DEV Community

Cover image for Useful PowerShell One-Liners (and a few two-liners)
Mike P
Mike P

Posted on • Edited on

Useful PowerShell One-Liners (and a few two-liners)

PowerShell Commands

Useful PowerShell one-liner (and some two-liner) commands. These are commands I have collected over the years in various IT/Cybersecurity capacities and have been helpful in troubleshooting and doing security investigations alike.

Fork/Clone the repo here: https://github.com/mikeprivette/PowerShell

Table of Contents

Active Directory User Commands

Getting Started

Before running any Active Directory commands, you need to import the correct module.

Import Active Directory Module

Import-Module ActiveDirectory
Enter fullscreen mode Exit fullscreen mode

Get All Active Directory Module Commands

get-command -module ActiveDirectory
Enter fullscreen mode Exit fullscreen mode

Specific User Scenarios

Get All AD Information on a User in the Current Domain (the one you are running this from)

Get-ADUser -Identity <username> -properties *
Enter fullscreen mode Exit fullscreen mode

Get All AD Information on a User in a Different Domain (assumes you have trust and permissions to access)

Get-ADUser -Identity <username> -server "domain" -properties *
Enter fullscreen mode Exit fullscreen mode

Get All Members of a Group by name and ID

Get-ADGroupMember -Identity <group_name> -Recursive | select name,SamAccountName
Enter fullscreen mode Exit fullscreen mode

Find All Groups a User is a Member of

Get-ADPrincipalGroupMembership <username> | select name
Get-ADPrincipalGroupMembership <username> -server "domain" | select name | Sort-Object -Property name
Enter fullscreen mode Exit fullscreen mode

Add Member to an AD Group

Add-ADGroupMember -identity "<group_name>" -Member "<user_id>"
Enter fullscreen mode Exit fullscreen mode

Remove Member from an AD Group

Remove-ADGroupMember -identity "<group_name>" -Member "<user_id>"
Enter fullscreen mode Exit fullscreen mode

Find all users that are disabled

Search-ADAccount -AccountDisabled -UsersOnly | Format-Table Name,SamAccountName ObjectClass -A
Enter fullscreen mode Exit fullscreen mode

Find the Date/Time for When an Account Expires

[datetime](Get-ADuser <userid> -Properties accountExpires).accountExpires
Enter fullscreen mode Exit fullscreen mode

Find all Users with Locked Out Accounts

Search-ADAccount -LockedOut | select name, samAccountName
Search-ADAccount -LockedOut | Where-Object {$_.DistinguishedName -like "*DC=domain,DC=com"} | Select Name, LockedOut, LastLogonDate, PasswordExpired | Format-Table -AutoSize
Enter fullscreen mode Exit fullscreen mode

Get AD User Information for List of Users and Output to CSV

Get-Content C:\<path>\users.txt | % {Get-ADUser -Identity $_ -properties * | select CN, samAccountName, EmployeeID, enabled, Description, Department, mlSubLobDescr, OfficePhone, Manager ,StreetAddress, LastLogonDate, LastBadPasswordAttempt, PasswordExpired} | Export-Csv C:\<path>\user_lookup.csv
Enter fullscreen mode Exit fullscreen mode

Get AD User Group Membership Information for List of Users and Output to CSV

Get-Content C:\<path>\users.txt | % {Get-ADPrincipalGroupMembership $_ | select name} | Export-Csv C:\<path>\user_group_membership_lookup.csv
Enter fullscreen mode Exit fullscreen mode

Get All Users of AD Groups for List of Groups and Output to CSV

$groups = Get-Content C:\<path>\groups.txt

foreach ($group in $groups) {
Get-ADGroupMember -Identity $Group | select @{Expression={$Group};Label="Group Name"},Name,SamAccountName | Export-CSV C:\<path>\user_groups.csv -NoTypeInformation -append
}
Enter fullscreen mode Exit fullscreen mode

Get All Users of AD Groups Matching a Certain Name Format (i.e group name is like Local Admin)

$groups = Get-ADGroup -Filter {name -like "*Admin*"}

foreach ($group in $groups)
    {
    Get-ADGroupMember -Identity $Group -Server "domain" | Get-ADUser -Properties * | select @{Expression={$Group};Label="Common Name"},Name,enabled,LastLogonDate,GivenName,Surname,EmailAddress,title,department,mlSubLobDescr | Export-Csv C:\<path>\local_admin_group.csv -NoTypeInformation -Append
    }
Enter fullscreen mode Exit fullscreen mode

