
PowerShell Active Directory Management

Proper Management of Active Directory Using PowerShell 

Active Directory (AD) is a critical component in many organizations, serving as the backbone for identity and access management. Ensuring its proper management is essential for maintaining security, compliance, and efficiency within an IT environment. PowerShell, a powerful scripting language developed by Microsoft, provides an extensive set of tools for automating and managing Active Directory effectively. This article delves into best practices for managing Active Directory using PowerShell, highlighting key techniques and commands that can streamline administrative tasks.

Understanding Active Directory and PowerShell

Active Directory is a directory service developed by Microsoft for Windows domain networks. It stores information about objects on the network and makes this information available to administrators and users. Proper management of AD involves tasks such as user provisioning, group management, and policy enforcement.

PowerShell is a task automation and configuration management framework consisting of a command-line shell and scripting language. It is designed especially for system administration and provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems.

Setting Up PowerShell for Active Directory

To manage Active Directory using PowerShell, you need the Active Directory module for PowerShell. This module is part of the Remote Server Administration Tools (RSAT) for Windows. To install it, you can use the following steps:
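The article does not list the installation steps themselves, so the following is an added example (not from the original article) of installing the module on a Windows 10/11 workstation or a Windows Server, loading it, and confirming that a domain controller can be reached. The capability name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 and the feature name RSAT-AD-PowerShell are Microsoft's standard names; the script assumes an elevated session.

```powershell
# Added example: install and verify the Active Directory module for PowerShell.
# Run from an elevated PowerShell session.

$osInfo = Get-CimInstance -ClassName Win32_OperatingSystem
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server
if ($osInfo.ProductType -eq 1) {
    # Windows 10 1809+ / Windows 11: RSAT ships as an optional capability
    $capabilityName = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
    $capability = Get-WindowsCapability -Online -Name $capabilityName
    if ($capability.State -ne 'Installed') {
        Add-WindowsCapability -Online -Name $capabilityName | Out-Null
    }
}
else {
    # Windows Server: the module is a feature under Remote Server Administration Tools
    if (-not (Get-WindowsFeature -Name RSAT-AD-PowerShell).Installed) {
        Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
    }
}

# Load the module and confirm a cmdlet from it resolves
Import-Module ActiveDirectory -ErrorAction Stop
Get-Command -Module ActiveDirectory -Name Get-ADUser

# Confirm a domain controller answers before running any of the scripts below
Get-ADDomain | Select-Object DNSRoot, PDCEmulator
```

The last line doubles as a permissions check: the scripts below run with the caller's credentials, so run them from an account that holds only the rights the task needs rather than a standing Domain Admin session.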

Add-ADGroupMember by SamAccountName

#-------------Import User SAM Accounts-------------
# One SamAccountName per line; blank lines are skipped
$UserAccounts = Get-Content C:\temp\Test_Accounts.txt | Where-Object { $_.Trim() }

#-------Input from Console----------
$ADGroup = Read-Host "Enter AD Group"

#----------------Da Loop----------------
Foreach ($UserAccount in $UserAccounts) {
    $UserAccount = $UserAccount.Trim()

    #---Error Trapping---
    Try {
        # -Identity is the group, -Members the account being added
        Add-ADGroupMember -Identity $ADGroup -Members $UserAccount -ErrorAction Stop
    }
    catch {
        # Report which account failed along with the error text
        Write-Warning "$UserAccount : $($_.Exception.Message)"
    }
}

#-------- Cleanup ---------
Clear-Variable ADGroup
Clear-Variable UserAccounts
Clear-Variable UserAccount
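Group membership changes are among the most security-relevant edits an administrator makes in AD, so the following added example (not from the original article) hardens the task above: the group is resolved once and flagged if it is a protected (AdminSDHolder) group, every account is looked up before the change so typos do not become silent failures, accounts that are already members are reported rather than re-added, and each outcome is appended to a CSV audit trail. The function name, the group name and the file paths are assumptions.

```powershell
# Added example: validated, auditable version of "add accounts from a file to a group".
function Add-ValidatedGroupMembers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $AccountFile,
        [string] $AuditLog = 'C:\temp\GroupMember-Audit.csv'   # assumed path
    )

    # Resolve the group once; fail fast if it does not exist
    $group = Get-ADGroup -Identity $GroupName -Properties adminCount -ErrorAction Stop

    # adminCount = 1 marks groups protected by AdminSDHolder (Domain Admins and friends)
    if ($group.adminCount -eq 1) {
        Write-Warning "'$($group.Name)' is a protected (privileged) group; every change is logged."
    }

    # Current members, so "already a member" can be told apart from "added"
    $existing = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName

    $results = foreach ($raw in Get-Content -Path $AccountFile) {
        $sam = $raw.Trim()
        if (-not $sam) { continue }        # skip blank lines

        $status = ''
        try {
            # Script-block filter with a variable avoids quoting problems that a
            # string filter built by concatenation would have with odd input
            $user = Get-ADUser -Filter { SamAccountName -eq $sam } -ErrorAction Stop
            if (-not $user) {
                $status = 'NotFound'
            }
            elseif ($existing -contains $user.SamAccountName) {
                $status = 'AlreadyMember'
            }
            elseif ($PSCmdlet.ShouldProcess($user.SamAccountName, "Add to $($group.Name)")) {
                Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
                $status = 'Added'
            }
            else {
                $status = 'Skipped'        # -WhatIf or declined confirmation
            }
        }
        catch {
            $status = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Timestamp = (Get-Date).ToString('s')
            Operator  = "$env:USERDOMAIN\$env:USERNAME"
            Group     = $group.DistinguishedName
            Account   = $sam
            Result    = $status
        }
    }

    $results | Export-Csv -Path $AuditLog -NoTypeInformation -Append
    $results
}

# Dry run first, then the real change
Add-ValidatedGroupMembers -GroupName 'Helpdesk Operators' -AccountFile 'C:\temp\Test_Accounts.txt' -WhatIf
Add-ValidatedGroupMembers -GroupName 'Helpdesk Operators' -AccountFile 'C:\temp\Test_Accounts.txt'
```

The CSV gives you a local record to reconcile against Security event 4728/4732 (member added to a global/local group) on the domain controllers; a membership change that appears in the event log but not in the audit file was made outside this process.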

Disable OU Accidental Deletion Warning

<#
Summary:  
          Get list of OU from Searchbase
          Get OU's where Protect from Deletion is enabled
          Display OU's out to screen
          Change accidental deletion setting 
Author:   Scott Head
Date:     05/09/2022
Version:  1.0 
#>

# Path to search in for OU's
$searchbase = 'OU=Domain Devices,DC=YourDomain,DC=net'

# Get all the OU's that are protected. ProtectedFromAccidentalDeletion is derived
# from deny ACEs on the object rather than stored as an LDAP attribute, so it is
# requested with -Properties and checked client-side with Where-Object.
$protectedOrganizationalUnits = Get-ADOrganizationalUnit -SearchBase $searchbase -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.ProtectedFromAccidentalDeletion -eq $true }

# Display OU's that are protected
$protectedOrganizationalUnits | Select-Object DistinguishedName, ProtectedFromAccidentalDeletion, Name

# Disable protection (re-enable it once the intended move or delete is done)
$protectedOrganizationalUnits | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
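Removing the protection from every OU under a search base and leaving it off is what the protection exists to prevent, so the following added example (not from the original article) scopes the change to the OUs being worked on, performs the move, and restores the protection in a finally block so that a failure half-way does not leave anything unprotected. A second function audits what is still unprotected afterwards. The function names, OU names and target path are assumptions.

```powershell
# Added example: unprotect, move, re-protect, with the re-protect guaranteed by finally.
function Move-ProtectedOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $OUDistinguishedName,
        [Parameter(Mandatory)] [string]   $TargetPath
    )

    foreach ($dn in $OUDistinguishedName) {
        $ou = Get-ADOrganizationalUnit -Identity $dn -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
        $wasProtected = $ou.ProtectedFromAccidentalDeletion
        $moved = $null

        if (-not $PSCmdlet.ShouldProcess($dn, "Move to $TargetPath")) { continue }

        try {
            if ($wasProtected) {
                # The protection is a deny ACE; Move-ADObject fails while it is in place
                Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false -ErrorAction Stop
            }
            $moved = Move-ADObject -Identity $ou -TargetPath $TargetPath -PassThru -ErrorAction Stop
        }
        finally {
            # Re-protect whichever object exists now: the moved one if the move
            # succeeded, the original if it did not
            if ($wasProtected) {
                $toProtect = if ($moved) { $moved.DistinguishedName } else { $dn }
                Set-ADOrganizationalUnit -Identity $toProtect -ProtectedFromAccidentalDeletion $true
            }
        }
    }
}

# Audit: any OU under the search base still unprotected deserves a look
function Get-UnprotectedOU {
    param([Parameter(Mandatory)] [string] $SearchBase)
    Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

Move-ProtectedOU -OUDistinguishedName 'OU=Lab,OU=Domain Devices,DC=YourDomain,DC=net' `
                 -TargetPath 'OU=Retired,DC=YourDomain,DC=net' -WhatIf
Get-UnprotectedOU -SearchBase 'DC=YourDomain,DC=net'
```

Run Get-UnprotectedOU on a schedule as well: an OU that quietly lost its protection is an easy thing to miss until a bulk delete lands on it.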

Backup-GPO | Backup Group Policy Objects

<#
Summary:  
          Get list of Policies from File
          Loop through items in file
          Create folder with policy name
          Export Group Policy to unique directory 
Author:   Scott Head
Date:     05/09/2022
Version:  1.0 
#>

# Backup-GPO is in the GroupPolicy module (RSAT: Group Policy Management Tools)
Import-Module GroupPolicy

# One GPO display name per line
$GroupPolicyName = Get-Content "C:\GroupPolicies\All-Group-Policies.txt"

Foreach($Policy in $GroupPolicyName){

    # Backup-GPO requires the target directory to exist; -Force tolerates re-runs
    $BackupPath = New-Item "C:\GroupPolicies\$Policy" -ItemType Directory -Force

    # Back up into the directory created above so the folder and the backup agree
    Backup-GPO -Name $Policy -Path $BackupPath.FullName -Comment "$Policy"
}
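A list of names in a text file goes stale as GPOs are created, so the following added example (not from the original article) backs up every GPO in the domain into a timestamped folder, writes a CSV manifest mapping each GPO to its backup ID (which Restore-GPO needs), and saves an HTML settings report per GPO so two backups can be compared during a change or incident review. The root path and function name are assumptions.

```powershell
# Added example: domain-wide GPO backup with manifest and per-GPO settings report.
function Backup-AllGPO {
    param(
        [string] $Root = 'C:\GroupPolicies\Backups'   # assumed location
    )

    Import-Module GroupPolicy -ErrorAction Stop

    # Backup-GPO needs an existing directory; one folder per run keeps history intact
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = New-Item -Path (Join-Path $Root $stamp) -ItemType Directory -Force

    # -All backs up every GPO in the current domain and returns one object per backup
    $backups = Backup-GPO -All -Path $target.FullName -Comment "Scheduled backup $stamp"

    $manifest = foreach ($b in $backups) {
        $gpo = Get-GPO -Guid $b.GpoId

        # Human-readable settings report; this is what gets diffed between runs
        $reportFile = Join-Path $target.FullName "$($b.GpoId).html"
        Get-GPOReport -Guid $b.GpoId -ReportType Html -Path $reportFile

        [pscustomobject]@{
            DisplayName = $b.DisplayName
            GpoId       = $b.GpoId
            BackupId    = $b.Id          # pass to Restore-GPO -BackupId
            BackupTime  = $b.CreationTime
            GpoModified = $gpo.ModificationTime
            GpoStatus   = $gpo.GpoStatus
            Report      = $reportFile
        }
    }

    $manifest | Export-Csv -Path (Join-Path $target.FullName 'manifest.csv') -NoTypeInformation
    $manifest
}

# Run the backup, then list GPOs modified in the last day for review
$run = Backup-AllGPO
$run | Where-Object { $_.GpoModified -gt (Get-Date).AddDays(-1) } |
    Select-Object DisplayName, GpoModified, GpoStatus
```

A GPO backup describes the security configuration of the domain in detail, so restrict the ACL on the backup root to the accounts that run and restore backups.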

Get-ADObject Record and Export BitLocker Keys

<#
Summary:  
          Query AD for enabled Windows 10 computer objects
          Loop through items and query computer ADObject for Bitlocker Key
          Export computer name and key created time to text file
          Created so that we can see if Computers don't have recovery key 
Author:   Scott Head
Date:     02/09/2022
Version:  1.0
#>

#Get Computer List From AD (the filter runs server-side; only Name and DN are kept)
$Computer = Get-ADComputer -Filter {(Enabled -eq $True) -and (OperatingSystem -Like "Windows 10*") -and (OperatingSystemVersion -ne "10.0 (17134)")} | Select-Object Name, DistinguishedName

#Loop through computers
Foreach($Comp in $Computer){
    $Info = ""

    #Get Bitlocker Recovery Key creation time(s). The msFVE-RecoveryInformation
    #objects sit under the computer object. Only whenCreated is requested; the
    #msFVE-RecoveryPassword value is not needed for this report and is not read.
    $Info = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $Comp.DistinguishedName -Properties whenCreated | Select-Object -ExpandProperty whenCreated

    #Export to Text File (an empty $Info means no recovery key is escrowed for that computer)
    "$($Comp.Name) | $($Info)" | Tee-Object C:\temp\Keys.txt -Append
}
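The stated purpose of the script is to find computers that have no recovery key in AD, and a text line per computer makes that hard to act on. The following added example (not from the original article) produces a structured report instead: per enabled Windows 10/11 computer, whether any recovery information is escrowed, how many key objects exist, when the newest was written, and when the machine last logged on, so that active machines with nothing escrowed stand out. Only object metadata is read; the recovery password attribute is never requested. The function name and output path are assumptions.

```powershell
# Added example: BitLocker escrow coverage report built from AD metadata only.
function Get-BitLockerEscrowReport {
    param(
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,
        [string] $OutFile    = 'C:\temp\BitLockerEscrow.csv'   # assumed path
    )

    # OperatingSystem and LastLogonDate are not returned by default, so ask for them
    $computers = Get-ADComputer -SearchBase $SearchBase -Properties OperatingSystem, LastLogonDate `
        -Filter { (Enabled -eq $true) -and (OperatingSystem -like 'Windows 1*') }

    $rows = foreach ($c in $computers) {
        # Recovery info objects are direct children of the computer object, so
        # OneLevel is sufficient and avoids walking anything else beneath it
        $keys = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated

        $newest = $keys | Sort-Object whenCreated -Descending | Select-Object -First 1

        [pscustomobject]@{
            ComputerName    = $c.Name
            OperatingSystem = $c.OperatingSystem
            LastLogonDate   = $c.LastLogonDate
            KeyCount        = @($keys).Count
            NewestKey       = if ($newest) { $newest.whenCreated } else { $null }
            HasRecoveryKey  = @($keys).Count -gt 0
        }
    }

    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    $rows
}

$report = Get-BitLockerEscrowReport

# The machines that matter: recently active, but nothing escrowed
$report | Where-Object { -not $_.HasRecoveryKey -and $_.LastLogonDate -gt (Get-Date).AddDays(-30) } |
    Sort-Object LastLogonDate -Descending |
    Format-Table ComputerName, OperatingSystem, LastLogonDate
```

KeyCount is also worth watching in the other direction: a machine that accumulates many recovery objects is one whose keys are being rotated or re-escrowed repeatedly, which usually means recovery prompts are happening in the field.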

New-ADOrganizationalUnit Create Multiple OU's

<#
Summary:  
          Get list of OU paths from file
          Loop and create each Sub OU           
Author:   Scott Head
Date:     02/09/2022
Version:  1.0 
#>

# One parent OU distinguished name per line, e.g. OU=Site1,OU=Domain Devices,DC=YourDomain,DC=net
$OUS = Get-Content C:\temp\Test.txt

Foreach($OU in $OUS){

    # New-ADOrganizationalUnit errors if the OU already exists, so check first.
    # New OUs are protected from accidental deletion by default.
    $Target = "OU=Assigned Wireless,$OU"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$Target'")) {
        New-ADOrganizationalUnit -Name "Assigned Wireless" -Path $OU
    }
}
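The script above assumes every parent path in the file already exists. The following added example (not from the original article) generalises it: given a full distinguished name, it walks from the domain root outward and creates each missing OU along the way, skipping the ones that exist, so the same input can be replayed safely. Escaped commas in OU names are handled when splitting the DN. The function name and the distinguished names in the usage lines are assumptions.

```powershell
# Added example: idempotent creation of an OU and all of its missing parents.
function New-OUPath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $DistinguishedName
    )
    process {
        # Split "OU=C,OU=B,OU=A,DC=corp,DC=net" into RDNs. A plain split on ','
        # breaks names containing an escaped comma ("\,"), so split only on
        # commas that are not preceded by a backslash.
        $rdns    = [regex]::Split($DistinguishedName, '(?<!\\),')
        $dcParts = @($rdns | Where-Object { $_ -like 'DC=*' })
        $ouParts = @($rdns | Where-Object { $_ -like 'OU=*' })
        if ($dcParts.Count -eq 0) { throw "No DC components in '$DistinguishedName'" }

        # Walk from the root outward: A, then B under A, then C under B
        $parent = $dcParts -join ','
        [array]::Reverse($ouParts)

        foreach ($rdn in $ouParts) {
            $name   = ($rdn -replace '^OU=', '') -replace '\\,', ','   # unescaped form for -Name
            $target = "$rdn,$parent"

            # Look up by name one level under the parent. A filter returns nothing
            # when the OU is missing, whereas -Identity would throw.
            $existing = Get-ADOrganizationalUnit -SearchBase $parent -SearchScope OneLevel -Filter { Name -eq $name }
            if (-not $existing) {
                if ($PSCmdlet.ShouldProcess($target, 'Create OU')) {
                    # Keep the default protection on anything this function creates
                    New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
                }
            }
            $parent = $target
        }
        $parent
    }
}

# Creates Site1 under Domain Devices if it is missing, then Assigned Wireless under it
'OU=Assigned Wireless,OU=Site1,OU=Domain Devices,DC=YourDomain,DC=net' | New-OUPath -WhatIf

# Same input file as the script above, but parents are created as needed
Get-Content C:\temp\Test.txt | ForEach-Object { New-OUPath -DistinguishedName "OU=Assigned Wireless,$_" }
```

Because each step searches only one level under a parent that is known to exist, the function never needs to catch a not-found error, and re-running it on an input file is a no-op for everything already in place.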
