passthru parameter is used to return the user object after creation of the account.
If this parameter is not specified, the cmdlet will not show any output after successful creation of the object
Import-Module ActiveDirectory
(Get-Command -Module ActiveDirectory).Count
Installing the Active Directory module
New-ADUser -Name ganGet-Help New-ADUser -Detailed
$Password = Read-Host "Enter the password that you want to set" - AsSecureString
New-ADUser -Name James -Surname "Tang" -GivenName "James" - EmailAddress [email protected] -SamAccountName "james" - AccountPassword $password -DisplayName "James Tang" -Department "Sales" -Country "CN" -City "Ningbo" -Path "OU=NOS,DC=afd,DC=ink" -Enabled $true -PassThru
Get-ADUser -Identity James -Properties *
Creating bulk user accounts
$Password = Read-Host "Enter the password that you want to set" - AsSecureString
1..100 | foreach { New-ADUser -Name "Labuser$_" -AccountPassword $password -Path "OU=LAB,DC=afd,DC=ink"}
$Users = Import-CSV <path of the saved CSV file> $Users | Format-Table
foreach($User in $Users) {
New-ADUser -Name $User.LoginName -Surname $User.LastName - GivenName $User.FirstName -EmailAddress $User.Email - SamAccountName $User.LoginName -AccountPassword $Password - DisplayName $User.DisplayName -Country $User.Country -City $User.City -Path "OU=LAB,DC=afd,DC=ink" -Enabled $true -PassThru
}Modifying user properties
Get-ADUser -Filter {Name -eq "gazh" }
Get-ADUser -Filter {Name -eq "gazh" } -Property *
Get-ADUser -Filter {Name -like "ga*" }
Get-ADUser -Filter * -SearchBase "OU=LAB,dc=afd,dc=ink"
Get-ADUser -Filter * -SearchBase "OU=NIPC Users,OU=Managed Users,OU=Nipc Lan,DC=nipc,DC=com,DC=cn"
Get-ADUser -Filter * -SearchBase "OU=NIPC Users,OU=Managed Users,OU=Nipc Lan,DC=nipc,DC=com,DC=cn" |foreach {Set-ADUser -Identity $_.SamAccountName -UserPrincipalName($_.SamAccountName+"@nip.com.cn")}
$UserObj = Get-ADUser -Filter {Name -eq "zhiyan gan" } -Properties *
$UserObj.Description
$userObj.Description.GetType()
Set-ADUser -Identity $UserObj -Description "Added new description via PowerShell"
$UserName = "ChrisB"
$NewDescription = "Delete this account after November"
$UserObj = Get-ADUser -Filter {Name -eq $UserName} -Properties *
Write-Host "Current description is : $($UserObj.Description)"
Set-ADUser -Identity $UserObj -Description $NewDescription
$UserObj = Get-ADUser -Filter {Name -eq $UserName} -Properties *
Write-Host "New description is : $($UserObj.Description)"Get-ADUser -Identity ChrisB -Properties * | select HomePhone, OfficePhone, mobile
$OfficeNumber = "+65 12345678" $HomeNumber = "+65 87654321" $MobileNumber = "+65 13578642"
Set-ADUser -Identity ChrisB -OfficePhone $OfficeNumber -HomePhone $HomeNumber -MobilePhone $MobileNumber
Set-ADUser -Identity ChrisB -Clear telephonenumber, homephone, mobile
Set-ADUser -Identity ChrisB -Add @{telephonenumber = $OfficeNumber; homephone = $HomeNumber ; mobile = $MobileNumber }
Set-ADUser cmdlet has parameters that can set these phone numbers. If the attribute that you are trying to set is not available as a parameter to the cmdlet then you can use the -Add parameter to directly specify the attribute name and the value. Similarly, you can use other parameters such as -Replace and -Clear to work with attributes directly.
