5 PowerShell Commands to Better Manage Active Directory

By Philip Robinson   05.16.2019   Auditing

PowerShell was developed so that IT operations and administrative tasks in operating systems like Active Directory could be drastically simplified and automated to save huge amounts of time and effort.

PowerShell is able to integrate with services and applications to help administrators get complete control over the management of both clients and servers. With every new update of the underlying framework, PowerShell becomes more advanced and more features become available.

With that in mind, let’s take a look at some of the PowerShell cmdlets that can help you simplify and automate the management of your Active Directory.

Before We Begin

Before you get started, you’re going to have to import the Active Directory module (Import-Module ActiveDirectory). Without importing this module into the PowerShell session, you will not be able to run any of the cmdlets in the list below.

1. How to Create a Computer Object with PowerShell

The below cmdlet will allow you to create a new computer object in a particular organizational unit of AD:

New-ADComputer -Name "ComputerName" -SamAccountName "ComputerName" -Path "OU=Computers,DC=Domain,DC=com"

Don’t forget that you will need to specify the computer name (-Name) and the SAM account name (-SamAccountName) for this script to work. After the -Path parameter, you will need to specify, in quotes, the distinguished name of the container where the object is to be created.

This script is useful when it comes to managing multiple domains and sites or when scripting changes like account creations to AD.

2. How to Create Security Groups with PowerShell

See cmdlet below:

New-ADGroup -Name "Security Group Name" -SamAccountName "SecurityGroupName" -GroupCategory Security -GroupScope Global -DisplayName "Security Group Name" -Path "CN=Groups,DC=Domain,DC=com" -Description "Brief description of what the security group is used for"

Security groups allow you to better manage computers and accounts through role-based permissions. Without security groups, you would have to assign permissions to each account and object individually, which would waste a huge amount of time.

3. How to Create a New User Account with PowerShell

See cmdlet below:

New-ADUser -Name "User Account Name" -SamAccountName "UserAccountName" -AccountPassword (ConvertTo-SecureString "password" -AsPlainText -Force) -DisplayName "User Name" -Enabled $True -GivenName "FirstName" -Path "CN=Users,DC=Domain,DC=com" -Server "controller.domain.com" -Surname "LastName" -UserPrincipalName "username@domain.com"

If you’re using AD as the heart of your IT infrastructure, then knowing how to create a new user account is fundamental. If you want to add more attributes to a user account, then simply add the -OtherAttributes parameter and specify the attribute you would like to add as a hashtable, such as: @{mail="name@domain.com"}

4. How to Create a New OU with PowerShell

See cmdlet below:

New-ADOrganizationalUnit -Name "OU Name" -Path "DC=Domain,DC=com"

OUs (Organizational Units) are subdivisions within an AD into which you can organize users, groups, computers and other OUs. Well-organized Active Directories will feature an OU structure that mirrors the business in a functional or strategic way.

Any cmdlet that begins with the verb “New” creates something. The matching cmdlet can be used to remove an OU from the Active Directory: simply replace the “New” prefix with “Remove”. You can also modify an OU by using the prefix “Set” in place of “New”.

5. How to Add/Remove Users or Computer Objects to/From Groups with PowerShell

See cmdlet below:

Add-ADGroupMember SecurityGroupName -Members Username01

Remove-ADGroupMember SecurityGroupName -Members Username01

Create or remove user accounts and computer objects as per your requirements. Created user accounts or computer objects can be added to existing security groups to help you better manage them. You can do this using the -Members parameter. If you wish to add multiple accounts to an existing security group, you can do so by separating them with a comma.
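The user-creation and group-membership steps from sections 3 and 5, combined into one function that takes the initial password as a SecureString instead of a literal in the command line and forces a change at first logon. This is an added example, not code from the original article; the function name New-ManagedADUser, the domain, the OU path and the account and group names are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Domain, OU path, group and account names are placeholders.
function New-ManagedADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        # Restrict characters so the value is safe inside the -Filter string below.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
        [string]$SamAccountName,
        # SecureString only: no plaintext password is written into the script.
        [Parameter(Mandatory)][securestring]$InitialPassword,
        [string]$Path = 'CN=Users,DC=Domain,DC=com',
        [string]$UpnSuffix = 'domain.com',
        [string]$Mail,
        [string[]]$Group = @()
    )

    # Fail early with a clear message if the account name is already taken.
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        throw "An account named '$SamAccountName' already exists."
    }

    $params = @{
        Name                  = "$GivenName $Surname"
        DisplayName           = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "$SamAccountName@$UpnSuffix"
        Path                  = $Path
        AccountPassword       = $InitialPassword
        ChangePasswordAtLogon = $true   # the initial password is single-use
        Enabled               = $true
        ErrorAction           = 'Stop'  # do not go on to group changes on failure
    }
    if ($Mail) { $params.OtherAttributes = @{ mail = $Mail } }

    New-ADUser @params
    foreach ($g in $Group) {
        Add-ADGroupMember -Identity $g -Members $SamAccountName -ErrorAction Stop
    }
}

# Prompt for the password, then preview the changes without writing to AD.
$pw = Read-Host -AsSecureString -Prompt 'Initial password'
New-ManagedADUser -GivenName 'FirstName' -Surname 'LastName' -SamAccountName 'UserAccountName' `
    -InitialPassword $pw -Mail 'name@domain.com' -Group 'SecurityGroupName' -WhatIf
```

Remove -WhatIf from the last call to apply the changes.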

Conclusion

These five PowerShell commands should help you improve the basic management of your Active Directory. If you want more visibility into changes taking place in your AD, come and take a look at our Active Directory Auditing Solution.