
Top 5 Active Directory Powershell Scripts for Active Directory (Users / Groups). Are you a Windows SysAdmin looking to automate routine Active Directory (AD) management tasks and simplify your AD administration tasks? PowerShell scripts help you accomplish this quickly and efficiently.

This article explores top 5 Active Directory PowerShell commands for managing users, groups and other AD objects to get you started.

I explain the cmdlet syntax in my listed commands and give practical examples and applications of the cmdlet.

If you haven’t already done so, you must install the Active Directory PowerShell module before you run any of the commands discussed in this article. To install this module, install the Remote Server Administration Tools (RSAT) for Windows optional feature. 

Let’s continue reading Top 5 Active Directory Powershell Scripts for Active Directory (Users / Groups)

Top 5 Active Directory Powershell Scripts

1. Get-ADUser

The Get-ADUser PowerShell command is arguably the most commonly used cmdlet from the Active Directory module. As its name suggests, this cmdlet gets one or more AD users.

Syntax of the Get-ADUser Cmdlet

This cmdlet has three syntaxes, showing you the various ways to combine the available parameters of the Get-ADUser command. Here are the three syntaxes.

Get-ADUser
   [-AuthType (ADAuthType)]
   [-Credential (PSCredential)]
   -Filter (String)
   [-Properties (String[])]
   [-ResultPageSize (Int32)]
   [-ResultSetSize (Int32)]
   [-SearchBase (String)]
   [-SearchScope (ADSearchScope)]
   [-Server (String)]
   [(CommonParameters)]

Get-ADUser
   [-AuthType (ADAuthType)]
   [-Credential (PSCredential)]
   [-Identity] (ADUser)
   [-Partition (String)]
   [-Properties (String[])]
   [-Server (String)]
   [(CommonParameters)]

Get-ADUser
   [-AuthType (ADAuthType)]
   [-Credential (PSCredential)]
   -LDAPFilter (String)
   [-Properties (String[])]
   [-ResultPageSize (Int32)]
   [-ResultSetSize (Int32)]
   [-SearchBase (String)]
   [-SearchScope (ADSearchScope)]
   [-Server (String)]
   [(CommonParameters)]

The first step to understanding the syntaxes is to note the parameters that differentiate them. In this regard, the Filter parameter is unique to the first syntax. 

Similarly, the Identity parameter is only available in the second syntax, while LDAPFilter is the unique parameter in syntax 3. So, if I remove all other parameters, the three syntaxes are simplified as shown below.

Get-ADUser -Filter {PropertyName -eq "PropertyValue"}
Get-ADUser -Identity ADUserIdentity
Get-ADUser -LDAPFilter '(PropertyName=PropertyValue)'

So, to make it easy for readers new to PowerShell, start with these three simplified syntaxes. As a matter of fact, by supplying values for these parameters, you run the Get-ADUser command successfully. 

Since you can work with these three parameters, I explain and show you how to use them in my examples subsection. To read about the other parameters, visit the Microsoft page for Get-ADUser.

Alternatively, run the Get-Help command shown below.

Get-Help Get-ADUser

Earlier, I promised to explain the Filter, Identity, and LDAPFilter parameters.

Use the Identity parameter to specify the user’s identity you want the Get-ADUser command to search for.

Specify a user’s distinguished name (DN) or SamAccountName. In addition to the DN and SamAccountName, the Identity parameter accepts a user’s  GUID and SID. 

Unlike the Identity parameter that targets a single user, the Filter and LDAPFilter parameters target multiple users. What differentiates both parameters is how you structure them. 

While the Filter parameter accepts the standard PowerShell Expression Language, LDAPFilter accepts LDAP query strings.

Finally, before we dive into examples, I would like to mention that running the Get-ADUser command with any of these three syntaxes returns only the default properties. To return additional properties, use the Properties parameter, then list the additional non-default properties you want the command to include in the result.

I have explained the parameters of the Get-ADUser cmdlet in detail because you will find the same parameters in subsequent cmdlets in my list. So, if you understand the Get-ADUser cmdlet and its syntax, it will be easy for you to understand the same parameters in the cmdlets that follow.

Common Examples and How to Use the Get-ADUser Cmdlet

To show you how to use this cmdlet, which comes first in my top 5 Active Directory scripts list, I show how to run the command with the three syntaxes I explained earlier. The commands below find a user with a specified SamAccountName.

The first command uses the Identity parameter, while the second uses the Filter parameter. Finally, in the third command, I use the LDAPFilter parameter.

Get-ADUser -Identity AnthonyRa
Get-ADUser -Filter {SamAccountName -eq "AnthonyRa"}
Get-ADUser -LDAPFilter '(SamAccountName=AnthonyRa)'

The three commands return the same result. 

Earlier, I hinted that the Get-ADUser command returns the default properties of an AD user. In addition, I also said that you could use the Properties parameter to include additional properties you wish to get. 

One common property not included in the default result is the MemberOf property. This property shows all the groups to which an AD user belongs. To show the Properties parameter in action, I have modified the first command in my last example to include this parameter.

Get-ADUser -Identity AnthonyRa -Properties MemberOf

The command now includes the MemberOf property – highlighted in the screenshot below. This property lists the DN of the groups a user is a member of. 
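The following script is my addition rather than code from the article. It puts the three Get-ADUser parameters covered above to work on a question an administrator or auditor asks regularly: which enabled accounts have passwords that never expire, and which enabled accounts have not logged on in 90 days. The userAccountControl bit values and the LDAP matching-rule OID are standard Active Directory values; the 90-day threshold is an arbitrary choice, and the script assumes the ActiveDirectory module is available in a domain-joined session.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module (RSAT) and a domain-joined session with read access to the domain.
Import-Module ActiveDirectory

# These properties are not in the default result set, so they must be requested.
$extra = 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate', 'MemberOf'

# 1) Filter syntax: enabled accounts whose password never expires.
$neverExpires = @(Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } -Properties $extra)

# 2) LDAPFilter syntax: the same question asked as an LDAP query string.
#    userAccountControl bit 0x10000 (65536) = DONT_EXPIRE_PASSWORD,
#    bit 0x2 = ACCOUNTDISABLE. The 1.2.840.113556.1.4.803 matching rule is a bitwise AND.
$ldap = '(&(objectCategory=person)(objectClass=user)' +
        '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$neverExpiresLdap = @(Get-ADUser -LDAPFilter $ldap -Properties $extra)

# 3) Identity syntax: drill into one flagged account, with the DNs of its groups.
if ($neverExpires.Count -gt 0) {
    Get-ADUser -Identity $neverExpires[0].SamAccountName -Properties MemberOf |
        Select-Object SamAccountName, @{ n = 'Groups'; e = { $_.MemberOf -join '; ' } }
}

# Enabled accounts with no logon in the last 90 days (threshold chosen for this example).
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate |
    Select-Object SamAccountName, LastLogonDate |
    Sort-Object LastLogonDate

# Both filters express the same condition, so the counts should match.
"Filter found {0} accounts; LDAPFilter found {1}" -f $neverExpires.Count, $neverExpiresLdap.Count
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to 14 days, so treat it as a screening value rather than an exact timestamp. The Filter and LDAPFilter queries should return the same count; a difference usually means one of the two filters is not expressing what you think it is.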

2. Set-ADUser

The next command in the article Top 5 Active Directory Powershell Scripts for Active Directory (Users / Groups) is Set-ADUser. While SysAdmins use the Get-ADUser cmdlet to retrieve the properties of an Active Directory user object, they use the Set-ADUser cmdlet to modify the properties of a user.

Syntax of the Set-ADUser Cmdlet

The Set-ADUser cmdlet has two syntaxes. The first syntax uses the Identity parameter to locate the AD user.

In the second syntax, the cmdlet uses the Instance parameter to take a copy of the user previously retrieved from AD and write the modified copy back.

Below are the two trimmed-down syntaxes of the Set-ADUser cmdlet.

Set-ADUser
   -Identity (ADUser)
   [-Credential (PSCredential)]
   [-Server (String)]
   [-SamAccountName (String)]
   [-Add (Hashtable)]
   [-Remove (Hashtable)]
   [-Replace (Hashtable)]
   [-Clear (String[])]
   [(CommonParameters)]

Set-ADUser
   -Instance (ADUser)
   [-Credential (PSCredential)]
   [-Server (String)]
   [-SamAccountName (String)]
   [(CommonParameters)]

Earlier, I mentioned that what differentiates the two syntaxes are the Identity and Instance parameters. So, you cannot use the two parameters in the same command.

To use the Identity parameter, specify a user’s SID, GUID, DN, or samAccountName. On the contrary, the Instance parameter allows you to modify a user by applying changes to a copy of the user object. 

To get a copy of a user object, use the Get-ADUser command.  

I explain how the Instance parameter works by showing you how to use it in the example’s subsection later. 

Before I move on to the examples subsection, I like to provide you with some additional essential information about the Identity parameter. 

Modifying an AD user’s property with Set-ADUser’s Identity parameter is as simple as calling the property’s parameter, then specifying a new value for the parameter. As mentioned, I did not include the various property parameters in the Identity syntax to keep it simple.

To see a complete list of all the parameters for each property you modify, visit the Set-ADUser cmdlet page.

Talking about properties, some properties do not have parameters in the Set-ADUser command. To modify these properties, Microsoft provided four general-purpose parameters – Add, Remove, Replace, and Clear.

Use these four parameters to modify any property that does not have its own parameter. An excellent example of a user property that does not have an explicit parameter is the user telephoneNumber property.

So, to update this property with a new value, you must use the Replace parameter – more in the examples subsection later. It is essential to mention that you can also modify properties that do have their own parameter with the Add, Remove, Replace, and Clear parameters.

Common Examples and How to Use the Set-ADUser Cmdlet

Let’s start with a simple example of modifying the description of a user whose SamAccountName is AnthonyRa.

Set-ADUser -Identity AnthonyRa -Description "This is a sample 'Description'"

After running the above command, I ran the one below to confirm that I updated the user’s Description property successfully.

Get-ADUser -Identity AnthonyRa -Properties description

You can also perform this task using the Replace parameter. If you prefer this, here is the command.

Set-ADUser -Identity AnthonyRa -Replace @{Description='This is a sample "Description" -'}

Apply one of these examples to modify any AD user’s properties.

These two examples used the Identity parameter to find the user. However, if you wish to use the Instance parameter, the first step is to use the Get-ADUser command to get the user and save the information in a variable. 

My examples change the Description and telephone number for the user.

$userinfo = Get-ADUser -Identity AnthonyRa -Properties description,telephoneNumber

After saving the user in the variable, the next step is to modify the properties you want to update in the saved variable.

$userinfo.description = "This is the new description with the 'Instance' parameter"
$userinfo.telephoneNumber = "+44 16674355665789"

Finally, run Set-ADUser with the Instance parameter as shown below.

Set-ADUser -Instance $userinfo

To confirm that the commands updated the Description and telephoneNumber properties successfully, I displayed the information in the $userinfo variable, and bingo, it worked!
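Here is the Instance workflow from this section written out as one script, with two safeguards that are my addition and not part of the article: a -WhatIf dry run before the write, and a verification step that re-reads the user from the directory instead of inspecting the $userinfo variable, which already holds the new values whether or not the write succeeded. The telephone number is a constructed sample value; the script assumes the ActiveDirectory module, a domain-joined session, and that the AnthonyRa account exists.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and that the user AnthonyRa exists in the current domain.
Import-Module ActiveDirectory

$sam   = 'AnthonyRa'
$props = 'Description', 'telephoneNumber'

# Pin every call to one domain controller so the read-back is not confused by
# replication lag between DCs.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

# Step 1: fetch a copy of the user including the non-default properties to edit.
$userinfo = Get-ADUser -Identity $sam -Properties $props -Server $dc

# Keep the original values so the change can be logged and, if needed, reverted.
$before = [ordered]@{
    Description     = $userinfo.Description
    telephoneNumber = $userinfo.telephoneNumber
}

# Step 2: modify the local copy.
$userinfo.Description     = 'Updated via Set-ADUser -Instance'
$userinfo.telephoneNumber = '+44 161 000 0000'   # constructed sample value

# Step 3: preview, then apply. -WhatIf prints what would happen and writes nothing.
Set-ADUser -Instance $userinfo -Server $dc -WhatIf
Set-ADUser -Instance $userinfo -Server $dc

# Step 4: verify against the directory, not the variable. $userinfo already
# contains the new values regardless of whether the write succeeded.
$after = Get-ADUser -Identity $sam -Properties $props -Server $dc

foreach ($p in $props) {
    $ok = $after.$p -eq $userinfo.$p
    "{0,-16} before='{1}' after='{2}' verified={3}" -f $p, $before[$p], $after.$p, $ok
}
```

Reading the user back from the same DC that received the write is what makes the verification meaningful; querying a different DC can report the old value for a few minutes even though the change succeeded.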


3. Get-ADGroup

Another important Active Directory task is managing groups. When administering AD groups, the Get-ADGroup cmdlet is your go-to command.

This cmdlet gets the properties of one or multiple Active Directory groups.

Syntax of the Get-ADGroup Cmdlet

There are three syntaxes of the Get-ADGroup cmdlet. Here are the syntaxes, which show the parameters that differentiate them – Filter, Identity, and LDAPFilter.

Get-ADGroup
   -Filter (String)
   [-AuthType (ADAuthType)]
   [-Credential (PSCredential)]
   [-Properties (String[])]
   [-ResultPageSize (Int32)]
   [-ResultSetSize (Int32)]
   [-SearchBase (String)]
   [-SearchScope (ADSearchScope)]
   [-Server (String)]
   [-ShowMemberTimeToLive]
   [(CommonParameters)]

Get-ADGroup
   [-Identity] (ADGroup)
   [-AuthType (ADAuthType)]
   [-Credential (PSCredential)]
   [-Partition (String)]
   [-Properties (String[])]
   [-Server (String)]
   [-ShowMemberTimeToLive]
   [(CommonParameters)]

Get-ADGroup
   -LDAPFilter (String)
   [-AuthType (ADAuthType)]
   [-Credential (PSCredential)]
   [-Properties (String[])]
   [-ResultPageSize (Int32)]
   [-ResultSetSize (Int32)]
   [-SearchBase (String)]
   [-SearchScope (ADSearchScope)]
   [-Server (String)]
   [-ShowMemberTimeToLive]
   [(CommonParameters)]

The Get-ADGroup cmdlet is similar to Get-ADUser. So, if you understand how the Get-ADUser works, you have no problem using Get-ADGroup. 

However, to make it easy for you to differentiate the three syntaxes, I have simplified them below.

Get-ADGroup -Filter {PropertyName -eq "PropertyValue"}
Get-ADGroup -Identity ADGroupIdentity
Get-ADGroup -LDAPFilter '(PropertyName=PropertyValue)'

Common Examples and How to Use the Get-ADGroup Cmdlet

My first example shows you how to use the three syntaxes I explained earlier to get the properties of an Active Directory group. In this example, I want to get the properties of a group called “Writers.”

Get-ADGroup -Filter {Name -eq "Writers"}
Get-ADGroup -Identity Writers
Get-ADGroup -LDAPFilter '(Name=Writers)'

As expected, the three commands produce the same result.

The similarity between Get-ADUser and Get-ADGroup does not stop in their syntaxes. Like the Get-ADUser cmdlet, Get-ADGroup does not return all available properties by default. 

If you’re wondering about the default properties returned by this command, look at my last screenshot. To return the properties that are not included by default – you guessed it – use the Properties parameter!

One easy way to use the Properties parameter is to return all available group properties by adding the asterisk (*) wildcard next to Properties. In the screenshot below, I modified one of the commands and included the Properties parameter with the asterisk (*) wildcard.

Get-ADGroup -Identity Writers -Properties *

The command returns all available properties! 

Now that I have seen all the properties, I use the Properties parameter to select the properties I wish to return that are not displayed by default. In the modified command below, I want to include Members, Created, and Modified.

Get-ADGroup -Identity Writers -Properties Members, Created, Modified

The modified command now returns the default properties plus the properties I included. 

4. Get-ADOrganizationalUnit

You cannot manage Active Directory well without Organizational Units (OUs). I have included the Get-ADOrganizationalUnit cmdlet in my top 5 commands for administering AD. 

If you need to get the properties of an OU with PowerShell, you need the Get-ADOrganizationalUnit cmdlet. 

Syntax of the Get-ADOrganizationalUnit Cmdlet

Having read my first three AD PowerShell cmdlets in this list, you will have noticed an emerging pattern in their syntaxes. Apart from the Set-ADUser cmdlet, whose two syntaxes are differentiated by the Identity and Instance parameters, Get-ADUser and Get-ADGroup have three syntaxes, distinguished by Identity, Filter, and LDAPFilter.

The Get-ADOrganizationalUnit cmdlet follows this pattern with three syntaxes. I have summarized the three syntaxes by including only the parameters that differentiate them.

Get-ADOrganizationalUnit -Filter {PropertyName -eq "PropertyValue"}
Get-ADOrganizationalUnit -Identity ADOrganizationalUnitIdentity
Get-ADOrganizationalUnit -LDAPFilter '(PropertyName=PropertyValue)'

Specify the OU’s distinguished name or GUID to use the syntax with the Identity parameter. While you use the Identity parameter to search for a single OU, to return multiple OUs, use either the Filter or the LDAPFilter parameter.

Common Examples and How to Use the Get-ADOrganizationalUnit Cmdlet

I start this examples subsection by showing you how to get information about an OU using the Filter parameter of the Get-ADOrganizationalUnit cmdlet.

Get-ADOrganizationalUnit -Filter {name -eq "writers"}

The command returns the default properties shown in the screenshot below. 

To get the Get-ADOrganizationalUnit command to display non-default properties, use the Properties parameter to specify those properties. To see all properties, use the asterisk (*) wildcard.

Get-ADOrganizationalUnit -Filter {name -eq "writers"} -Properties *

The command now returns all the available properties of the OUs based on the Filter pattern specified. 

The first example is about getting the properties of one OU. To get all OUs in an AD domain, modify the Filter pattern as shown in the command below.

Get-ADOrganizationalUnit -Filter {name -like "*"}

Not surprisingly, the command now returns the default properties of all OUs. 
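As an added example (mine, not the article’s), the Filter syntax above can drive an inventory of every OU in the domain: the script requests ProtectedFromAccidentalDeletion, which is not in the default property set, counts the users directly under each OU with -SearchBase and -SearchScope, and previews a fix for unprotected OUs with -WhatIf. It assumes the ActiveDirectory module and a domain-joined session.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and a domain-joined session.
Import-Module ActiveDirectory

# All OUs, with the non-default ProtectedFromAccidentalDeletion property requested.
$ous = Get-ADOrganizationalUnit -Filter { name -like '*' } -Properties ProtectedFromAccidentalDeletion

$inventory = foreach ($ou in $ous) {
    # OneLevel counts only objects directly in this OU; use Subtree to include nested OUs.
    $users = @(Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel)
    [pscustomobject]@{
        OU        = $ou.DistinguishedName
        Protected = $ou.ProtectedFromAccidentalDeletion
        Users     = $users.Count
        Disabled  = @($users | Where-Object { -not $_.Enabled }).Count
    }
}

$inventory | Sort-Object OU | Format-Table -AutoSize

# OUs that can be deleted by a single mis-click: a quick hygiene check.
$unprotected = @($inventory | Where-Object { -not $_.Protected })
"{0} of {1} OUs are not protected from accidental deletion" -f $unprotected.Count, @($inventory).Count

# Preview the fix for each unprotected OU; remove -WhatIf to apply it.
foreach ($entry in $unprotected) {
    Set-ADOrganizationalUnit -Identity $entry.OU -ProtectedFromAccidentalDeletion $true -WhatIf
}
```

The Disabled column is a useful companion to the user count: an OU that holds many disabled accounts is a candidate for cleanup, and an OU with no users at all may be a leftover that nobody maintains.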

5. Get-ADGroupMember

Get-ADGroupMember is the last cmdlet in my list of the top 5 cmdlets for administering Active Directory with PowerShell. This cmdlet gets the members of an AD group.

Syntax of the Get-ADGroupMember Cmdlet

While all the cmdlets I have discussed in this list have multiple syntaxes, the Get-ADGroupMember has just one syntax.

Here it is.

Get-ADGroupMember
   [-Identity] (ADGroup)
   [-AuthType (ADAuthType)]
   [-Credential (PSCredential)]
   [-Partition (String)]
   [-Recursive]
   [-Server (String)]
   [(CommonParameters)]

The Identity parameter specifies the AD group whose members you wish to return. An AD group’s Identity is the object’s GUID, samAccountName, or distinguished name.

Apart from the Identity parameter, the Get-ADGroupMember cmdlet has another parameter worth noting – Recursive. If you’ve been working with PowerShell for a while, you may know that you use the Recursive parameter to return information about child objects. 

When you specify the Recursive parameter, the Get-ADGroupMember command gets all members of the group you specified and any child group. A child group is a group that is a member of another group. 

Common Examples and How to Use the Get-ADGroupMember Cmdlet

I have a group called “Writers” in my test AD environment. The “Writers” group has users as members.

In addition to having users as members, the “Writers” group also has the “Accounts” group as its member. The “Accounts” group has users as members, although I have not shown this in the screenshot below. 

To use the Get-ADGroupMember command to list all members of the “Writers” AD group, I use the command below.

Get-ADGroupMember writers

The command lists all users and groups that are members of the “Writers” group. I have highlighted the names and object classes of the group members to make it easy for you to spot and confirm that the command gets both users and groups. 

See what happens if I include the Recursive parameter.

Get-ADGroupMember writers -Recursive

This time, the Get-ADGroupMember command excludes the child group but includes the members of the child group in its place. I highlighted the members of the “Accounts” child group in the screenshot below. 
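The direct-versus-recursive difference described above, combined with the Get-ADGroup Properties parameter from section 3, makes a useful privileged-group review. The script below is an added example rather than the article’s code: it walks the default privileged groups, reports how many members each has directly and effectively, names any nested groups, and then lists the accounts that hold membership only through nesting. It assumes the ActiveDirectory module and the default built-in group names.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and the default names of the built-in privileged groups.
Import-Module ActiveDirectory

$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$report = foreach ($name in $privileged) {
    # Get-ADGroup with non-default properties (Members, Modified) for context.
    $group = Get-ADGroup -Identity $name -Properties Members, Modified -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root domain

    $direct    = @(Get-ADGroupMember -Identity $group)
    $recursive = @(Get-ADGroupMember -Identity $group -Recursive)

    # Nested groups appear only in the direct listing; -Recursive replaces each
    # of them with its own members.
    $nested = @($direct | Where-Object { $_.objectClass -eq 'group' })

    [pscustomobject]@{
        Group          = $group.Name
        LastModified   = $group.Modified
        DirectMembers  = $direct.Count
        EffectiveUsers = @($recursive | Where-Object { $_.objectClass -eq 'user' }).Count
        NestedGroups   = ($nested.Name -join ', ')
    }
}

$report | Format-Table -AutoSize

# Accounts that are effective members but not direct members: they inherited the
# privilege through a nested group and are easy to miss in a manual review.
foreach ($name in $privileged) {
    $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    $directSids = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.SID.Value })
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $directSids -notcontains $_.SID.Value } |
        Select-Object @{ n = 'Group'; e = { $name } }, SamAccountName, DistinguishedName
}
```

Get-ADGroupMember reads members through Active Directory Web Services, which by default refuses to enumerate groups with more than 5,000 members; for very large groups, read the Members attribute with Get-ADGroup -Properties Members instead. Members from trusted domains appear as foreign security principals, and the cmdlet may report an error for those it cannot resolve.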

Thank you for reading Top 5 Active Directory Powershell Scripts for Active Directory (Users / Groups). We shall conclude this article now. 

Top 5 Active Directory Powershell Scripts for Active Directory (Users / Groups) Conclusion

Whether you’re a pro or a beginner user of the Active Directory PowerShell module, you’ll find my top 5 cmdlets for administering users, groups, and other objects a handy tool. 

While the first cmdlet in my list, Get-ADUser, gets AD user properties, the second, Set-ADUser, updates the properties of an AD user object. This list also has some other powerful cmdlets – Get-ADGroup, Get-ADOrganizationalUnit, and Get-ADGroupMember – that you will find helpful as you manage your AD environment with PowerShell.

This list is not exhaustive. If you have other cmdlets you use often to manage AD, kindly share them with us using the comments form below.


Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
