Master Active Directory with These Powerful PowerShell One-Liners
Key Takeaways
- Efficiency: PowerShell one-liners drastically reduce the time and clicks needed for common Active Directory tasks like creating users or managing group memberships.
- Module Requirement: These commands require the ActiveDirectory PowerShell module. On Windows Server it is installed with the AD DS role (or the AD DS management tools). On Windows 10/11 clients it ships with the Remote Server Administration Tools (RSAT), which are an optional feature that must be installed first.
- Core Cmdlets: Most daily AD tasks revolve around a few key cmdlets: Get-ADUser, New-ADUser, Set-ADUser, Get-ADGroupMember, and Add-ADGroupMember.
- Bulk Operations: PowerShell excels at performing actions on multiple objects at once, such as resetting passwords for an entire OU or finding all inactive accounts.
- Safety First: Always test potentially destructive commands (anything starting with Set-, New-, Remove-, Disable- or Move-) in a lab environment, and use the -WhatIf parameter to preview changes before committing them. The cmdlets act with the rights of the account that runs them, so run them from an administrative workstation with a dedicated admin account rather than a daily-use identity.
Introduction: Supercharge Your AD Management
Active Directory is the core of identity and access management in most enterprise networks. While the graphical user interface (GUI) is familiar, it can be slow and inefficient for repetitive or bulk tasks. This is where PowerShell one-liners come in. By using single-line commands, you can instantly find, create, modify, and manage AD objects, helping you automate repetitive tasks and manage your environment with precision and speed.

How Do You Find Users in Active Directory with PowerShell?
The most common task in AD is retrieving user information. The Get-ADUser cmdlet is your primary tool for this, allowing you to find users based on almost any attribute.
A direct answer is to use the Get-ADUser cmdlet with the -Filter or -Identity parameter. The -Identity parameter finds a specific user, while -Filter allows you to search for users based on attributes like their department, name, or logon history.
Find a Specific User
To get the details for a single user by their username (SamAccountName):
Get-ADUser -Identity "jdoe"
Find All Users
To retrieve a list of every user account in your domain:
Get-ADUser -Filter *
Find Users in a Specific Department
Filter users based on their department attribute:
Get-ADUser -Filter 'Department -eq "Marketing"'
Find All Disabled User Accounts
To get a list of all user accounts that are currently disabled:
Get-ADUser -Filter 'Enabled -eq $false' -Properties Name, SamAccountName
Find Inactive User Accounts
You can find users who have not logged on for a specific period. This command finds all enabled users whose last logon was more than 90 days ago and whose passwords are set to expire. The cutoff is computed into a variable first, because the -Filter parser does not reliably evaluate method calls such as (Get-Date).AddDays(-90); and the filter uses LastLogonDate, the module's DateTime view of the lastLogonTimestamp attribute, so no conversion to a raw file-time integer is needed. Two caveats: lastLogonTimestamp is only replicated when it is more than 14 days out of date, so the value can lag a real logon by up to two weeks, and accounts that have never logged on have no LastLogonDate at all and will not match this filter.
$Cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $Cutoff -and Enabled -eq $true -and PasswordNeverExpires -eq $false} -Properties PasswordLastSet, LastLogonDate | Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate
How Can You Create and Modify AD Users with PowerShell?

Creating and updating users is a daily task for most administrators. The New-ADUser and Set-ADUser cmdlets make this process scriptable and instant, eliminating manual data entry. For more complex onboarding, see our guide to advanced user provisioning scripts.
Create a Simple User Account
This command creates a new user, sets a password, and enables the account:
$Password = Read-Host -AsSecureString -Prompt "Enter password for new user"
New-ADUser -Name "John Doe" -SamAccountName "jdoe" -AccountPassword $Password -Enabled $true
Create a User with Multiple Attributes
You can set multiple properties during creation, such as name, UPN, password, and the destination OU:
$Password = Read-Host -AsSecureString -Prompt "Enter password for Jane Smith"
New-ADUser -Name "Jane Smith" -GivenName "Jane" -Surname "Smith" -SamAccountName "jsmith" -UserPrincipalName "[email protected]" -Department "Marketing" -AccountPassword $Password -Enabled $true -Path "OU=Marketing,DC=contoso,DC=com"
Modify an Existing User’s Attributes
To change a property, like a user’s department or email address, use Set-ADUser:
# Change the department for user 'jdoe'
Set-ADUser -Identity "jdoe" -Department "Sales"
# Change the email address for user 'jdoe'
Set-ADUser -Identity "jdoe" -EmailAddress "[email protected]"
Enable a Disabled User Account
To quickly re-enable an account:
Enable-ADAccount -Identity "jdoe"
How Do You Manage User Passwords and Accounts?
PowerShell provides powerful cmdlets for managing account security, from resetting a single password to setting expiration dates.
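The one-liners in this section and the previous one each show one step. The script below is an added example (written for this edit, not code from the article or from any linked guide) that combines them into a bulk onboarding run plus a bulk password reset for an OU: a CSPRNG-generated single-use initial password, a forced change at first logon, an expiry date for contractors, input validation before anything reaches an AD filter, and -WhatIf support throughout. Everything specific is an assumption: the domain contoso.com, departmental OUs under OU=Staff,DC=contoso,DC=com, the CSV layout, and the function names New-InitialPassword, New-OnboardedUser and Reset-OUPassword are all the example's own; the CSV rows are constructed.

```powershell
# Added example, not from the original article. Assumptions (hypothetical):
# domain contoso.com, departmental OUs under OU=Staff,DC=contoso,DC=com, and the
# CSV layout below. Run with -WhatIf first, as the article advises.
Import-Module ActiveDirectory

# Constructed sample input; in practice: $NewHires = Import-Csv .\newhires.csv
$NewHires = @'
GivenName,Surname,SamAccountName,Department,Type,EndDate
Jane,Smith,jsmith,Marketing,Employee,
Raj,Patel,rpatel,Sales,Contractor,2025-12-31
'@ | ConvertFrom-Csv

function New-InitialPassword {
    # Random single-use password from a CSPRNG. The alphabet has exactly 64 symbols,
    # so 'byte % 64' is unbiased. Returned as a SecureString; handing it to the user
    # out of band is deliberately outside this script.
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*+'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    ConvertTo-SecureString -String $plain -AsPlainText -Force
}

function New-OnboardedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $Hire,
        [string]$Domain = 'contoso.com',
        [string]$BaseOU = 'OU=Staff,DC=contoso,DC=com'
    )
    $sam = $Hire.SamAccountName
    # Validate before the value is interpolated into an AD filter: no quotes or wildcards
    # from the CSV, and the 20-character pre-Windows 2000 logon name limit.
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') { throw "Invalid SamAccountName '$sam'" }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists; skipping"
        return
    }
    $params = @{
        Name                  = "$($Hire.GivenName) $($Hire.Surname)"
        GivenName             = $Hire.GivenName
        Surname               = $Hire.Surname
        SamAccountName        = $sam
        UserPrincipalName     = "${sam}@${Domain}"
        Department            = $Hire.Department
        Path                  = "OU=$($Hire.Department),$BaseOU"
        AccountPassword       = New-InitialPassword
        ChangePasswordAtLogon = $true   # the initial secret must not outlive first logon
        Enabled               = $true
    }
    # AD treats AccountExpirationDate as the instant the account stops working, so a
    # contractor who may work through 31 Dec needs an expiry of 1 Jan 00:00.
    if ($Hire.Type -eq 'Contractor' -and $Hire.EndDate) {
        $params.AccountExpirationDate = ([datetime]$Hire.EndDate).AddDays(1)
    }
    if ($PSCmdlet.ShouldProcess($sam, 'Create AD user')) { New-ADUser @params }
}

function Reset-OUPassword {
    # Bulk reset for every enabled user in an OU (e.g. after a credential leak). Nobody
    # learns the new values; users re-enrol through the helpdesk at next logon.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string]$OU)
    foreach ($u in Get-ADUser -SearchBase $OU -Filter 'Enabled -eq $true') {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Reset password and force change at next logon')) {
            Set-ADAccountPassword -Identity $u -NewPassword (New-InitialPassword) -Reset
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }
}

# Usage: preview, then drop -WhatIf to apply.
$NewHires | ForEach-Object { New-OnboardedUser -Hire $_ -WhatIf }
Reset-OUPassword -OU 'OU=Contractors,OU=Staff,DC=contoso,DC=com' -WhatIf
```

Both functions declare SupportsShouldProcess, so a single -WhatIf on the call prints what would happen and suppresses every write; the read-only Get-ADUser lookup still runs, which is what you want for a faithful preview.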

Reset a Single User’s Password
This command sets a new password for a specific user. The -Reset switch writes the password directly, which needs the "Reset password" right on the object; without it the cmdlet takes the change-password path and requires the old password as well. Pair a reset with a forced password change at next logon so the value the helpdesk chose is single-use:
$NewPassword = Read-Host -AsSecureString -Prompt "Enter new password for jdoe"
Set-ADAccountPassword -Identity "jdoe" -NewPassword $NewPassword -Reset
Set an Account Expiration Date
To set an expiration date for temporary or contract accounts. Note that AD treats the value as the moment the account stops working, so "12/31/2025" locks the account at midnight at the start of 31 December; use 1 January if the contractor should be able to work through the last day (the "End of" field in Active Directory Users and Computers makes this adjustment for you, the cmdlet does not):
Set-ADUser -Identity "jdoe" -AccountExpirationDate "12/31/2025"
How Do You Manage AD Groups and Memberships?
Managing group memberships is critical for controlling access to resources. PowerShell allows you to create groups, add or remove members in bulk, and query memberships efficiently.
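Querying membership matters most for privileged groups, where the question is not just "who is a member" but "who is effectively a member, and should they be". The following is an added example (not code from the article) of such an audit: it expands nested groups with -Recursive and flags members that are disabled, have non-expiring or old passwords, are not user objects, or are missing from an approved list. The group name, the approved list and the function name Get-PrivilegedGroupAudit are the example's own assumptions.

```powershell
# Added example, not from the original article. The approved list is constructed;
# in practice it would come from your PAM tool or a signed configuration file.
Import-Module ActiveDirectory

function Get-PrivilegedGroupAudit {
    param(
        [string]$Group = 'Domain Admins',
        [string[]]$Approved = @('Administrator', 'adm-jdoe'),   # hypothetical allowlist
        [int]$MaxPasswordAgeDays = 90
    )
    # -Recursive follows nested groups down to leaf objects, so a user added via
    # "Helpdesk -> Server Admins -> Domain Admins" is still reported here.
    foreach ($m in Get-ADGroupMember -Identity $Group -Recursive) {
        $findings = New-Object System.Collections.Generic.List[string]
        if ($Approved -notcontains $m.SamAccountName) { $findings.Add('not on approved list') }
        $u = $null
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, PasswordLastSet, LastLogonDate, PasswordNeverExpires
            if (-not $u.Enabled) { $findings.Add('disabled account still privileged') }
            if ($u.PasswordNeverExpires) { $findings.Add('password never expires') }
            if ($u.PasswordLastSet -and ((Get-Date) - $u.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
                $findings.Add("password older than $MaxPasswordAgeDays days")
            }
        } else {
            # Computers, service accounts or unexpected classes in an admin group need a look.
            $findings.Add("non-user object ($($m.objectClass))")
        }
        [pscustomobject]@{
            Group     = $Group
            Member    = $m.SamAccountName
            Class     = $m.objectClass
            Enabled   = if ($u) { $u.Enabled } else { $null }
            LastLogon = if ($u) { $u.LastLogonDate } else { $null }
            Findings  = ($findings -join '; ')
        }
    }
}

# Usage: review on screen, then keep a dated CSV as the audit record.
$report = Get-PrivilegedGroupAudit -Group 'Domain Admins'
$report | Where-Object Findings | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path ".\DomainAdmins-$(Get-Date -Format yyyyMMdd).csv"
```

Get-ADGroupMember throws when a group contains members from a trusted domain (foreign security principals); for those groups read the group's Member attribute with Get-ADGroup -Properties Member and resolve each DN yourself.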
Create a New Security Group
To create a new group, simply provide a name and scope:
# Create a simple group
New-ADGroup -Name "Marketing Team" -GroupScope Global
# Create a group with a description
New-ADGroup -Name "Sales Team" -Description "Security group for the sales department" -GroupScope Global
Add a User to a Group
Use Add-ADGroupMember to add one or more users to a group:
Add-ADGroupMember -Identity "Marketing Team" -Members "jdoe"
List All Members of a Group
To see who belongs to a group, use Get-ADGroupMember. By default it lists direct members only, so a nested group appears as a single group object; add -Recursive to expand nested groups down to their users and computers:
Get-ADGroupMember -Identity "Marketing Team" | Select-Object Name
Remove a User from a Group
To revoke access, remove a user from a group:
Remove-ADGroupMember -Identity "Marketing Team" -Members "jdoe"
Find All Groups a User Belongs To
Quickly check a user’s group memberships. This returns the groups the user is a direct member of (plus the primary group); it does not expand groups that those groups are in turn members of, so it understates effective access through nesting:
Get-ADPrincipalGroupMembership -Identity "jdoe" | Select-Object Name
How Can You Manage Computer Accounts in AD?
Managing computer objects is just as important as managing users. This includes finding, disabling, and organizing computer accounts to maintain a clean and secure directory. Properly managing these objects is a key part of maintaining Active Directory hygiene.
A direct answer is to use cmdlets like Get-ADComputer to find computers, Disable-ADAccount to disable them, and Move-ADObject to move them between OUs.
Find All Computers Running a Specific OS
To get a list of all computers running a version of Windows 10:
Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' -Properties OperatingSystem | Select-Object Name, OperatingSystem
Find and Disable Inactive Computer Accounts
This one-liner finds computer accounts that have been inactive for over 120 days and disables them. Inactivity is judged from lastLogonTimestamp, which is only replicated when it is more than 14 days out of date, so keep the window well above two weeks:
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan "120.00:00:00" | Disable-ADAccount -WhatIf
Note: The -WhatIf parameter shows what would happen without actually making changes. Remove it to perform the disable action.
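A one-shot pipeline into Disable-ADAccount is fine for a lab, but in production a stale-account clean-up is usually staged. The script below is an added example (not code from the article) that serves both the inactive-user search earlier in the article and the inactive-computer clean-up here: it separates accounts that have never logged on from ones that went quiet, ignores objects created inside the window, records the date, reason and original location in the description (so the change is reversible), then disables the object and moves it to a quarantine OU, honouring -WhatIf at every step. The quarantine OU OU=Quarantine,DC=contoso,DC=com and the function names Get-StaleAccount and Invoke-StaleAccountQuarantine are the example's own assumptions.

```powershell
# Added example, not from the original article. Assumption (hypothetical):
# OU=Quarantine,DC=contoso,DC=com exists and is covered by a restrictive GPO.
Import-Module ActiveDirectory

function Get-StaleAccount {
    param(
        [ValidateSet('User', 'Computer')] [string]$Kind = 'Computer',
        [int]$InactiveDays = 120
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $props = 'LastLogonDate', 'whenCreated', 'Description'
    $objects = if ($Kind -eq 'User') {
        Get-ADUser -Filter 'Enabled -eq $true' -Properties $props
    } else {
        Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props
    }
    foreach ($o in $objects) {
        # lastLogonTimestamp replicates only when >14 days stale, so LastLogonDate can lag
        # real activity by up to two weeks: keep InactiveDays well above 14.
        $reason = if (-not $o.LastLogonDate) {
            # Never logged on: only stale if the object itself is older than the window.
            if ($o.whenCreated -lt $cutoff) { 'never logged on' }
        } elseif ($o.LastLogonDate -lt $cutoff) {
            "no logon since $($o.LastLogonDate.ToString('yyyy-MM-dd'))"
        }
        if ($reason) {
            [pscustomobject]@{
                Object    = $o
                Name      = $o.Name
                Created   = $o.whenCreated
                LastLogon = $o.LastLogonDate
                Reason    = $reason
            }
        }
    }
}

function Invoke-StaleAccountQuarantine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Stale,
        [string]$QuarantineOU = 'OU=Quarantine,DC=contoso,DC=com'
    )
    process {
        $o = $Stale.Object
        if ($PSCmdlet.ShouldProcess($o.DistinguishedName, "Disable and quarantine ($($Stale.Reason))")) {
            # Stamp reason and original DN first so the action can be reversed later.
            $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd): $($Stale.Reason); was in $($o.DistinguishedName)"
            Set-ADObject -Identity $o -Description $stamp
            Disable-ADAccount -Identity $o
            Move-ADObject -Identity $o -TargetPath $QuarantineOU   # last, because the DN changes
        }
    }
}

# Usage: report first, then preview with -WhatIf, then run for real.
$stale = Get-StaleAccount -Kind Computer -InactiveDays 120
$stale | Select-Object Name, Created, LastLogon, Reason | Format-Table -AutoSize
$stale | Invoke-StaleAccountQuarantine -WhatIf
```

Run the same two steps with -Kind User for stale user accounts. Disabling before deleting keeps the SID and group memberships intact for the review period; deletion, if it follows at all, is a separate later step.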
Move a Computer to a Different OU
To reorganize your computers, you can move an object to a new OU:
Get-ADComputer "computer01" | Move-ADObject -TargetPath "OU=Workstations,DC=contoso,DC=com"
Conclusion
These PowerShell one-liners are just the beginning. By mastering these fundamental commands, you can build more complex scripts to automate nearly any aspect of Active Directory management. This not only saves valuable time but also reduces the risk of human error, leading to a more secure and efficiently run environment.
