PowerShell: Active Directory Module

The Active Directory (AD) module in PowerShell is a powerful tool for managing and automating tasks in Active Directory environments. Whether you’re handling user accounts, groups, or organizational units (OUs), this module simplifies complex administrative tasks.

Prerequisites for Using the Active Directory Module

Before diving into the cmdlets, ensure that the following prerequisites are met:

Install the RSAT Tools:
- On Windows Server, the AD module is included as part of the server roles.
- On Windows 10/11, you can install the Remote Server Administration Tools (RSAT) via the Settings app or PowerShell: Add-WindowsCapability -Online -Name RSAT:ActiveDirectory
Import the Module:
- Ensure the Active Directory module is loaded in your PowerShell session: Import-Module ActiveDirectory
Ensure Connectivity:
- You must have network connectivity to a domain controller.
- You need appropriate permissions to execute AD-related tasks.

Common Cmdlets in the Active Directory Module

The Active Directory module provides a rich set of cmdlets. Here are some commonly used categories and examples:

User Management

Creating a User: New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" -SamAccountName "jdoe" -UserPrincipalName "[email protected]" -Path "OU=Users,DC=domain,DC=com" -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Enabled $true
Retrieving User Details: Get-ADUser -Identity "jdoe" -Properties *
Modifying a User: Set-ADUser -Identity "jdoe" -Title "Senior Developer" -Office "New York"
Disabling a User Account: Disable-ADAccount -Identity "jdoe"

Group Management

Creating a Group: New-ADGroup -Name "DevTeam" -GroupScope Global -GroupCategory Security -Path "OU=Groups,DC=domain,DC=com"
Adding a User to a Group: Add-ADGroupMember -Identity "DevTeam" -Members "jdoe"
Removing a User from a Group: Remove-ADGroupMember -Identity "DevTeam" -Members "jdoe" -Confirm:$false
Retrieving Group Members: Get-ADGroupMember -Identity "DevTeam"

Organizational Units (OUs)

Creating an OU: New-ADOrganizationalUnit -Name "IT_Department" -Path "DC=domain,DC=com"
Moving an Object to an OU: Move-ADObject -Identity "CN=John Doe,CN=Users,DC=domain,DC=com" -TargetPath "OU=IT_Department,DC=domain,DC=com"
Retrieving OUs: Get-ADOrganizationalUnit -Filter *

Computer Management

Retrieving Computer Details: Get-ADComputer -Filter "Name -like 'PC*'" -Properties *
Adding a Computer to a Group: Add-ADGroupMember -Identity "IT_Computers" -Members "PC01"
Disabling a Computer Account: Disable-ADAccount -Identity "PC01"

Advanced Features and Scripting

Bulk Operations

For tasks involving multiple users, groups, or computers, you can leverage PowerShell’s pipeline capabilities:

Creating Multiple Users from a CSV: Import-Csv -Path "users.csv" | ForEach-Object { New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName -UserPrincipalName $_.UserPrincipalName -Path $_.OU -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force) -Enabled $true }

Custom LDAP Filters

The -Filter parameter allows you to use LDAP syntax to refine your queries:

# Find all disabled user accounts
Get-ADUser -Filter "Enabled -eq $false" -Properties DisplayName

Auditing and Reporting

Generate detailed reports for auditing purposes:

# Export all users in a specific OU to a CSV
Get-ADUser -Filter * -SearchBase "OU=IT_Department,DC=domain,DC=com" -Properties DisplayName,Title,EmailAddress | Export-Csv -Path "IT_Users.csv" -NoTypeInformation

Best Practices for Using the Active Directory Module

Run PowerShell as an Administrator: Many AD cmdlets require elevated permissions.
Test Before Applying: Use -WhatIf or -Confirm to simulate changes.
Backup Before Major Changes: Always back up your AD environment before performing bulk or critical operations.
Use Secure Password Handling: Avoid hardcoding plaintext passwords in scripts.
Audit Logs: Track changes and activity in your AD environment to ensure compliance.

More PowerShell posts found here.