PowerShell Reference

A growing library of PowerShell tools and patterns I've put together as a sysadmin. Public and open-source for anyone who wants to learn, copy, or contribute.

Active Directory PowerShell Reference

PowerShell commands and examples for managing Active Directory. Useful for sysadmins working with domain controllers, users, groups, OUs, and GPOs.


Prerequisites

The ActiveDirectory module is installed with RSAT (see Tools at the end of this page) and is present on domain controllers by default. Load it before running anything below:

Import-Module ActiveDirectory

User Management

Create a New User

New-ADUser -Name "John Doe" -SamAccountName jdoe -UserPrincipalName jdoe@example.com -Path "OU=Staff,DC=example,DC=com" -AccountPassword (Read-Host -AsSecureString "Set Password") -Enabled $true

If the password does not meet the domain password policy, the user object is still created but left disabled, so check the account state after an error rather than assuming nothing was written.

Reset Password

Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (Read-Host -AsSecureString "New Password")

Enable/Disable Account

Enable-ADAccount -Identity jdoe
Disable-ADAccount -Identity jdoe

Move User to Another OU

Move-ADObject -Identity "CN=John Doe,OU=Staff,DC=example,DC=com" -TargetPath "OU=IT,DC=example,DC=com"

Group Management

Create a Group

New-ADGroup -Name "HR Staff" -GroupScope Global -GroupCategory Security -Path "OU=Groups,DC=example,DC=com"

Add or Remove a User from a Group

Add-ADGroupMember -Identity "HR Staff" -Members jdoe
Remove-ADGroupMember -Identity "HR Staff" -Members jdoe -Confirm:$false
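The user and group commands above are the building blocks of an offboarding; the following is an added example (not part of the original reference) that puts them together in the order that matters for security: disable first, then burn the password, strip group memberships, leave an audit note and park the object in a holding OU. The OU "OU=Disabled Users,DC=example,DC=com" is an assumption; change it to your own.

```powershell
# Added example, not from the original reference. The holding OU below is an assumption.
Import-Module ActiveDirectory

function Disable-StaffAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisabledOU = "OU=Disabled Users,DC=example,DC=com",   # assumed OU
        [string]$Reason = "Offboarded"
    )

    # -WhatIf / -Confirm given to this function propagate to every AD cmdlet called inside it.
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Disable first so no later step runs against an account that can still log on.
    #    Neither this nor the password reset revokes Kerberos tickets already issued; they
    #    only stop new ones, so do this as early as possible.
    Disable-ADAccount -Identity $user

    # 2. Reset the password to a random value that is never displayed or stored, so a
    #    shared or leaked password cannot be reused if the account is ever re-enabled.
    $random = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)
    $newPassword = ConvertTo-SecureString -AsPlainText -Force -String ('{0}!' -f [Convert]::ToBase64String($random))
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

    # 3. Remove every direct group membership. MemberOf does not list the primary group
    #    (normally Domain Users), which stays; AD refuses to remove an object from its primary group.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Record who did it and when on the object itself, then move it out of the live OU.
    Set-ADUser -Identity $user -Description ('{0} {1:yyyy-MM-dd} by {2}' -f $Reason, (Get-Date), $env:USERNAME)
    Move-ADObject -Identity $user -TargetPath $DisabledOU

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        GroupsRemoved  = @($user.MemberOf).Count
        MovedTo        = $DisabledOU
    }
}

# Dry run first, then for real:
# Disable-StaffAccount -SamAccountName jdoe -Reason 'Left company' -WhatIf
# Disable-StaffAccount -SamAccountName jdoe -Reason 'Left company'
```

Run it with -WhatIf before trusting it on a real account: every AD cmdlet inside honours the switch, so the dry run lists each group removal and the move without changing anything.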

๐Ÿข OU Management

Create OU

New-ADOrganizationalUnit -Name "IT" -Path "DC=example,DC=com"

Rename OU

Rename-ADObject -Identity "OU=OldName,DC=example,DC=com" -NewName "NewName"

Searching & Filtering

Find a User by Name

-> Match any name containing "john" (AD filter matching is case-insensitive)

Get-ADUser -Filter "Name -like '*john*'"

-> Match names starting with "john"

Get-ADUser -Filter "Name -like 'john*'"

-> Match names ending with "john"

Get-ADUser -Filter "Name -like '*john'"

-> Match exactly "John"

Get-ADUser -Filter "Name -eq 'John'"

-> Request only the non-default attributes you need; -Properties * pulls every attribute of every match and is slow on large domains

Get-ADUser -Filter "Name -like '*john*'" -Properties EmailAddress |
    Select-Object Name, SamAccountName, EmailAddress

List Disabled Accounts

Get-ADUser -Filter 'Enabled -eq $false' -Properties Enabled

Find Users Not Logged In for X Days

Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00

This relies on lastLogonTimestamp, which is only replicated between domain controllers when it is more than 9 to 14 days out of date, so treat the result as accurate to about two weeks and review it before disabling anything.
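A one-line inactive search gives names but not the context needed to act on them. The following added example (not part of the original reference) builds a stale-account report with last logon, password age and the PasswordNeverExpires flag, pads the window for lastLogonTimestamp replication lag, and handles accounts that have never logged on. The SearchBase OU is an assumption; point it at your own user OU.

```powershell
# Added example, not from the original reference. The SearchBase OU is an assumption.
Import-Module ActiveDirectory

function Get-StaleUserReport {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = "OU=Staff,DC=example,DC=com"   # assumed OU
    )
    # LastLogonDate is the replicated lastLogonTimestamp, which is only updated when it is
    # more than 9 to 14 days old. Pad the cutoff so a recent logon recorded on another DC
    # is not mistaken for inactivity.
    $cutoff = (Get-Date).AddDays(-($InactiveDays + 14))

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated |
    Where-Object {
        # An account that has never logged on has no LastLogonDate; measure it from creation
        # so a brand-new account is not flagged but a months-old unused one is.
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $last -lt $cutoff
    } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated,
        @{ Name = 'DaysIdle'; Expression = {
            $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
            [int]((Get-Date) - $last).TotalDays } } |
    Sort-Object DaysIdle -Descending
}

# Review first; idle accounts with PasswordNeverExpires set are the ones to deal with first.
# Get-StaleUserReport -InactiveDays 90 | Format-Table -AutoSize
#
# Disable after review (-WhatIf shows what would change without touching anything):
# Get-StaleUserReport | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

The disable step is piped through ForEach-Object on purpose: Disable-ADAccount binds its -Identity from the pipeline only for AD objects or plain strings, not for the report's custom objects.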

Testing & Validation

Check if User Exists

Get-ADUser -Identity jdoe

-Identity throws an ADIdentityNotFoundException when the account does not exist, so in a script either wrap it in try/catch or use -Filter, which simply returns nothing:

Get-ADUser -Filter "SamAccountName -eq 'jdoe'"

Test Group Membership

Get-ADPrincipalGroupMembership -Identity jdoe | Select-Object Name, GroupScope

(There is no Get-ADUserMemberOf cmdlet in the ActiveDirectory module.) This lists direct memberships plus the primary group only; membership inherited through nested groups is not shown.
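Listing groups is fine interactively, but a script usually wants a yes/no answer, and for privileged groups the answer has to include nesting. The following added example (not part of the original reference) returns a boolean for direct membership, or, with -Recursive, lets the domain controller walk nested groups in a single LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN matching rule. The user and group names in the usage lines are placeholders.

```powershell
# Added example, not from the original reference.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in an LDAP filter; backslash must be done first.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-ADGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$Recursive
    )
    $user  = Get-ADUser  -Identity $SamAccountName
    $group = Get-ADGroup -Identity $GroupName

    if ($Recursive) {
        # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC expand nested
        # groups itself, so one query covers "jdoe -> Helpdesk -> Server Ops -> Domain Admins"
        # without enumerating every group (Get-ADGroupMember -Recursive does, and is capped by
        # the server's MaxGroupOrMemberEntries limit). It does not see membership that comes
        # only from primaryGroupID (normally Domain Users).
        $escapedUser  = ConvertTo-LdapFilterValue $SamAccountName
        $escapedGroup = ConvertTo-LdapFilterValue $group.DistinguishedName
        $filter = "(&(objectClass=user)(sAMAccountName=$escapedUser)(memberOf:1.2.840.113556.1.4.1941:=$escapedGroup))"
        return [bool](Get-ADUser -LDAPFilter $filter)
    }

    # Direct membership only. Compare distinguished names, not display names, so a group with
    # the same name in another OU cannot produce a false positive.
    $direct = Get-ADGroupMember -Identity $group |
        Where-Object { $_.distinguishedName -eq $user.DistinguishedName }
    return [bool]$direct
}

# Test-ADGroupMembership -SamAccountName jdoe -GroupName 'HR Staff'
# Test-ADGroupMembership -SamAccountName jdoe -GroupName 'Domain Admins' -Recursive
```

Use the -Recursive form when auditing privileged groups: a user who is a member of Domain Admins only through two levels of nesting is still a domain admin, and a direct-membership check will miss them.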

Check the Computer's Secure Channel to the Domain

Test-ComputerSecureChannel

Returns True if the secure channel between the local computer account and the domain is intact, or False if it is broken. This is the check behind the "trust relationship between this workstation and the primary domain failed" logon error; it concerns the machine account, not a trust between domains. Run it from an elevated prompt.

For verbose output: Test-ComputerSecureChannel -Verbose
To force a repair (if broken): Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

-Repair resets the computer account password in the domain, so the credential must belong to an account allowed to do that (a domain admin, or an account delegated "Reset password" on the computer object).

Remote (if PowerShell remoting is enabled):

Invoke-Command -ComputerName RemotePCName -ScriptBlock { Test-ComputerSecureChannel }

Because Invoke-Command authenticates to the target with its domain credentials, a machine whose secure channel really is broken usually cannot be reached this way; the repair then has to be run locally with a local administrator logon.
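Checking one machine at a time does not scale to an OU. The following added example (not part of the original reference) runs the check across a list of computers and returns one result object per machine, recording the error for hosts that cannot be reached instead of stopping at the first failure. The computer names in the usage line are placeholders.

```powershell
# Added example, not from the original reference.
Import-Module ActiveDirectory

function Test-SecureChannelSweep {
    param(
        # Any list of names; for a whole OU use (Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ou).Name
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    foreach ($name in $ComputerName) {
        try {
            $ok = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock { Test-ComputerSecureChannel }
            [pscustomobject]@{ Computer = $name; SecureChannel = [bool]$ok; Error = $null }
        }
        catch {
            # Host offline, WinRM disabled, or (typically) the target's own broken secure channel
            # made the logon to it fail. These are the machines that need a hands-on repair.
            [pscustomobject]@{ Computer = $name; SecureChannel = $null; Error = $_.Exception.Message }
        }
    }
}

# Show only the machines that did not return True:
# Test-SecureChannelSweep -ComputerName 'PC01','PC02','PC03' | Where-Object { $_.SecureChannel -ne $true }
```

Treat an Error entry as a finding in its own right: a domain-joined machine that rejects a domain logon is the usual symptom of exactly the broken channel the sweep is looking for.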

Exporting Results

Export Users to CSV

Get-ADUser -Filter * -Properties Name,EmailAddress | Select-Object Name,EmailAddress | Export-Csv -Path ".\Users.csv" -NoTypeInformation

-Filter * returns every user in the domain; add -SearchBase "OU=Staff,DC=example,DC=com" to scope the export to one OU.

Password & Account Policies

Force Password Change at Next Logon

Set-ADUser jdoe -ChangePasswordAtLogon $true

This cannot be set to $true on an account that has PasswordNeverExpires set; clear that flag first (Set-ADUser jdoe -PasswordNeverExpires $false) or the change is rejected.

Unlock Account

Unlock-ADAccount -Identity jdoe

Tools

Install Active Directory Users and Computers (ADUC, Win 11)

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

Run this from an elevated prompt. The same capability installs the ActiveDirectory PowerShell module used throughout this page.

Check installed RSAT tools

Get-WindowsCapability -Online | Where-Object Name -like "*RSAT*"