Most Sysadmins are used to utilising the Active Directory Users and Computers MMC to manage user accounts and groups. PowerShell commands can be used to reduce the time it takes to perform the same tasks by helping you to perform repeated tasks and scripting multiple tasks together to perform these tasks in one action. Before we get to that stage we need to learn some of the basics first. This blog post is an introduction to AD management through a few basic Powershell commands.
The Powershell AD module is not automatically enabled within Powershell. The first thing we need to do is enable a module that will allow running the commands to make changes in Active Directory:
Open a PowerShell session and import the module with the following command
PS C:\> Import-Module ActiveDirectory
To view the available commands you can use and are available in the module:
PS C:\> get-command -module ActiveDirectory
Reset a user password
Let’s start with one of the most common I.T tasks which is resetting a user’s password. We can easily accomplish this by using the Set-ADAccountPassword cmdlet.
The Set-ADAccountPassword cmdlet sets the password for a user, computer, or service account.
PS C:\> Set-ADAccountPassword -Identity ……………. -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “……..” -force)
Example script
PS C:\> Set-ADAccountPassword -Identity ‘CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com’ -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “p@ssw0rd” -Force)
Disable and enable a user account
Next, let’s disable an account. To disable the account you will use the Disable-ADAccount cmdlet.
PS C:\> Disable-ADAccount -Identity ‘CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com’
When the time comes to enable the account simply just change the syntax slightly by using the Enable-ADAccount cmdlet.
PS C:\> Enable-ADAccount -Identity ‘CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com’
Unlock a user account
You can unlock accounts by using the Unlock-ADAccount cmdlet:
PS C:\> Unlock-ADAccount -Identity ‘CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com’
Delete a user account
Deleting user accounts is easy with the Remove-ADUser cmdlet.
PS C:\> Remove-ADUser -Identity ‘CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com’
Or use the pipe to filter a bunch of users and delete them with one simple command:
PS C:\> get-aduser -filter “enabled -eq ‘false'” -property WhenChanged -SearchBase “OU=Employees, DC=mydomain,DC=com” | where {$_.WhenChanged -le (Get-Date).AddDays(-180)} | Remove-ADuser -whatif
This handy one-line command would find and delete all disabled accounts in the Employees organisational unit (OU) that haven’t been changed in at least 180 days.
Find empty groups
Group management can be never ending and you will no doubt end up with many more groups then you expected. Some of these groups over time can become empty and redundant. This command is handy to use to find all groups in the domain, including built-in groups:
PS C:\> get-adgroup -filter * | where {-Not ($_ | get-adgroupmember)} | Select Name
If you have groups with hundreds of members, then using this command might be time-consuming; Get-ADGroupMember checks every group. If you can limit or fine-tune your search, so much the better.
Here’s another approach:
PS C:\> get-adgroup -filter “members -notlike ‘*’ -AND GroupScope -eq ‘Universal'” -SearchBase “OU=Groups,OU=Employees,DC=mydomain, DC=com” | Select Name,Group*
This command finds all universal groups that don’t have any members in my Groups OU and that display a few properties.
Add members to a group
Here is a command that will add a user to a group. This will add the user JBrown to the group BrisbaneLionsTeam
PS C:\> add-adgroupmember -Identity BribaneLionsTeam -Members JBrown
See members of a particular group
Use the Get-ADGroupMember command to see members of a particular group. Below will show a list of users that are a member of the Domain Admins group
PS C:\> Get-ADGroupMember -Identity Domain Admins
Start experimenting
Now that I have given you some of the basic commands i encourage you to jump straight in and try a few out. I hope this blog post has shown you that using PowerShell isn’t complicated or frightening and encourages you to go and start experimenting with a few commands. Understanding basic commands like these is just the beginning. Eventually this will lead you to learn to use more complex scripts to help automate tasks and in turn save time. “It isn’t a matter of if you’ll use PowerShell, only a matter of when.” Sure, you can manage AD without using PowerShell, but if you want maximum efficiency with minimal effort, you’ll be glad you started using it today.
