Active Directory PowerShell

Active Directory PowerShell cmdlets for domain and user management.

DC Shutdown Procedure

Step 1: Check FSMO roles

Transfer roles if needed before shutdown

netdom query fsmo

Display FSMO role holders

Step 2: Force replication

Ensure changes are replicated

repadmin /syncall /AdeP

Force sync with all partners

Step 3: Notify users

Warn of maintenance window

Step 4: Graceful shutdown

Shutdown or restart DC

Stop-Computer -Force

Shutdown computer

Restart-Computer -Force

Restart computer

shutdown /s /t 60 /c "DC Maintenance"

Shutdown with 60s warning
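The four steps above as a single PowerShell pre-flight script. This is an added example, not code from the original page: it finds out whether the DC about to go down holds any FSMO role and transfers the roles first, refuses to continue while that DC has outstanding inbound replication failures, forces a final sync, and then restarts it. The names DC02 (target), DC01 (standby) and the 15-minute restart timeout are assumptions.

```powershell
# Added example: pre-flight checks and graceful restart of a domain controller.
# Assumes the ActiveDirectory module, Domain Admin rights, and that this runs on a
# management host rather than on the DC being restarted. DC names are hypothetical.
Import-Module ActiveDirectory

$TargetDC  = 'DC02'   # assumption: the DC going down for maintenance
$StandbyDC = 'DC01'   # assumption: DC that should hold any FSMO roles meanwhile

$domain     = Get-ADDomain
$forest     = Get-ADForest
$targetFqdn = (Get-ADDomainController -Identity $TargetDC).HostName

# Step 1: map every FSMO role to its holder and see which ones the target holds
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$held = @($roles.GetEnumerator() | Where-Object { $_.Value -eq $targetFqdn } | ForEach-Object { $_.Key })
if ($held.Count -gt 0) {
    Write-Warning "$TargetDC holds FSMO roles: $($held -join ', '); transferring to $StandbyDC"
    # Transfer while the source is still online and healthy; adding -Force would seize instead
    Move-ADDirectoryServerOperationMasterRole -Identity $StandbyDC -OperationMasterRole $held -Confirm:$false
}

# Step 2a: do not continue while the target still has failing inbound replication
$failures = @(Get-ADReplicationFailure -Target $targetFqdn)
if ($failures.Count -gt 0) {
    $failures | Format-Table Server, Partner, FirstFailureTime, FailureCount, LastError -AutoSize
    throw "Replication failures on $TargetDC; resolve them before shutdown"
}

# Step 2b: push pending changes from the target to all partners, all partitions
repadmin /syncall $targetFqdn /AdeP | Out-Null
if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall returned $LASTEXITCODE; not shutting down" }

# Step 3: user notification happens out of band (change ticket, maintenance banner)

# Step 4: graceful restart; -Wait blocks until the DC answers PowerShell remoting again
Restart-Computer -ComputerName $targetFqdn -Force -Wait -For PowerShell -Timeout 900

# Post-check: the DC is back and holds no roles it should not
Get-ADDomainController -Identity $TargetDC | Select-Object HostName, IsReadOnly, OperationMasterRoles
```

Transferring rather than seizing matters: a seize while the old holder is merely offline leaves two DCs believing they own the role once it returns, which is the classic cause of duplicate RID pools.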

Module Setup

Import-Module ActiveDirectory

Import Active Directory PowerShell module

Get-Module -ListAvailable ActiveDirectory

Check if AD module is installed

Install-WindowsFeature RSAT-AD-PowerShell

Install AD PowerShell module (Server)

Get-Command -Module ActiveDirectory

List all AD cmdlets

Get-Help Get-ADUser -Full

Get detailed help for AD cmdlet

User Management

Get-ADUser -Filter *

Get all AD users

Get-ADUser -Identity username

Get specific user by username

Get-ADUser -Filter {Enabled -eq $true}

Get all enabled users

Get-ADUser -Filter * -Properties *

Get all users with all properties (expensive on a large domain, since every attribute of every user is pulled; name the properties you actually need instead)

New-ADUser -Name "John Doe" -SamAccountName jdoe -UserPrincipalName jdoe@domain.com

Create new AD user (without -AccountPassword and -Enabled $true the account is created disabled with no password; the password parameter takes a SecureString, not a literal)

Set-ADUser -Identity username -Description "New description"

Modify user properties

Set-ADAccountPassword -Identity username -Reset -NewPassword (Read-Host "New password" -AsSecureString)

Reset user password, prompting for it; a literal password on the command line (ConvertTo-SecureString "..." -AsPlainText -Force) is recorded in PSReadLine history, transcripts and process-creation auditing (Event ID 4688 with command-line logging)

Enable-ADAccount -Identity username

Enable user account

Disable-ADAccount -Identity username

Disable user account

Unlock-ADAccount -Identity username

Unlock locked user account

Remove-ADUser -Identity username -Confirm:$false

Delete user account

Search-ADAccount -LockedOut

Find all locked out accounts

Search-ADAccount -AccountDisabled

Find all disabled accounts

Search-ADAccount -AccountExpired

Find all expired accounts

Search-ADAccount -PasswordExpired

Find accounts with expired passwords
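Lockout triage, built from the Search-ADAccount and Get-ADUser cmdlets above. This is an added example and not part of the original page. Every DC forwards bad-password attempts and lockouts to the PDC emulator, so querying that one DC gives a domain-wide view without waiting for replication. The "5 lockouts in 30 minutes" spraying threshold is an assumption to tune to your lockout policy and user count.

```powershell
# Added example: lockout triage against the PDC emulator (domain-wide view of bad
# password attempts). Assumes the ActiveDirectory module and rights to read user
# lockout attributes. The spray threshold below is an assumption.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator

$props  = 'AccountLockoutTime', 'LastBadPasswordAttempt', 'badPwdCount', 'LastLogonDate', 'Description'
$report = Search-ADAccount -LockedOut -UsersOnly -Server $pdc | ForEach-Object {
    # Re-read each account from the PDC so lockout time and bad-password counters are current
    Get-ADUser -Identity $_.DistinguishedName -Server $pdc -Properties $props
} | Select-Object SamAccountName, Enabled, AccountLockoutTime, LastBadPasswordAttempt,
                  badPwdCount, LastLogonDate, Description

# Many lockouts inside a short window look like password spraying, not forgotten passwords
$recent = @($report | Where-Object { $_.AccountLockoutTime -gt (Get-Date).AddMinutes(-30) })
if ($recent.Count -ge 5) {
    Write-Warning ("{0} lockouts in the last 30 minutes; check Event ID 4740 on {1} for the Caller Computer Name before unlocking anything" -f $recent.Count, $pdc)
}

$report | Sort-Object AccountLockoutTime -Descending | Format-Table -AutoSize

# Unlock one account at a time, on the PDC so it takes effect immediately, and only
# once the source of the bad attempts is known:
#   Unlock-ADAccount -Identity <SamAccountName> -Server $pdc
```

Bulk-unlocking during an active spray simply hands the attacker fresh attempts; the 4740 event's caller computer is what you want before any unlock.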

Group Management

Get-ADGroup -Filter *

Get all AD groups

Get-ADGroup -Identity "Group Name"

Get specific group

Get-ADGroupMember -Identity "Group Name"

Get group members

Get-ADGroupMember -Identity "Group Name" -Recursive

Get group members recursively

New-ADGroup -Name "New Group" -GroupScope Global -GroupCategory Security

Create new security group

Add-ADGroupMember -Identity "Group Name" -Members username

Add user to group

Remove-ADGroupMember -Identity "Group Name" -Members username -Confirm:$false

Remove user from group

Get-ADPrincipalGroupMembership -Identity username

Get user group memberships

Remove-ADGroup -Identity "Group Name" -Confirm:$false

Delete group
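A privileged-group audit using Get-ADGroupMember -Recursive, added here as an example (not from the original page). It expands the built-in high-privilege groups to their leaf members and flags the configurations an attacker looks for first: non-user members, admins with an SPN (Kerberoastable), admins not marked "sensitive, cannot be delegated", and stale or never-expiring passwords. Only the ActiveDirectory module is assumed; the group list is the well-known defaults and the age thresholds are assumptions.

```powershell
# Added example: recursive audit of privileged group membership.
# Assumes the ActiveDirectory module; thresholds (365-day password, 90-day logon) are assumptions.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$userProps = 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate',
             'ServicePrincipalName', 'AccountNotDelegated', 'Enabled'

$findings = foreach ($g in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain
    $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # -Recursive flattens nested groups and returns only leaf objects (users, computers, gMSAs)
    foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
        if ($m.objectClass -ne 'user') {
            [pscustomobject]@{ Group = $g; Member = $m.SamAccountName; Issue = "non-user member ($($m.objectClass)) holds admin rights" }
            continue
        }
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties $userProps
        $issues = @()
        if ($u.PasswordNeverExpires)                             { $issues += 'password never expires' }
        if ($u.PasswordLastSet -lt (Get-Date).AddDays(-365))     { $issues += 'password older than 1 year' }
        if ($u.ServicePrincipalName.Count -gt 0)                 { $issues += 'has SPN: Kerberoastable admin' }
        if (-not $u.AccountNotDelegated)                         { $issues += 'not marked "sensitive, cannot be delegated"' }
        if ($u.Enabled -and $u.LastLogonDate -lt (Get-Date).AddDays(-90)) { $issues += 'enabled but unused for 90+ days' }
        foreach ($i in $issues) {
            [pscustomobject]@{ Group = $g; Member = $u.SamAccountName; Issue = $i }
        }
    }
}

$findings | Sort-Object Group, Member | Format-Table -AutoSize
```

Run it from a tier-0 workstation; the output is itself a target list.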

Computer Management

Get-ADComputer -Filter *

Get all AD computers

Get-ADComputer -Identity computername

Get specific computer

Get-ADComputer -Filter {Enabled -eq $true}

Get all enabled computers

Get-ADComputer -Filter * -Properties *

Get all computers with all properties

New-ADComputer -Name "COMPUTER01" -Path "OU=Computers,DC=domain,DC=com"

Create new computer object

Set-ADComputer -Identity computername -Description "New description"

Modify computer properties

Remove-ADComputer -Identity computername -Confirm:$false

Delete computer object

Test-ComputerSecureChannel -Server DC01

Test the local computer's secure channel to the domain, against DC01 (-Server names the DC to test with, not the computer being tested; run it on the machine whose trust is suspect, and add -Repair -Credential to rebuild a broken channel)

Reset-ComputerMachinePassword -Server DC01

Reset the local computer's machine account password, using DC01 to write it (run on the affected computer, not against a remote one)

Organizational Unit (OU) Management

Get-ADOrganizationalUnit -Filter *

Get all OUs

Get-ADOrganizationalUnit -Identity "OU=Users,DC=domain,DC=com"

Get specific OU

New-ADOrganizationalUnit -Name "New OU" -Path "DC=domain,DC=com"

Create new OU

Set-ADOrganizationalUnit -Identity "OU=Users,DC=domain,DC=com" -Description "New description"

Modify OU properties

Remove-ADOrganizationalUnit -Identity "OU=Test,DC=domain,DC=com" -Confirm:$false

Delete OU

Set-ADOrganizationalUnit -Identity "OU=Users,DC=domain,DC=com" -ProtectedFromAccidentalDeletion $true

Protect OU from deletion

Domain & Forest Management

Get-ADDomain

Get current domain information

Get-ADForest

Get forest information

Get-ADDomainController

Get the domain controller this session is bound to (with no arguments it returns one DC, not all of them)

Get-ADDomainController -Discover

Discover nearest domain controller

Get-ADDomainController -Filter *

Get all DCs in domain

Test-ComputerSecureChannel

Test the local computer's secure channel to its own domain (this is the machine-account trust, not an inter-domain trust; inter-domain trusts are inspected with Get-ADTrust)

Get-ADReplicationSite -Filter *

Get all AD sites

Get-ADReplicationSubnet -Filter *

Get all AD subnets

Get-ADTrust -Filter *

Get all domain trusts
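A trust audit built on Get-ADTrust, added here as an example (not part of the original page). It decodes the trustAttributes bit flags documented in MS-ADTS and flags the combinations that matter for lateral movement from the other domain: SID filtering off on an external trust, SID history enabled across a forest trust, no selective authentication on a trust this domain extends, RC4-only trust keys, and TGT delegation across the trust. Only the ActiveDirectory module is assumed.

```powershell
# Added example: decode each trust's attribute flags and report risky settings.
# Flag values are the MS-ADTS trustAttributes bits. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$QUARANTINED_DOMAIN  = 0x04   # SID filtering enabled on an external trust (netdom /quarantine:yes)
$FOREST_TRANSITIVE   = 0x08
$CROSS_ORGANIZATION  = 0x10   # selective authentication
$WITHIN_FOREST       = 0x20
$TREAT_AS_EXTERNAL   = 0x40   # netdom /enablesidhistory:yes on a forest trust; relaxes SID filtering
$USES_RC4_ENCRYPTION = 0x80

$findings = foreach ($t in Get-ADTrust -Filter *) {
    $a      = [int]$t.TrustAttributes
    $issues = @()
    # Direction is from this domain's point of view: Outbound / BiDirectional means this domain
    # trusts the other one, so its principals can authenticate to resources here.
    $weTrustThem = $t.Direction -ne 'Inbound'
    $external    = -not ($a -band $FOREST_TRANSITIVE) -and -not ($a -band $WITHIN_FOREST)

    if ($weTrustThem -and $external -and -not ($a -band $QUARANTINED_DOMAIN)) {
        $issues += 'external trust without SID filtering: SID history from the other domain is honoured'
    }
    if ($weTrustThem -and ($a -band $FOREST_TRANSITIVE) -and ($a -band $TREAT_AS_EXTERNAL)) {
        $issues += 'forest trust with SID history enabled (TREAT_AS_EXTERNAL): SID filtering weakened'
    }
    if ($weTrustThem -and -not ($a -band $CROSS_ORGANIZATION)) {
        $issues += 'no selective authentication: every user of the trusted domain can authenticate here'
    }
    if ($a -band $USES_RC4_ENCRYPTION) { $issues += 'trust keys limited to RC4; enable AES on the trust' }
    if ($t.TGTDelegation)              { $issues += 'TGT delegation allowed across the trust' }

    [pscustomobject]@{
        Trust      = $t.Name
        Direction  = $t.Direction
        Forest     = [bool]($a -band $FOREST_TRANSITIVE)
        Attributes = ('0x{0:X}' -f $a)
        Issues     = ($issues -join '; ')
    }
}

$findings | Format-Table -AutoSize
```

Trusts are a one-way door for an attacker who already owns the other side; an inbound-only trust with none of these issues is the least concerning row, an outbound external trust without quarantine is the most.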

Group Policy Management

Get-GPO -All

Get all Group Policy Objects (the GPO cmdlets come from the GroupPolicy module, installed with the Group Policy Management feature, not from the ActiveDirectory module)

Get-GPO -Name "GPO Name"

Get specific GPO

New-GPO -Name "New GPO"

Create new GPO

New-GPLink -Name "GPO Name" -Target "OU=Users,DC=domain,DC=com"

Link GPO to OU (Set-GPLink only modifies an existing link's enabled, enforced and order settings; it cannot create the link)

Get-GPOReport -Name "GPO Name" -ReportType Html -Path C:\report.html

Generate GPO report

Invoke-GPUpdate -Force

Force group policy update

gpresult /r

Display applied group policies

gpresult /h C:\gpreport.html

Generate HTML GPResult report
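A GPO hygiene pass combining Backup-GPO, Get-GPOReport and Get-GPPermission, added as an example (not from the original page). It backs up every GPO, then parses each GPO's XML report to find GPOs linked nowhere, checks that Authenticated Users can still read and apply the GPO, and lists every trustee other than SYSTEM, Enterprise Domain Controllers, Creator Owner, Domain Admins and Enterprise Admins who holds edit rights; edit rights on a linked GPO are code execution on every computer in its scope. The backup path is an assumption.

```powershell
# Added example: GPO backup plus a permissions and linkage audit.
# Assumes the GroupPolicy module (GPMC feature) and rights to read GPO ACLs.
Import-Module GroupPolicy

$backupDir = Join-Path 'C:\GPOBackup' (Get-Date -Format 'yyyyMMdd-HHmm')   # assumed path
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -All -Path $backupDir | Out-Null

$expectedEditorSids = 'S-1-5-18', 'S-1-5-9', 'S-1-3-0'   # SYSTEM, Enterprise Domain Controllers, Creator Owner
$adminRids          = '-512', '-519'                    # Domain Admins, Enterprise Admins (domain-relative)
$editRights         = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$findings = foreach ($gpo in Get-GPO -All) {
    # The XML report carries a LinksTo element per link; no enabled link means the GPO does nothing
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' })
    if ($links.Count -eq 0) {
        [pscustomobject]@{ GPO = $gpo.DisplayName; Issue = 'not linked anywhere (or all links disabled)' }
    }

    $perms = Get-GPPermission -Guid $gpo.Id -All
    # Authenticated Users (S-1-5-11) must keep Read or Apply, otherwise the GPO silently stops applying
    $authUsersOk = $perms | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' -and $_.Permission -in 'GpoRead', 'GpoApply' }
    if (-not $authUsersOk) {
        [pscustomobject]@{ GPO = $gpo.DisplayName; Issue = 'Authenticated Users cannot read/apply this GPO' }
    }

    foreach ($p in $perms | Where-Object { $_.Permission -in $editRights -and -not $_.Denied }) {
        $sid     = $p.Trustee.Sid.Value
        $isAdmin = ($sid -in $expectedEditorSids) -or ($adminRids | Where-Object { $sid.EndsWith($_) })
        if (-not $isAdmin) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Issue = "edit rights held by $($p.Trustee.Name) ($sid)" }
        }
    }
}

$findings | Sort-Object GPO | Format-Table -AutoSize
```

Matching on SIDs rather than display names keeps the check correct across domains and renamed groups; a delegated helpdesk group showing up as an editor of a domain-wide GPO is the finding this exists to surface.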

Password & Security Policies

Get-ADDefaultDomainPasswordPolicy

Get default password policy

Set-ADDefaultDomainPasswordPolicy -Identity domain.com -MaxPasswordAge (New-TimeSpan -Days 90)

Set password max age (the parameter is a TimeSpan; a bare 90 is interpreted as 90 ticks, not 90 days)

Get-ADFineGrainedPasswordPolicy -Filter *

Get all fine-grained password policies

New-ADFineGrainedPasswordPolicy -Name "Policy Name" -Precedence 10 -MinPasswordLength 12

Create fine-grained password policy

Add-ADFineGrainedPasswordPolicySubject -Identity "Policy Name" -Subjects "Group Name"

Apply password policy to group

Get-ADUserResultantPasswordPolicy -Identity username

Get effective password policy for user
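The fine-grained policy cmdlets above as one idempotent script, added here as an example (not from the original page): it creates a stricter PSO for privileged accounts using the TimeSpan parameters the cmdlets expect, applies it to Domain Admins, and verifies with Get-ADUserResultantPasswordPolicy that the PSO actually wins for each member. The PSO name and its values are assumptions; the domain must be at functional level 2008 or higher.

```powershell
# Added example: stricter password/lockout policy for the privileged tier, then verification.
# Assumes the ActiveDirectory module and Domain Admin rights; name and values are assumptions.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)   # observation window must not exceed duration
}

# PSOs apply to users and global security groups only; they cannot be linked to an OU
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
if ($subjects.SamAccountName -notcontains 'Domain Admins') {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'
}

# Verify: the lowest Precedence wins when several PSOs match a user;
# a null result means the default domain policy applies instead
$default = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rp        = Get-ADUserResultantPasswordPolicy -Identity $_.DistinguishedName
        $effective = if ($rp) { $rp } else { $default }
        [pscustomobject]@{
            User             = $_.SamAccountName
            Policy           = $(if ($rp) { $rp.Name } else { 'Default Domain Policy' })
            MinLength        = $effective.MinPasswordLength
            MaxAgeDays       = $effective.MaxPasswordAge.Days
            LockoutThreshold = $effective.LockoutThreshold
        }
    } | Format-Table -AutoSize
```

A PSO with a lower numeric precedence than this one, applied to a broader group, would silently override it; the verification step is what catches that.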

Reporting & Auditing

Get-ADUser -Filter * -Properties LastLogonDate | Select Name,LastLogonDate

Get user last logon dates

$cutoff = (Get-Date).AddDays(-90); Get-ADUser -Filter {LastLogonDate -lt $cutoff}

Find inactive users (90 days); compute the date into a variable first, because the AD filter parser accepts variables but not method calls such as (Get-Date).AddDays(). LastLogonDate is derived from lastLogonTimestamp, which replicates only when it is more than 14 days stale, so it is accurate to about two weeks

$cutoff = (Get-Date).AddDays(-90); Get-ADComputer -Filter {LastLogonDate -lt $cutoff}

Find inactive computers (90 days), with the same caveats

Get-ADUser -Filter * -Properties PasswordLastSet | Select Name,PasswordLastSet

Get password last set dates

Get-ADUser -Filter * -Properties Created | Select Name,Created

Get user creation dates

Get-ADGroup -Filter * | Measure-Object

Count total groups

Get-ADUser -Filter * | Measure-Object

Count total users

Get-ADComputer -Filter * | Measure-Object

Count total computers
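A stale-account report that combines the reporting queries above, added as an example (not code from the original page). It computes the cutoff outside the filter, handles accounts that have never logged on (a null LastLogonDate never matches -lt, so they need a separate -notlike query), skips accounts created after the cutoff, marks service accounts by SPN, and ends with a conservative remediation (disable and annotate, never delete) that runs with -WhatIf. The 90-day window and the output path are assumptions.

```powershell
# Added example: inactive user and computer report with the caveats handled.
# LastLogonDate comes from lastLogonTimestamp, which replicates only when it drifts by
# more than 14 days (default), so treat it as coarse. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$days   = 90                                     # assumption
$cutoff = (Get-Date).AddDays(-$days)             # variable, not an expression, for -Filter
$out    = "C:\Reports\stale-accounts-$(Get-Date -Format yyyyMMdd).csv"   # assumed path
$uProps = 'LastLogonDate', 'PasswordLastSet', 'Created', 'ServicePrincipalName', 'PasswordNeverExpires'

$inactive = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties $uProps
$never    = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -notlike '*' } -Properties $uProps

$staleUsers = @($inactive) + @($never) |
    Where-Object { $_.Created -lt $cutoff } |      # a new account that has not been used yet is not stale
    ForEach-Object {
        [pscustomobject]@{
            Type            = 'user'
            Name            = $_.SamAccountName
            LastLogonDate   = $_.LastLogonDate
            PasswordLastSet = $_.PasswordLastSet
            Created         = $_.Created
            Note            = $(if ($_.ServicePrincipalName.Count -gt 0) { 'has SPN: service account' } else { '' })
        }
    }

$staleComputers = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
        -Properties LastLogonDate, PasswordLastSet, Created, OperatingSystem |
    Where-Object { $_.Created -lt $cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            Type            = 'computer'
            Name            = $_.Name
            LastLogonDate   = $_.LastLogonDate
            PasswordLastSet = $_.PasswordLastSet
            Created         = $_.Created
            Note            = $_.OperatingSystem
        }
    }

$stale = @($staleUsers) + @($staleComputers)
$stale | Export-Csv -Path $out -NoTypeInformation
"$($stale.Count) stale accounts written to $out"

# Remediate conservatively: disable and stamp the reason; delete only after a grace period.
# Service accounts are left for their owners. Remove -WhatIf once the list has been reviewed.
$staleUsers | Where-Object { -not $_.Note } | ForEach-Object {
    Set-ADUser -Identity $_.Name -Description "Disabled $(Get-Date -Format yyyy-MM-dd): no logon in $days days" -WhatIf
    Disable-ADAccount -Identity $_.Name -WhatIf
}
```

A disabled account can be re-enabled in seconds when someone returns from long leave; a deleted one needs a restore from the Recycle Bin or a backup, and its SID history is the part you cannot easily get back.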

Bulk Operations

Import-Csv users.csv | ForEach-Object {New-ADUser -Name $_.Name -SamAccountName $_.Username}

Bulk create users from CSV (as written the accounts are created disabled with no password; add -AccountPassword, -Enabled $true and -ChangePasswordAtLogon $true to get usable accounts)

Get-ADUser -Filter * | Set-ADUser -City "New York"

Bulk update user attribute

Get-ADUser -Filter * -SearchBase "OU=ToDisable,DC=domain,DC=com" | Disable-ADAccount

Bulk disable users in OU

Get-ADUser -Filter {Enabled -eq $false} | Remove-ADUser -Confirm:$false

Bulk delete disabled users (destructive and unscoped: the set includes disabled built-in and service accounts; preview with -WhatIf in place of -Confirm:$false, and narrow it with -SearchBase)

Get-ADComputer -Filter {OperatingSystem -like "*Windows 7*"} | Remove-ADComputer -Confirm:$false

Bulk remove computers by OS (the OperatingSystem attribute is self-reported by the client and can be stale; preview with -WhatIf before deleting)
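The CSV import above done safely, added here as an example that serves both the "Create new AD user" entry and the bulk section (it is not code from the original page). Each user gets an individual password from a CSPRNG with rejection sampling, so no password ever appears on the command line, in shell history or in the CSV; accounts are created enabled with "change password at next logon"; existing accounts are skipped; and the whole run is gated behind -WhatIf until reviewed. The CSV rows are constructed inline for the example and the column names are assumptions.

```powershell
# Added example: bulk user creation with per-user random passwords and a -WhatIf gate.
# Assumes the ActiveDirectory module and rights to create users in the target OU.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # Alphabet omits look-alike characters (l, I, O, 0, 1) for passwords read out to a person
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%&*-_=+?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()   # CSPRNG, never Get-Random
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling removes modulo bias
    $sb    = New-Object System.Text.StringBuilder
    $byte  = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

# Constructed sample input; in practice: $rows = Import-Csv .\users.csv
$rows = @'
Name,Sam,UPN,OU,Department
Alice Example,aexample,aexample@domain.com,"OU=Users,DC=domain,DC=com",IT
Bob Example,bexample,bexample@domain.com,"OU=Users,DC=domain,DC=com",Finance
'@ | ConvertFrom-Csv

$WhatIf = $true   # set to $false only after reviewing the -WhatIf output

$handoff = foreach ($row in $rows) {
    try   { Get-ADUser -Identity $row.Sam -ErrorAction Stop | Out-Null; $exists = $true }
    catch { $exists = $false }
    if ($exists) { Write-Warning "$($row.Sam) already exists; skipping"; continue }

    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-ADUser -Name $row.Name -SamAccountName $row.Sam -UserPrincipalName $row.UPN `
        -Path $row.OU -Department $row.Department `
        -AccountPassword $secure -Enabled $true -ChangePasswordAtLogon $true `
        -WhatIf:$WhatIf

    # The initial password is returned only to the caller for out-of-band delivery
    [pscustomobject]@{ Sam = $row.Sam; InitialPassword = $plain }
}

# $handoff now holds one object per created user; pass it to the onboarding workflow
# and never Export-Csv it to a file share or ticket.
```

ChangePasswordAtLogon ensures the generated value is a one-time secret: once the user has set their own, the copy in the onboarding workflow is worthless.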

LDAP Queries

Get-ADUser -LDAPFilter "(mail=*@domain.com)"

Find users by email domain

Get-ADUser -LDAPFilter "(department=IT)"

Find users by department

Get-ADObject -LDAPFilter "(objectClass=*)"

Get all AD objects (walks the entire default naming context; narrow it with -SearchBase, or page it with -ResultPageSize on a large directory)

Get-ADUser -Filter * -SearchBase "OU=Users,DC=domain,DC=com"

Search within specific OU

Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

Find all enabled users (LDAP)
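LDAP filters like the ones above are usually built from a value somebody typed into a tool or web form, which makes them an injection surface. This added example (not from the original page) escapes a value per RFC 4515 before it is interpolated into an -LDAPFilter string, and shows what an unescaped hostile value would do to the department query. The function names and the sample hostile input are constructed for the example.

```powershell
# Added example: LDAP filter escaping (RFC 4515) for values taken from untrusted input.
# Assumes the ActiveDirectory module; ConvertTo-LdapFilterValue and Find-ADUserByDepartment
# are hypothetical helper names.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: the metacharacters * ( ) \ and NUL in an assertion value become \XX hex escapes
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            '\'     { [void]$sb.Append('\5c') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

function Find-ADUserByDepartment {
    param([Parameter(Mandatory)][string]$Department)
    $safe = ConvertTo-LdapFilterValue $Department
    # Anchor the object type so an injected clause cannot widen the result to other classes either
    Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(department=$safe))" -Properties department
}

# Constructed hostile input: closes the department clause and matches every user
$hostile = 'IT)(objectClass=*'
"Unescaped: (department=$hostile)"
"Escaped:   (department=$(ConvertTo-LdapFilterValue $hostile))"
# Unescaped, the filter is (department=IT)(objectClass=*), which a filter like
# (|(department=<input>)) would turn into a match on all users. Escaped, it matches only
# a department literally named "IT)(objectClass=*", i.e. nothing.

Find-ADUserByDepartment -Department 'IT' | Select-Object SamAccountName, department
```

The PowerShell-syntax -Filter has its own quoting rules (double any single quote inside a single-quoted value); the RFC 4515 escaping here is for -LDAPFilter and raw LDAP only.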

Replication & Troubleshooting

repadmin /showrepl

Display replication status

repadmin /replsummary

Display replication summary

repadmin /syncall /AdeP

Force replication across all DCs

dcdiag /v

Run domain controller diagnostics

dcdiag /test:dns

Test DNS on domain controller

nltest /dsgetdc:domain.com

Locate domain controller

Get-ADReplicationFailure -Target DC01

Get replication failures for DC

Get-ADReplicationPartnerMetadata -Target DC01

Get replication partner info
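Replication health across every DC in the domain, derived from the partner metadata rather than by parsing repadmin's text output. This is an added example, not code from the original page: for each DC it pulls the inbound partner metadata for all partitions, flags partners whose last attempt returned a non-zero result (with the count of consecutive failures) and partners that have not replicated successfully within a threshold, and records DCs it cannot reach. The 3-hour threshold is an assumption.

```powershell
# Added example: domain-wide replication status from Get-ADReplicationPartnerMetadata.
# Assumes the ActiveDirectory module and RPC reachability to every DC; the staleness
# threshold is an assumption (intra-site replication normally completes within minutes).
Import-Module ActiveDirectory

$maxAge = New-TimeSpan -Hours 3

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction Stop
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Partner = '-'; Partition = '-'; LastSuccess = $null
                           Status = "unreachable: $($_.Exception.Message)" }
        continue
    }
    foreach ($m in $meta) {
        $status = if ($m.LastReplicationResult -ne 0) {
                      "error $($m.LastReplicationResult) ($($m.ConsecutiveReplicationFailures) consecutive)"
                  } elseif (((Get-Date) - $m.LastReplicationSuccess) -gt $maxAge) {
                      "stale: last success $($m.LastReplicationSuccess)"
                  } else { 'ok' }
        [pscustomobject]@{
            DC          = $dc.HostName
            Partner     = $m.PartnerAddress
            Partition   = $m.Partition
            LastSuccess = $m.LastReplicationSuccess
            Status      = $status
        }
    }
}

$problems = @($rows | Where-Object { $_.Status -ne 'ok' })
$rows | Sort-Object DC, Partition | Format-Table -AutoSize
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) replication problems found; see repadmin /showrepl on the affected DC for the error text"
} else {
    'All inbound replication links healthy'
}
```

A DC that has not replicated for longer than the tombstone lifetime (180 days by default) must not be reconnected; this check is what keeps a quietly failing partner from reaching that point.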