The ActiveDirectory Module
The ActiveDirectory PowerShell module, installed via the Remote Server Administration Tools (RSAT) feature or present natively on Domain Controllers, exposes cmdlets like Get-ADUser, Get-ADGroup, and Get-ADComputer to query directory objects, and New-/Set-/Remove- variants to manage their lifecycle. These cmdlets communicate with Active Directory Web Services (ADWS), which must be running on at least one reachable domain controller. Nearly every cmdlet accepts a -Filter parameter using PowerShell's expression-based filter syntax (not LDAP syntax directly), plus -Properties to request additional attributes beyond the small default set returned.
Cricket analogy: Get-ADUser is like querying a cricket board's player registry by criteria such as 'all bowlers registered after 2020,' rather than manually flipping through paper registration forms.
# Find all enabled users in the Sales OU with a specific title
Get-ADUser -Filter "Department -eq 'Sales' -and Enabled -eq \$true" `
-SearchBase 'OU=Sales,DC=contoso,DC=com' `
-Properties Title, Department, LastLogonDate |
Select-Object Name, Title, LastLogonDate
# Find accounts that haven't logged on in 90 days
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true } -Properties LastLogonTimeStampCreating and Modifying Objects
New-ADUser creates accounts with mandatory parameters like -Name and -SamAccountName, and important safety details like -AccountPassword (as a SecureString) and -Enabled; by default new accounts are disabled until explicitly enabled to avoid accidentally provisioning live, unsecured logins. Set-ADUser modifies existing attributes, while Add-ADGroupMember and Remove-ADGroupMember manage group membership without touching other user attributes. Bulk operations are common: piping a CSV import through ForEach-Object with New-ADUser is the standard pattern for onboarding many users at once, and should always be wrapped with -WhatIf during testing to preview changes before committing them.
Cricket analogy: Creating a new AD user disabled by default is like registering a new player with the board but keeping their playing clearance pending until documentation is verified — no live matches until formally enabled.
Always test bulk AD modification scripts with -WhatIf first, and run against a small pilot OU before applying to production. A misconfigured -Filter or CSV mapping in New-ADUser/Set-ADUser can silently affect far more accounts than intended.
$securePwd = ConvertTo-SecureString 'TempP@ssw0rd!' -AsPlainText -Force
New-ADUser -Name 'Alicia Torres' -SamAccountName 'atorres' `
-UserPrincipalName 'atorres@contoso.com' `
-Path 'OU=Sales,DC=contoso,DC=com' `
-AccountPassword $securePwd -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Sales-Team' -Members 'atorres'Auditing and Reporting
PowerShell excels at generating compliance reports impossible to produce efficiently through the GUI, such as listing all users with PasswordNeverExpires set, computers with stale passwords, or nested group membership chains via Get-ADGroupMember -Recursive. Combining Get-ADUser or Get-ADGroup output with Export-Csv produces auditable reports for security reviews, and Search-ADAccount specifically surfaces locked-out, disabled, or expired accounts in one call without needing a custom -Filter expression.
Cricket analogy: Search-ADAccount for locked-out users is like a board compliance officer running a single report listing every player currently suspended, rather than checking each player's status individually.
Search-ADAccount -LockedOut, -AccountDisabled, and -AccountExpired are purpose-built parameter sets that avoid hand-writing LDAP-style filter expressions for these common audit scenarios.
- The ActiveDirectory module talks to Active Directory Web Services (ADWS) and requires RSAT or a Domain Controller to be present.
- Get-AD* cmdlets use PowerShell filter syntax with -Filter, and -Properties fetches attributes beyond the small default set.
- New-ADUser creates accounts disabled by default as a safety measure; -Enabled must be set explicitly.
- Add-ADGroupMember and Remove-ADGroupMember manage group membership independently of other attributes.
- Always test bulk changes with -WhatIf and a pilot OU before running against production.
- Search-ADAccount surfaces locked-out, disabled, or expired accounts without custom filter syntax.
- Export-Csv combined with Get-AD* cmdlets is the standard way to produce auditable compliance reports.
Practice what you learned
1. What service must be reachable for the ActiveDirectory module cmdlets to function?
2. By default, how is a new user account created with New-ADUser?
3. Which cmdlet is purpose-built for finding locked-out or expired accounts without writing a custom filter?
4. What parameter must you add to Get-ADUser to retrieve attributes beyond the small default set?
5. What should you always do before running a bulk Set-ADUser/New-ADUser script in production?
Was this page helpful?
You May Also Like
Desired State Configuration (DSC)
Learn how PowerShell DSC declaratively defines and enforces the configuration state of servers and services.
PowerShell for Azure
Use the Az PowerShell module to authenticate, provision, and automate Azure resources at scale.
Modules and the PowerShell Gallery
Learn how PowerShell packages reusable code into modules and how to discover, install, and publish them via the PowerShell Gallery.
Related Reading
Related Study Notes in Programming
Browse all study notesApache Spark Study Notes
Programming · 30 topics
ProgrammingApache Flink Study Notes
Programming · 30 topics
ProgrammingHadoop Study Notes
Programming · 30 topics
ProgrammingSnowflake Study Notes
Programming · 30 topics
ProgrammingApache Airflow Study Notes
Programming · 30 topics
Programmingdbt (Data Build Tool) Study Notes
Programming · 30 topics