Most system administrators are familiar with managing user accounts and groups through the Active Directory Users and Computers (ADUC) MMC snap-in. While the GUI is intuitive, it can become inefficient when managing a large environment. Enter PowerShell — a powerful scripting tool that can streamline and automate many Active Directory (AD) administrative tasks.
In this article, we’ll explore how to use PowerShell to manage Active Directory, covering basic yet essential commands that every Windows administrator should know. If you’re new to scripting or PowerShell, this is the perfect starting point.
Why Use PowerShell for Active Directory Management?
PowerShell allows admins to:
- Perform repetitive tasks quickly and consistently
- Automate multi-step processes
- Query, filter, and manipulate AD objects in bulk
- Improve operational efficiency and reduce human error
Before diving into commands, we need to ensure the Active Directory module is available.
Setting Up the PowerShell AD Module
The Active Directory PowerShell module isn’t loaded by default. To get started:
Import the Active Directory module:
```powershell
Import-Module ActiveDirectory
```
View available commands in the module:
```powershell
Get-Command -Module ActiveDirectory
```
This will list all the AD-specific cmdlets like Get-ADUser, Set-ADAccountPassword, Add-ADGroupMember, and many more.
Resetting a User’s Password
One of the most common help desk tasks is resetting passwords. With PowerShell, this can be done instantly:
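```powershell
Set-ADAccountPassword -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force)
```
This uses ConvertTo-SecureString to wrap the new password in a SecureString and applies it directly to the user object. The plaintext password is still written out in the command line, so it is visible in any script, transcript or log that records the command.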
Disable and Enable a User Account
Disable an account:
```powershell
Disable-ADAccount -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com'
```
Re-enable it:
```powershell
Enable-ADAccount -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com'
```
This is particularly useful for offboarding or temporary suspensions.
Unlock a Locked Account
```powershell
Unlock-ADAccount -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com'
```
Use this when users get locked out after too many failed login attempts.
Delete a User Account
```powershell
Remove-ADUser -Identity 'CN=Johnathan.Brown,OU=Accounts,DC=mydomain,DC=com'
```
Bulk delete inactive accounts:
```powershell
Get-ADUser -Filter "enabled -eq 'false'" -Property WhenChanged -SearchBase "OU=Employees,DC=mydomain,DC=com" |
Where-Object {$_.WhenChanged -le (Get-Date).AddDays(-180)} |
Remove-ADUser -WhatIf
```
This command finds all disabled accounts under the Employees OU whose object was last changed 180 or more days ago, which it treats as inactive, and only simulates their deletion because of -WhatIf. Nothing is removed until -WhatIf is taken off.
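The same clean-up as a reusable function, added here as an example and not part of the original article: it writes a CSV of the candidates before anything is touched and routes every deletion through ShouldProcess so that -WhatIf and -Confirm behave as expected. The function name, its parameter names and the report path are hypothetical; the OU is the article's sample value.

```powershell
#Requires -Modules ActiveDirectory

function Remove-StaleDisabledUser {   # hypothetical name, not a built-in cmdlet
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $ReportPath,
        [ValidateRange(1, 3650)] [int] $Days = 180
    )

    $cutoff = (Get-Date).AddDays(-$Days)
    $query  = @{
        Filter     = "Enabled -eq 'false'"
        SearchBase = $SearchBase
        Properties = 'WhenChanged', 'LastLogonDate'
    }

    # Same selection as the article's one-liner: disabled accounts whose object
    # has not been modified since the cutoff. LastLogonDate is fetched only so
    # the reviewer can see it in the report.
    $candidates = @(Get-ADUser @query | Where-Object { $_.WhenChanged -le $cutoff })
    if ($candidates.Count -eq 0) {
        Write-Verbose "Nothing to remove under $SearchBase."
        return
    }

    # Write the audit record first. -WhatIf:$false makes sure the report is
    # still produced during a dry run, where Export-Csv would otherwise be skipped.
    $candidates |
        Select-Object SamAccountName, DistinguishedName, WhenChanged, LastLogonDate |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($user in $candidates) {
        # ShouldProcess honours -WhatIf and -Confirm passed to this function.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Remove-ADUser')) {
            Remove-ADUser -Identity $user -Confirm:$false
        }
    }
}

# Dry run: writes the report and deletes nothing.
Remove-StaleDisabledUser -SearchBase 'OU=Employees,DC=mydomain,DC=com' -ReportPath '.\stale-disabled-users.csv' -WhatIf
```

Run it without -WhatIf only after the CSV has been reviewed; each deletion then asks for confirmation.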
Find Empty Groups in Active Directory
Basic empty group scan:
```powershell
Get-ADGroup -Filter * | Where-Object { -Not ($_ | Get-ADGroupMember) } | Select Name
```
Targeted scan (Universal groups only in a specific OU):
```powershell
Get-ADGroup -Filter "members -notlike '*' -AND GroupScope -eq 'Universal'" -SearchBase "OU=Groups,OU=Employees,DC=mydomain,DC=com" |
Select Name, GroupScope
```
This is helpful for cleaning up stale or unused groups.
Add a User to a Group
```powershell
Add-ADGroupMember -Identity "BrisbaneLionsTeam" -Members "JBrown"
```
You can also add multiple users at once by passing a comma-separated list of usernames to -Members.
View Members of a Group
```powershell
Get-ADGroupMember -Identity "Domain Admins"
```
This command lists the direct members of “Domain Admins”, both users and nested groups. The members of those nested groups are not expanded in this output.
Start Experimenting with PowerShell AD Commands
This introduction just scratches the surface of what you can do with PowerShell and Active Directory. Once you become comfortable with basic commands, you’ll be ready to build more powerful scripts that automate complex admin tasks and save you time.
“It’s not a question of if you’ll use PowerShell to manage AD — it’s a question of when.”
Final Thoughts
PowerShell offers an efficient, scriptable, and repeatable way to manage Active Directory. Whether you’re resetting passwords, disabling accounts, or managing groups, these commands form the foundation of modern AD administration.
