Managing Active Directory with PowerShell

PowerShell has transformed the way system administrators manage and automate tasks in Active Directory. With the Active Directory module for PowerShell, administrators can perform tasks such as user creation, modification, and group membership changes directly from the command line or by executing scripts. This article provides an introduction to managing Active Directory using PowerShell.

Setting Up the Active Directory module

Before we start, ensure that the Active Directory module for PowerShell is installed. It comes with the Remote Server Administration Tools (RSAT) on client operating systems, or as part of the Active Directory Domain Services (AD DS) role on server operating systems.

You can import the module using the Import-Module cmdlet:

Import-Module ActiveDirectory

Working with user accounts

Creating, modifying, and removing user accounts is a common task in Active Directory. Here are examples of how you can accomplish these tasks using PowerShell.

Creating a new user

The New-ADUser cmdlet creates a new user. Here is an example:

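New-ADUser -SamAccountName jdoe -UserPrincipalName jdoe@example.com -Name "John Doe" -GivenName John -Surname Doe -Enabled $True -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)

This command creates a new user named “John Doe” with the specified SAM account name and User Principal Name (UPN). The account is enabled and assigned a password. The password is written in single quotes because PowerShell expands variables inside double-quoted strings, and `$$` is an automatic variable, so a double-quoted "Pa$$w0rd" would not set the password as typed.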

Modifying a user

The Set-ADUser cmdlet modifies properties of an existing user. Here is an example of changing a user’s title:

Set-ADUser jdoe -Title "IT Manager"

This command sets the title of the user with SAM account name “jdoe” to “IT Manager”.

Removing a user

The Remove-ADUser cmdlet removes a user. Here is an example:

Remove-ADUser jdoe

This command removes the user with SAM account name “jdoe”.

Working with groups

PowerShell makes it easy to manage group membership.

Adding a user to a group

The Add-ADGroupMember cmdlet adds a user to a group. Here is an example:

Add-ADGroupMember -Identity "IT Group" -Members jdoe

This command adds the user “jdoe” to the “IT Group”.
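The following is an added example, not code from the original article: it combines New-ADUser and Add-ADGroupMember into one helper that takes the initial password from a masked prompt instead of the command line, forces a change at first logon, and supports -WhatIf. The function name `New-StagedADUser` and its parameter names are hypothetical; `jdoe`, `example.com` and "IT Group" are the article's sample values.

```powershell
# Added example (hypothetical helper, not from the original article).
# Requires the ActiveDirectory module (RSAT or the AD DS role).
Import-Module ActiveDirectory

function New-StagedADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Restrict the name to safe characters: it is embedded in an AD filter below.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
        [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $UpnSuffix,
        # SecureString only: the plaintext never appears in history or transcripts.
        [Parameter(Mandatory)] [securestring] $InitialPassword,
        [string[]] $Groups = @()
    )

    # Refuse to continue if the account already exists.
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        throw "User '$SamAccountName' already exists."
    }

    # Resolve every group first so a mistyped name fails before anything is created.
    $resolved = foreach ($g in $Groups) { Get-ADGroup -Identity $g -ErrorAction Stop }

    # With -WhatIf this block is skipped and only the intended action is reported.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Create user and add to groups')) {
        $user = New-ADUser -SamAccountName $SamAccountName `
            -UserPrincipalName "$SamAccountName@$UpnSuffix" `
            -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
            -AccountPassword $InitialPassword -ChangePasswordAtLogon $true `
            -Enabled $true -PassThru -ErrorAction Stop

        foreach ($group in $resolved) {
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
        }
        $user   # return the new user object to the caller
    }
}

# Usage: type the password at a masked prompt, then dry-run with -WhatIf.
$pw = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
New-StagedADUser -SamAccountName jdoe -GivenName John -Surname Doe `
    -UpnSuffix example.com -InitialPassword $pw -Groups 'IT Group' -WhatIf
```

Remove -WhatIf from the last command to actually create the account.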

Removing a user from a group

The Remove-ADGroupMember cmdlet removes a user from a group. Here is an example:

Remove-ADGroupMember -Identity "IT Group" -Members jdoe

This command removes the user “jdoe” from the “IT Group”.

Best practices

Here are some best practices to consider when managing Active Directory with PowerShell:

Conclusion

Managing Active Directory with PowerShell can increase efficiency, reduce errors, and improve control over your IT environment. As we’ve seen, with just a few cmdlets, you can accomplish many common tasks.
