
Automate Active Directory jobs with PowerShell scripts

Much of what admins do in Active Directory is not exactly cutting-edge, and they don't want to waste time on mundane tasks. A dash of PowerShell can speed things along.

Most IT professionals have some experience with Active Directory, whether they use it to create new users, reset passwords or generate child domains. Tools like Active Directory Users and Computers and Active Directory Administrative Center get the job done, but they're based on a GUI and require a lot of manual manipulation.  

Active Directory is well suited to automation -- it's an area where admins make constant and often repetitive modifications, such as creating users, computers and organizational units. With the right tools in place, you can use PowerShell to automate Active Directory tasks and eliminate a lot of these recurring steps.

Install the AD module

There are a few steps to take before you can automate Active Directory. First, install the Remote Server Administration Tools package, which is specific to your OS version.

After the installation, enable the AD module. Go to Programs and Features in the Control Panel and follow this path: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory Module for Windows PowerShell.

Once the AD module is enabled, open the PowerShell console and use the Get-Command cmdlet to list the commands the module makes available to you.

PS> Get-Command -Module ActiveDirectory

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-ADCentralAccessPolicyMember                    1.0.0.0    ActiveDirectory
Cmdlet          Add-ADComputerServiceAccount                       1.0.0.0    ActiveDirectory
Cmdlet          Add-ADDomainControllerPasswordReplicationPolicy    1.0.0.0    ActiveDirectory
Cmdlet          Add-ADFineGrainedPasswordPolicySubject             1.0.0.0    ActiveDirectory
....


Next, run the Update-Help command to download the latest documentation for each PowerShell command. Microsoft regularly updates the comprehensive PowerShell help system. Running the Update-Help command is a worthwhile step for administrators who are new to PowerShell, especially when exploring a new module.

Now that the AD module is ready to go, there are a few common ways to automate Active Directory jobs.

How to find users

To adjust settings for a user, you first need to find the user. There are several ways to do this in Active Directory, but the most common is with the Get-AdUser cmdlet. This cmdlet lets you search either by the user's name or with a filter that returns several users at once. The following example uses a filter to find users with the first name Joe:

PS> Get-AdUser -Filter 'givenName -eq "Joe"'

If you know the user's logon name, use the Identity parameter:

PS> Get-AdUser -Identity 'jjones'

Create new users

The New-AdUser cmdlet creates new users and lets you specify most of their attributes. For example, to create a new user called David Jones with a password of p@$$w0rd10, use PowerShell's splatting feature to package several parameters in a hash table and pass them to the New-AdUser cmdlet.

# Hash table of parameters; the keys match New-AdUser parameter names
$NewUserParameters = @{
    'GivenName' = 'David'
    'Surname' = 'Jones'
    'Name' = 'djones'
    # AccountPassword requires a SecureString, not a plain string
    'AccountPassword' = (ConvertTo-SecureString 'p@$$w0rd10' -AsPlainText -Force)
    'ChangePasswordAtLogon' = $true
}

# The @ sigil splats the hash table into the cmdlet's parameters
New-AdUser @NewUserParameters

Add users to groups

Another common administrative task is to add new users to groups. This is easily done with the Add-AdGroupMember cmdlet. The example below adds the user David Jones to an Active Directory group called Accounting:

Add-AdGroupMember -Identity 'Accounting' -Members 'djones'

Automate creation of users

We can combine these commands when the human resources department provides a CSV file that lists new users to create in Active Directory. The CSV file might look like this:

"FirstName","LastName","UserName"
"Adam","Bertram","abertram"
"Joe","Jones","jjones"

To create these users, write a script that invokes the New-AdUser command for each user in the CSV file. Use the built-in Import-Csv command and a foreach loop in PowerShell to go through the file and give users the same password.

# Import the CSV and run New-AdUser once per row; $_ holds the current row
Import-Csv -Path C:\Employees.csv | foreach {
    $NewUserParameters = @{
        'GivenName' = $_.FirstName
        'Surname' = $_.LastName
        'Name' = $_.UserName
        # Every account in this example gets the same initial password
        'AccountPassword' = (ConvertTo-SecureString 'p@$$w0rd10' -AsPlainText -Force)
    }

    New-AdUser @NewUserParameters
}
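The CSV procedure above, combined with the group step and with the checks a practitioner would want on a rerun, as an added example that is not code from the original article: it validates each logon name, skips accounts that already exist, gives every account its own random initial password that must be changed at first logon rather than the shared one shown above, and adds the user to a group named in a hypothetical 'Group' column. The C:\Employees.csv path, the 'Group' column and the function names are assumptions.

```powershell
# Added example, not code from the original article. Assumes the same CSV
# layout as above plus a hypothetical 'Group' column, e.g.:
# "FirstName","LastName","UserName","Group"
# "Adam","Bertram","abertram","Accounting"
Import-Module ActiveDirectory

function New-InitialPassword {
    # Unique random initial password per account, drawn from a CSPRNG
    param([int]$Length = 16)
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%&*'.ToCharArray()
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-UsersFromCsv {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        $user = $row.UserName
        # Reject values that are not valid sAMAccountName-style logon names
        # before they reach a filter string or the directory
        if ($user -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            Write-Warning "Skipping '$user': invalid logon name"
            continue
        }
        # Make the script safe to rerun: skip accounts that already exist
        if (Get-ADUser -Filter "SamAccountName -eq '$user'") {
            Write-Warning "Skipping '$user': account already exists"
            continue
        }
        $password = New-InitialPassword
        $params = @{
            GivenName             = $row.FirstName
            Surname               = $row.LastName
            Name                  = $user
            SamAccountName        = $user
            AccountPassword       = (ConvertTo-SecureString $password -AsPlainText -Force)
            ChangePasswordAtLogon = $true   # forces a reset at first logon
            Enabled               = $true
        }
        New-ADUser @params
        if ($row.Group) { Add-ADGroupMember -Identity $row.Group -Members $user }
        # Return the initial password to the caller only; never write it to a log
        [pscustomobject]@{ UserName = $user; Group = $row.Group; InitialPassword = $password }
    }
}

New-UsersFromCsv -Path 'C:\Employees.csv'
```

The returned objects carry each initial password so the onboarding process can hand it over out of band; pipe them to Export-Csv only if that file is protected and deleted after use.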

These are a few basic examples of how an admin can automate Active Directory tasks with PowerShell. The Active Directory PowerShell module has many commands that enable admins to execute more complex jobs, such as permission delegation for groups. 
