Active Directory with PowerShell

The -PassThru parameter returns the user object after the account has been created.

If this parameter is not specified, the cmdlet shows no output after the object is created successfully.


Import-Module ActiveDirectory

(Get-Command -Module ActiveDirectory).Count


Installing the Active Directory module


New-ADUser -Name gan
Get-Help New-ADUser -Detailed
$Password = Read-Host "Enter the password that you want to set" -AsSecureString
New-ADUser -Name James -Surname "Tang" -GivenName "James" -EmailAddress [email protected] -SamAccountName "james" -AccountPassword $Password -DisplayName "James Tang" -Department "Sales" -Country "CN" -City "Ningbo" -Path "OU=NOS,DC=afd,DC=ink" -Enabled $true -PassThru
Get-ADUser -Identity James -Properties *

Creating bulk user accounts


$Password = Read-Host "Enter the password that you want to set" -AsSecureString

1..100 | foreach { New-ADUser -Name "Labuser$_" -AccountPassword $Password -Path "OU=LAB,DC=afd,DC=ink" }


$Users = Import-CSV <path of the saved CSV file>
$Users | Format-Table
foreach($User in $Users) {
  New-ADUser -Name $User.LoginName -Surname $User.LastName -GivenName $User.FirstName -EmailAddress $User.Email -SamAccountName $User.LoginName -AccountPassword $Password -DisplayName $User.DisplayName -Country $User.Country -City $User.City -Path "OU=LAB,DC=afd,DC=ink" -Enabled $true -PassThru
}
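The CSV import above creates every row blindly and stops reporting on the first error. This added example (not part of the original notes) uses the same CSV columns and the same LAB OU, but checks whether the SamAccountName already exists so the import can be re-run safely, forces a password change at first logon because every account gets the same initial password, supports -WhatIf for a dry run, and reports the outcome per row. The function name Import-LabUsers and the path C:\temp\users.csv are assumptions.

```powershell
# Added example: idempotent bulk user import from the CSV layout used in the notes
# (LoginName, FirstName, LastName, DisplayName, Email, Country, City).
Import-Module ActiveDirectory

function Import-LabUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $TargetOU = "OU=LAB,DC=afd,DC=ink"   # OU used in the notes
    )
    foreach ($row in (Import-Csv -Path $CsvPath)) {
        $login = $row.LoginName
        if ([string]::IsNullOrWhiteSpace($login)) {
            Write-Warning "Row without LoginName skipped"
            continue
        }
        # Existence check: re-running the import must not fail or duplicate
        $existing = Get-ADUser -Filter { SamAccountName -eq $login }
        if ($existing) {
            [pscustomobject]@{ LoginName = $login; Result = 'Exists'; DN = $existing.DistinguishedName }
            continue
        }
        if ($PSCmdlet.ShouldProcess($login, "Create AD user in $TargetOU")) {
            try {
                $u = New-ADUser -Name $login -SamAccountName $login `
                    -GivenName $row.FirstName -Surname $row.LastName `
                    -DisplayName $row.DisplayName -EmailAddress $row.Email `
                    -Country $row.Country -City $row.City `
                    -AccountPassword $Password -Path $TargetOU -Enabled $true `
                    -ChangePasswordAtLogon $true -PassThru -ErrorAction Stop
                [pscustomobject]@{ LoginName = $login; Result = 'Created'; DN = $u.DistinguishedName }
            } catch {
                # Keep going: one bad row should not abort the whole import
                [pscustomobject]@{ LoginName = $login; Result = "Failed: $($_.Exception.Message)"; DN = $null }
            }
        }
    }
}

$Password = Read-Host "Enter the password that you want to set" -AsSecureString
# Dry run first (assumed path), then the real import
Import-LabUsers -CsvPath C:\temp\users.csv -Password $Password -WhatIf
Import-LabUsers -CsvPath C:\temp\users.csv -Password $Password | Format-Table
```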

Modifying user properties

Get-ADUser -Filter {Name -eq "gazh" }

Get-ADUser -Filter {Name -eq "gazh" } -Property *

Get-ADUser -Filter {Name -like "ga*" }

Get-ADUser -Filter * -SearchBase "OU=LAB,dc=afd,dc=ink"

Get-ADUser -Filter * -SearchBase "OU=NIPC Users,OU=Managed Users,OU=Nipc Lan,DC=nipc,DC=com,DC=cn"

Get-ADUser -Filter *  -SearchBase "OU=NIPC Users,OU=Managed Users,OU=Nipc Lan,DC=nipc,DC=com,DC=cn" |foreach {Set-ADUser -Identity $_.SamAccountName  -UserPrincipalName($_.SamAccountName+"")}


$UserObj = Get-ADUser -Filter {Name -eq "zhiyan gan" } -Properties *

Set-ADUser -Identity $UserObj -Description "Added new description via PowerShell"


$UserName = "ChrisB"
$NewDescription = "Delete this account after November"
$UserObj = Get-ADUser -Filter {Name -eq $UserName} -Properties *
Write-Host "Current description is : $($UserObj.Description)"
Set-ADUser -Identity $UserObj -Description $NewDescription
$UserObj = Get-ADUser -Filter {Name -eq $UserName} -Properties *
Write-Host "New description is : $($UserObj.Description)"
Get-ADUser -Identity ChrisB -Properties * | select HomePhone, OfficePhone, mobile
$OfficeNumber = "+65 12345678"
$HomeNumber = "+65 87654321"
$MobileNumber = "+65 13578642"
Set-ADUser -Identity ChrisB -OfficePhone $OfficeNumber -HomePhone $HomeNumber -MobilePhone $MobileNumber
Set-ADUser -Identity ChrisB -Clear telephonenumber, homephone, mobile
Set-ADUser -Identity ChrisB -Add @{telephonenumber = $OfficeNumber;  homephone = $HomeNumber ; mobile = $MobileNumber }

Set-ADUser cmdlet has parameters that can set these phone numbers. If the attribute that you are trying to set is not available as a parameter to the cmdlet then you can use the -Add parameter to directly specify the attribute name and the value. Similarly, you can use other parameters such as -Replace and -Clear to work with attributes directly.


We can extend this logic to multiple users with a foreach loop in PowerShell. Before doing this, store the user names and numbers you want to set in a CSV file and import it into PowerShell. The CSV has the columns UserName, OfficeNumber, HomeNumber and MobileNumber, one user per row (the screenshot of the file in the original notes is not reproduced here).



$Users = Import-CSV c:\temp\usersPhoneNumbers.csv
foreach($User in $Users) {
  Set-ADUser -Identity $User.UserName -OfficePhone $User.OfficeNumber -HomePhone $User.HomeNumber -MobilePhone $User.MobileNumber
}

Enabling or disabling user accounts


  • Enable-ADAccount: This cmdlet is used for enabling Active Directory user, computer, or service account objects
  • Disable-ADAccount: This cmdlet is used for disabling Active Directory user, computer, or service account objects
Disable-ADAccount -Identity ChrisB -Passthru
Get-ADUser -SearchBase "OU=LAB,DC=techibee,DC=AD" -Filter * | Disable-ADAccount
Get-Content C:\temp\users.txt | % { Disable-ADAccount -Identity $_ }
Get-ADUser -Filter 'Department -eq "sales"' | Disable-ADAccount

Moving user accounts to another OU

Move-ADObject -Identity "CN=ChrisB,OU=LAB,DC=techibee,DC=ad" -TargetPath "OU=Singapore,OU=LAB,DC=Techibee,DC=ad"


Moving all users from LAB OU to PROD OU

Get-ADUser -Filter * -SearchBase "OU=LAB,DC=techibee,DC=ad" |  Move-ADObject -TargetPath "OU=Prod,DC=techibee,DC=ad"
Get-ADUser -Filter 'department -eq "Sales"' | Move-ADObject -TargetPath "OU=Sales,OU=PROD,DC=techibee,DC=AD"

Deleting user accounts

Remove-ADUser -Identity ChrisB

Remove-ADUser -Identity ChrisB -Confirm:$false

Get-Content C:\temp\users.txt | % { Remove-ADUser -Identity $_ -Confirm:$false }


Managing computer accounts

Creating computer accounts

Get-Help New-ADComputer -Full

New-ADComputer -Name SRVMEM2 -PassThru

New-ADComputer -Name SRVMEM2 -Path "OU=Computers,OU=PROD,DC=techibee,DC=AD" -PassThru

New-ADComputer -Name SRVMEM2 -Path "OU=Computers,OU=PROD,DC=techibee,DC=AD" -Enabled $false -PassThru

Set-ADComputer -Identity SRVMEM1 -Description "Member Server"

Moving computer accounts to a different OU

Move-ADObject -Identity "CN=SRVMEM1,CN=Computers,DC=techibee,DC=ad" -TargetPath "OU=Computers,OU=PROD,DC=techibee,DC=ad" -PassThru
Get-ADComputer -Filter "name -eq 'SRVMEM1'" | Move-ADObject -TargetPath "OU=Computers,OU=PROD,DC=techibee,DC=ad" -PassThru
Get-ADComputer -Filter "description -like '*server*'" | Move-ADObject -TargetPath "OU=Computers,OU=PROD,DC=techibee,DC=ad" -PassThru
Get-ADComputer -Identity COMP1 | Enable-ADAccount
Get-ADComputer -Filter "*" -SearchBase "OU=Computers,OU=PROD,DC=techibee,DC=ad" | Enable-ADAccount -PassThru

To disable computer accounts, you can combine filters with the Get-ADComputer or Search-ADAccount cmdlets to select the accounts and pipe them to Disable-ADAccount:

Get-ADComputer -Filter "*" -SearchBase "OU=Computers,OU=PROD,DC=techibee,DC=ad" | Disable-ADAccount -PassThru

Deleting computer accounts

Remove-ADComputer -Identity COMP1

The most common use case is finding computer accounts that have not logged on for x days and removing them. You can achieve this with the following commands (note that the second line deletes without prompting, so run the first line on its own and review $Computers first):

$Computers = Get-ADComputer -Filter * -Properties LastLogonDate | ? { $_.LastLogonDate -lt (Get-Date).AddDays(-10) }
$Computers | Remove-ADComputer
Get-ADComputer -Filter 'Location -eq "OFFICE1"' | Remove-ADComputer -Confirm:$false
Get-ADComputer -Filter * -SearchBase "OU=DisabledComp,DC=techibee,DC=ad" | Remove-ADComputer -Confirm:$false
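The one-liner above deletes straight away, and because "$null -lt <date>" evaluates to true in PowerShell it also catches computers whose LastLogonDate is empty (never logged on, or not yet replicated to the domain controller you query). This added example (not part of the original notes) is a staged version: it disables the stale accounts, records the reason in the description and moves them into the DisabledComp OU the notes already use, so the final Remove-ADComputer pass over that OU is a separate, reviewable step. It skips accounts without a LastLogonDate, accounts that are already disabled, and anything in the Domain Controllers OU. The function name, the 90-day default and the OU path are assumptions.

```powershell
# Added example: quarantine stale computer accounts instead of deleting them outright.
Import-Module ActiveDirectory

function Invoke-StaleComputerQuarantine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int] $Days = 90,   # assumption: 90 days is a more typical threshold than 10
        [string] $QuarantineOU = "OU=DisabledComp,DC=techibee,DC=ad"   # OU from the notes
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    $computers = Get-ADComputer -Filter * -Properties LastLogonDate, Description
    foreach ($c in $computers) {
        # Never touch domain controllers from a cleanup script
        if ($c.DistinguishedName -like '*,OU=Domain Controllers,*') { continue }
        # Already disabled: probably quarantined by an earlier run
        if (-not $c.Enabled) { continue }
        if ($null -eq $c.LastLogonDate) {
            # Unknown logon history is not the same as "stale": report, do not act
            [pscustomobject]@{ Name = $c.Name; LastLogonDate = $null; Action = 'Skipped (no LastLogonDate)' }
            continue
        }
        if ($c.LastLogonDate -ge $cutoff) { continue }
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable and move to $QuarantineOU")) {
            $note = "Disabled {0:yyyy-MM-dd}: no logon since {1:yyyy-MM-dd}" -f (Get-Date), $c.LastLogonDate
            Disable-ADAccount -Identity $c
            Set-ADComputer -Identity $c -Description $note
            Move-ADObject -Identity $c -TargetPath $QuarantineOU
            [pscustomobject]@{ Name = $c.Name; LastLogonDate = $c.LastLogonDate; Action = 'Quarantined' }
        }
    }
}

# Dry run first, then the real run
Invoke-StaleComputerQuarantine -Days 90 -WhatIf
Invoke-StaleComputerQuarantine -Days 90 | Format-Table
```

LastLogonDate is derived from lastLogonTimestamp, which replicates with a delay of up to 14 days by default, so thresholds of only a few days will misclassify active machines.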

Creating different types of security groups

New-ADGroup -Name "Test Group1" -Path "OU=Groups,OU=Prod,DC=techibee,DC=ad" -GroupScope DomainLocal

New-ADGroup -Name "Test Group Global" -Path "OU=Groups,OU=Prod,DC=techibee,DC=ad" -GroupScope Global

New-ADGroup -Name "Test Group Universal" -Path "OU=Groups,OU=Prod,DC=techibee,DC=ad" -GroupScope Universal

Searching and modifying group object information

Get-ADGroup -Filter * | select Name

Get-ADGroup -Filter "Name -eq 'Test Group1'"

Get-ADGroup -LDAPFilter "(Name=Test Group1)"

Get-ADGroup -Filter {Name -like '*test*'}

Get-ADGroup -Filter {Name -like '*test*' -or Name -like '*Domain*'}

$Groups = Get-Content c:\temp\Groups.txt
foreach($Group in $Groups) {
  $GroupObj = Get-ADGroup -Filter {Name -eq $Group}
  if($GroupObj) {
    "{0} : Group Found" -f $Group
  } else {
    "{0} : Group NOT Found" -f $Group
  }
}

Get-ADGroup -Filter {Name -eq "TestGroup" } | Set-ADGroup -Description "This Group Created for testing purpose only"
Get-ADGroup -Filter {Name -like "*Test*" } | Set-ADGroup -Description "This Group is created for testing purpose"
Get-ADGroup -Filter {Name -eq "TestGroup" } | Set-ADGroup
Get-ADGroup -Identity TestGroup | select Name, GroupCategory, GroupScope
Get-ADGroup -Filter {Name -like "*Test*" } | Set-ADGroup -GroupCategory Distribution

Adding members to a group

Add-ADGroupMember -Identity "Group1-Read" -Members LabUser1

Add-ADGroupMember -Identity "Group1-Read" -Members LabUser1,LabUser2,LabUser3

"TestGroup","Group1-Read" | % { Add-ADGroupMember -Identity $_ -Members LabUser3 }

$Users = Get-Content C:\temp\users.txt
Add-ADGroupMember -Identity TestGroup -Members $Users
$Users = Get-ADUser -SearchBase "OU=LAB,DC=techibee,dc=ad" -Filter  {objectclass -eq "User" }
Add-ADGroupMember -Identity TestGroup -Members $Users
$members = Get-ADGroupMember -Identity TestGroup
Add-ADGroupMember -Identity TestGroup-Copy -Members $members

Adding computer accounts to groups
