5 More PowerShell Commands to Better Manage Active Directory

By Philip Robinson | 05.20.2019 | Auditing

Recently we published a blog about five key PowerShell commands that you need to help you better manage Active Directory. As this blog was so well received, we decided to do a follow up. If you want to read the original blog, then click here.

Before We Begin

Before you get started, you will need to import the ActiveDirectory module into your PowerShell session. Without it, none of the cmdlets in the list below will be available.
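The following is an added example, not part of the original post: it loads the module only if the RSAT tooling is actually installed, then makes one cheap round trip to a domain controller so a missing module or a broken network path shows up here rather than half-way through a later command.

```powershell
# Added example: prerequisite check for the cmdlets that follow.
# Stop early with a clear message if the RSAT AD DS tools are not installed.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw "ActiveDirectory module not found - install the RSAT AD DS tools first."
}
Import-Module ActiveDirectory

# Discover a DC running Active Directory Web Services (what the module talks to)
# and confirm it answers; this is the round trip every later cmdlet depends on.
$dc = Get-ADDomainController -Discover -Service ADWS
Get-ADDomain -Server $dc.HostName[0] |
    Select-Object DNSRoot, PDCEmulator, DomainMode
```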

1. How to Find Locally Stored Password from a Computer Object with PowerShell

See the cmdlet below:

Get-AdmPwdPassword -ComputerName "computer.domain.net"

For those who want a simpler way to retrieve the passwords stored on computer objects in AD, you will need to have implemented Microsoft's Local Administrator Password Solution (LAPS). It's free, and it's an excellent way of displaying the details in a single report rather than having to go through each object to get the password.
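The block below is an added example and is not from the original post. It uses two cmdlets from the LAPS client module (AdmPwd.PS): one to read passwords with their expiry for several machines at once, and one to list which principals hold the extended right to read those passwords in an OU, which is the check a defender wants before trusting the report. The OU distinguished name and computer names are placeholders.

```powershell
# Added example: LAPS password report plus a read-permission audit.
# Assumes the AdmPwd.PS module is installed; OU DN and names are placeholders.
Import-Module AdmPwd.PS

function Get-LapsPasswordReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        # This example passes the AD computer account name (for example PC01).
        $entry = Get-AdmPwdPassword -ComputerName $name
        [pscustomobject]@{
            Computer  = $entry.ComputerName
            Password  = $entry.Password
            Expires   = $entry.ExpirationTimestamp
            # An expired entry means the client-side rotation is not working.
            IsExpired = ($entry.ExpirationTimestamp -lt (Get-Date))
        }
    }
}

# Every holder of the LAPS read right is effectively local admin on all
# computers under the OU, so anything beyond the expected admin groups
# is a finding worth following up.
$ou = "OU=Workstations,DC=domain,DC=net"   # placeholder OU DN
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

Get-LapsPasswordReport -ComputerName "PC01", "PC02" | Format-Table -AutoSize
```

Because the report contains clear-text local administrator passwords, run it interactively and avoid piping it to a file; the permission audit is the part that belongs in a scheduled job.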

2. How to Join a Computer to a Domain with PowerShell

See the cmdlet below:

Add-Computer -DomainName "domain.com" -Credential Domain\Username -Restart -Force

This is a task that the average sys admin will perform hundreds, if not thousands of times during the course of their career. Joining a computer to a domain from the machine itself only takes a short amount of time but PowerShell will help you automate it altogether.
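As an added example (not the post's own command), the script below joins the machine into a specific OU so the right Group Policy applies on first boot, checks DNS first because an unresolvable domain is the usual reason a join fails part-way, and only reboots once Add-Computer reports success. Domain name, OU path and the credential prompt text are placeholders.

```powershell
# Added example: domain join with a DNS pre-check, target OU and a verified result.
# $domain and $ouPath are placeholders.
$domain = "domain.com"
$ouPath = "OU=Workstations,DC=domain,DC=com"
$cred   = Get-Credential -Message "Account allowed to join computers to $domain"

# Fail early: if the domain name does not resolve, the join cannot work.
if (-not (Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve $domain - fix DNS before joining."
}

# -PassThru returns a ComputerChangeInfo object with HasSucceeded, so the
# reboot happens only when the account was actually created in the OU.
$result = Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -Force -PassThru
if ($result.HasSucceeded) {
    Restart-Computer -Force
} else {
    throw "Join to $domain failed for $($result.ComputerName)"
}
```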

3. How to Enable/Disable Users, Computers and Service Accounts with PowerShell

See the cmdlet below:

Enable-ADAccount -Identity "ComputerName$"

Disable-ADAccount -Identity "Username"

This cmdlet is pretty self-explanatory. You can use it to allow or prevent any user or computer account from authenticating to the domain.
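The function below is an added example, not from the original post. It wraps Disable-ADAccount the way an auditor would want to see it done: the reason, the time and the operator are written into the object's description (the previous description is preserved), and the object is moved to a holding OU so disabled accounts are easy to review. The holding OU and the ticket reference are placeholders; computer accounts are addressed by their sAMAccountName, which carries a trailing $.

```powershell
# Added example: disable a user or computer account with an audit trail.
# $TargetOU default and ticket numbers are placeholders.
Import-Module ActiveDirectory

function Disable-ADAccountWithAudit {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName (PC01$ for computers)
        [Parameter(Mandatory)][string]$Reason,
        [string]$TargetOU = "OU=Disabled Accounts,DC=domain,DC=com"
    )
    # LDAP filter keeps the trailing $ of computer names literal.
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$Identity)" -Properties description
    if (-not $obj) { throw "No account with sAMAccountName $Identity" }

    $stamp = "{0:yyyy-MM-dd HH:mm} disabled by {1}: {2}" -f (Get-Date), $env:USERNAME, $Reason
    $desc  = if ($obj.description) { "$stamp | $($obj.description)" } else { $stamp }

    Disable-ADAccount -Identity $obj.DistinguishedName
    Set-ADObject   -Identity $obj.DistinguishedName -Description $desc
    Move-ADObject  -Identity $obj.DistinguishedName -TargetPath $TargetOU
}

Disable-ADAccountWithAudit -Identity 'jdoe'  -Reason 'Left company, ticket INC-0000'
Disable-ADAccountWithAudit -Identity 'PC01$' -Reason 'Decommissioned'
```

Disabling rather than deleting keeps the SID, group memberships and history available for investigation; the move to a dedicated OU is what makes a periodic "what is still sitting here" review practical.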

4. How to Unlock User Accounts with PowerShell

See the cmdlet below:

Unlock-ADAccount -Identity "Username"

We all know the story here. The vast majority of helpdesk calls relate to users being locked out of their accounts, which leads to an inordinate amount of time spent resetting the passwords of users who have forgotten them. The above cmdlet applies specifically to accounts that have exceeded the permitted number of failed password attempts and have therefore been locked out.
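Added example, not part of the original post: before unlocking, a helpdesk operator should see who is locked out, when, and how many bad attempts preceded it, because a lockout with a large bad-password count on a service or admin account may be a password-guessing attempt that the policy is correctly blocking. The report queries the PDC emulator, which is notified of every lockout and receives the bad-password counts that other DCs do not replicate. The sample account name is a placeholder.

```powershell
# Added example: locked-out report and a checked unlock.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    # badPwdCount is not replicated and lockouts are chained to the PDC
    # emulator, so query it rather than whichever DC the session picked.
    $pdc = (Get-ADDomain).PDCEmulator
    Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
        Get-ADUser -Server $pdc -Properties lockoutTime, badPwdCount, LastBadPasswordAttempt |
        Select-Object SamAccountName,
            @{ n = 'LockedOutAt'; e = { [DateTime]::FromFileTime($_.lockoutTime) } },
            badPwdCount, LastBadPasswordAttempt
}

function Unlock-ADAccountChecked {
    param([Parameter(Mandatory)][string]$Identity)
    $pdc = (Get-ADDomain).PDCEmulator
    $u = Get-ADUser -Identity $Identity -Server $pdc -Properties LockedOut, badPwdCount
    if (-not $u.LockedOut) { Write-Warning "$Identity is not locked out"; return }
    Write-Host "$Identity had $($u.badPwdCount) bad attempts before lockout"
    # -Confirm is deliberate: a bulk unlock should never silently undo a
    # lockout that was actually stopping an attack.
    Unlock-ADAccount -Identity $u -Server $pdc -Confirm
}

Get-LockedOutReport | Format-Table -AutoSize
Unlock-ADAccountChecked -Identity 'jdoe'
```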

5. How to Find Inactive Users with PowerShell

See the cmdlet below:

Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90:00:00:00 -ResultPageSize 2000 -ResultSetSize $null | ?{$_.Enabled -eq $True} | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "C:\Temp\InActiveUsers.CSV" -NoTypeInformation

A large number of inactive users seriously increases your organization's potential attack surface: attackers often take over these accounts to use their permissions and move laterally across the network. The above cmdlet identifies those inactive users. It uses a time span to find users who have been inactive for the last 90 days and exports the list to a CSV file.
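The function below is an added example that goes beyond the one-liner above and is not from the original post: it covers inactive computer accounts as well as users, and adds the last-logon, password-set and creation dates to each row so the reviewer can see why an account was flagged (an account that has never logged on is a different case from one that went quiet). The output path is a placeholder.

```powershell
# Added example: stale user and computer report with the evidence behind each row.
# $OutFile default is a placeholder path.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    param([int]$Days = 90, [string]$OutFile = "C:\Temp\StaleAccounts.csv")
    $span  = New-TimeSpan -Days $Days
    $props = 'lastLogonTimestamp', 'pwdLastSet', 'whenCreated'

    # Search-ADAccount keys off lastLogonTimestamp, which replicates with a
    # granularity of roughly 14 days, so treat $Days as approximate.
    $users = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly -ResultSetSize $null |
        Where-Object Enabled | Get-ADUser -Properties $props
    $computers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly -ResultSetSize $null |
        Where-Object Enabled | Get-ADComputer -Properties $props

    $rows = foreach ($acct in (@($users) + @($computers))) {
        [pscustomobject]@{
            Type       = $acct.ObjectClass
            Name       = $acct.SamAccountName
            DN         = $acct.DistinguishedName
            LastLogon  = if ($acct.lastLogonTimestamp) { [DateTime]::FromFileTime($acct.lastLogonTimestamp) } else { 'never' }
            PwdLastSet = [DateTime]::FromFileTime($acct.pwdLastSet)
            Created    = $acct.whenCreated
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    $rows
}

Get-StaleAccountReport -Days 90 | Format-Table -AutoSize
```

Computer accounts matter as much as users here: a stale machine account still has a password that can be used for Kerberos authentication, and an old PwdLastSet on a computer is a sign its automatic password rotation stopped.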

These five more PowerShell commands should help you improve the basic management of your Active Directory even further. If you want more visibility into changes taking place in your AD, come and take a look at our Active Directory Auditing Solution.
