These PowerShell scripts for Active Directory can help you automate and streamline your AD management tasks. Whether you’re working with users, groups, computers, or other AD objects, these scripts provide essential functionality for daily administration.
Here’s a list of PowerShell scripts for Active Directory (AD) to help with a variety of administrative tasks, from user management to group policies and security.
1. Create a New Active Directory User
This script creates a new user account in Active Directory. The initial password is read from the console as a SecureString rather than hard-coded; a plaintext password in a script ends up in version control, backups and PowerShell transcripts. The account is also forced to change the password at first logon, so the value typed here is single-use.
$Password = Read-Host "Initial password for jdoe" -AsSecureString   # prompt instead of embedding a password in the script
New-ADUser -SamAccountName "jdoe" -UserPrincipalName "jdoe@domain.com" -Name "John Doe" -GivenName "John" -Surname "Doe" -Path "OU=Users,DC=domain,DC=com" -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true
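A fuller onboarding routine, added here as an example and not taken from the original page: it generates the initial password with a cryptographic RNG, refuses to collide with an existing account or create the object in the wrong container, and forces a change at first logon. The OU, UPN suffix, group name and the "jdoe" call at the end are assumptions for illustration.

```powershell
# Added example (not from the original page). Names, OU and groups are assumptions.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 64-character alphabet, so "random byte % 64" selects uniformly with no modulo bias.
    # Ambiguous glyphs (l, o, I, O, 0, 1) are omitted because the value is read out to a person once.
    param([int]$Length = 20)
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'
    if ($alphabet.Length -ne 64) { throw "alphabet must contain exactly 64 characters" }
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function New-OnboardedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$OU = 'OU=Users,DC=domain,DC=com',   # assumed target OU
        [string]$UpnSuffix = 'domain.com',            # assumed UPN suffix
        [string[]]$Groups = @()                       # ordinary, non-privileged groups only
    )
    # Never silently reuse or collide with an existing sAMAccountName.
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        throw "Account '$SamAccountName' already exists"
    }
    # Fail early if the OU is missing rather than letting the object land somewhere unexpected.
    try { $null = Get-ADOrganizationalUnit -Identity $OU } catch { throw "OU '$OU' not found: $_" }

    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    $params = @{
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "$SamAccountName@$UpnSuffix"
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        DisplayName           = "$GivenName $Surname"
        Path                  = $OU
        AccountPassword       = $secure
        Enabled               = $true
        ChangePasswordAtLogon = $true   # the generated value is single-use
    }
    New-ADUser @params
    foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $SamAccountName }

    # Return the password once, to the caller only; do not write it to a log or transcript.
    [pscustomobject]@{ SamAccountName = $SamAccountName; InitialPassword = $plain }
}

# Example call (assumed names):
# New-OnboardedUser -SamAccountName 'jdoe' -GivenName 'John' -Surname 'Doe' -Groups 'Sales-Users'
```

Hand the returned password to the user over a channel separate from the one that delivers the username, and run the script outside any Start-Transcript session so the plaintext value is not captured.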
2. Disable an Active Directory User
This script disables a user account.
Disable-ADAccount -Identity "jdoe"
3. Enable an Active Directory User
This script enables a disabled user account.
Enable-ADAccount -Identity "jdoe"
4. Reset User Password
This script resets the password for an Active Directory user. Set-ADUser has no -Password parameter; password resets are done with Set-ADAccountPassword, and -Reset sets the new value without needing the old one. The new password is prompted for rather than hard-coded, and the user is required to change it at next logon.
$NewPassword = Read-Host "New password for jdoe" -AsSecureString   # prompt instead of embedding a password in the script
Set-ADAccountPassword -Identity "jdoe" -NewPassword $NewPassword -Reset
Set-ADUser -Identity "jdoe" -ChangePasswordAtLogon $true   # the reset value is single-use
5. Search for Locked Out Accounts
This script searches for all locked-out user accounts in the domain.
Search-ADAccount -LockedOut
6. Unlock User Account
This script unlocks a user account that has been locked out.
Unlock-ADAccount -Identity "jdoe"
7. List All Active Directory Users
This script retrieves all users in Active Directory.
Get-ADUser -Filter * -Properties DisplayName, EmailAddress | Select-Object DisplayName, EmailAddress
8. Add User to a Group
This script adds an existing user to a specific AD group.
Add-ADGroupMember -Identity "Admins" -Members "jdoe"
9. Remove User from a Group
This script removes a user from a specific AD group.
Remove-ADGroupMember -Identity "Admins" -Members "jdoe" -Confirm:$false
10. Get Group Membership of a User
This script lists the groups a specific user belongs to. There is no Get-ADUserMemberOf cmdlet; the cmdlet is Get-ADPrincipalGroupMembership. It returns direct memberships only (plus the primary group, usually Domain Users); to see rights inherited through nested groups, expand from the group side with Get-ADGroupMember -Recursive.
Get-ADPrincipalGroupMembership -Identity "jdoe" | Select-Object Name, GroupCategory, GroupScope
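Group membership is where most privilege in a domain is granted, so the question practitioners actually need answered is the reverse of the one above: who, including through nested groups, ends up in the privileged groups, and do those accounts look healthy. The following audit is an added example, not code from the original page; the group list covers the built-in privileged groups, and the 90-day and one-year thresholds are assumptions to adjust to local policy.

```powershell
# Added example (not from the original page). Thresholds are assumptions.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators'),
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($group in $Groups) {
        # -Recursive flattens nested groups so indirectly granted rights are not missed.
        # Enterprise Admins and Schema Admins exist only in the forest root, hence SilentlyContinue.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') {
                # A computer or foreign security principal in an admin group is a finding in itself.
                [pscustomobject]@{ Group = $group; Member = $m.SamAccountName; Class = $m.objectClass
                                   Finding = 'Non-user principal in privileged group' }
                continue
            }
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet,
                                                                       PasswordNeverExpires, ServicePrincipalName
            $findings = @()
            if (-not $u.Enabled) { $findings += 'Disabled account still in group' }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) { $findings += "No logon in $StaleDays days" }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) { $findings += 'Password older than one year' }
            if ($u.PasswordNeverExpires) { $findings += 'Password never expires' }
            if ($u.ServicePrincipalName) { $findings += 'Has SPN (service account holding admin rights)' }
            $finding = $findings -join '; '
            [pscustomobject]@{ Group = $group; Member = $u.SamAccountName; Class = 'user'; Finding = $finding }
        }
    }
}

# Usage: Get-PrivilegedGroupReport | Where-Object Finding | Format-Table -AutoSize
```

Get-ADGroupMember -Recursive can fail on groups that contain foreign security principals from a trusted forest; if that happens, read the group's member attribute directly with Get-ADGroup -Properties member and expand it yourself.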
11. Find Users in a Specific Organizational Unit (OU)
This script lists all users in a specific OU.
Get-ADUser -Filter * -SearchBase "OU=Sales,DC=domain,DC=com"
12. Get User Last Logon Time
This script retrieves the last logon date for a specific user. LastLogonDate is derived from the lastLogonTimestamp attribute, which replicates between domain controllers but is only updated when the stored value is more than 9 to 14 days old, so treat it as accurate to about two weeks. The exact value lives in the non-replicated lastLogon attribute on each DC.
Get-ADUser -Identity "jdoe" -Properties LastLogonDate | Select-Object Name, LastLogonDate
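When the answer has to be exact, for example during an incident, the non-replicated lastLogon attribute must be read from every domain controller and the newest value kept. The functions below are an added example, not part of the original page: one does exactly that, the other finds inactive accounts with Search-ADAccount and pads the window by 14 days to absorb the lastLogonTimestamp replication slack. The 90-day threshold is an assumption.

```powershell
# Added example (not from the original page). The 90-day threshold is an assumption.
Import-Module ActiveDirectory

function Get-ADUserTrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $latest = [datetime]::MinValue
    $source = $null
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        } catch {
            # An unreachable DC means the result may be incomplete; say so rather than hide it.
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }
        if ($u.lastLogon -and $u.lastLogon -gt 0) {
            $t = [DateTime]::FromFileTime($u.lastLogon)   # lastLogon is a FILETIME (100 ns ticks since 1601)
            if ($t -gt $latest) { $latest = $t; $source = $dc.HostName }
        }
    }
    $last = if ($latest -eq [datetime]::MinValue) { $null } else { $latest }
    [pscustomobject]@{ SamAccountName = $SamAccountName; LastLogon = $last; ReportedBy = $source }
}

function Get-StaleUserAccounts {
    param([int]$InactiveDays = 90)
    # Search-ADAccount works from lastLogonTimestamp, which may lag the real logon by up to
    # 14 days, so widen the window: a timestamp older than (N + 14) days guarantees N days of inactivity.
    $span = New-TimeSpan -Days ($InactiveDays + 14)
    Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Usage:
# Get-ADUserTrueLastLogon -SamAccountName 'jdoe'
# Get-StaleUserAccounts -InactiveDays 90 | Export-Csv .\stale-users.csv -NoTypeInformation
```

Accounts that have never logged on have lastLogon of 0 on every DC and come back with LastLogon empty; whether they should still exist is a separate question from staleness.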
13. Create a New Active Directory Group
This script creates a new group in Active Directory.
New-ADGroup -Name "Marketing" -GroupScope Global -Path "OU=Groups,DC=domain,DC=com"
14. Delete an Active Directory User
This script deletes a user from Active Directory. Deletion is irreversible unless the AD Recycle Bin is enabled, so the usual practice is to disable the account first (script 2) and delete it only after a retention period.
Remove-ADUser -Identity "jdoe" -Confirm:$false
15. Create a New Organizational Unit (OU)
This script creates a new Organizational Unit in Active Directory.
New-ADOrganizationalUnit -Name "Marketing" -Path "DC=domain,DC=com"
16. Move AD User to Another OU
This script moves a user to a different organizational unit.
Move-ADObject -Identity "CN=John Doe,OU=Users,DC=domain,DC=com" -TargetPath "OU=Managers,DC=domain,DC=com"
17. Check Group Membership for Multiple Users
This script checks whether multiple users are members of a specific group. The -in operator is not supported in Get-ADUser filters, so the group is expanded once (recursively, to include nested membership) and each user is checked against that list.
$Members = (Get-ADGroupMember -Identity "Admins" -Recursive).SamAccountName
foreach ($u in "jdoe", "asmith") { [pscustomobject]@{ User = $u; IsMember = ($Members -contains $u) } }
18. Get All Active Directory Groups
This script lists all Active Directory groups in the domain.
Get-ADGroup -Filter * | Select-Object Name
19. Export Active Directory Users to CSV
This script exports all users to a CSV file.
Get-ADUser -Filter * -Properties DisplayName, EmailAddress | Select-Object DisplayName, EmailAddress | Export-Csv "C:\ADUsers.csv" -NoTypeInformation
20. Get All Computers in Active Directory
This script retrieves all computers in the domain. OperatingSystem is not in the default property set, so it has to be requested explicitly or the column comes back empty.
Get-ADComputer -Filter * -Properties OperatingSystem | Select-Object Name, OperatingSystem
21. Get Active Directory User by Email
This script retrieves a user by their email address.
Get-ADUser -Filter {EmailAddress -eq "jdoe@domain.com"}
22. Set User Description
This script sets or updates a user’s description.
Set-ADUser -Identity "jdoe" -Description "Updated description"
23. Check Active Directory Replication Status
This script reports replication failures across the domain controllers of a domain. With -Scope Domain the cmdlet also requires -Target, the domain to query.
Get-ADReplicationFailure -Target "domain.com" -Scope Domain
24. Get Domain Controllers
This script retrieves all domain controllers in the domain.
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address
25. Change Group Type (Security to Distribution)
This script changes a group from a security group to a distribution group.
Set-ADGroup -Identity "Marketing" -GroupCategory Distribution
26. Export Group Members to CSV
This script exports all members of a group to a CSV file.
Get-ADGroupMember -Identity "Marketing" | Select-Object Name | Export-Csv "C:\GroupMembers.csv" -NoTypeInformation
27. Create a Managed Service Account
This script creates a standalone managed service account (sMSA), which is bound to a single computer. The account only becomes usable once it is linked to that computer and installed there (Install-ADServiceAccount on the host). For services that run on more than one host, or where you want the KDS to rotate the password, use a group managed service account instead.
New-ADServiceAccount -Name "SQLService" -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity "SQL01" -ServiceAccount "SQLService"   # link the sMSA to the computer that will run the service
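The group managed service account (gMSA) provisioning flow, as an added example that is not part of the original page. Names (the gMSA, its DNS host name, the SQL-Servers group, the SQL01 host and the SPN) are assumptions. A gMSA's password is generated by the Key Distribution Service, rotated automatically (every 30 days by default) and retrievable only by the principals named on the account, so no administrator ever handles it.

```powershell
# Added example (not from the original page). All names are assumptions.
Import-Module ActiveDirectory

# 1. The forest needs one KDS root key. In production use -EffectiveImmediately and wait the
#    10-hour replication window; the backdated -EffectiveTime form is for a single-DC lab only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab; use -EffectiveImmediately in production
}

# 2. Restrict password retrieval to a group of hosts, never to Domain Computers.
$hostGroup = 'SQL-Servers'   # assumed group holding the SQL computer accounts
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -Path 'OU=Groups,DC=domain,DC=com'
}
Add-ADGroupMember -Identity $hostGroup -Members 'SQL01$'   # computer accounts end in $

# 3. Create the gMSA with the SPNs the service will present, AES only so no RC4 tickets are issued.
New-ADServiceAccount -Name 'gmsa-sql' `
    -DNSHostName 'gmsa-sql.domain.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ServicePrincipalNames 'MSSQLSvc/sql01.domain.com:1433' `
    -KerberosEncryptionType AES128, AES256

# 4. On each host, after a reboot so its ticket carries the new group membership:
#    Install-ADServiceAccount -Identity 'gmsa-sql'
#    Test-ADServiceAccount -Identity 'gmsa-sql'   # True when the host can retrieve the password
```

Configure the service to log on as domain\gmsa-sql$ with an empty password; the host fetches the current password from the KDS itself.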
28. Get AD User’s Group Membership
This script retrieves all direct group memberships for a user (the same cmdlet as script 10; Get-ADUserMemberOf does not exist).
Get-ADPrincipalGroupMembership -Identity "jdoe" | Select-Object Name, GroupCategory, GroupScope
29. Check for Disabled Accounts
This script finds all disabled user accounts in Active Directory.
Get-ADUser -Filter {Enabled -eq $false}
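Disabled accounts are one hygiene check; the account flags that weaken Kerberos and password controls are the others worth running with the same cmdlets. The report below is an added example, not code from the original page. Every query is a read-only LDAP search through Get-ADUser -Filter; the names of the checks and the CSV path in the usage line are assumptions.

```powershell
# Added example (not from the original page). Read-only; check names are assumptions.
Import-Module ActiveDirectory

function Get-RiskyAccountReport {
    $props = 'ServicePrincipalName', 'DoesNotRequirePreAuth', 'PasswordNotRequired',
             'PasswordNeverExpires', 'TrustedForDelegation', 'AllowReversiblePasswordEncryption',
             'AdminCount', 'PasswordLastSet'
    $checks = [ordered]@{
        # Any user with an SPN can have a service ticket requested for it and cracked offline (Kerberoasting).
        'User with SPN'                  = { Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties $props }
        # Pre-authentication disabled lets anyone obtain an AS-REP encrypted with the user's key (AS-REP roasting).
        'Kerberos pre-auth not required' = { Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties $props }
        # PASSWD_NOTREQD bypasses the domain minimum length; the password may be empty.
        'Password not required'          = { Get-ADUser -Filter { PasswordNotRequired -eq $true } -Properties $props }
        'Password never expires'         = { Get-ADUser -Filter { PasswordNeverExpires -eq $true } -Properties $props }
        # Unconstrained delegation: the account can impersonate any user that authenticates to it.
        'Unconstrained delegation'       = { Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties $props }
        # Reversible encryption stores a recoverable password.
        'Reversible encryption'          = { Get-ADUser -Filter { AllowReversiblePasswordEncryption -eq $true } -Properties $props }
        # adminCount=1 marks objects protected by AdminSDHolder; orphans keep the restricted ACL after leaving the group.
        'adminCount set'                 = { Get-ADUser -Filter { AdminCount -eq 1 } -Properties $props }
    }
    foreach ($name in $checks.Keys) {
        foreach ($u in (& $checks[$name])) {
            [pscustomobject]@{
                Check           = $name
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                SPN             = ($u.ServicePrincipalName -join ' ')
            }
        }
    }
}

# Usage: Get-RiskyAccountReport | Sort-Object Check, SamAccountName | Export-Csv .\risky-accounts.csv -NoTypeInformation
```

An SPN-bearing user with an old password (PasswordLastSet years back) is the combination to fix first: long-lived service passwords are exactly what offline cracking rewards, and the remedy is a gMSA (script 27).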
30. Get Password Policy
This script retrieves the password policy for the domain.
Get-ADDefaultDomainPasswordPolicy
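The default domain policy is only the fallback: fine-grained password policies (password settings objects, PSOs) override it for the users and groups they apply to, and a lax PSO on a service-account group quietly undoes a strict default. The functions below are an added example, not part of the original page: the first compares every policy against a baseline, the second shows the policy a given user actually receives. The baseline numbers are assumptions.

```powershell
# Added example (not from the original page). Baseline values are assumptions.
Import-Module ActiveDirectory

function Test-PasswordPolicyBaseline {
    param(
        [int]$MinLength = 14,
        [int]$MaxLockoutThreshold = 10,   # 0 means lockout is disabled entirely
        [int]$MinHistory = 24
    )
    $default = Get-ADDefaultDomainPasswordPolicy
    $fgpps   = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo

    $all = @([pscustomobject]@{ Name = 'Default Domain Policy'; Precedence = $null
                                AppliesTo = '(everyone not covered by a PSO)'; Policy = $default })
    $all += @(foreach ($p in $fgpps) {
        [pscustomobject]@{ Name = $p.Name; Precedence = $p.Precedence; AppliesTo = ($p.AppliesTo -join '; '); Policy = $p }
    })

    foreach ($entry in $all) {
        $p = $entry.Policy
        $issues = @()
        if ($p.MinPasswordLength -lt $MinLength)   { $issues += "MinPasswordLength $($p.MinPasswordLength) < $MinLength" }
        if (-not $p.ComplexityEnabled)             { $issues += 'Complexity disabled' }
        if ($p.ReversibleEncryptionEnabled)        { $issues += 'Reversible encryption enabled' }
        if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $MaxLockoutThreshold) {
            $issues += "LockoutThreshold $($p.LockoutThreshold)"
        }
        if ($p.PasswordHistoryCount -lt $MinHistory) { $issues += "PasswordHistoryCount $($p.PasswordHistoryCount) < $MinHistory" }
        [pscustomobject]@{
            Policy     = $entry.Name
            Precedence = $entry.Precedence   # lowest wins when several PSOs apply to one user
            AppliesTo  = $entry.AppliesTo
            Issues     = ($issues -join '; ')
        }
    }
}

function Get-EffectivePasswordPolicy {
    # Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies, i.e. the default is in force.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
}

# Usage:
# Test-PasswordPolicyBaseline | Format-Table -AutoSize
# Get-EffectivePasswordPolicy -SamAccountName 'jdoe' | Select-Object Name, MinPasswordLength, LockoutThreshold
```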
31. Export Active Directory Groups to CSV
This script exports all AD groups to a CSV file.
Get-ADGroup -Filter * | Select-Object Name | Export-Csv "C:\ADGroups.csv" -NoTypeInformation
32. List Expiring Passwords
This script lists enabled users whose passwords expire in the next 30 days. msDS-UserPasswordExpiryTimeComputed is a FILETIME (an Int64 of 100-nanosecond ticks), so it must be compared as one and converted with [DateTime]::FromFileTime for display; the property name contains a hyphen and has to be quoted. Accounts with PasswordNeverExpires hold a sentinel value that FromFileTime cannot convert and are excluded in the filter, and a value of 0 (password must change at next logon) is skipped.
$Limit = (Get-Date).AddDays(30).ToFileTime()
Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} -Properties "msDS-UserPasswordExpiryTimeComputed" | Where-Object { $_."msDS-UserPasswordExpiryTimeComputed" -gt 0 -and $_."msDS-UserPasswordExpiryTimeComputed" -lt $Limit } | Select-Object SamAccountName, @{n="PasswordExpires"; e={[DateTime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
33. Get User SID
This script retrieves the SID (Security Identifier) of a user.
(Get-ADUser -Identity "jdoe").SID
34. Get Organizational Units in AD
This script lists all organizational units (OUs) in the domain.
Get-ADOrganizationalUnit -Filter * | Select-Object Name
35. List Computers with a Specific Operating System
This script lists all computers running a specific operating system. The attribute holds the full edition string (for example "Windows Server 2016 Standard"), so match with -like and a wildcard rather than -eq, and request the property explicitly because it is not returned by default.
Get-ADComputer -Filter {OperatingSystem -like "Windows Server 2016*"} -Properties OperatingSystem | Select-Object Name, OperatingSystem
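Beyond finding one version, the useful view is the whole distribution plus the computer accounts that look abandoned. The report below is an added example, not code from the original page. A domain member rotates its machine password every 30 days by default, so a computer whose PasswordLastSet is months old has not been talking to the domain; the end-of-life pattern list and the 90-day threshold are assumptions to maintain locally.

```powershell
# Added example (not from the original page). Patterns and threshold are assumptions.
Import-Module ActiveDirectory

function Get-ComputerHygieneReport {
    param(
        [int]$StaleDays = 90,
        [string[]]$EndOfLifePatterns = @('Windows Server 2008*', 'Windows Server 2012*', 'Windows 7*', 'Windows 8*')
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, PasswordLastSet, LastLogonDate, Enabled

    # Distribution first: an unexpected version stands out faster in counts than in a long list.
    $summary = $computers | Group-Object OperatingSystem | Sort-Object Count -Descending |
               Select-Object @{n = 'OperatingSystem'; e = { $_.Name }}, Count

    $findings = foreach ($c in $computers) {
        $issues = @()
        foreach ($pat in $EndOfLifePatterns) {
            if ($c.OperatingSystem -like $pat) { $issues += 'End-of-life OS'; break }
        }
        if ($c.Enabled -and $c.PasswordLastSet -and $c.PasswordLastSet -lt $cutoff) {
            $issues += "Machine password older than $StaleDays days"
        }
        if ($c.Enabled -and -not $c.OperatingSystem) {
            $issues += 'No OS recorded (pre-created or never-joined account)'
        }
        if ($issues) {
            [pscustomobject]@{
                Name            = $c.Name
                OperatingSystem = $c.OperatingSystem
                PasswordLastSet = $c.PasswordLastSet
                LastLogonDate   = $c.LastLogonDate
                Issues          = ($issues -join '; ')
            }
        }
    }
    [pscustomobject]@{ Summary = $summary; Findings = $findings }
}

# Usage:
# $r = Get-ComputerHygieneReport
# $r.Summary  | Format-Table -AutoSize
# $r.Findings | Export-Csv .\computer-hygiene.csv -NoTypeInformation
```

A stale but enabled computer account is worth disabling: its password is still valid, and a machine rejoined under an old name inherits whatever group memberships the account accumulated.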
36. Get User Group Memberships with SID
This script gets all direct group memberships for a user and includes each group's SID.
Get-ADPrincipalGroupMembership -Identity "jdoe" | Select-Object Name, SID
37. Search for a Specific User in AD
This script searches for a user in Active Directory.
Get-ADUser -Filter {SamAccountName -eq "jdoe"}
38. Set User Logon Script
This script sets a logon script for a user. The path is relative to the domain's NETLOGON share (\\domain.com\NETLOGON), so the file must be placed there, and the share's permissions matter: a logon script that non-administrators can modify runs as every user who logs on.
Set-ADUser -Identity "jdoe" -ScriptPath "LogonScript.bat"
39. List All Domain Trusts
This script lists all domain trusts in Active Directory.
Get-ADTrust -Filter *
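The trust list on its own says little about exposure; what matters is direction and the per-trust settings that bound what a compromise of the other domain can do here. The report below is an added example, not part of the original page, and reads only the properties Get-ADTrust already returns. The labels in the Issues column are review prompts, not verdicts: selective authentication, for instance, is a hardening choice that some environments deliberately leave off.

```powershell
# Added example (not from the original page). Read-only; issue labels are review prompts.
Import-Module ActiveDirectory

function Get-TrustSecurityReport {
    Get-ADTrust -Filter * -Properties * | ForEach-Object {
        $t = $_
        $issues = @()
        # Direction is from this domain's point of view: Outbound or BiDirectional means this
        # domain accepts authentication from the other side, so these settings protect us.
        $dir = "$($t.Direction)"
        $acceptsFromOther = $dir -in @('Outbound', 'BiDirectional')

        if ($acceptsFromOther -and -not $t.IntraForest) {
            # SID filtering strips SIDs from outside the trusted domain out of inbound tickets.
            # Without it, SID history injected on the other side grants membership here.
            if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
                $issues += 'SID filtering (forest-aware) disabled'
            }
            if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
                $issues += 'SID filtering (quarantine) disabled on external trust'
            }
            # Without selective authentication every user of the trusted domain is Authenticated Users here.
            if (-not $t.SelectiveAuthentication) { $issues += 'Selective authentication off' }
        }
        # TGT delegation lets hosts in the other forest perform unconstrained delegation against this one.
        if ($t.TGTDelegation) { $issues += 'TGT delegation enabled' }
        if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys) { $issues += 'RC4 only' }

        [pscustomobject]@{
            Trust                   = $t.Name
            Direction               = $dir
            Type                    = $t.TrustType
            ForestTransitive        = $t.ForestTransitive
            IntraForest             = $t.IntraForest
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            SelectiveAuthentication = $t.SelectiveAuthentication
            TGTDelegation           = $t.TGTDelegation
            Issues                  = ($issues -join '; ')
        }
    }
}

# Usage: Get-TrustSecurityReport | Format-Table -AutoSize
```

Intra-forest trusts (parent-child, tree-root) are skipped for the SID filtering and selective authentication checks because those settings do not apply inside a forest; the forest boundary, not the domain, is the security boundary there.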
40. Delete Active Directory Group
This script deletes an Active Directory group.
Remove-ADGroup -Identity "Marketing" -Confirm:$false