
Useful PowerShell Commands to help you better manage Active Directory

Most sysadmins are used to managing user accounts and groups with the Active Directory Users and Computers MMC snap-in. PowerShell can cut the time these tasks take: repeated tasks can be scripted, and several tasks can be chained together and run as one action. Before we get to that stage we need to learn some of the basics. This blog post is an introduction to AD management through a few basic PowerShell commands.

The ActiveDirectory module is not loaded automatically in PowerShell. The first thing we need to do is import the module that provides the cmdlets for making changes in Active Directory:

Open a PowerShell session and import the module with the following command:

PS C:\> Import-Module ActiveDirectory

To list the cmdlets the module makes available:

PS C:\> Get-Command -Module ActiveDirectory

Reset a user password

Let's start with one of the most common IT tasks: resetting a user's password. We can accomplish this with the Set-ADAccountPassword cmdlet.

The Set-ADAccountPassword cmdlet sets the password for a user, computer, or service account.

PS C:\> Set-ADAccountPassword -Identity ……………. -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "……..” -Force)

Example script

PS C:\> Set-ADAccountPassword -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force)
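The one-liner above puts the new password in clear text on the command line, where it lands in the console history and any transcript. The following helper is an added example, not code from the original post: it prompts for the password as a SecureString, resets it, forces a change at next logon and clears any lockout. It assumes the RSAT ActiveDirectory module is installed and that the caller has reset-password rights on the account; the DN is the post's own sample.

```powershell
# Added example (not from the original post): reset a user's password without
# typing it in clear text on the command line, then force a change at next logon.
# Assumes the ActiveDirectory module is installed and the caller has
# reset-password rights on the target account.
Import-Module ActiveDirectory

function Reset-UserPasswordInteractive {
    param(
        [Parameter(Mandatory)] [string] $Identity
    )

    # Read-Host -AsSecureString keeps the new password out of the console
    # history and any transcript, unlike a literal passed to ConvertTo-SecureString.
    $newPassword = Read-Host -Prompt "New password for $Identity" -AsSecureString

    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPassword -ErrorAction Stop

    # Force the user to choose their own password at next logon, so the
    # helpdesk-issued value is only ever a one-time secret.
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true

    # Clear any lockout left over from the failed attempts that usually
    # precede a reset request.
    Unlock-ADAccount -Identity $Identity

    # Return the account state so the operator can confirm what changed.
    Get-ADUser -Identity $Identity -Properties PasswordLastSet, LockedOut, PasswordExpired |
        Select-Object SamAccountName, PasswordLastSet, LockedOut, PasswordExpired
}

# Usage with the post's sample account (a DN, SamAccountName or SID all work for -Identity).
Reset-UserPasswordInteractive -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com'
```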


Disable and enable a user account

Next, let's disable an account. To disable the account you use the Disable-ADAccount cmdlet.

PS C:\> Disable-ADAccount -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com'

When the time comes to enable the account again, the syntax changes only slightly: use the Enable-ADAccount cmdlet.

PS C:\> Enable-ADAccount -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com'

Unlock a user account

You can unlock accounts by using the Unlock-ADAccount cmdlet:

PS C:\> Unlock-ADAccount -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com'


Delete a user account

Deleting user accounts is easy with the Remove-ADUser cmdlet.

PS C:\> Remove-ADUser -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com'

Or use the pipeline to filter a set of users and delete them with one command:

PS C:\> Get-ADUser -Filter "Enabled -eq 'false'" -Properties WhenChanged -SearchBase "OU=Employees,DC=mydomain,DC=com" | Where-Object {$_.WhenChanged -le (Get-Date).AddDays(-180)} | Remove-ADUser -WhatIf

This handy one-liner finds all disabled accounts in the Employees organisational unit (OU) that have not been changed in at least 180 days. With the -WhatIf switch it only reports which accounts would be deleted; remove the switch to actually delete them.


Find empty groups

Group management can be never-ending, and you will no doubt end up with many more groups than you expected. Over time some of these groups become empty and redundant. This command finds all groups in the domain, including built-in groups, that have no members:

PS C:\> Get-ADGroup -Filter * | Where-Object {-not ($_ | Get-ADGroupMember)} | Select-Object Name

If you have groups with hundreds of members, this command can be slow, because Get-ADGroupMember enumerates the members of every group. If you can narrow the search, so much the better.

Here's another approach:

PS C:\> Get-ADGroup -Filter "Members -notlike '*' -and GroupScope -eq 'Universal'" -SearchBase "OU=Groups,OU=Employees,DC=mydomain,DC=com" | Select-Object Name,Group*

This command finds all universal groups in my Groups OU that have no members and displays a few of their properties.


Add members to a group

Here is a command that adds a user to a group. This adds the user JBrown to the group BrisbaneLionsTeam:

PS C:\> Add-ADGroupMember -Identity BrisbaneLionsTeam -Members JBrown


See members of a particular group

Use the Get-ADGroupMember cmdlet to see the members of a particular group. The command below lists the members of the Domain Admins group:

PS C:\> Get-ADGroupMember -Identity "Domain Admins"


Start experimenting

Now that I have given you some of the basic commands, I encourage you to jump straight in and try a few out. I hope this blog post has shown you that using PowerShell isn't complicated or frightening, and that it encourages you to start experimenting with a few commands. Understanding basic commands like these is just the beginning. Eventually this will lead you to write more complex scripts that automate tasks and in turn save time. "It isn't a matter of if you'll use PowerShell, only a matter of when." Sure, you can manage AD without using PowerShell, but if you want maximum efficiency with minimal effort, you'll be glad you started using it today.
