How to manage Active Directory users and groups using PowerShell

1. How to get Active Directory related PowerShell commands
   a. Open Server Manager > select "Tools" > select "Active Directory Module for Windows PowerShell"
   b. Run the "Get-Command -Module ActiveDirectory" PowerShell cmdlet to list the AD-related commands

2. How to create Active Directory users
   a. Create an Active Directory user in the default location with the password "asd@123"

      New-ADUser -Name Darshana -UserPrincipalName Darshana@asus.local -SamAccountName Darshana -AccountPassword (ConvertTo-SecureString -AsPlainText "asd@123" -Force) -Enabled $True -DisplayName Darshana -Department IT -Surname Jayathilake

   c. Create a user in a specific location (child OU). In this example I'm creating a user account in a child OU.

      New-ADUser -Name Darshana -UserPrincipalName Darshana@asus.local -SamAccountName Darshana -AccountPassword (ConvertTo-SecureString -AsPlainText "asd@123" -Force) -Enabled $True -DisplayName Darshana -Department IT -Surname Jayathilake -Path "OU=Admins,OU=IT,DC=Asus,DC=local"

3. How to enable all disabled AD accounts
   • Note: this command will not enable accounts that are disabled by default, such as Guest. We can ignore that error.

4. List locked, inactive, expired accounts; manage locked accounts
   a. List all the locked AD accounts

      Search-ADAccount -UsersOnly -LockedOut

   b. List all the inactive user accounts

      Search-ADAccount -UsersOnly -AccountInactive

   c. All of these commands also display attributes that are not required, such as "ObjectGUID". Using the Format-Table cmdlet we can format the data and display only the required attributes.

      Search-ADAccount -UsersOnly -AccountInactive | Format-Table Name

   d. How to unlock an AD account

      Unlock-ADAccount -Identity Darshana

   e. Disable an AD account

      Disable-ADAccount -Identity Darshana

   f. Move all the disabled accounts to a specific OU (in this example it is DisabledUsers)

      Search-ADAccount -UsersOnly -AccountDisabled | Move-ADObject -TargetPath "ou=disabledUsers,DC=Asus,DC=local"

5. Search, find AD user accounts
   a. Search/filter user accounts

      With example 1 we can list all the users who work for the IT department.

      Get-ADUser -Filter {Department -like "IT*"}

      With example 2 we can list all the users whose names start with the letters SA. Using the FT (Format-Table) command we get only the name and surname.

      Get-ADUser -Filter {name -like "sa*"} | FT name,surname

      With example 3 we search for all the users in the IT OU. We can use the -SearchBase parameter for that purpose.

      Get-ADUser -Filter * -SearchBase "ou=IT,dc=asus,dc=local"

6. Modify user account using PowerShell
   a. Edit an Active Directory user's department or job title using PowerShell

      Set-ADUser -Identity Darshana -Department "IT Dept"

   b. Modify an attribute of multiple users using PowerShell
      With this example we are changing/adding the department name of all the users in the IT organizational unit.

      Get-ADUser -Filter * -SearchBase "ou=it,dc=asus,dc=local" | Set-ADUser -Department "IT"

7. Manage AD groups using PowerShell
   a. Create a new AD group using PowerShell

      New-ADGroup -GroupCategory Security -GroupScope Global -Name IT_Users

   b. Add members to an AD group

      Add-ADGroupMember -Identity IT_users -Members darshana,sanjaya

8. Remove AD objects using PowerShell (users, groups)
   a. Remove an AD user

      Remove-ADUser -Identity sanjaya

   b. Remove an AD group

      Remove-ADGroup -Identity IT_Users

* All the words marked in blue are variables and can be changed according to the environment.

Darshanaj.wordpress.com
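
A variant of the user-creation commands in section 2, as an added example that is not part of the original post: the initial password is prompted for rather than typed into the command line (where it can end up in console history, transcripts and script block logs), and the user must change it at first logon. The function name New-StarterADUser and its parameter defaults are assumptions made for this example; the domain and OU values are the ones used above.

```powershell
# Added example (not from the original post). New-StarterADUser is a
# hypothetical helper name; domain and OU defaults are the page's sample values.
Import-Module ActiveDirectory

function New-StarterADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Restricted to characters safe for the filter string below;
        # 20 characters is the sAMAccountName limit for user objects.
        [Parameter(Mandatory)] [ValidatePattern('^[\w.-]{1,20}$')] [string] $Name,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $Department,
        [string] $UpnSuffix = 'asus.local',
        [string] $Path      = 'OU=Admins,OU=IT,DC=Asus,DC=local'
    )

    # Stop early if the logon name is already taken.
    if (Get-ADUser -Filter "SamAccountName -eq '$Name'") {
        throw "An account with SamAccountName '$Name' already exists."
    }

    if ($PSCmdlet.ShouldProcess("$Name in $Path", 'Create AD user')) {
        # Read-Host -AsSecureString returns a SecureString directly, so the
        # password never appears as plain text in the command or the script.
        $initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $Name"

        $userParams = @{
            Name                  = $Name
            SamAccountName        = $Name
            UserPrincipalName     = "$Name@$UpnSuffix"
            DisplayName           = $Name
            Surname               = $Surname
            Department            = $Department
            Path                  = $Path
            AccountPassword       = $initialPassword
            ChangePasswordAtLogon = $true   # the operator-chosen password is single use
            Enabled               = $true
            PassThru              = $true
        }
        New-ADUser @userParams |
            Select-Object Name, SamAccountName, Enabled, DistinguishedName
    }
}

# Preview without creating anything or prompting for a password:
# New-StarterADUser -Name Darshana -Surname Jayathilake -Department IT -WhatIf
```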