• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 397
  • Last Modified:

understanding powershell

In Windows Host Scripting, we used Loops, IF , Else, End.
I wonder if powershell has the equivalent of that or it uses the pipes '|'  as  the equivalent.
it sounds to me that Powershell uses the concept of SQL queries, "Select columnname where columnname=XX and .....etc.." but with different syntax.

for instance I need to retrieve AD users who belong to Accounting Dept that have password expiration date "10/20/2013"

Any help will be appreciated,

7 Solutions
I believe the short answer is "yes" (& "all the above" probably too)
It's a pretty slick tool as I understand it.

However: I am not an expert in powershell, but some time ago, to get an understanding of it I started this quite comprehensive video by Don Jones: "Powershell Crash Course" - it's long (~4 hours) - and I didn't go through all of it

BUT: it gave me an appreciation for what it is, and if you need to use powershell I feel sure you gain from trying it at least.

{+ edit} and the url is: http://www.youtube.com/watch?v=-Ya1dQ1Igkc
Ben Personick (Previously QCubed)Lead Network EngineerCommented:
"If" is still alive and well in Powershell, I have done a few things wish Powershell, and find it's a far more prickly beast than batch, but 'if' 'else' still works quite the same as previous scripting languages.
Do a google search for powershell basics and you will see plenty of links to youtube videos and books to get the basics.  post questions when you need direction or get stuck!
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

I once read an article that I feel applies very well here, I hope I can paraphrase it correctly.  Essentially it said that due to its very nature as a scripting language it shares many features in common with other scripting languages.  So many (if not most) of the concepts that you have learned from one scripting language will apply to another.

Indeed there are several kinds of loops (for, foreach, do, while, ForEach-Object), If, Else, ElseIf, and so forth.  It also makes use of pipelines to facilitate streaming objects from one command to the next.

Depending on what you want to do, the use of a Select-Object cmdlet can come in very handy to filter and organize your data.  I wouldn't necessarily relate this to SQL queries, but rather I think it's common to most queries.  Most queries for data are rather broad by default so we have to include parameters to limit the scope and filter out unwanted results.  Sometimes the filtering can be performed at the time of the query, sometimes it has to happen later.  There are many operations that can be performed with PowerShell however that don't involve the retrieval or display of data.
Some examples for your specific query.
Here's a couple ways of retrieving users in the Accounting dept.  The first would be more efficient because we're filtering closer to the source.
Get-ADUser -filter {Department -eq "Accounting"}
Get-ADUser -filter * -properties Department | Where {$_.department -eq "Accounting"}

Open in new window

To then filter based on a password expiration date, you would first have to figure out what that is, since there is no attribute for it.  First look up the password policy to see the maximum password age, then the date the password was last set for a user, then use that information to calculate the expiration date, then filter the user results based on a comparison of that result.
$maxpwd = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
Get-ADUser -filter {Department -eq "Accounting"} -properties PasswordLastSet | Where {($_.passwordlastset + $maxpwd) -eq  "10/20/2013"}

Open in new window

Edit:  One thing I should probably mention for anyone new to PowerShell - you will need to load the ActiveDirectory PowerShell module to use the MS AD cmdlets like I did above.  PS 3.0 will do this automatically, but with PS 2.0 you would need to run the command Import-Module ActiveDirectory.  You would also need a 2008 R2 (or newer) Domain Controller, or a 2003/2008 DC with AD Management Gateway Service installed.
QlemoBatchelor and DeveloperCommented:
As said above, PowerShell combines the concept of "normal" loops and conditional execution with the concept of filtering.

Filtering (using pipes) is similar to SQL queries, if you look at the query execution plan steps. It usually is
Selection - get access to the data source: Get-ADUser
Projection - reduce the number of columns (object properties): Select-Object
Partition - reduce the number of rows (objects): Where-Object
It's important to have the best filter at the very beginning. As footech showed, the Get-ADUser can make use of both a filter ("Partition") and list or set of properties to deliver ("Projection"), so we do not have to process too much of data in the very first place. This should be utilized to the maimum extent possible.
After that, it is usually better to restrict the number of objects to get, because that is most restrictive (say you are only interested in 1 out of 100 results).
Reducing the number of properties, or building your own custom objects, is done last in most cases.

Whether you use the iterative approach known from other scripting and programming languages, or the filtering approach as a "new" concept, depends on the purpose. Processing large amounts of uniform data you do not have in memory yet, or data which needs some time for each object to get, is better done by filtering. This allows for processing one object each time, without need to store intermediate information or the whole dataset.
However, if all data is present in memory, or it isn't that much of it, looping is faster.

BTW, attention! The foreach is both a looping statement as used in e.g. VB Script, and an alias for foreach-object, which can only be used in a pipe. That migt be confusing if you read PowerShell code.
One additional comment about the script code I posted above, in case you actually intend to use it.  I realized that an adjustment needed to be made so that the expiration date would be correctly calculated.  Here's one way to make the needed adjustment (and I have also included a Select-Object command to limit what properties are displayed).
$maxpwd = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
Get-ADUser -filter {Department -eq "Accounting"} -properties PasswordLastSet | Where-Object {($_.passwordlastset + $maxpwd) -eq  [datetime]"10/20/2013"} | Select-Object Name,DistinguishedName

Open in new window

BTW, it's worth noting that the last comparison is highly unlikely to ever be true in real life since the PasswordLastSet attribute has a much higher precision that just down to the day.  It would be much more fruitful to use the -gt or -lt operators for this comparison.
jskfanAuthor Commented:
Thank you
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now