Active Directory


Import AD module

Import-Module ActiveDirectory

Reset AD password

Set-ADAccountPassword jfrost -NewPassword (ConvertTo-SecureString -AsPlainText -String P@ssw0rd1z3 -force)

Get group members

Get-adgroupmember WorkstationAccountsScheduledforDeletion | select name</h2>

Staff phone directory/contact list

get-aduser -filter {officephone -like "*"} -property * | where "enabled" -eq "yes" | select name, title, officephone, mobile, emailaddress, office | Out-Gridview

Assign a user rights to join a machine to a domain
Use the Delegate feature (right click the AD domain, Delegate Access)

Replicate/Sync AD

repadmin /syncall






Get-ADTrust -Filter *

Show all servers in domain

DSQUERY server

Show group membership and descriptions for a user

# Get AD user groups and group descriptions
Get-ADPrincipalGroupMembership ronald.mcdonald | Get-ADGroup -Properties * | select name, description


Search AD for computers matching multiple criteria

get-ADcomputer -filter '*' | ?{$ -match ("(SRV|WKS|SERVER)\-?P")} | Select Name | Sort-Object -Property Name

Reverse SID lookup

$objSID = New-Object System.Security.Principal.SecurityIdentifier `
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])

Unlock AD account

Unlock-ADAccount jfrost 

Query AD from a workstation

%SystemRoot%\SYSTEM32\rundll32.exe dsquery,OpenQueryWindow

Show members of a group

Get-ADGroupMember "Domain Admins"
get-aduser jfrost -property Memberof | Select -ExpandProperty memberOf

Show computers that haven’t checked in to AD since a specified date

get-adcomputer -filter "Passwordlastset -lt '1/1/2016'" -properties *| Select name,passwordlastset

Show users that haven’t checked in to AD since a specified date

get-aduser -Filter{enabled -eq $true} -properties * | select name, title, description, lastlogondate, whenchanged | Out-GridView

Search AD for enabled Computers with “PRO’ in the OS name

Get-ADComputer -Filter{(enabled -eq $true) -AND (OperatingSystem -like '*pro*')} | select name | clip</h2>

Search AD for all Windows servers

Get-ADComputer -Filter "OperatingSystem -like '*Server*'" -properties OperatingSystem,OperatingSystemServicePack | Select Name,Op* | format-list

Get-ADComputer -Filter {OperatingSystem -Like "*Server*"} -Property * | Select Name,OperatingSystem | out-gridview

Show all attributes for user

dsquery * -filter sAMAccountName=Erlich.Bachman* -attr *

Show resultant set of policy (requires hostname and username)


Get-Content example – Get pwdlastset attribute for AD computers

Get-Content .\computers.txt | ForEach-Object {Get-ADcomputer $_ -properties passwordLastSet} | Select Name, PasswordLastSet | Export-CSV .\Computers.csv

Show all members of an AD group by Name

Get-ADGroupMember "Block B Prisoners" | select name, objectclass

Show the groups a group is a Member Of

$memberOf = (Get-ADGroup "Alcoholics Anonymous Attendees" -property "MemberOf").memberOf | Sort-Object; foreach ($group in $memberOf) {(Get-ADGroup -Identity $group).Name}

Show AD computers running Windows Server OSes

Get-ADComputer -Filter {OperatingSystem -Like "*Server*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto</h2>

Search AD for all computer objects with tst in the name

dsquery computer -name *tst*

Search AD for all computers

dsquery computer -name *

Move a computer to a different OU

#find the distinguished name first
Get-ADOrganizationalUnit -LDAPFilter "(name=WOL)"
# Move the object
get-adcomputer win7-PC | Move-ADObject -TargetPath OU=Computers,DC=domain,DC=com

Search AD for all groups with “role” in the name

dsquery group -name *role*

Display ALL computers in domain and OS, SP etc

Import-Module ActiveDirectory
Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap –Auto

Show all domain controllers (DCs)


AD Users & Computers shortcut


Check if account is locked out (can be run from client machine)