Find user information by AD attribute (i.e. DisplayName)

Get-ADUser -Filter {DisplayName -like "*Bobby Administrator*"} -Properties * | Select name, DisplayName, EmailAddress, enabled, LastLogonDate, title, department, mlSubLobDescr | Format-Table -AutoSize
Enter fullscreen mode Exit fullscreen mode

Computer Object Commands

Find a Specific Service on a Computer using WMI

get-wmiobject -query "SELECT * FROM Win32_Process where Name = '<service_name.exe>'" | select-object Name,CommandLine | Sort-Object -Descending Name
Enter fullscreen mode Exit fullscreen mode

Find Computers by Operating System Type

Get-ADComputer -Filter * -Properties OperatingSystem | Select OperatingSystem -unique | Sort OperatingSystem
Enter fullscreen mode Exit fullscreen mode

List all Servers in a Domain

Get-ADComputer -Server "domain.com" -Filter {operatingsystem -like "*server*"} -Properties * | select enabled,name,operatingsystem,canonicalname,lastlogondate | Export-Csv C:\<path>\computer_list.csv -Append -NoClobber
Enter fullscreen mode Exit fullscreen mode

List all Servers in a Domain, but only return Enabled Computer Objects, and only return those logged into within the last 60 days from the current date, and only show the top 10 rows

Get-ADComputer -Server "domain.com" -Filter {(operatingsystem -like "*server*") -and (enabled -eq "TRUE")} -Properties * | where {$_.LastLogonDate -ge (Get-Date).AddDays(-60)} | select enabled,name,operatingsystem,canonicalname,lastlogondate | Format-Table -AutoSize | select -First 10
Enter fullscreen mode Exit fullscreen mode

Find All Domain Controllers in a Specific Domain

Get-ADDomainController -Filter * -server <domain> | Select-Object name, domain
Enter fullscreen mode Exit fullscreen mode

Find Out Information About a Specific Computer by Hostname

Get-ADComputer -Filter {Name -Like "<hostname>"} -Property * | Format-Table Name,ipv4address,OperatingSystem,OperatingSystemServicePack,LastLogonDate -Wrap -Auto
Enter fullscreen mode Exit fullscreen mode

Find Host Information from TXT File of Hosts

Get-Content C:\<path>\file.txt | % {Get-ADComputer -Identity $_ -server <domain> -properties * | select name, ipv4address, operatingsystem, distinguishedname} | Export-Csv C:\<path>\output.csv -Append -NoClobber
Enter fullscreen mode Exit fullscreen mode

Get the CN and DN for each Organizational Unit in a Specific Domain

Get-ADOrganizationalUnit -server "domain.com" -Filter * -Properties CanonicalName | Select-Object -Property CanonicalName, DistinguishedName | Sort-Object CanonicalName, ascending
Enter fullscreen mode Exit fullscreen mode

Get All Computer Objects in a Particular OU in a Particular Domain

Get-ADComputer -server "domain.com" -SearchBase 'OU=NA,OU=USA,OU=HQ,DC=domain,DC=com' -Filter '*' -Properties * | Select name, ipv4address, operatingsystem, CanonicalName, distinguishedname | Format-Table -AutoSize
Enter fullscreen mode Exit fullscreen mode

Get All Computer Objects from a TXT File of OUs

Get-Content C:\<path>\computer_ous.txt | % {Get-ADComputer -Server "domain.com" -SearchBase $_ -Filter '*' -Properties * | Select name,ipv4address,operatingsystem,CanonicalName,distinguishedname,enabled} | Export-Csv C:\<path>\computers_in_ous.csv -Append -NoClobber
Enter fullscreen mode Exit fullscreen mode

File Level Commands

Recursively Remove Files Older than a Certain Day in a Directory

Get-ChildItem -Path "C:\<path>\<dir>\" -Recurse | Where-Object CreationTime -gt (Get-Date).AddDays(-180) | Remove-Item -Recurse
Enter fullscreen mode Exit fullscreen mode

Top comments (0)