Set-ADUser -Identity ChrisB -Clear telephonenumber, homephone, mobile
Set-ADUser -Identity ChrisB -Add @{telephonenumber = $OfficeNumber; homephone = $HomeNumber ; mobile = $MobileNumber } we can extend this logic to multiple users using a for loop in PowerShell. Before doing this, store the user names and numbers
you want to set in a CSV file and import it into PowerShell. The following screenshot shows how the contents of the CSV look:
$Users = Import-CSV c:\temp\usersPhoneNumbers.csv
foreach($User in $Users) {
Set-ADUser -Identity $User.UserName -OfficePhone $User.OfficeNumber -HomePhone $User.HomeNumber -MobilePhone $User.MobileNumber
}Enabling or disabling user accounts
Enable-ADAccount: This cmdlet is used for enabling Active Directory user, computer, or service account objectsDisable-ADAccount: This cmdlet is used for disabling Active Directory user, computer, or service account objects
Disable-ADAccount -Identity ChrisB -Passthru
Get-ADUser -SearchBase "OU=LAB,DC=techibee,DC=AD" -Filter * | Disable-ADAccount
Get-Content C:\temp\users.txt | % { Disable-ADAccount -Identity $_ }Get-ADUser -Filter 'Department -eq "sales"' | Disable-ADAccount
Moving user accounts to another OU
Move-ADObject -Identity "CN=ChrisB,OU=LAB,DC=techibee,DC=ad" - TargetPath "OU=Singapore,OU=LAB,DC=Techibee,DC=ad"
Moving all users from LAB OU to PROD OU
Get-ADUser -Filter * -SearchBase "OU=LAB,DC=techibee,DC=ad" | Move-ADObject -TargetPath "OU=Prod,DC=techibee,DC=ad"
Get-ADUser -Filter 'department -eq "Sales"' | Move-ADObject -TargetPath "OU=Sales,OU=PROD,DC=techibee,DC=AD"
Deleting user accounts
Remove-ADUser -Identity ChrisB
Remove-ADUser -Identity ChrisB -Confirm:$false
Get-Content C:\temp\users.txt | % { Remove-ADUser -Identity $_ - Confirm:$false}
Managing computer accounts
Creating computer accounts
Get-Help New-ADComputer -Full
New-ADComputer -Name SRVMEM2 -PassThru
New-ADComputer -Name SRVMEM2 -Path "OU=Computers,OU=PROD,DC=techibee,DC=AD" -PassThru
New-ADComputer -Name SRVMEM2 -Path "OU=Computers,OU=PROD,DC=techibee,DC=AD" -Enabled $false -PassThru
Set-ADComputer –identity SRVMEM1 –description "Member Server"
Moving computer accounts to a different OU
Move-ADObject -Identity "CN=SRVMEM1,CN=Computers,DC=techibee,DC=ad" - TargetPath "OU=Computers,OU=PROD,DC=techibee,DC=ad" -PassThru
Get-ADComputer -Filter "name -eq 'SRVMEM1'" | Move-ADObject - TargetPath "OU=Computers,OU=PROD,DC=techibee,DC=ad" -PassThru
Get-ADComputer -Filter "description -like '*server*'" | Move-ADObject -TargetPath "OU=Computers,OU=PROD,DC=techibee,DC=ad" -PassThru
Get-ADComputer -Identity COMP1 | Enable-ADAccount
Get-ADComputer -Filter "*" -SearchBase "OU=Computers,OU=PROD,DC=techibee,DC=ad" | Enable-ADAccount - PassThru
you can use filters in conjunction with the Get-ADComputer or Search-ADAccount cmdlets
Get-ADComputer -Filter "*" -SearchBase "OU=Computers,OU=PROD,DC=techibee,DC=ad" | Disable-ADAccount - PassThru
Deleting computer accounts
Remove-ADComputer -Identity COMP1
most common use case is searching for computers older than x days and removing them. You can achieve this using the following command:
$Computers = Get-ADComputer -Filter * -Properties LastLogonDate | ? {$_.LastLogonDate -lt (get-date).Adddays(-10) }
$Computers | Remove-ADComputerGet-ADComputer –filter 'Location –eq "OFFICE1"' | Remove-ADComputer – confirm:$false
Get-ADComputer –SearchBase "OU=DisabledComp,DC=techibee,DC=ad" | Remove-ADComputer –confirm:$false
Creating different types of security groups
New-ADGroup -Name "Test Group1" -Path "OU=Groups,OU=Prod,DC=techibee,DC=ad" -groupScope domainlocal
New-ADGroup -Name "Test Group Global" -Path "OU=Groups,OU=Prod,DC=techibee,DC=ad" -groupScope global
New-ADgroup -Name "Test Group Universal" -Path "OU=Groups,OU=Prod,DC=techibee,DC=ad" -groupScope universal
Searching and modifying group object information
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter "Name -eq 'Test Group1'"
Get-ADGroup -LDAPFilter "(Name=Test Group1)"
Get-ADGroup -Filter {Name -like '*test*'}
Get-ADGroup -Filter {Name -like '*test*' -or Name -like '*Domain*'}
$Groups = Get-Content c:\temp\Groups.txt
foreach($Group in $Groups) {
$GroupObj = Get-ADGroup -Filter {Name -eq $Group}
if($GroupObj) {
"{0} : Group Found" -f $Group
} else {
"{0} : Group NOT Found" -f $Group
}
}Get-ADGroup -Filter {Name -eq "TestGroup" } | Set-ADGroup - Description "This Group Created for testing purpose only"Get-ADGroup -Filter {Name -like "*Test*" } | Set-ADGroup - Description "This Group is created for testing purpose"Get-ADGroup -Filter {Name -eq "TestGroup" } | Set-ADGroup Get-ADGroup -Identity TestGroup | select Name, GroupCategory, GroupScope
Get-ADGroup -Filter {Name -like "*Test*" } | Set-ADGroup - GroupCategory Distribution
Adding members to a group
Add-ADGroupMember –Identity "Group1-Read" –Members LabUser1
Add-ADGroupMember –Identity "Group1-Read" –Members LabUser1,LabUser2,LabUser3
"TestGroup","Group1-Read" | % {Add-ADGroupMember -Identity $_ - Members LabUser3 }
$Users = Get-Content C:\temp\users.txt Add-ADGroupMember -Identity TestGroup -Members $Users
$Users = Get-ADUser -SearchBase "OU=LAB,DC=techibee,dc=ad" -Filter {objectclass -eq "User" }
Add-ADGroupMember -Identity TestGroup -Members $Users$members = Get-ADGroupMember -Identity TestGroup Add-ADGroupMember -Identity TestGroup-Copy -Members $members