In this article, we will discuss ways to manage Active Directory using PowerShell.
You will need the Active Directory module for PowerShell installed on the machine you run these commands from (it ships as part of the Remote Server Administration Tools). Follow this link to install the AD module.
User Account Management
To verify the current state of a user account
To verify the current state of a user account and check whether it is locked out:
Get-ADUser -Identity thomasa -Properties LockedOut | Select-Object SamAccountName, LockedOut | Format-Table -AutoSize
If the account is locked, you can unlock it using the command
Get-ADUser -Identity thomasa | Unlock-ADAccount
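The two commands above can be combined into a small triage step so that an unlock is not done blindly. The following is an added example, not code from the original article; it assumes the ActiveDirectory module is available and uses the article's account name thomasa and the domain's PDC emulator as query target (both assumptions).

```powershell
# Added example: lockout triage before unlocking.
# Assumes the ActiveDirectory module is installed and the account 'thomasa' exists.
Import-Module ActiveDirectory

function Get-LockoutState {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # badPwdCount is kept per domain controller and not replicated; the PDC emulator
        # receives the attempts forwarded by the other DCs, so it has the most complete picture.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    # LockedOut, AccountLockoutTime etc. are not in the default property set, so request them explicitly
    Get-ADUser -Identity $SamAccountName -Server $Server `
        -Properties LockedOut, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
        Select-Object SamAccountName, LockedOut, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
}

# Single account
Get-LockoutState -SamAccountName thomasa | Format-Table -AutoSize

# Every account that is currently locked out, domain-wide. A sudden spike here is a
# common sign of a password-spraying attempt rather than a batch of forgetful users.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# Unlock only after looking at the above; -Confirm prompts before changing anything
$state = Get-LockoutState -SamAccountName thomasa
if ($state.LockedOut) {
    Unlock-ADAccount -Identity thomasa -Confirm
}
```

If LastBadPasswordAttempt is recent and BadLogonCount is high while the user says they have not been logging in, treat the lockout as a possible attack rather than a help-desk ticket and look at the source of the failed logons before unlocking.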
Create an Active Directory OU
Organizational Units are logical containers in AD that group objects however the administrator chooses, for example by department, site or team.
Create an OU
To create an OU at the root of our domain (no -Path given, so it lands in the domain's default naming context):
New-ADOrganizationalUnit -Name "London"
Create Sub-OU
To create a sub-OU in our London container, run the command
New-ADOrganizationalUnit -Name WestLondon -Path "OU=London,DC=ash,DC=local" -Description "West London zone" -PassThru
Remove an OU
To delete an OU from Active Directory using PowerShell, we use the Remove-ADOrganizationalUnit command.
New OUs are created with the ProtectedFromAccidentalDeletion flag set, which makes Remove-ADOrganizationalUnit fail, so we first clear the flag with Set-ADOrganizationalUnit and then run the remove command, as shown below. Note that a filter on Name alone matches every OU with that name anywhere in the domain; if the name is not unique, identify the OU by its distinguished name instead.
Get-ADOrganizationalUnit -Filter "Name -eq 'WestLondon'" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False
Finally remove the OU:
Get-ADOrganizationalUnit -Filter "Name -eq 'WestLondon'" | Remove-ADOrganizationalUnit
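The create, create sub-OU and remove steps above, written as one script. This is an added example and not code from the original article; it assumes the ActiveDirectory module is loaded and reads the domain DN from Get-ADDomain rather than hard-coding DC=ash,DC=local. The helper Test-OUExists is this example's own, not a cmdlet of the module.

```powershell
# Added example: create a parent OU, a child OU, then remove the child safely.
# Assumes the ActiveDirectory module is installed and you have rights to create OUs.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=ash,DC=local
$londonDN = "OU=London,$domainDN"
$westDN   = "OU=WestLondon,$londonDN"

function Test-OUExists {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$ParentDN)
    # Scope the search to the parent so a same-named OU elsewhere in the tree does not match
    [bool](Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDN -SearchScope OneLevel)
}

# Parent OU at the domain root (idempotent: skip if it is already there)
if (-not (Test-OUExists -Name "London" -ParentDN $domainDN)) {
    New-ADOrganizationalUnit -Name "London" -Path $domainDN -PassThru
}

# Child OU under London
if (-not (Test-OUExists -Name "WestLondon" -ParentDN $londonDN)) {
    New-ADOrganizationalUnit -Name "WestLondon" -Path $londonDN -Description "West London zone" -PassThru
}

# Removal by distinguished name, so only this OU can be affected.
# ProtectedFromAccidentalDeletion is not a default property, so ask for it.
$child = Get-ADOrganizationalUnit -Identity $westDN -Properties ProtectedFromAccidentalDeletion
if ($child.ProtectedFromAccidentalDeletion) {
    Set-ADOrganizationalUnit -Identity $child -ProtectedFromAccidentalDeletion $false
}
# Without -Recursive this fails if the OU still contains objects, which is the safe default
Remove-ADOrganizationalUnit -Identity $child -Confirm:$false
```

Removing the protection flag and the OU in the same script is convenient for lab clean-up; in production, keep the two steps separate so a typo in a filter cannot take a populated OU with it.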
Determine last logged in user
A PowerShell one-liner that lists the profile folders under C:\Users on a remote machine and reports the one modified most recently. This is a heuristic based on folder timestamps, not an authoritative logon record; anything that touches a profile folder (a service, a scheduled task, a scan) will move the timestamp.
Get-ChildItem "\\<Name-of-Computer>\c$\Users" | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime -First 1 | Out-File \\<Your-Server-Name>\C$\temp\TheList.txt
Be sure to change:
<Name-of-Computer> to the name of the computer you want to check
<Your-Server-Name> to the name of a server on your network where the result should be written. The script reads the C$ administrative share, so it already runs with administrative rights on the target; write the output to a folder that only administrators can write to rather than granting AUTHENTICATED USERS = FULL CONTROL on it.
If you want to run this as a script against many machines use this:
$ArrComputers = @("PC1", "PC2", "PC3", "PC4")
foreach ($Computer in $ArrComputers) {
Get-ChildItem "\\$Computer\c$\Users" | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime -first 1 | out-file \\<Your-Server-Name>\share\$Computer.txt
}
Be sure to change:
- the computer names PC1, PC2, ... to your computer names
- <Your-Server-Name> to the name of a server
- <Share> to a shared folder the account running the script can write to. Avoid a share with AUTHENTICATED USERS = FULL CONTROL; the script already needs administrative rights to read each machine's C$ share, so a folder writable only by administrators is sufficient and keeps the report from being tampered with.
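The multi-machine version with the error handling a practitioner would want: unreachable hosts are recorded instead of aborting the loop, the built-in profile folders are excluded, and everything goes into one CSV kept on the admin workstation rather than a world-writable share. This is an added example and not the original script; the computer names and the output path are placeholders.

```powershell
# Added example: profile-folder heuristic over many machines with error handling.
# Assumes the C$ admin share is reachable and you hold local admin rights on each target.
$computers  = @("PC1", "PC2", "PC3", "PC4")          # replace with your computer names
$outputPath = "C:\temp\LastLogon.csv"                # local path; no shared folder needed

# Folders that are not real user profiles and must not be reported as the "last user"
$builtIn = @("Public", "Default", "Default User", "All Users")

$report = foreach ($computer in $computers) {
    $profilesPath = "\\$computer\c$\Users"
    if (-not (Test-Path -Path $profilesPath)) {
        [pscustomobject]@{ Computer = $computer; User = $null; LastWriteTime = $null; Error = "Unreachable or access denied" }
        continue
    }
    try {
        $latest = Get-ChildItem -Path $profilesPath -Directory -ErrorAction Stop |
            Where-Object { $_.Name -notin $builtIn } |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            Computer      = $computer
            User          = $latest.Name
            LastWriteTime = $latest.LastWriteTime
            Error         = $null
        }
    }
    catch {
        [pscustomobject]@{ Computer = $computer; User = $null; LastWriteTime = $null; Error = $_.Exception.Message }
    }
}

$report | Export-Csv -Path $outputPath -NoTypeInformation
$report | Format-Table -AutoSize
```

For an answer that does not depend on folder timestamps, the same loop can query the Win32_UserProfile class over CIM (Get-CimInstance -ClassName Win32_UserProfile -ComputerName $computer), whose LastUseTime and SID give the profile owner directly; that requires WinRM on the targets, which is why the share-based version is shown here.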
Command Line To Find Out When a User Last Changed Their Password in Active Directory
If you are not a fan of the GUI, or you are scripting, you can find out the last time a user changed their password in Active Directory from the command line.
- Launch a CMD window, PowerShell or Windows Terminal.
- This does not need to run as administrator, but it can.
- Type NET USER USERNAME /DOMAIN and press the ENTER key. Without /DOMAIN, NET USER queries the local accounts database of the machine you are on, not Active Directory.
- Substitute the real user name for USERNAME above (i.e. net user imatthews /domain). The date you want is on the "Password last set" line of the output.
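The same information is available as a proper date object from the AD module, which is easier to act on in a script than parsing NET USER output. This is an added example, not from the original article; it assumes the ActiveDirectory module is loaded and uses the article's user name imatthews and a 90-day maximum password age (both assumptions).

```powershell
# Added example: password age via Get-ADUser instead of NET USER.
# Assumes the ActiveDirectory module is installed and the account 'imatthews' exists.
Import-Module ActiveDirectory

# PasswordLastSet is not returned by default; request it with -Properties.
# It is $null when pwdLastSet is 0, i.e. the user must change the password at next logon.
Get-ADUser -Identity imatthews -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, PasswordExpired |
    Format-List

# Generalization: every enabled account whose password is older than the policy allows,
# or has never been set, excluding accounts flagged as never expiring (list those separately;
# they are usually service accounts and deserve their own review).
$maxAgeDays = 90
$cutoff = (Get-Date).AddDays(-$maxAgeDays)

Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } -Properties PasswordLastSet |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = "AgeDays"; Expression = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```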
How To Remotely Log Someone Off
- Right-click the START button on any machine on the same LAN and select Command Prompt (Admin), Windows PowerShell (Admin) or Windows Terminal (Admin). You need administrative rights on the remote host, not just on your own machine.
- Type quser /server:<server-host-name> and press ENTER. Note the number in the ID column.
- Type logoff <ID> /server:<server-host-name> and press ENTER. This ends the session immediately; the user is not given a chance to save open work.
- If there is more than one user logged in, repeat this process for each ID.
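The quser and logoff steps above as a script that turns quser's text output into objects, so sessions can be reviewed and logged off selectively with -WhatIf support. This is an added example and not code from the original article; Get-RemoteSession and Remove-RemoteSession are this example's own functions, and the server name is a placeholder.

```powershell
# Added example: parse quser output and log off sessions remotely.
# Assumes you are an administrator on the target host and it accepts the RPC traffic quser/logoff use.
function Get-RemoteSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $output = & quser /server:$ComputerName 2>&1
    if ($LASTEXITCODE -ne 0) {
        # quser also exits non-zero when nobody is logged on ("No User exists for *")
        throw "quser failed against $ComputerName : $($output -join ' ')"
    }
    # Row layout: USERNAME [SESSIONNAME] ID STATE IDLETIME LOGONTIME.
    # SESSIONNAME is blank for disconnected sessions, hence the optional group.
    # A leading '>' marks the session quser itself runs in.
    $pattern = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    $output | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                Computer  = $ComputerName
                User      = $Matches.User
                Session   = $Matches.Session
                Id        = [int]$Matches.Id
                State     = $Matches.State
                IdleTime  = $Matches.Idle
                LogonTime = $Matches.Logon.Trim()
            }
        }
    }
}

function Remove-RemoteSession {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Computer,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$Id,
        [Parameter(ValueFromPipelineByPropertyName)][string]$User
    )
    process {
        # logoff ends the session without saving; ShouldProcess gives -WhatIf / -Confirm for free
        if ($PSCmdlet.ShouldProcess("$User (session $Id) on $Computer", "logoff")) {
            & logoff $Id /server:$Computer
        }
    }
}

$server = "<server-host-name>"   # replace with the target host name

# Review first
Get-RemoteSession -ComputerName $server | Format-Table -AutoSize

# Dry run, then the real thing once the list looks right
Get-RemoteSession -ComputerName $server | Remove-RemoteSession -WhatIf
Get-RemoteSession -ComputerName $server | Where-Object State -eq "Disc" | Remove-RemoteSession -Confirm:$false
```

The last line logs off only disconnected sessions, which is the common housekeeping case; drop the Where-Object filter to log off everyone, as in the manual steps.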