Active Directory (AD) is the backbone of identity and access management in most business networks. These ten PowerShell scripts cover the tasks IT admins run most often — from looking up users to unlocking accounts and cleaning up group membership.
Scripts marked Read-Only only retrieve information and are safe to run anytime. Scripts marked Use with Caution change something in Active Directory — test them in a non-production OU first.
RSAT-AD-PowerShell
Fetches every user in Active Directory along with their full property set — useful for a quick review on screen.
Get-ADUser -Filter * -Properties *
Creates a new, enabled user account with a password set at creation. Prompting for the password keeps it out of your script and command history:
$SecurePassword = Read-Host -AsSecureString "Enter password for new user" New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" ` -SamAccountName "jdoe" -UserPrincipalName "jdoe@domain.com" ` -Path "OU=Users,DC=domain,DC=com" ` -AccountPassword $SecurePassword -Enabled $true -ChangePasswordAtLogon $true
Without -AccountPassword and -Enabled $true, New-ADUser creates a disabled account with no password — it won't be usable until those are set.
-AccountPassword
-Enabled $true
New-ADUser
Resets a user's password as an administrator. Using Read-Host -AsSecureString avoids typing the new password in plain text, and -Reset tells PowerShell this is an admin-initiated reset rather than a self-service change:
Read-Host -AsSecureString
-Reset
$NewPassword = Read-Host -AsSecureString "Enter new password" Set-ADAccountPassword -Identity "jdoe" -NewPassword $NewPassword -Reset Set-ADUser -Identity "jdoe" -ChangePasswordAtLogon $true
The second line forces the user to choose their own new password at next sign-in — standard practice after any admin password reset.
Toggle whether an account can sign in — commonly used for offboarding or temporary suspension:
Enable-ADAccount -Identity "jdoe" Disable-ADAccount -Identity "jdoe"
Adds a user to a specified group — useful for granting access to shared resources or applications tied to group membership:
Add-ADGroupMember -Identity "GroupName" -Members "jdoe"
Removes a user from a group. -Confirm:$false skips the confirmation prompt — convenient for scripting, but double-check the group and username before running this against privileged groups like Domain Admins:
-Confirm:$false
Remove-ADGroupMember -Identity "GroupName" -Members "jdoe" -Confirm:$false
Retrieves every member of a specified group — a good habit before making changes to that group:
Get-ADGroupMember -Identity "GroupName"
Identifies every currently locked-out account and exports the details to a CSV for auditing or help desk triage:
# Find all locked-out AD accounts $LockedOutAccounts = Search-ADAccount -LockedOut # Export the locked-out users' details to CSV $LockedOutAccounts | Select-Object Name, SamAccountName, ObjectClass, LockedOut | Export-Csv -Path "C:\LockedOut_AD_Users.csv" -NoTypeInformation
Unlocks a specific account and exports the updated user details to CSV for your records:
$UserName = "jdoe" Unlock-ADAccount -Identity $UserName $UnlockedUser = Get-ADUser -Identity $UserName -Properties * $UnlockedUser | Select-Object Name, SamAccountName, Enabled, LockedOut | Export-Csv -Path "C:\Unlocked_AD_Users.csv" -NoTypeInformation
Exports every AD user and their full properties to a CSV file for offline analysis, reporting, or license audits:
Get-ADUser -Filter * -Properties * | Export-Csv -Path "C:\AD_Users.csv" -NoTypeInformation
-ChangePasswordAtLogon $true
When using any software or code, it is important to remember that there is always a certain level of risk involved. As a user, you are responsible for ensuring that the software or code you are using is suitable for your needs and that you are aware of any potential risks associated with its use.
If you are considering using any code or software provided by ITMS, we advise you to review our terms of service at https://www.itms-us.com/Website-Terms-Of-Use.
Any code provided by ITMS is provided "as is," without warranties or guarantees. By using our code, you acknowledge and accept the risks associated with its use and agree to hold ITMS harmless for any damages or losses that may result.
IT Master Services keeps your AD environment clean, secure, and audit-ready — so your team can focus on the business, not the directory.