PowerShell How-To

Manage Active Directory User Accounts with PowerShell

Microsoft's Active Directory (AD) is a popular service that many organizations use for identity management today. If you're just managing a few employees with user accounts, you could get by with the AD Users and Computers (ADUC) or AD Administrative Center (ADAC) consoles.

But if you're in a large organization, you've got to look for a way to automate this process. And the best way to do that is with PowerShell.

Managing AD user accounts with PowerShell requires a freely available PowerShell module aptly named ActiveDirectory. This module comes with the Remote Server Administration Toolkit (RSAT). If you don't have this already, you'll need to download and install it.

Also, to follow along with this article, you'll need to be working on a computer that's joined to your AD domain, using an account with appropriate privileges to read and modify user accounts.

Once you've got the PowerShell module installed on a domain-joined Windows computer, you're good to go!

Using Get-ADUser
To get started, let's first pull a list of all AD users in your domain. I don't want all of the users, since I'm just testing a few things, so I'll limit the number to five with the Select-Object command.

If I open up my PowerShell console and use the Get-Aduser command, I should immediately get back a list of user accounts in my domain.

PS> Get-Aduser -Filter * | Select-Object -First 5

That's all well and good, but most of the time, I'm not looking for all of the user accounts. Instead, I'm only searching for a single user account or a few at a time. To limit the number of user accounts returned, I can use the Filter parameter. This parameter allows me to create an AD filter that will only return user accounts matching the criteria I use.

For example, perhaps I'd like to see all of the user accounts with a last name of Jones. To do that, I can craft a filter that only returns this information. The Filter syntax is a lot like PowerShell's Where-Object filter but a little different. If you run into problems, be sure to refer to the help on the Get-AdUser command or online.

PS> Get-Aduser -Filter 'SurName -eq "Jones"'

DistinguishedName : CN=jjones,OU=PowerLab Users,DC=techsnips,DC=local
Enabled : False
GivenName : Joe
Name : jjones
ObjectClass : user
ObjectGUID : b9db15cc-d059-46f6-8527-a1556da67f12
SamAccountName : jjones
SID : S-1-5-21-2376398361-1233344334-642980347-1106
Surname : Jones
UserPrincipalName :

Notice that Select-Object is no longer necessary, since with the filter in place Get-AdUser only returns a subset of user accounts!

Using Set-ADUser
Perhaps you need to modify existing AD accounts rather than just read them. This is no problem with PowerShell and the Set-AdUser command. As an example, maybe that Bertram guy changed departments recently and I, as the administrator, need to reflect that in AD. To do that, I can simply pipe the user account I receive from Get-AdUser directly to Set-AdUser while using the parameter name of Department. Parameter names are typically the same as the AD attribute names.

PS> Get-Aduser -Filter 'SurName -eq "Jones"' | Set-AdUser -Department 'Accounting'

Once I do this, I can then use Get-AdUser again and this time use the Properties parameter since Department isn't a property that's returned by default.

PS> Get-Aduser -Filter 'SurName -eq "Jones"' -Properties Department


Department : Accounting
DistinguishedName : CN=jjones,OU=PowerLab Users,DC=techsnips,DC=local
Enabled : False
GivenName : Joe
Name : jjones
ObjectClass : user
ObjectGUID : b9db15cc-d059-46f6-8527-a1556da67f12
SamAccountName : jjones
SID : S-1-5-21-2376398361-1233344334-642980347-1106
Surname : Jones
UserPrincipalName :
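
A surname filter can match more than one account, and the pipeline above changes every account it matches. The following is an added example, not code from the original article: a wrapper that refuses to write unless the filter matches the expected number of accounts, supports -WhatIf and -Confirm, and returns a before/after record. The function name Set-DepartmentGuarded and its ExpectedCount parameter are hypothetical; it assumes the ActiveDirectory module and a domain-joined session as described earlier.

```powershell
#Requires -Modules ActiveDirectory
# Added example: Set-DepartmentGuarded and -ExpectedCount are hypothetical names.

function Set-DepartmentGuarded {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Filter,      # same syntax as Get-ADUser -Filter
        [Parameter(Mandatory)] [string] $Department,
        [int] $ExpectedCount = 1                      # how many accounts should match
    )

    # Resolve the filter first and force an array so .Count works for 0 or 1 results.
    $users = @(Get-ADUser -Filter $Filter -Properties Department)

    # Stop before any write if the filter is broader (or narrower) than intended.
    if ($users.Count -ne $ExpectedCount) {
        $names = $users.SamAccountName -join ', '
        throw "Filter matched $($users.Count) account(s), expected ${ExpectedCount}: $names"
    }

    foreach ($user in $users) {
        $action = "Change Department from '$($user.Department)' to '$Department'"

        # With -WhatIf this only prints the action; with -Confirm it prompts per account.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) {
            Set-ADUser -Identity $user -Department $Department

            # Read the attribute back and emit a record suitable for a change log.
            $after = Get-ADUser -Identity $user.ObjectGUID -Properties Department
            [pscustomobject]@{
                SamAccountName = $after.SamAccountName
                OldDepartment  = $user.Department
                NewDepartment  = $after.Department
                ChangedBy      = "$env:USERDOMAIN\$env:USERNAME"
                ChangedAtUtc   = (Get-Date).ToUniversalTime().ToString('o')
            }
        }
    }
}

# Preview the change without writing to AD.
Set-DepartmentGuarded -Filter 'Surname -eq "Jones"' -Department 'Accounting' -WhatIf

# Apply it, prompting before each account is modified.
Set-DepartmentGuarded -Filter 'Surname -eq "Jones"' -Department 'Accounting' -Confirm
```

Set-AdUser itself also accepts -WhatIf, so the one-line pipeline shown earlier can be previewed the same way before it is run for real.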

We just touched on some of the handy tasks you can do around AD user accounts and PowerShell. If you'd like to really dive into this topic and learn just about everything you can do with AD and PowerShell, I encourage you to check out the Udemy course Managing and Automating Active Directory with PowerShell. It covers, in depth, everything you need to know to work in AD with PowerShell. If courses aren't your thing, TechSnips.io has dozens of free videos to help you, as well.

About the Author

Adam Bertram is a 20-year veteran of IT. He's an automation engineer, blogger, consultant, freelance writer, Pluralsight course author and content marketing advisor to multiple technology companies. Adam also founded the popular TechSnips e-learning platform. He mainly focuses on DevOps, system management and automation technologies, as well as various cloud platforms mostly in the Microsoft space. He is a Microsoft Cloud and Datacenter Management MVP who absorbs knowledge from the IT field and explains it in an easy-to-understand fashion. Catch up on Adam's articles at adamtheautomator.com, connect on LinkedIn or follow him on Twitter at @adbertram or the TechSnips Twitter account @techsnips_io.

