Tech Thursday: Active Directory Administration with PowerShell

PowerShell is the future of Windows system administration. With Microsoft making drastic and sometimes confusing changes to the UI of administrative applications, now is as good a time as any to learn how to automate some common Active Directory administration tasks with PowerShell.

To get started, you’ll need to install the Remote Server Administration Tools (RSAT) for the Windows client version that you’re using. Then open Programs and Features > Turn Windows Features On or Off, and enable Active Directory Module for Windows PowerShell. Once that’s installed, open a PowerShell prompt and type Import-Module ActiveDirectory. This loads the full suite of AD cmdlets into your PowerShell session.

Reset a User’s Password with PowerShell

Resetting a user’s password is a three-line command in PowerShell. First, get the new password as a SecureString variable:

$pw = Read-Host -AsSecureString

This will prompt you to enter the new password. Then, change the user’s password using Set-ADAccountPassword:

Set-ADAccountPassword jsmith -Reset -NewPassword $pw

Finally, set the user’s password to expire, so that they will be prompted to enter a new one at next login:

Set-ADUser jsmith -ChangePasswordAtLogon $true

While it’s true that this can be done in just a few clicks from ADUC, these three lines could easily be turned into a script, saving you plenty of time if your users often forget their passwords.
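Here is one way to turn those three lines into a reusable script. This is an added example, not code from the original post; it assumes the ActiveDirectory module is installed and that the caller has rights to reset passwords on the target account. The function name, parameter and the sample account name jsmith are constructed for illustration.

```powershell
# Added example (not from the original post): the three-step password reset
# wrapped in a function that supports -WhatIf/-Confirm via ShouldProcess.
Import-Module ActiveDirectory

function Reset-UserPasswordAtLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    # Verify the account exists before prompting for a password.
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

    # Read the new password as a SecureString so it never sits in plain text.
    $pw = Read-Host -AsSecureString -Prompt "New password for $($user.SamAccountName)"

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password and force change at next logon')) {
        # -Reset performs an administrative reset; no old password is required.
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $pw
        # Force the user to choose their own password at next logon.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }

    # Clear the SecureString from memory once it is no longer needed.
    $pw.Dispose()
}

# Usage (constructed account name):
# Reset-UserPasswordAtLogon -SamAccountName jsmith -WhatIf   # preview only
# Reset-UserPasswordAtLogon -SamAccountName jsmith
```

Running with -WhatIf shows which account would be changed without touching it, which is a cheap safeguard against a typo in the account name.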

Fix Account Lockouts

If you’ve implemented a proper password policy with account lockouts, you may have an uptick in users who lock themselves out, either by mistyping their password or trying an old password too many times. But again, PowerShell is here to help.

You can execute Search-ADAccount -LockedOut to return a list of all users whose accounts are currently locked out. Then, you can run Unlock-ADAccount jsmith to let that user back in.
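The following added example (not from the original post) builds on those two cmdlets: it lists locked-out accounts together with when and how often they failed, so that a sudden cluster of lockouts is visible before anyone starts unlocking. It assumes the ActiveDirectory module is loaded and that the caller can read and unlock the accounts in question; the function names are constructed.

```powershell
# Added example (not from the original post): report locked-out accounts with
# context, then unlock a single account only after reviewing that context.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    # LockedOut, AccountLockoutTime, BadLogonCount and LastBadPasswordAttempt are
    # extended properties exposed by Get-ADUser. BadLogonCount and
    # LastBadPasswordAttempt are not replicated between domain controllers, so
    # they reflect only the DC that answered this query.
    Search-ADAccount -LockedOut -UsersOnly |
        Get-ADUser -Properties LockedOut, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
        Select-Object SamAccountName, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
        Sort-Object AccountLockoutTime -Descending
}

function Unlock-UserAfterReview {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut, AccountLockoutTime -ErrorAction Stop

    if (-not $user.LockedOut) {
        Write-Host "$SamAccountName is not currently locked out."
        return
    }

    Write-Host "$SamAccountName has been locked since $($user.AccountLockoutTime)."
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Unlock account')) {
        Unlock-ADAccount -Identity $user
    }
}

# Usage:
# Get-LockedOutReport | Format-Table -AutoSize
# Unlock-UserAfterReview -SamAccountName jsmith -Confirm
```

Many accounts locked within the same few minutes, or one account locking repeatedly, is a pattern worth looking into (a stale credential in a scheduled task or a mapped drive is a common benign cause) rather than just unlocking and moving on.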

Find Unused Computers and Users using PowerShell

Cleaning up unused computer and user accounts is a good way to improve the security of your AD environment. While ideally you’ll be informed of terminations, resignations, and retirements quickly, sometimes things slip through the cracks.

To find these accounts, use the command Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days numDays), where numDays is the number of days an account has been inactive before it shows up in your search. You can also add -ComputersOnly or -UsersOnly to narrow down your search.

If you’d like to disable these accounts, simply pipe the output of that command to the Disable-ADAccount cmdlet.
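The added example below (not from the original post) puts the search and the disable step together with two checks a practitioner would want: already-disabled accounts are filtered out so the report shows only what still needs attention, and nothing is disabled until the run is repeated without -WhatIf. It assumes the ActiveDirectory module is loaded and that the caller can modify the accounts in question; the function names, the default of 90 days and the Description text are constructed.

```powershell
# Added example (not from the original post): find accounts inactive for a given
# number of days, preview them, and disable them only on an explicit run.
Import-Module ActiveDirectory

function Get-StaleAccount {
    param(
        [int]$Days = 90,
        [ValidateSet('Users', 'Computers', 'Both')]
        [string]$Type = 'Both'
    )

    # -AccountInactive is a switch; the cutoff is supplied through -TimeSpan.
    $params = @{ AccountInactive = $true; TimeSpan = (New-TimeSpan -Days $Days) }
    switch ($Type) {
        'Users'     { $params['UsersOnly']     = $true }
        'Computers' { $params['ComputersOnly'] = $true }
    }

    # LastLogonDate is derived from lastLogonTimestamp, which replicates only
    # every 9 to 14 days, so treat the cutoff as approximate. Accounts that are
    # already disabled are dropped from the report.
    Search-ADAccount @params |
        Where-Object { $_.Enabled } |
        Select-Object Name, ObjectClass, LastLogonDate, DistinguishedName |
        Sort-Object LastLogonDate
}

function Disable-StaleAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 90,
        [ValidateSet('Users', 'Computers', 'Both')]
        [string]$Type = 'Both'
    )

    Get-StaleAccount -Days $Days -Type $Type | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "Disable (inactive $Days+ days)")) {
            # Record why it was disabled so the change is auditable later.
            $note = "Disabled $(Get-Date -Format 'yyyy-MM-dd'): inactive more than $Days days"
            Set-ADObject -Identity $_.DistinguishedName -Description $note
            Disable-ADAccount -Identity $_.DistinguishedName
        }
    }
}

# Preview first, then run for real:
# Disable-StaleAccount -Days 90 -Type Users -WhatIf
# Disable-StaleAccount -Days 90 -Type Users
```

Disabling rather than deleting keeps the SID and group memberships intact, so an account that turns out to be in use (a service account, or someone back from extended leave) can be re-enabled without rebuilding it.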

These are just a few of the commands available in the ActiveDirectory PowerShell module. To find out what else you can do in Active Directory with PowerShell, check out Microsoft’s module reference.

E-N Computers is a full-service IT service provider serving Virginia, Maryland, and Washington, D.C. If you need help with your Windows network or Active Directory environment, contact us today!