory, derived from + the directory attribute: groupType + - GroupScope - A property of type + Microsoft.ActiveDirectory.Management.ADGroupScope, derived from the + directory attribute: groupType + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - Members - A property of type System.String, derived from the + directory attribute: member + - ADDefaultDomainPasswordPolicy - Represents the domain-wide password policy + of an Active Directory domain and is derived from ADEntity. This class is + not supported by AD LDS. An ADDefaultDomainPasswordPolicy may contain the + following properties in addition to those inherited from its parent. + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: pwdProperties + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: lockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: lockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: lockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: maxPwdAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: minPwdAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: minPwdLength + - PasswordHistoryCount - A property of type System.Int32, derived from the + directory attribute: pwdHistoryLength + - ReversibleEncryptionEnabled - A property of type System.Boolean, derived + from the directory attribute: pwdProperties + - ADForest - Represents a Active Directory forest in AD DS or a 
Configuration + Set in AD LDS and is derived from ADEntity. This class is not supported by + AD LDS. An ADForest may contain the following properties in addition to + those inherited from its parent. + - ApplicationPartitions - A property of type System.String, derived from + the directory attribute: ApplicationPartitions + - CrossForestReferences - A property of type System.String, derived from + the directory attribute: CrossForestReferences + - DomainNamingMaster - A property of type System.String, derived from the + directory attribute: DomainNamingMaster + - Domains - A property of type System.String, derived from the directory + attribute: Domains + - ForestMode - A property of type System.Int32, derived from the directory + attribute: msDS-Behavior-Version + - GlobalCatalogs - A property of type System.String, derived from the + directory attribute: GlobalCatalogs + - Name - A property of type System.String, derived from the directory + attribute: name + - PartitionContainerName - A property of type System.String, derived from + the directory attribute: distinguishedName + - RootDomain - A property of type System.String, derived from the directory + attribute: RootDomain + - SchemaMaster - A property of type System.String, derived from the + directory attribute: SchemaMaster + - Sites - A property of type System.String, derived from the directory + attribute: Sites + - SPNSuffixes - A property of type System.String, derived from the + directory attribute: msDS-SPNSuffixes + - UPNSuffixes - A property of type System.String, derived from the + directory attribute: uPNSuffixes + - ADDirectoryServer - Represents a directory server used as either a domain + controller or an AD LDS instance and is derived from ADEntity. An + ADDirectoryServer may contain the following properties in addition to those + inherited from its parent. 
+ - DefaultPartition - A property of type System.String, derived from the + directory attribute: DefaultPartition + - HostName - A property of type System.String, derived from the directory + attribute: HostName + - InvocationId - A property of type System.Guid, derived from the directory + attribute: InvocationId + - IPv4Address - A property of type System.String, derived from the + directory attribute: HostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: HostName + - LdapPort - A property of type System.Int32, derived from the directory + attribute: LdapPort + - Name - A property of type System.String, derived from the directory + attribute: Name + - NTDSSettingsObjectDN - A property of type System.String, derived from the + directory attribute: NTDSSettingsObjectDN + - OperationMasterRoles - A property of type + Microsoft.ActiveDirectory.Management.ADOperationMasterRole, derived from + the directory attribute: OperationMasterRole + - Partitions - A property of type System.String, derived from the directory + attribute: Partitions + - ServerObjectDN - A property of type System.String, derived from the + directory attribute: ServerObjectDN + - ServerObjectGuid - A property of type System.Guid, derived from the + directory attribute: ServerObjectGuid + - Site - A property of type System.String, derived from the directory + attribute: Site + - SslPort - A property of type System.Int32, derived from the directory + attribute: SslPort + - ADDomainController - Represents a domain controller in AD DS and is + derived from ADDirectoryServer. An ADDomainController may contain the + following properties in addition to those inherited from its parent. 
+ - ComputerObjectDN - A property of type System.String, derived from the + directory attribute: ComputerDN + - Domain - A property of type System.String, derived from the directory + attribute: Domain + - Enabled - A property of type System.Boolean, derived from the directory + attribute: Enabled + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - IsGlobalCatalog - A property of type System.Boolean, derived from the + directory attribute: IsGlobalCatalog + - IsReadOnly - A property of type System.Boolean, derived from the + directory attribute: IsReadOnly + - OperatingSystem - A property of type System.String, derived from the + directory attribute: OSName + - OperatingSystemHotfix - A property of type System.String, derived from + the directory attribute: OSHotFix + - OperatingSystemServicePack - A property of type System.String, derived + from the directory attribute: OSServicepack + - OperatingSystemVersion - A property of type System.String, derived from + the directory attribute: OSVersion diff --git a/docset/winserver2022-ps/activedirectory/About/About.md b/docset/winserver2022-ps/activedirectory/About/About.md index adc76085b9..449df28850 100644 --- a/docset/winserver2022-ps/activedirectory/About/About.md +++ b/docset/winserver2022-ps/activedirectory/About/About.md @@ -2,7 +2,7 @@ description: About articles for the ActiveDirectory module. Help Version: 3.1.0.0 Locale: en-US -ms.date: 04/22/2013 +ms.date: 07/03/2024 title: About articles --- # About topics 
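Review bot: the ADForest entry in the object-model listing that ends earlier on the line above contradicts itself. It says the class "Represents a Active Directory forest in AD DS or a Configuration Set in AD LDS" and then "This class is not supported by AD LDS". Keep one of the two statements: if the class works against AD LDS, drop the unsupported sentence, otherwise drop the Configuration Set clause. Fix "a Active" to "an Active" either way. In the ADDirectoryServer entry, IPv4Address and IPv6Address are both listed as "derived from the directory attribute: HostName"; if the addresses are resolved from the host name rather than read from a directory attribute, the text should say so.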
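Review bot: ms.date in About.md moves to 07/03/2024 in the hunk directly above, but the three About articles this patch adds (about_ActiveDirectory, about_ActiveDirectory_Identity, about_ActiveDirectory_ObjectModel) are created with ms.date: 04/22/2013. If the older date is kept on purpose to reflect when the content was written, say so in the commit message; otherwise give the new files the same date as the index.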
@@ -13,5 +13,14 @@ About topics cover a range of concepts about PowerShell. ## About Topics +### [about_ActiveDirectory](about_ActiveDirectory.md) +The Active Directory module is a command line interface for managing Active Directory. + ### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. + +### [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md) +The Active Directory module for Windows PowerShell objects have a range of identifying attributes that are used for search and retrieval. + +### [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md) +Describes the object model of the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory.md b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory.md new file mode 100644 index 0000000000..1b7183dcd2 --- /dev/null +++ b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory.md 
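Review bot: the summary added under the about_ActiveDirectory_Identity heading in the About.md index hunk above does not parse: "The Active Directory module for Windows PowerShell objects have a range of identifying attributes". Suggest "Objects in the Active Directory module for Windows PowerShell have a range of identifying attributes that are used for search and retrieval", and use the same wording in the SHORT DESCRIPTION of the new article so the index and the article stay in sync.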
@@ -0,0 +1,81 @@ +--- +title: about_ActiveDirectory +ms.date: 04/22/2013 +description: The Active Directory module is a command line interface for managing Active Directory. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory + +## SHORT DESCRIPTION + +The Active Directory module is a command line interface for managing Active +Directory. + +## LONG DESCRIPTION + +The Active Directory module for Windows PowerShell is for IT Professionals who +are administering and interfacing with Active Directory. The Active Directory +module provides an efficient way to complete many administrative, +configuration, and diagnostic tasks across Active Directory Domain Services (AD +DS) and Active Directory Lightweight Directory Services (AD LDS) instances in +their environments. The Active Directory module includes a set of Windows +PowerShell cmdlets and a provider. The provider exposes the Active Directory +database through a hierarchical navigation system, which is very similar to the +file system. As with drives in a file system, such as C:, you can connect +Windows PowerShell drives to Active Directory domains and AD LDS, as well as +Active Directory snapshots. + +### Coverage of Active Directory Module Cmdlets + +Create, Read, Update, and Delete actions are supported for Active Directory +objects by cmdlets such as `New-ADUser`, `Get-ADOrganizationalUnit`, +`Set-ADComputer`, and `Remove-ADUser`. + +Account and Password Policy Management are supported by cmdlets such as +`Enable-ADAccount`, `Unlock-ADAccount`, `New-ADServiceAccount`, +`Set-ADAccountControl`, and `Remove-ADFineGrainedPasswordPolicy`. + +Domain and Forest Management is supported by cmdlets such as `Get-ADForest`, +`Set-ADForest`, `Set-ADForestMode`, `Enable-ADOptionalFeature`, +`Get-ADDomainController`, and `Get-ADDomain`. 
+ +### Listing the Active Directory Module Cmdlets + +To get a list of all of the Active Directory module cmdlets, run + +```powershell +Get-Command -Module ActiveDirectory +``` + +### Getting Started + +Getting started with the Active Directory module for Windows PowerShell is as +easy as clicking the following shortcut: + +Run the following command in any Windows PowerShell prompt to import the Active +Directory module: + +```powershell +Import-Module ActiveDirectory +``` + +### Overview and Conceptual Topics + +The first two of these topics offer a high level overview of the Active +Directory module and the Active Directory Provider. + +- For a brief introduction to the Active Directory provider for Windows + PowerShell, see [ActiveDirectory](/powershell/module/activedirectory). +- The following topics are conceptual support topics for the Active Directory + module cmdlets. + - For an introduction to the **Identity** parameter, which is used by the + Active Directory module cmdlets to identify objects in the directory, see + [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md). + - For an introduction to the **Filter** parameter which is used by Active + Directory module cmdlets to search for objects in the directory, see + [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md). + - For an introduction to the .NET Framework-based object model implemented by + the Active Directory module, see + [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). diff --git a/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Identity.md b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Identity.md new file mode 100644 index 0000000000..c007277b19 --- /dev/null +++ b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Identity.md 
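Review bot: under "Getting Started" in the new about_ActiveDirectory.md above, the sentence ending "is as easy as clicking the following shortcut:" is followed by no shortcut, only the Import-Module instruction. Drop the sentence or restore the missing link. Under "Overview and Conceptual Topics", "The first two of these topics" does not match the list that follows, which has one provider link and then three nested conceptual links; reword the lead-in to match the list.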
@@ -0,0 +1,196 @@ +--- +title: about_ActiveDirectory_Identity +ms.date: 04/22/2013 +description: This article lists the identifying attributes that are used for search and retrieval supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Identity + +## SHORT DESCRIPTION + +The Active Directory module for Windows PowerShell objects have a range of +identifying attributes that are used for search and retrieval. + +## LONG DESCRIPTION + +In order to identify the objects in Active Directory, each object has +attributes that can be used as identifiers. In the Active Directory module, the +value of the identity of an object can be passed using the Identity parameter. +Each object type has its own set of possible types and values for use by the +Identity parameter. See the detailed description of the Identity parameter of +the given cmdlet for more information about its usage. + +When searching with the Active Directory module cmdlets, the value of the +Identity parameter, along with the values of the Server and Partition +parameters, is used to uniquely identify a single object. The Server parameter +is used to locate which server to connect with. The Partition parameter further +narrows the search to a specific partition. The Identity parameter then +resolves to a single unique object in the partition. + +Note that using the Security Accounts Manager (SAM) Account Name +(**sAMAccountName**) when targeting a global catalog port, you will not find a +user in a different domain if you are using the Identity parameter + +If more than one object is found using identity resolution, the Active +Directory module throws an error. 
+ +For more information about the Server and Partition parameters, see the help +topics for the individual cmdlets where they are used, such as `Get-ADUser`, by +typing: + +```powershell +Get-Help Get-ADUser +``` + +### Objects and Identities + +Each object has a list of attributes that can be used as an identity for that +object. Additionally, if the object inherits from another object, then the +parent object's identities can also be used as the child object's identities. +For more information on the Active Directory object hierarchy, see +[about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). + +> [!NOTE] +> For Active Directory Provider cmdlets, only an object's 'Distinguished Name' +> or 'Relative Distinguished Name' can be used as the identity. For a list of +> Active Directory Provider cmdlets, see ActiveDirectory. + +### Identity Attributes + +The following is a list of identity attributes by object type. + +- ADAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADComputer + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager Account Name (sAMAccountName) + +- ADDirectoryServer + - Name of the server object (name) + - For AD LDS instances the syntax of a name is `$` + - For other Active Directory instances, use the value of the name property. + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the directory + server. + - GUID (objectGUID) of server object under the configuration partition. 
+ - GUID (objectGUID) of NTDS settings object under the configuration partition + +- ADDomain + - Distinguished Name + - GUID + - Security Identifier + - DNS domain name + - NetBIOS domain name + +- ADDomainController + - GUID (objectGUID) + - IPV4Address + - Global IPV6Address + - DNS Host Name (dNSHostName) + - Name of the server object + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the domain controller + - GUID of NTDS settings object under the configuration partition + - GUID of server object under the configuration partition + - Distinguished Name of the computer object that represents the domain controller. + +- ADFineGrainedPasswordPolicy + - Distinguished Name + - GUID (objectGUID) + - Name (name) + +- ADForest + - Fully qualified domain name + - DNS host name + - NetBIOS name + +- ADGroup + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager (SAM) Account Name (sAMAccountName) + +- ADObject + - Distinguished Name + - GUID (objectGUID) + +- ADOptionalFeature + - Distinguished Name + - Name (name) + - Feature GUID (featureGUID) + - GUID (objectGUID) + +- ADOrganizationalUnit + - Distinguished Name + - GUID (objectGUID) + +- ADPrincipal + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADServiceAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADUser + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM User Name (sAMUserName) + + +### Identities Formats + +Active Directory module objects have a range of identity attributes. Below is a +list of these, their types and formats. 
+ +- Distinguished Name + - Example: CN=SaraDavis,CN=Europe,CN=Users, DC=corp,DC=contoso,DC=com + +- DNS domain name + - Example: redmond.corp.contoso.com + +- DNS Host Name (dNSHostName) + - Example: corp-DC01.corp.contoso.com + +- Feature GUID (featureGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- Fully qualified domain name + - Example: corp.contoso.com + +- Global IPV6Address + - Example: 2001:4898:0:fff:200:5efe:157.59.132.61 + +- GUID (objectGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- IPV4Address + - Example:157.59.132.61 + +- NetBIOS domain name + - Example: redmond + +- Name of the server object + - Example: corp-DC01$ + +- SAM Account Name (sAMAccountName) + - Example: saradavisreports + +- Security Identifier (objectSid) + - Example: S-1-5-21-3165297888-301567370-576410423-1103 + +- Name + - Example: Recycle Bin Feature diff --git a/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md new file mode 100644 index 0000000000..8535a97464 --- /dev/null +++ b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md 
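Review bot: in the Identity Attributes list of the new about_ActiveDirectory_Identity.md above, ADUser ends with "SAM User Name (sAMUserName)", while ADAccount, ADComputer, ADGroup, ADPrincipal and ADServiceAccount all use sAMAccountName and the Identities Formats section has no sAMUserName entry; this looks like it should read "SAM Account Name (sAMAccountName)". Under ADDirectoryServer, "For AD LDS instances the syntax of a name is `$`" has lost its placeholder text, so the reader cannot tell what goes before the `$`. The paragraph on sAMAccountName and the global catalog port is missing its final period and would be easier to spot as a NOTE block, since it describes a case where an Identity lookup does not find a user in another domain.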
@@ -0,0 +1,595 @@ +--- +title: about_ActiveDirectory_ObjectModel +ms.date: 04/22/2013 +description: Describes the object model of the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_ObjectModel + +## SHORT DESCRIPTION +Describes the object model of the Active Directory module for Windows +PowerShell. + +## LONG DESCRIPTION + +This topic explains the Active Directory module classes and their properties +used to model actual Active Directory attributes. It also outlines the class +hierarchy constructed from its Active Directory counterpart. The object model +establishes a data foundation for all the operations supported by Active +Directory module cmdlets. + +### Class Hierarchy + +The following list shows the class hierarchy defined in the Active Directory +module object model, with class inheritance implied by indentation. This +inheritance model allows for Active Directory cmdlets to accept a range of +object types as input. This means, for example, that the cmdlet +Get-ADPrincipalGroupMembership can accept as input any of the following +objects: ADGroup, ADAccount, ADComputer, ADServiceAccount or ADUser. This works +because of the inheritance model and guarantees that an ADUser object has all +of the properties of an ADPrincipal object. + +``` +ADEntity + ADRootDSE + ADObject + ADFineGrainedPasswordPolicy + ADOptionalFeature + ADOrganizationalUnit + ADPartition + ADDomain + ADPrincipal + ADAccount + ADComputer + ADServiceAccount + ADUser + ADGroup + ADDefaultDomainPasswordPolicy + ADForest + ADDirectoryServer + ADDomainController +``` + +### Active Directory Module Classes + +The following listing shows every Active Directory module class from the class +hierarchy listing. Each class defines a set of properties, some of which are +LDAP attributes that are retrieved by default and some are new properties +created specifically for the Active Directory module. 
These new properties are +derived from one or more LDAP attributes as outlined in the class listings. + + +- ADEntity - The base level class from which all other classes are derived. + - ADRootDSE - Represents the rootDSE and is derived from ADEntity. An + ADRootDSE may contain the following properties in addition to those + inherited from its parent. + - ConfigurationNamingContext - A property of type System.String, derived + from the directory attribute ConfigurationNamingContext + - CurrentTime - A property of type System.DateTime, derived from the + directory attribute CurrentTime + - DefaultNamingContext - A property of type System.String, derived from the + directory attribute DefaultNamingContext + - DnsHostName - A property of type System.String, derived from the + directory attribute DnsHostName + - DomainControllerFunctionality - A property of type + ADDomainControllerMode, derived from the directory attribute + DomainControllerFunctionality + - DomainFunctionality - A property of type ADDomainMode, derived from the + directory attribute DomainFunctionality + - DsServiceName - A property of type System.String, derived from the + directory attribute DsServiceName + - ForestFunctionality - A property of type ADForestMode, derived from the + directory attribute ForestFunctionality + - GlobalCatalogReady - A property of type System.Boolean, derived from the + directory attribute GlobalCatalogReady + - HighestCommittedUSN - A property of type System.Long, derived from the + directory attribute HighestCommittedUSN + - LdapServiceName - A property of type System.String, derived from the + directory attribute LdapServiceName + - NamingContexts - A property of type System.String, derived from the + directory attribute NamingContexts + - RootDomainNamingContext - A property of type System.String, derived from + the directory attribute RootDomainNamingContext + - SchemaNamingContext - A property of type System.String, derived from the + directory attribute 
SchemaNamingContext + - ServerName - A property of type System.String, derived from the directory + attribute ServerName + - SubschemaSubentry - A property of type ADObject, derived from the + directory attribute SubschemaSubentry + - SupportedCapabilities - A property of type ADObjectIdentifier, derived + from the directory attribute SupportedCapabilities + - SupportedControl - A property of type ADObjectIdentifier, derived from + the directory attribute SupportedControl + - SupportedLDAPPolicies - A property of type System.String, derived from + the directory attribute SupportedLDAPPolicies + - SupportedLDAPVersion - A property of type System.Int, derived from the + directory attribute SupportedLDAPVersion + - SupportedRootDSEOperations - A property of type + ADPropertyValueCollection, derived from the directory attribute + SupportedRootDSEOperations + - SupportedSASLMechanisms - A property of type System.String, derived from + the directory attribute SupportedSASLMechanisms + - Syncronized - A property of type System.Boolean, derived from the + directory attribute IsSynchronized. + - ADObject - Represents any object in Active Directory and is derived from + ADEntity. An ADObject may contain the following properties in addition to + those inherited from its parent. 
+ - CanonicalName - A property of type System.String, derived from the + directory attribute: canonicalName + - CN - A property of type System.String, derived from the directory + attribute: cn + - Created - A property of type System.DateTime, derived from the directory + attribute: createTimeStamp + - Deleted - A property of type System.Boolean, derived from the directory + attribute: isDeleted + - Description - A property of type System.String, derived from the + directory attribute: description + - DisplayName - A property of type System.String, derived from the + directory attribute: displayName + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LastKnownParent - A property of type System.String, derived from the + directory attribute: lastKnownParent + - Modified - A property of type System.DateTime, derived from the directory + attribute: modifyTimeStamp + - Name - A property of type System.String, derived from the directory + attribute: name + - ObjectCategory - A property of type System.String, derived from the + directory attribute: objectCategory + - ObjectClass - A property of type System.String, derived from the + directory attribute: objectClass + - ObjectGUID - A property of type System.Guid, derived from the directory + attribute: objectGUID + - ProtectedFromAccidentalDeletion - A property of type System.Boolean, + derived from the directory attributes: nTSecurityDescriptor, + sdRightsEffective, instanceType, isDeleted + - ADFineGrainedPasswordPolicy Represents a fine grained password policy + object; that is, an AD object of type msDS-PasswordSettings in AD DS and + is derived from ADObject. This class is not supported by AD LDS. An + ADFineGrainedPasswordPolicy may contain the following properties in + addition to those inherited from its parent. 
+ - AppliesTo - A property of type System.String, derived from the + directory attribute: msDS-PSOAppliesTo + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: msDS-PasswordComplexityEnabled + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: msDS-LockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: msDS-LockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: msDS-LockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MaximumPasswordAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MinimumPasswordAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: msDS-MinimumPasswordLength + - PasswordHistoryCount - A property of type System.Int32, derived from + the directory attribute: msDS-PasswordHistoryLength + - Precedence - A property of type System.Int32, derived from the + directory attribute: msDS-PasswordSettingsPrecedence + - ReversibleEncryptionEnabled - A property of type System.Boolean, + derived from the directory attribute: + msDS-PasswordReversibleEncryptionEnabled + - ADOptionalFeature Represents an optional feature, an Active Directory + object of type msDS-OptionalFeature, and is derived from ADObject. An + ADOptionalFeaturemay contain the following properties in addition to + those inherited from its parent. 
+ - EnabledScopes - A property of type System.String, derived from the + directory attribute: msDS-EnabledFeatureBL + - FeatureGUID - A property of type System.Guid, derived from the + directory attribute: msDS-OptionalFeatureGUID + - FeatureScope - A property of type System.Int32, derived from the + directory attribute: msDS-OptionalFeatureFlags + - IsDisableable - A property of type System.Boolean, derived from the + directory attribute: msDS-OptionalFeatureFlags + - RequiredDomainMode - A property of type + Microsoft.ActiveDirectory.Management.ADDomainMode, derived from the + directory attribute: msDS-RequiredDomainBehaviorVersion + - RequiredForestMode - A property of type + Microsoft.ActiveDirectory.Management.ADForestMode, derived from the + directory attribute: msDS-RequiredForestBehaviorVersion + - ADOrganizationalUnit Represents an organizationalUnit (OU) object and is + derived from ADObject. An ADOrganizationalUnit may contain the following + properties in addition to those inherited from its parent. + - City - A property of type System.String, derived from the directory + attribute: l + - Country - A property of type System.String, derived from the directory + attribute: c + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: gpLink. This property is not supported on + AD LDS. + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - State - A property of type System.String, derived from the directory + attribute: st + - StreetAddress - A property of type System.String, derived from the + directory attribute: street + - ADPartition - Represents a naming context, Configuration, Schema, Domain + or Application Partition(ND NC) and is derived from ADObject. This class + is not supported by AD LDS. 
An ADPartition may contain the following + properties in addition to those inherited from its parent. + - DeletedObjectsContainer - A property of type System.String, derived + from the directory attribute: DeletedObjectsContainer + - DNSRoot - A property of type System.String, derived from the directory + attribute: DNSRoot + - LostAndFoundContainer - A property of type System.String, derived from + the directory attribute: LostAndFoundContainer + - QuotasContainer - A property of type System.String, derived from the + directory attribute: QuotasContainer + - ReadOnlyReplicaDirectoryServers - A property of type System.String, + derived from the directory attribute: ReadOnlyReplicaDirectoryServers + - ReplicaDirectoryServers - A property of type System.String, derived + from the directory attribute: ReplicaDirectoryServers + - SubordinateReferences - A property of type System.String, derived from + the directory attribute: SubordinateReferences + - ADDomain - Represents a domain in AD DS or an instance in AD LDS; for + example, an Active Directory object of type domainDNS and is derived + from ADPartition. This class is not supported by AD LDS. An ADDomain + may contain the following properties in addition to those inherited + from its parent. 
+ - AllowedDNSSuffixes - A property of type System.String, derived from + the directory attribute: msDS-AllowedDNSSuffixes + - ChildDomains - A property of type System.String, derived from the + directory attribute: ChildDomains + - ComputersContainer - A property of type System.String, derived from + the directory attribute: ComputersContainer + - DomainControllersContainer - A property of type System.String, + derived from the directory attribute: DomainControllersContainer + - DomainMode - A property of type System.Int32, derived from the + directory attribute: msDS-Behavior-Version + - DomainSID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - ForeignSecurityPrincipalsContainer - A property of type + System.String, derived from the directory attribute: + ForeignSecurityPrincipalsContainer + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - InfrastructureMaster - A property of type System.String, derived from + the directory attribute: InfrastructureMaster + - LastLogonReplicationInterval - A property of type System.TimeSpan, + derived from the directory attribute: msDS-LogonTimeSyncInterval + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: LinkedGroupPolicyObjects + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - NetBIOSName - A property of type System.String, derived from the + directory attribute: NetBIOSName + - ParentDomain - A property of type System.String, derived from the + directory attribute: ParentDomain + - PDCEmulator - A property of type System.String, derived from the + directory attribute: PDCEmulator + - RIDMaster - A property of type System.String, derived from the + directory attribute: RIDMaster + - SystemsContainer - A property of type System.String, derived from the + directory attribute: SystemsContainer + - 
UsersContainer - A property of type System.String, derived from the + directory attribute: UsersContainer + - ADPrincipal - Represents a security principal, which is an Active + Directory object of type user, computer, group or iNetOrgPerson and is + derived from ADObject. An ADPrincipal may contain the following + properties in addition to those inherited from its parent. + - HomePage - A property of type System.String, derived from the + directory attribute: wWWHomePage + - MemberOf - A property of type System.String, derived from the + directory attribute: memberOf + - SamAccountName - A property of type System.String, derived from the + directory attribute: sAMAccountName. This property is not supported + for AD LDS. + - SID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - SIDHistory - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: sIDHistory. This property is not supported for + AD LDS. + - ADAccount - Represents a security account; that is, an Active + Directory object of type user, computer or iNetOrgPerson and is + derived from ADPrincipal. An ADAccount may contain the following + properties in addition to those inherited from its parent. + - AccountExpirationDate - A property of type System.DateTime, derived + from the directory attribute: accountExpires + - AccountLockoutTime - A property of type System.DateTime, derived + from the directory attribute: lockoutTime + - AccountNotDelegated - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - AllowReversiblePasswordEncryption - A property of type + System.Boolean, for AD DS it is derived from the directory + attribute: userAccountControl; for AD LDS it is derived from the + directory attribute: ms-DS-UserEncryptedTextPasswordAllowed + - BadLogonCount - A property of type System.Int32, derived from the + directory attribute: badPwdCount + - CannotChangePassword - A property of type System.Boolean, derived + from the directory attribute: nTSecurityDescriptor + - Certificates - A property of type + System.Security.Cryptography.X509Certificates.X509Certificate, + derived from the directory attribute: userCertificate + - DoesNotRequirePreAuth - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - Enabled - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserAccountDisabled + - HomedirRequired - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - LastBadPasswordAttempt - A property of type System.DateTime, + derived from the directory attribute: badPasswordTime + - LastLogonDate - A property of type System.DateTime, derived from + the directory attribute: lastLogonTimestamp + - LockedOut - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed, lockoutTime; for AD LDS it is + derived from the directory attribute msDS-UserAccountDisabled + - MNSLogonAccount - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - PasswordExpired - A property of type System.Boolean, for AD DS it + is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserPasswordExpired + - PasswordLastSet - A property of type System.DateTime, derived from + the directory attribute: pwdLastSet + - PasswordNeverExpires - A property of type System.Boolean, for AD + LDS it is derived from the directory attributes: + userAccountControl, msDS-User-Account-Control-Computed; for AD LDS + it is derived from the directory attribute: + msDS-UserDontExpirePassword + - PasswordNotRequired - A property of type System.Boolean, for AD DS + it is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute: ms-DS-UserPasswordNotRequired + - PrimaryGroup - A property of type System.String, derived from the + directory attributes: primaryGroupID, objectSid. This property is + not supported by AD LDS. + - ServicePrincipalNames - A property of type System.String, derived + from the directory attribute: servicePrincipalName. This property + is not supported by AD LDS. + - TrustedForDelegation - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - TrustedToAuthForDelegation - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - UseDESKeyOnly - A property of type System.Boolean, derived from the + directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - UserPrincipalName - A property of type System.String, derived from + the directory attribute: userPrincipalName + - ADComputer - Represents a computer and is derived from ADAccount. + An ADComputer may contain the following properties in addition to + those inherited from its parent. + - DNSHostName - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv4Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - Location - A property of type System.String, derived from the + directory attribute: location + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - OperatingSystem - A property of type System.String, derived from + the directory attribute: operatingSystem + - OperatingSystemHotfix - A property of type System.String, derived + from the directory attribute: operatingSystemHotfix + - OperatingSystemServicePack - A property of type System.String, + derived from the directory attribute: operatingSystemServicePack + - OperatingSystemVersion - A property of type System.String, + derived from the directory attribute: operatingSystemVersion + - ServiceAccount - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccount + - ADServiceAccount - Represents a managed service account; that is, + an Active Directory object of type msDS-ManagerdServiceAccount and + is derived from ADAccount. This class is not supported by AD LDS. + An ADServiceAccount may contain the following properties in + addition to those inherited from its parent. + - HostComputers - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccountBL + - ADUser - Represents a user (or iNetOrgPerson) and is derived from + ADAccount. 
An ADUser may contain the following properties in + addition to those inherited from its parent. + - City - A property of type System.String, derived from the + directory attribute: l + - Company - A property of type System.String, derived from the + directory attribute: company + - Country - A property of type System.String, derived from the + directory attribute: c + - Department - A property of type System.String, derived from the + directory attribute: department + - Division - A property of type System.String, derived from the + directory attribute: division + - EmailAddress - A property of type System.String, derived from the + directory attribute: mail + - EmployeeID - A property of type System.String, derived from the + directory attribute: employeeID + - EmployeeNumber - A property of type System.String, derived from + the directory attribute: employeeNumber + - Fax - A property of type System.String, derived from the + directory attribute: facsimileTelephoneNumber + - GivenName - A property of type System.String, derived from the + directory attribute: givenName + - HomeDirectory - A property of type System.String, derived from + the directory attribute: homeDirectory. This property is not + supported by AD LDS. + - HomeDrive - A property of type System.String, derived from the + directory attribute: homeDrive. This property is not supported by + AD LDS. + - HomePhone - A property of type System.String, derived from the + directory attribute: homePhone + - Initials - A property of type System.String, derived from the + directory attribute: initials + - LogonWorkstations - A property of type System.String, derived + from the directory attribute: userWorkstations. This property is + not supported by AD LDS. 
+ - Manager - A property of type System.String, derived from the + directory attribute: manager + - MobilePhone - A property of type System.String, derived from the + directory attribute: mobile + - Office - A property of type System.String, derived from the + directory attribute: physicalDeliveryOfficeName + - OfficePhone - A property of type System.String, derived from the + directory attribute: telephoneNumber + - Organization - A property of type System.String, derived from the + directory attribute: o + - OtherName - A property of type System.String, derived from the + directory attribute: middleName + - POBox - A property of type System.String, derived from the + directory attribute: postOfficeBox + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - ProfilePath - A property of type System.String, derived from the + directory attribute: profilePath. This property is not supported + by AD LDS. + - ScriptPath - A property of type System.String, derived from the + directory attribute: scriptPath. This property is not supported + by AD LDS. + - SmartcardLogonRequired - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not + supported by AD LDS. + - State - A property of type System.String, derived from the + directory attribute: st + - StreetAddress - A property of type System.String, derived from + the directory attribute: streetAddress + - Surname - A property of type System.String, derived from the + directory attribute: sn + - Title - A property of type System.String, derived from the + directory attribute: title + - ADGroup -Represents a group and is derived from ADPrincipal. An + ADGroup may contain the following properties in addition to those + inherited from its parent. 
+ - GroupCategory - A property of type + Microsoft.ActiveDirectory.Management.ADGroupCategory, derived from + the directory attribute: groupType + - GroupScope - A property of type + Microsoft.ActiveDirectory.Management.ADGroupScope, derived from the + directory attribute: groupType + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - Members - A property of type System.String, derived from the + directory attribute: member + - ADDefaultDomainPasswordPolicy - Represents the domain-wide password policy + of an Active Directory domain and is derived from ADEntity. This class is + not supported by AD LDS. An ADDefaultDomainPasswordPolicy may contain the + following properties in addition to those inherited from its parent. + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: pwdProperties + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: lockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: lockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: lockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: maxPwdAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: minPwdAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: minPwdLength + - PasswordHistoryCount - A property of type System.Int32, derived from the + directory attribute: pwdHistoryLength + - ReversibleEncryptionEnabled - A property of type System.Boolean, derived + from the directory attribute: pwdProperties + - ADForest - Represents a Active Directory forest in AD DS or a 
Configuration + Set in AD LDS and is derived from ADEntity. This class is not supported by + AD LDS. An ADForest may contain the following properties in addition to + those inherited from its parent. + - ApplicationPartitions - A property of type System.String, derived from + the directory attribute: ApplicationPartitions + - CrossForestReferences - A property of type System.String, derived from + the directory attribute: CrossForestReferences + - DomainNamingMaster - A property of type System.String, derived from the + directory attribute: DomainNamingMaster + - Domains - A property of type System.String, derived from the directory + attribute: Domains + - ForestMode - A property of type System.Int32, derived from the directory + attribute: msDS-Behavior-Version + - GlobalCatalogs - A property of type System.String, derived from the + directory attribute: GlobalCatalogs + - Name - A property of type System.String, derived from the directory + attribute: name + - PartitionContainerName - A property of type System.String, derived from + the directory attribute: distinguishedName + - RootDomain - A property of type System.String, derived from the directory + attribute: RootDomain + - SchemaMaster - A property of type System.String, derived from the + directory attribute: SchemaMaster + - Sites - A property of type System.String, derived from the directory + attribute: Sites + - SPNSuffixes - A property of type System.String, derived from the + directory attribute: msDS-SPNSuffixes + - UPNSuffixes - A property of type System.String, derived from the + directory attribute: uPNSuffixes + - ADDirectoryServer - Represents a directory server used as either a domain + controller or an AD LDS instance and is derived from ADEntity. An + ADDirectoryServer may contain the following properties in addition to those + inherited from its parent. 
+ - DefaultPartition - A property of type System.String, derived from the + directory attribute: DefaultPartition + - HostName - A property of type System.String, derived from the directory + attribute: HostName + - InvocationId - A property of type System.Guid, derived from the directory + attribute: InvocationId + - IPv4Address - A property of type System.String, derived from the + directory attribute: HostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: HostName + - LdapPort - A property of type System.Int32, derived from the directory + attribute: LdapPort + - Name - A property of type System.String, derived from the directory + attribute: Name + - NTDSSettingsObjectDN - A property of type System.String, derived from the + directory attribute: NTDSSettingsObjectDN + - OperationMasterRoles - A property of type + Microsoft.ActiveDirectory.Management.ADOperationMasterRole, derived from + the directory attribute: OperationMasterRole + - Partitions - A property of type System.String, derived from the directory + attribute: Partitions + - ServerObjectDN - A property of type System.String, derived from the + directory attribute: ServerObjectDN + - ServerObjectGuid - A property of type System.Guid, derived from the + directory attribute: ServerObjectGuid + - Site - A property of type System.String, derived from the directory + attribute: Site + - SslPort - A property of type System.Int32, derived from the directory + attribute: SslPort + - ADDomainController - Represents a domain controller in AD DS and is + derived from ADDirectoryServer. An ADDomainController may contain the + following properties in addition to those inherited from its parent. 
+ - ComputerObjectDN - A property of type System.String, derived from the + directory attribute: ComputerDN + - Domain - A property of type System.String, derived from the directory + attribute: Domain + - Enabled - A property of type System.Boolean, derived from the directory + attribute: Enabled + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - IsGlobalCatalog - A property of type System.Boolean, derived from the + directory attribute: IsGlobalCatalog + - IsReadOnly - A property of type System.Boolean, derived from the + directory attribute: IsReadOnly + - OperatingSystem - A property of type System.String, derived from the + directory attribute: OSName + - OperatingSystemHotfix - A property of type System.String, derived from + the directory attribute: OSHotFix + - OperatingSystemServicePack - A property of type System.String, derived + from the directory attribute: OSServicepack + - OperatingSystemVersion - A property of type System.String, derived from + the directory attribute: OSVersion diff --git a/docset/winserver2025-ps/activedirectory/About/About.md b/docset/winserver2025-ps/activedirectory/About/About.md index adc76085b9..449df28850 100644 --- a/docset/winserver2025-ps/activedirectory/About/About.md +++ b/docset/winserver2025-ps/activedirectory/About/About.md @@ -2,7 +2,7 @@ description: About articles for the ActiveDirectory module. Help Version: 3.1.0.0 Locale: en-US -ms.date: 04/22/2013 +ms.date: 07/03/2024 title: About articles --- # About topics 
@@ -13,5 +13,14 @@ About topics cover a range of concepts about PowerShell. ## About Topics +### [about_ActiveDirectory](about_ActiveDirectory.md) +The Active Directory module is a command line interface for managing Active Directory. + ### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. + +### [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md) +The Active Directory module for Windows PowerShell objects have a range of identifying attributes that are used for search and retrieval. + +### [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md) +Describes the object model of the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory.md b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory.md new file mode 100644 index 0000000000..1b7183dcd2 --- /dev/null +++ b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory.md 
@@ -0,0 +1,81 @@ +--- +title: about_ActiveDirectory +ms.date: 04/22/2013 +description: The Active Directory module is a command line interface for managing Active Directory. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory + +## SHORT DESCRIPTION + +The Active Directory module is a command line interface for managing Active +Directory. + +## LONG DESCRIPTION + +The Active Directory module for Windows PowerShell is for IT Professionals who +are administering and interfacing with Active Directory. The Active Directory +module provides an efficient way to complete many administrative, +configuration, and diagnostic tasks across Active Directory Domain Services (AD +DS) and Active Directory Lightweight Directory Services (AD LDS) instances in +their environments. The Active Directory module includes a set of Windows +PowerShell cmdlets and a provider. The provider exposes the Active Directory +database through a hierarchical navigation system, which is very similar to the +file system. As with drives in a file system, such as C:, you can connect +Windows PowerShell drives to Active Directory domains and AD LDS, as well as +Active Directory snapshots. + +### Coverage of Active Directory Module Cmdlets + +Create, Read, Update, and Delete actions are supported for Active Directory +objects by cmdlets such as `New-ADUser`, `Get-ADOrganizationalUnit`, +`Set-ADComputer`, and `Remove-ADUser`. + +Account and Password Policy Management are supported by cmdlets such as +`Enable-ADAccount`, `Unlock-ADAccount`, `New-ADServiceAccount`, +`Set-ADAccountControl`, and `Remove-ADFineGrainedPasswordPolicy`. + +Domain and Forest Management is supported by cmdlets such as `Get-ADForest`, +`Set-ADForest`, `Set-ADForestMode`, `Enable-ADOptionalFeature`, +`Get-ADDomainController`, and `Get-ADDomain`. 
+ +### Listing the Active Directory Module Cmdlets + +To get a list of all of the Active Directory module cmdlets, run + +```powershell +Get-Command -Module ActiveDirectory +``` + +### Getting Started + +Getting started with the Active Directory module for Windows PowerShell is as +easy as clicking the following shortcut: + +Run the following command in any Windows PowerShell prompt to import the Active +Directory module: + +```powershell +Import-Module ActiveDirectory +``` + +### Overview and Conceptual Topics + +The first two of these topics offer a high level overview of the Active +Directory module and the Active Directory Provider. + +- For a brief introduction to the Active Directory provider for Windows + PowerShell, see [ActiveDirectory](/powershell/module/activedirectory). +- The following topics are conceptual support topics for the Active Directory + module cmdlets. + - For an introduction to the **Identity** parameter, which is used by the + Active Directory module cmdlets to identify objects in the directory, see + [about_ActiveDirectory_Identity](about_ActiveDirectory_Identity.md). + - For an introduction to the **Filter** parameter which is used by Active + Directory module cmdlets to search for objects in the directory, see + [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md). + - For an introduction to the .NET Framework-based object model implemented by + the Active Directory module, see + [about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). diff --git a/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Identity.md b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Identity.md new file mode 100644 index 0000000000..c007277b19 --- /dev/null +++ b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Identity.md 
@@ -0,0 +1,196 @@ +--- +title: about_ActiveDirectory_Identity +ms.date: 04/22/2013 +description: This article lists the identifying attributes that are used for search and retrieval supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Identity + +## SHORT DESCRIPTION + +The Active Directory module for Windows PowerShell objects have a range of +identifying attributes that are used for search and retrieval. + +## LONG DESCRIPTION + +In order to identify the objects in Active Directory, each object has +attributes that can be used as identifiers. In the Active Directory module, the +value of the identity of an object can be passed using the Identity parameter. +Each object type has its own set of possible types and values for use by the +Identity parameter. See the detailed description of the Identity parameter of +the given cmdlet for more information about its usage. + +When searching with the Active Directory module cmdlets, the value of the +Identity parameter, along with the values of the Server and Partition +parameters, is used to uniquely identify a single object. The Server parameter +is used to locate which server to connect with. The Partition parameter further +narrows the search to a specific partition. The Identity parameter then +resolves to a single unique object in the partition. + +Note that using the Security Accounts Manager (SAM) Account Name +(**sAMAccountName**) when targeting a global catalog port, you will not find a +user in a different domain if you are using the Identity parameter + +If more than one object is found using identity resolution, the Active +Directory module throws an error. 
+ +For more information about the Server and Partition parameters, see the help +topics for the individual cmdlets where they are used, such as `Get-ADUser`, by +typing: + +```powershell +Get-Help Get-ADUser +``` + +### Objects and Identities + +Each object has a list of attributes that can be used as an identity for that +object. Additionally, if the object inherits from another object, then the +parent object's identities can also be used as the child object's identities. +For more information on the Active Directory object hierarchy, see +[about_ActiveDirectory_ObjectModel](about_ActiveDirectory_ObjectModel.md). + +> [!NOTE] +> For Active Directory Provider cmdlets, only an object's 'Distinguished Name' +> or 'Relative Distinguished Name' can be used as the identity. For a list of +> Active Directory Provider cmdlets, see ActiveDirectory. + +### Identity Attributes + +The following is a list of identity attributes by object type. + +- ADAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADComputer + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager Account Name (sAMAccountName) + +- ADDirectoryServer + - Name of the server object (name) + - For AD LDS instances the syntax of a name is `$` + - For other Active Directory instances, use the value of the name property. + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the directory + server. + - GUID (objectGUID) of server object under the configuration partition. 
+ - GUID (objectGUID) of NTDS settings object under the configuration partition + +- ADDomain + - Distinguished Name + - GUID + - Security Identifier + - DNS domain name + - NetBIOS domain name + +- ADDomainController + - GUID (objectGUID) + - IPV4Address + - Global IPV6Address + - DNS Host Name (dNSHostName) + - Name of the server object + - Distinguished Name of the NTDS Settings object + - Distinguished Name of the server object that represents the domain controller + - GUID of NTDS settings object under the configuration partition + - GUID of server object under the configuration partition + - Distinguished Name of the computer object that represents the domain controller. + +- ADFineGrainedPasswordPolicy + - Distinguished Name + - GUID (objectGUID) + - Name (name) + +- ADForest + - Fully qualified domain name + - DNS host name + - NetBIOS name + +- ADGroup + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - Security Accounts Manager (SAM) Account Name (sAMAccountName) + +- ADObject + - Distinguished Name + - GUID (objectGUID) + +- ADOptionalFeature + - Distinguished Name + - Name (name) + - Feature GUID (featureGUID) + - GUID (objectGUID) + +- ADOrganizationalUnit + - Distinguished Name + - GUID (objectGUID) + +- ADPrincipal + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADServiceAccount + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM Account Name (sAMAccountName) + +- ADUser + - Distinguished Name + - GUID (objectGUID) + - Security Identifier (objectSid) + - SAM User Name (sAMUserName) + + +### Identities Formats + +Active Directory module objects have a range of identity attributes. Below is a +list of these, their types and formats. 
+ +- Distinguished Name + - Example: CN=SaraDavis,CN=Europe,CN=Users, DC=corp,DC=contoso,DC=com + +- DNS domain name + - Example: redmond.corp.contoso.com + +- DNS Host Name (dNSHostName) + - Example: corp-DC01.corp.contoso.com + +- Feature GUID (featureGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- Fully qualified domain name + - Example: corp.contoso.com + +- Global IPV6Address + - Example: 2001:4898:0:fff:200:5efe:157.59.132.61 + +- GUID (objectGUID) + - Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 + +- IPV4Address + - Example:157.59.132.61 + +- NetBIOS domain name + - Example: redmond + +- Name of the server object + - Example: corp-DC01$ + +- SAM Account Name (sAMAccountName) + - Example: saradavisreports + +- Security Identifier (objectSid) + - Example: S-1-5-21-3165297888-301567370-576410423-1103 + +- Name + - Example: Recycle Bin Feature diff --git a/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md new file mode 100644 index 0000000000..8535a97464 --- /dev/null +++ b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_ObjectModel.md 
@@ -0,0 +1,595 @@ +--- +title: about_ActiveDirectory_ObjectModel +ms.date: 04/22/2013 +description: Describes the object model of the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_ObjectModel + +## SHORT DESCRIPTION +Describes the object model of the Active Directory module for Windows +PowerShell. + +## LONG DESCRIPTION + +This topic explains the Active Directory module classes and their properties +used to model actual Active Directory attributes. It also outlines the class +hierarchy constructed from its Active Directory counterpart. The object model +establishes a data foundation for all the operations supported by Active +Directory module cmdlets. + +### Class Hierarchy + +The following list shows the class hierarchy defined in the Active Directory +module object model, with class inheritance implied by indentation. This +inheritance model allows for Active Directory cmdlets to accept a range of +object types as input. This means, for example, that the cmdlet +Get-ADPrincipalGroupMembership can accept as input any of the following +objects: ADGroup, ADAccount, ADComputer, ADServiceAccount or ADUser. This works +because of the inheritance model and guarantees that an ADUser object has all +of the properties of an ADPrincipal object. + +``` +ADEntity + ADRootDSE + ADObject + ADFineGrainedPasswordPolicy + ADOptionalFeature + ADOrganizationalUnit + ADPartition + ADDomain + ADPrincipal + ADAccount + ADComputer + ADServiceAccount + ADUser + ADGroup + ADDefaultDomainPasswordPolicy + ADForest + ADDirectoryServer + ADDomainController +``` + +### Active Directory Module Classes + +The following listing shows every Active Directory module class from the class +hierarchy listing. Each class defines a set of properties, some of which are +LDAP attributes that are retrieved by default and some are new properties +created specifically for the Active Directory module. 
These new properties are +derived from one or more LDAP attributes as outlined in the class listings. + + +- ADEntity - The base level class from which all other classes are derived. + - ADRootDSE - Represents the rootDSE and is derived from ADEntity. An + ADRootDSE may contain the following properties in addition to those + inherited from its parent. + - ConfigurationNamingContext - A property of type System.String, derived + from the directory attribute ConfigurationNamingContext + - CurrentTime - A property of type System.DateTime, derived from the + directory attribute CurrentTime + - DefaultNamingContext - A property of type System.String, derived from the + directory attribute DefaultNamingContext + - DnsHostName - A property of type System.String, derived from the + directory attribute DnsHostName + - DomainControllerFunctionality - A property of type + ADDomainControllerMode, derived from the directory attribute + DomainControllerFunctionality + - DomainFunctionality - A property of type ADDomainMode, derived from the + directory attribute DomainFunctionality + - DsServiceName - A property of type System.String, derived from the + directory attribute DsServiceName + - ForestFunctionality - A property of type ADForestMode, derived from the + directory attribute ForestFunctionality + - GlobalCatalogReady - A property of type System.Boolean, derived from the + directory attribute GlobalCatalogReady + - HighestCommittedUSN - A property of type System.Long, derived from the + directory attribute HighestCommittedUSN + - LdapServiceName - A property of type System.String, derived from the + directory attribute LdapServiceName + - NamingContexts - A property of type System.String, derived from the + directory attribute NamingContexts + - RootDomainNamingContext - A property of type System.String, derived from + the directory attribute RootDomainNamingContext + - SchemaNamingContext - A property of type System.String, derived from the + directory attribute 
SchemaNamingContext + - ServerName - A property of type System.String, derived from the directory + attribute ServerName + - SubschemaSubentry - A property of type ADObject, derived from the + directory attribute SubschemaSubentry + - SupportedCapabilities - A property of type ADObjectIdentifier, derived + from the directory attribute SupportedCapabilities + - SupportedControl - A property of type ADObjectIdentifier, derived from + the directory attribute SupportedControl + - SupportedLDAPPolicies - A property of type System.String, derived from + the directory attribute SupportedLDAPPolicies + - SupportedLDAPVersion - A property of type System.Int, derived from the + directory attribute SupportedLDAPVersion + - SupportedRootDSEOperations - A property of type + ADPropertyValueCollection, derived from the directory attribute + SupportedRootDSEOperations + - SupportedSASLMechanisms - A property of type System.String, derived from + the directory attribute SupportedSASLMechanisms + - Syncronized - A property of type System.Boolean, derived from the + directory attribute IsSynchronized. + - ADObject - Represents any object in Active Directory and is derived from + ADEntity. An ADObject may contain the following properties in addition to + those inherited from its parent. 
+ - CanonicalName - A property of type System.String, derived from the + directory attribute: canonicalName + - CN - A property of type System.String, derived from the directory + attribute: cn + - Created - A property of type System.DateTime, derived from the directory + attribute: createTimeStamp + - Deleted - A property of type System.Boolean, derived from the directory + attribute: isDeleted + - Description - A property of type System.String, derived from the + directory attribute: description + - DisplayName - A property of type System.String, derived from the + directory attribute: displayName + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LastKnownParent - A property of type System.String, derived from the + directory attribute: lastKnownParent + - Modified - A property of type System.DateTime, derived from the directory + attribute: modifyTimeStamp + - Name - A property of type System.String, derived from the directory + attribute: name + - ObjectCategory - A property of type System.String, derived from the + directory attribute: objectCategory + - ObjectClass - A property of type System.String, derived from the + directory attribute: objectClass + - ObjectGUID - A property of type System.Guid, derived from the directory + attribute: objectGUID + - ProtectedFromAccidentalDeletion - A property of type System.Boolean, + derived from the directory attributes: nTSecurityDescriptor, + sdRightsEffective, instanceType, isDeleted + - ADFineGrainedPasswordPolicy Represents a fine grained password policy + object; that is, an AD object of type msDS-PasswordSettings in AD DS and + is derived from ADObject. This class is not supported by AD LDS. An + ADFineGrainedPasswordPolicy may contain the following properties in + addition to those inherited from its parent. 
+ - AppliesTo - A property of type System.String, derived from the + directory attribute: msDS-PSOAppliesTo + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: msDS-PasswordComplexityEnabled + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: msDS-LockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: msDS-LockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: msDS-LockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MaximumPasswordAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: msDS-MinimumPasswordAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: msDS-MinimumPasswordLength + - PasswordHistoryCount - A property of type System.Int32, derived from + the directory attribute: msDS-PasswordHistoryLength + - Precedence - A property of type System.Int32, derived from the + directory attribute: msDS-PasswordSettingsPrecedence + - ReversibleEncryptionEnabled - A property of type System.Boolean, + derived from the directory attribute: + msDS-PasswordReversibleEncryptionEnabled + - ADOptionalFeature Represents an optional feature, an Active Directory + object of type msDS-OptionalFeature, and is derived from ADObject. An + ADOptionalFeaturemay contain the following properties in addition to + those inherited from its parent. 
+ - EnabledScopes - A property of type System.String, derived from the + directory attribute: msDS-EnabledFeatureBL + - FeatureGUID - A property of type System.Guid, derived from the + directory attribute: msDS-OptionalFeatureGUID + - FeatureScope - A property of type System.Int32, derived from the + directory attribute: msDS-OptionalFeatureFlags + - IsDisableable - A property of type System.Boolean, derived from the + directory attribute: msDS-OptionalFeatureFlags + - RequiredDomainMode - A property of type + Microsoft.ActiveDirectory.Management.ADDomainMode, derived from the + directory attribute: msDS-RequiredDomainBehaviorVersion + - RequiredForestMode - A property of type + Microsoft.ActiveDirectory.Management.ADForestMode, derived from the + directory attribute: msDS-RequiredForestBehaviorVersion + - ADOrganizationalUnit Represents an organizationalUnit (OU) object and is + derived from ADObject. An ADOrganizationalUnit may contain the following + properties in addition to those inherited from its parent. + - City - A property of type System.String, derived from the directory + attribute: l + - Country - A property of type System.String, derived from the directory + attribute: c + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: gpLink. This property is not supported on + AD LDS. + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - State - A property of type System.String, derived from the directory + attribute: st + - StreetAddress - A property of type System.String, derived from the + directory attribute: street + - ADPartition - Represents a naming context, Configuration, Schema, Domain + or Application Partition(ND NC) and is derived from ADObject. This class + is not supported by AD LDS. 
An ADPartition may contain the following + properties in addition to those inherited from its parent. + - DeletedObjectsContainer - A property of type System.String, derived + from the directory attribute: DeletedObjectsContainer + - DNSRoot - A property of type System.String, derived from the directory + attribute: DNSRoot + - LostAndFoundContainer - A property of type System.String, derived from + the directory attribute: LostAndFoundContainer + - QuotasContainer - A property of type System.String, derived from the + directory attribute: QuotasContainer + - ReadOnlyReplicaDirectoryServers - A property of type System.String, + derived from the directory attribute: ReadOnlyReplicaDirectoryServers + - ReplicaDirectoryServers - A property of type System.String, derived + from the directory attribute: ReplicaDirectoryServers + - SubordinateReferences - A property of type System.String, derived from + the directory attribute: SubordinateReferences + - ADDomain - Represents a domain in AD DS or an instance in AD LDS; for + example, an Active Directory object of type domainDNS and is derived + from ADPartition. This class is not supported by AD LDS. An ADDomain + may contain the following properties in addition to those inherited + from its parent. 
+ - AllowedDNSSuffixes - A property of type System.String, derived from + the directory attribute: msDS-AllowedDNSSuffixes + - ChildDomains - A property of type System.String, derived from the + directory attribute: ChildDomains + - ComputersContainer - A property of type System.String, derived from + the directory attribute: ComputersContainer + - DomainControllersContainer - A property of type System.String, + derived from the directory attribute: DomainControllersContainer + - DomainMode - A property of type System.Int32, derived from the + directory attribute: msDS-Behavior-Version + - DomainSID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - ForeignSecurityPrincipalsContainer - A property of type + System.String, derived from the directory attribute: + ForeignSecurityPrincipalsContainer + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - InfrastructureMaster - A property of type System.String, derived from + the directory attribute: InfrastructureMaster + - LastLogonReplicationInterval - A property of type System.TimeSpan, + derived from the directory attribute: msDS-LogonTimeSyncInterval + - LinkedGroupPolicyObjects - A property of type System.String, derived + from the directory attribute: LinkedGroupPolicyObjects + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - NetBIOSName - A property of type System.String, derived from the + directory attribute: NetBIOSName + - ParentDomain - A property of type System.String, derived from the + directory attribute: ParentDomain + - PDCEmulator - A property of type System.String, derived from the + directory attribute: PDCEmulator + - RIDMaster - A property of type System.String, derived from the + directory attribute: RIDMaster + - SystemsContainer - A property of type System.String, derived from the + directory attribute: SystemsContainer + - 
UsersContainer - A property of type System.String, derived from the + directory attribute: UsersContainer + - ADPrincipal - Represents a security principal, which is an Active + Directory object of type user, computer, group or iNetOrgPerson and is + derived from ADObject. An ADPrincipal may contain the following + properties in addition to those inherited from its parent. + - HomePage - A property of type System.String, derived from the + directory attribute: wWWHomePage + - MemberOf - A property of type System.String, derived from the + directory attribute: memberOf + - SamAccountName - A property of type System.String, derived from the + directory attribute: sAMAccountName. This property is not supported + for AD LDS. + - SID - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: objectSid + - SIDHistory - A property of type + System.Security.Principal.SecurityIdentifier, derived from the + directory attribute: sIDHistory. This property is not supported for + AD LDS. + - ADAccount - Represents a security account; that is, an Active + Directory object of type user, computer or iNetOrgPerson and is + derived from ADPrincipal. An ADAccount may contain the following + properties in addition to those inherited from its parent. + - AccountExpirationDate - A property of type System.DateTime, derived + from the directory attribute: accountExpires + - AccountLockoutTime - A property of type System.DateTime, derived + from the directory attribute: lockoutTime + - AccountNotDelegated - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - AllowReversiblePasswordEncryption - A property of type + System.Boolean, for AD DS it is derived from the directory + attribute: userAccountControl; for AD LDS it is derived from the + directory attribute: ms-DS-UserEncryptedTextPasswordAllowed + - BadLogonCount - A property of type System.Int32, derived from the + directory attribute: badPwdCount + - CannotChangePassword - A property of type System.Boolean, derived + from the directory attribute: nTSecurityDescriptor + - Certificates - A property of type + System.Security.Cryptography.X509Certificates.X509Certificate, + derived from the directory attribute: userCertificate + - DoesNotRequirePreAuth - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - Enabled - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserAccountDisabled + - HomedirRequired - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - LastBadPasswordAttempt - A property of type System.DateTime, + derived from the directory attribute: badPasswordTime + - LastLogonDate - A property of type System.DateTime, derived from + the directory attribute: lastLogonTimestamp + - LockedOut - A property of type System.Boolean, for AD DS it is + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed, lockoutTime; for AD LDS it is + derived from the directory attribute msDS-UserAccountDisabled + - MNSLogonAccount - A property of type System.Boolean, derived from + the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - PasswordExpired - A property of type System.Boolean, for AD DS it + is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute msDS-UserPasswordExpired + - PasswordLastSet - A property of type System.DateTime, derived from + the directory attribute: pwdLastSet + - PasswordNeverExpires - A property of type System.Boolean, for AD + LDS it is derived from the directory attributes: + userAccountControl, msDS-User-Account-Control-Computed; for AD LDS + it is derived from the directory attribute: + msDS-UserDontExpirePassword + - PasswordNotRequired - A property of type System.Boolean, for AD DS + it is derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed; for AD LDS it is derived from + the directory attribute: ms-DS-UserPasswordNotRequired + - PrimaryGroup - A property of type System.String, derived from the + directory attributes: primaryGroupID, objectSid. This property is + not supported by AD LDS. + - ServicePrincipalNames - A property of type System.String, derived + from the directory attribute: servicePrincipalName. This property + is not supported by AD LDS. + - TrustedForDelegation - A property of type System.Boolean, derived + from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - TrustedToAuthForDelegation - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. + - UseDESKeyOnly - A property of type System.Boolean, derived from the + directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not supported + by AD LDS. 
+ - UserPrincipalName - A property of type System.String, derived from + the directory attribute: userPrincipalName + - ADComputer - Represents a computer and is derived from ADAccount. + An ADComputer may contain the following properties in addition to + those inherited from its parent. + - DNSHostName - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv4Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: dNSHostName + - Location - A property of type System.String, derived from the + directory attribute: location + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - OperatingSystem - A property of type System.String, derived from + the directory attribute: operatingSystem + - OperatingSystemHotfix - A property of type System.String, derived + from the directory attribute: operatingSystemHotfix + - OperatingSystemServicePack - A property of type System.String, + derived from the directory attribute: operatingSystemServicePack + - OperatingSystemVersion - A property of type System.String, + derived from the directory attribute: operatingSystemVersion + - ServiceAccount - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccount + - ADServiceAccount - Represents a managed service account; that is, + an Active Directory object of type msDS-ManagerdServiceAccount and + is derived from ADAccount. This class is not supported by AD LDS. + An ADServiceAccount may contain the following properties in + addition to those inherited from its parent. + - HostComputers - A property of type System.String, derived from + the directory attribute: msDS-HostServiceAccountBL + - ADUser - Represents a user (or iNetOrgPerson) and is derived from + ADAccount. 
An ADUser may contain the following properties in + addition to those inherited from its parent. + - City - A property of type System.String, derived from the + directory attribute: l + - Company - A property of type System.String, derived from the + directory attribute: company + - Country - A property of type System.String, derived from the + directory attribute: c + - Department - A property of type System.String, derived from the + directory attribute: department + - Division - A property of type System.String, derived from the + directory attribute: division + - EmailAddress - A property of type System.String, derived from the + directory attribute: mail + - EmployeeID - A property of type System.String, derived from the + directory attribute: employeeID + - EmployeeNumber - A property of type System.String, derived from + the directory attribute: employeeNumber + - Fax - A property of type System.String, derived from the + directory attribute: facsimileTelephoneNumber + - GivenName - A property of type System.String, derived from the + directory attribute: givenName + - HomeDirectory - A property of type System.String, derived from + the directory attribute: homeDirectory. This property is not + supported by AD LDS. + - HomeDrive - A property of type System.String, derived from the + directory attribute: homeDrive. This property is not supported by + AD LDS. + - HomePhone - A property of type System.String, derived from the + directory attribute: homePhone + - Initials - A property of type System.String, derived from the + directory attribute: initials + - LogonWorkstations - A property of type System.String, derived + from the directory attribute: userWorkstations. This property is + not supported by AD LDS. 
+ - Manager - A property of type System.String, derived from the + directory attribute: manager + - MobilePhone - A property of type System.String, derived from the + directory attribute: mobile + - Office - A property of type System.String, derived from the + directory attribute: physicalDeliveryOfficeName + - OfficePhone - A property of type System.String, derived from the + directory attribute: telephoneNumber + - Organization - A property of type System.String, derived from the + directory attribute: o + - OtherName - A property of type System.String, derived from the + directory attribute: middleName + - POBox - A property of type System.String, derived from the + directory attribute: postOfficeBox + - PostalCode - A property of type System.String, derived from the + directory attribute: postalCode + - ProfilePath - A property of type System.String, derived from the + directory attribute: profilePath. This property is not supported + by AD LDS. + - ScriptPath - A property of type System.String, derived from the + directory attribute: scriptPath. This property is not supported + by AD LDS. + - SmartcardLogonRequired - A property of type System.Boolean, + derived from the directory attributes: userAccountControl, + msDS-User-Account-Control-Computed. This property is not + supported by AD LDS. + - State - A property of type System.String, derived from the + directory attribute: st + - StreetAddress - A property of type System.String, derived from + the directory attribute: streetAddress + - Surname - A property of type System.String, derived from the + directory attribute: sn + - Title - A property of type System.String, derived from the + directory attribute: title + - ADGroup -Represents a group and is derived from ADPrincipal. An + ADGroup may contain the following properties in addition to those + inherited from its parent. 
+ - GroupCategory - A property of type + Microsoft.ActiveDirectory.Management.ADGroupCategory, derived from + the directory attribute: groupType + - GroupScope - A property of type + Microsoft.ActiveDirectory.Management.ADGroupScope, derived from the + directory attribute: groupType + - ManagedBy - A property of type System.String, derived from the + directory attribute: managedBy + - Members - A property of type System.String, derived from the + directory attribute: member + - ADDefaultDomainPasswordPolicy - Represents the domain-wide password policy + of an Active Directory domain and is derived from ADEntity. This class is + not supported by AD LDS. An ADDefaultDomainPasswordPolicy may contain the + following properties in addition to those inherited from its parent. + - ComplexityEnabled - A property of type System.Boolean, derived from the + directory attribute: pwdProperties + - DistinguishedName - A property of type System.String, derived from the + directory attribute: distinguishedName + - LockoutDuration - A property of type System.TimeSpan, derived from the + directory attribute: lockoutDuration + - LockoutObservationWindow - A property of type System.TimeSpan, derived + from the directory attribute: lockoutObservationWindow + - LockoutThreshold - A property of type System.Int32, derived from the + directory attribute: lockoutThreshold + - MaxPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: maxPwdAge + - MinPasswordAge - A property of type System.TimeSpan, derived from the + directory attribute: minPwdAge + - MinPasswordLength - A property of type System.Int32, derived from the + directory attribute: minPwdLength + - PasswordHistoryCount - A property of type System.Int32, derived from the + directory attribute: pwdHistoryLength + - ReversibleEncryptionEnabled - A property of type System.Boolean, derived + from the directory attribute: pwdProperties + - ADForest - Represents a Active Directory forest in AD DS or a 
Configuration + Set in AD LDS and is derived from ADEntity. This class is not supported by + AD LDS. An ADForest may contain the following properties in addition to + those inherited from its parent. + - ApplicationPartitions - A property of type System.String, derived from + the directory attribute: ApplicationPartitions + - CrossForestReferences - A property of type System.String, derived from + the directory attribute: CrossForestReferences + - DomainNamingMaster - A property of type System.String, derived from the + directory attribute: DomainNamingMaster + - Domains - A property of type System.String, derived from the directory + attribute: Domains + - ForestMode - A property of type System.Int32, derived from the directory + attribute: msDS-Behavior-Version + - GlobalCatalogs - A property of type System.String, derived from the + directory attribute: GlobalCatalogs + - Name - A property of type System.String, derived from the directory + attribute: name + - PartitionContainerName - A property of type System.String, derived from + the directory attribute: distinguishedName + - RootDomain - A property of type System.String, derived from the directory + attribute: RootDomain + - SchemaMaster - A property of type System.String, derived from the + directory attribute: SchemaMaster + - Sites - A property of type System.String, derived from the directory + attribute: Sites + - SPNSuffixes - A property of type System.String, derived from the + directory attribute: msDS-SPNSuffixes + - UPNSuffixes - A property of type System.String, derived from the + directory attribute: uPNSuffixes + - ADDirectoryServer - Represents a directory server used as either a domain + controller or an AD LDS instance and is derived from ADEntity. An + ADDirectoryServer may contain the following properties in addition to those + inherited from its parent. 
+ - DefaultPartition - A property of type System.String, derived from the + directory attribute: DefaultPartition + - HostName - A property of type System.String, derived from the directory + attribute: HostName + - InvocationId - A property of type System.Guid, derived from the directory + attribute: InvocationId + - IPv4Address - A property of type System.String, derived from the + directory attribute: HostName + - IPv6Address - A property of type System.String, derived from the + directory attribute: HostName + - LdapPort - A property of type System.Int32, derived from the directory + attribute: LdapPort + - Name - A property of type System.String, derived from the directory + attribute: Name + - NTDSSettingsObjectDN - A property of type System.String, derived from the + directory attribute: NTDSSettingsObjectDN + - OperationMasterRoles - A property of type + Microsoft.ActiveDirectory.Management.ADOperationMasterRole, derived from + the directory attribute: OperationMasterRole + - Partitions - A property of type System.String, derived from the directory + attribute: Partitions + - ServerObjectDN - A property of type System.String, derived from the + directory attribute: ServerObjectDN + - ServerObjectGuid - A property of type System.Guid, derived from the + directory attribute: ServerObjectGuid + - Site - A property of type System.String, derived from the directory + attribute: Site + - SslPort - A property of type System.Int32, derived from the directory + attribute: SslPort + - ADDomainController - Represents a domain controller in AD DS and is + derived from ADDirectoryServer. An ADDomainController may contain the + following properties in addition to those inherited from its parent. 
+ - ComputerObjectDN - A property of type System.String, derived from the + directory attribute: ComputerDN + - Domain - A property of type System.String, derived from the directory + attribute: Domain + - Enabled - A property of type System.Boolean, derived from the directory + attribute: Enabled + - Forest - A property of type System.String, derived from the directory + attribute: Forest + - IsGlobalCatalog - A property of type System.Boolean, derived from the + directory attribute: IsGlobalCatalog + - IsReadOnly - A property of type System.Boolean, derived from the + directory attribute: IsReadOnly + - OperatingSystem - A property of type System.String, derived from the + directory attribute: OSName + - OperatingSystemHotfix - A property of type System.String, derived from + the directory attribute: OSHotFix + - OperatingSystemServicePack - A property of type System.String, derived + from the directory attribute: OSServicepack + - OperatingSystemVersion - A property of type System.String, derived from + the directory attribute: OSVersion
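Review bot: The PasswordNeverExpires entry under ADAccount names AD LDS for both derivations ("for AD LDS it is derived from the directory attributes: userAccountControl, msDS-User-Account-Control-Computed; for AD LDS it is derived from the directory attribute: msDS-UserDontExpirePassword"). The sibling entries Enabled, PasswordExpired and PasswordNotRequired all follow the pattern "for AD DS ...; for AD LDS ...", so the first clause should read AD DS. This matters to anyone auditing non-expiring passwords from this table, since as written it does not say which attribute backs the property on a domain controller. In the same list, LockedOut and Enabled both give msDS-UserAccountDisabled as their AD LDS source; please confirm that LockedOut is not meant to map to a different attribute. Two class descriptions contradict themselves: ADDomain is described as "a domain in AD DS or an instance in AD LDS" and ADForest as "a Configuration Set in AD LDS", yet both then state "This class is not supported by AD LDS"; one of the two statements should go. Smaller fixes in the added text: "Syncronized" does not match the spelling of its source attribute IsSynchronized, SupportedLDAPVersion is typed as System.Int where every other integer property uses System.Int32, and "msDS-ManagerdServiceAccount" under ADServiceAccount looks like a typo for msDS-ManagedServiceAccount. Formatting nits: "ADOptionalFeaturemay" is missing a space, "ADGroup -Represents" is missing one after the hyphen, the ADFineGrainedPasswordPolicy, ADOptionalFeature and ADOrganizationalUnit headings lack the " - " separator the other classes use, "a Active Directory forest" should be "an", and "Application Partition(ND NC)" needs a space before the parenthesis and a consistent abbreviation.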