Top 10 Essential Active Directory PowerShell Scripts

User, Group & Account Management

Ten Scripts Every AD Admin Should Know

Active Directory (AD) is the backbone of identity and access management in most business networks. These ten PowerShell scripts cover the tasks IT admins run most often — from looking up users to unlocking accounts and cleaning up group membership.

Scripts marked Read-Only only retrieve information and are safe to run anytime. Scripts marked Use with Caution change something in Active Directory — test them in a non-production OU first.

Top 10 Essential Active Directory PowerShell Scripts
Requires: Active Directory PowerShell module (RSAT-AD-PowerShell) and appropriate delegated or Domain Admin rights.

1. Get a List of All AD Users Read-Only

Fetches every user in Active Directory along with their full property set — useful for a quick review on screen.

Get-ADUser -Filter * -Properties *

2. Create a New AD User Use with Caution

Creates a new, enabled user account with a password set at creation. Prompting for the password keeps it out of your script and command history:

$SecurePassword = Read-Host -AsSecureString "Enter password for new user"

New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" `
    -SamAccountName "jdoe" -UserPrincipalName "jdoe@domain.com" `
    -Path "OU=Users,DC=domain,DC=com" `
    -AccountPassword $SecurePassword -Enabled $true -ChangePasswordAtLogon $true

Without -AccountPassword and -Enabled $true, New-ADUser creates a disabled account with no password — it won't be usable until those are set.

3. Reset an AD User's Password Use with Caution

Resets a user's password as an administrator. Using Read-Host -AsSecureString avoids typing the new password in plain text, and -Reset tells PowerShell this is an admin-initiated reset rather than a self-service change:

$NewPassword = Read-Host -AsSecureString "Enter new password"

Set-ADAccountPassword -Identity "jdoe" -NewPassword $NewPassword -Reset
Set-ADUser -Identity "jdoe" -ChangePasswordAtLogon $true

The second line forces the user to choose their own new password at next sign-in — standard practice after any admin password reset.

4. Enable or Disable an AD Account Use with Caution

Toggle whether an account can sign in — commonly used for offboarding or temporary suspension:

Enable-ADAccount -Identity "jdoe"
Disable-ADAccount -Identity "jdoe"

5. Add a User to an AD Group Use with Caution

Adds a user to a specified group — useful for granting access to shared resources or applications tied to group membership:

Add-ADGroupMember -Identity "GroupName" -Members "jdoe"

6. Remove a User from an AD Group Use with Caution

Removes a user from a group. -Confirm:$false skips the confirmation prompt — convenient for scripting, but double-check the group and username before running this against privileged groups like Domain Admins:

Remove-ADGroupMember -Identity "GroupName" -Members "jdoe" -Confirm:$false

7. Get a List of Users in an AD Group Read-Only

Retrieves every member of a specified group — a good habit before making changes to that group:

Get-ADGroupMember -Identity "GroupName"

8. Find and Export Locked-Out AD Accounts Read-Only

Identifies every currently locked-out account and exports the details to a CSV for auditing or help desk triage:

# Find all locked-out AD accounts
$LockedOutAccounts = Search-ADAccount -LockedOut

# Export the locked-out users' details to CSV
$LockedOutAccounts | Select-Object Name, SamAccountName, ObjectClass, LockedOut |
    Export-Csv -Path "C:\LockedOut_AD_Users.csv" -NoTypeInformation

9. Unlock an AD Account and Log the Change Use with Caution

Unlocks a specific account and exports the updated user details to CSV for your records:

$UserName = "jdoe"

Unlock-ADAccount -Identity $UserName

$UnlockedUser = Get-ADUser -Identity $UserName -Properties *
$UnlockedUser | Select-Object Name, SamAccountName, Enabled, LockedOut |
    Export-Csv -Path "C:\Unlocked_AD_Users.csv" -NoTypeInformation

10. Export All AD Users to a CSV File Read-Only

Exports every AD user and their full properties to a CSV file for offline analysis, reporting, or license audits:

Get-ADUser -Filter * -Properties * |
    Export-Csv -Path "C:\AD_Users.csv" -NoTypeInformation
Best Practices Before You Run These
  • Never hardcode passwords in plain text. Use Read-Host -AsSecureString or a secrets manager instead.
  • Test in a non-production OU first — especially the scripts marked "Use with Caution."
  • After any admin password reset, set -ChangePasswordAtLogon $true so the user chooses their own new password.
  • Before bulk group changes, run the read-only "Get" script first to confirm you're targeting the right users and groups.

When using any software or code, it is important to remember that there is always a certain level of risk involved. As a user, you are responsible for ensuring that the software or code you are using is suitable for your needs and that you are aware of any potential risks associated with its use.

If you are considering using any code or software provided by ITMS, we advise you to review our terms of service at https://www.itms-us.com/Website-Terms-Of-Use.

Any code provided by ITMS is provided "as is," without warranties or guarantees. By using our code, you acknowledge and accept the risks associated with its use and agree to hold ITMS harmless for any damages or losses that may result.

Managing Active Directory Shouldn't Be a Guessing Game

IT Master Services keeps your AD environment clean, secure, and audit-ready — so your team can focus on the business, not the directory.

Managed IT Services