NET USER James.Beam /DOMAIN | FIND /I "Account active"

unlock-adaccount captain.morgan

Troubleshoot Domain Trust issues

Netdom query dc
Test-ComputerSecureChannel –Server *dc name* -Verbose
Test-ComputerSecureChannel –Server *dc name* -Repair -Verbose

Display Canonical name/object path of a user

Get-ADUser -Filter {SamAccountName -Like "rid*"} -Properties Canonicalname

$exportfile = “C:\temp\Domain_info.txt”

Get-ADForest | out-file $exportfile -append

Get-ADRootDSE | out-file $exportfile -append

Get-DnsServer | out-file $exportfile -append

Get-ADDomain | out-file $exportfile -append

Get-ADDomainController | out-file $exportfile -append

Get-ADTrust -Filter * | out-file $exportfile -append

Find home folders that belong to staff that are disabled etc

foreach ($folder in ls -path \\server\x$\users ) {
get-aduser -identity $ -properties enabled | ?{$_.enabled -eq $FALSE} | select samaccountname, enabled
nltest /dsgetsite

Get FSMO roles


Find password expiry for an account

Get-ADUser Victor.Meldrew –Properties “DisplayName”, “msDS-UserPasswordExpiryTimeComputed” | Select-Object -Property “Displayname”,@{Name=”ExpiryDate”;Expression={[datetime]::FromFileTime($_.”msDS-UserPasswordExpiryTimeComputed”)}}


Get pwdlastset attribute for a computer

Get-ADcomputer "Grandma's Unix PC" -properties passwordLastSet | select PasswordLastSet

Get all properties for a computer

Get-ADComputer Fabrikam-SRV1 -Properties *

Rename AD Group

get-adgroup -Identity "old_ long Name" | Rename-ADObject -NewName New_Name -verbose

Add members to AD group

Add-ADGroupMember -Identity "Redundant staff" -Member Jsmith -Verbose

Gather info without headers

Can be used to output to a file without headers, spaces or empty lines

get-aduser -filter * | ?{$ -eq "$user"} | select SamAccountName -ExpandProperty SamAccountName

Add user to group by full name

# Adds user to AD group, when you only have a list of their full names (eg "John Smith")
# AKA garbage in, quality out (GIQO)

# Find users in users.txt by their full name and return SamAccountName to shortnames.txt
# also removes any header info and lines/spaces from the file
$users = get-content c:\temp\users.txt
foreach ($user in $users) {
get-aduser -filter * | ?{$ -eq "$user"} | select SamAccountName -ExpandProperty SamAccountName | out-file C:\temp\shortnames.txt -Append

# Now add the users to the AD group
$users = get-content C:\temp\shortnames.txt
foreach ($user in $users) {
add-adgroupmember -Identity "Group_1" -Members $user -Verbose
search-adaccount -lockedout
# requires Admin privileges!
# invalid logon attempts: 4625
# Lockouts: 4740
# 4777 The domain controller failed to validate the credentials for an account.

function Get-LogonFailure
Get-EventLog -LogName security -EntryType FailureAudit -InstanceId 4771 -ErrorAction Stop @PSBoundParameters |
ForEach-Object {
$domain, $user, $client = $_.ReplacementStrings[5,0,6]
$time = $_.TimeGenerated
Write-Host "Logon Failure (4771): $user from $client at $time" -foregroundcolor yellow
Get-EventLog -LogName security -EntryType FailureAudit -InstanceId 4625 -ErrorAction Stop @PSBoundParameters |
ForEach-Object {
$domain, $user, $client = $_.ReplacementStrings[5,6,13]
$time = $_.TimeGenerated
Write-Host "Logon Failure (4625): $domain\$user from $client at $time" -foregroundcolor yellow
# catch
# {
# if ($_.CategoryInfo.Category -eq 'ObjectNotFound')
# {
## Write-Host "No logon failures found." -ForegroundColor Green
# }
# else
# {
# Write-Warning "Error occured: $_"
# }


Show 10 oldest AD accounts

get-aduser -filter * -properties *| select name, created | sort created | select -first 10

Show 10 newest AD accounts

get-aduser -filter * -properties *| select name, created | sort created | select -last 10