PowerShell Modules for Active Directory

This section of the document briefly discusses the PowerShell module for Active Directory and the cmdlets most often used to manage accounts.


Within PowerShell you can import the Active Directory module to automate the process of creating and maintaining objects. On a Windows 10 machine, after downloading RSAT, run the following:

Enable-WindowsOptionalFeature -FeatureName RSATClient-Roles-AD-Powershell -Online

Once enabled, you are able to use the AD cmdlets; you can list them with Get-Command *-AD*. From here, managing objects becomes possible through scripts.

Disabling Active Directory Accounts

To disable an Active Directory account, the following cmdlet should be used:

NAME
 Disable-ADAccount

SYNTAX
 Disable-ADAccount [-Identity] <ADAccount> [-WhatIf] [-Confirm] [-AuthType {Negotiate | Basic}] [-Credential
 <pscredential>] [-Partition <string>] [-PassThru] [-Server <string>] [<CommonParameters>]

So, to disable an account labelled “ExampleUser” the syntax would be:

Disable-ADAccount -Identity ExampleUser

To disable every user under the OU "Disabled Users" (itself inside the OU "UserAccount") in the domain labelled "LOCALDOM", the following filter can be piped into the cmdlet:

Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Disabled Users,OU=UserAccount,DC=LOCALDOM,DC=COM" | Disable-ADAccount

Note: always use the -WhatIf switch if you are unsure of the command you are about to run; it reports what would change without changing anything.

Enabling Active Directory Accounts

The same process applies to enabling Active Directory accounts via PowerShell:

NAME
 Enable-ADAccount

SYNTAX
 Enable-ADAccount [-Identity] <ADAccount> [-WhatIf] [-Confirm] [-AuthType {Negotiate | Basic}] [-Credential
 <pscredential>] [-Partition <string>] [-PassThru] [-Server <string>] [<CommonParameters>]

Again, the command would be:

Enable-ADAccount -Identity ExampleUser

Again, to enable every user under the OU "Disabled Users" (inside the OU "UserAccount") in the domain labelled "LOCALDOM", the following filter can be run:

Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Disabled Users,OU=UserAccount,DC=LOCALDOM,DC=COM" | Enable-ADAccount

Lock Active Directory Accounts

The same syntax is used for locked-out AD accounts, which are unlocked with this cmdlet:

Unlock-ADAccount -Identity ExampleUser


There is no need to drill down into OUs and domains if you already have a unique identifier for the account to pass to -Identity.

Reset Active Directory Account Passwords

Probably the most useful cmdlet is Set-ADAccountPassword (although, unless it is scripted, this is slower than using the GUI):

Set-ADAccountPassword -Identity ExampleUser

This command simply prompts you to enter the new password for the identity "ExampleUser".

If you would prefer to do it in a single line, you can use the following cmdlet call:

Set-ADAccountPassword 'CN=ExampleUser,OU=Accounts,DC=LocalDomain,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@55w(ord!)" -Force)

Active Directory Account Control Access

NAME
 Set-ADAccountControl

SYNTAX
 Set-ADAccountControl [-Identity] <ADAccount> [-AccountNotDelegated <bool>] [-AllowReversiblePasswordEncryption <bool>] [-AuthType {Negotiate | Basic}] [-CannotChangePassword <bool>] [-Credential <PSCredential>] [-DoesNotRequirePreAuth <bool>] [-Enabled <bool>] [-HomedirRequired <bool>] [-MNSLogonAccount <bool>] [-Partition <string>] [-PassThru] [-PasswordNeverExpires <bool>] [-PasswordNotRequired <bool>] [-Server <string>] [-TrustedForDelegation <bool>] [-TrustedToAuthForDelegation <bool>] [-UseDESKeyOnly <bool>] [-Confirm] [-WhatIf] [<CommonParameters>]

This cmdlet is rather useful, yet complex. Set-ADAccountControl sets a number of account flags that are particularly beneficial for accounts that run services (though they can equally be applied to standard user accounts).

For example, preventing the user from changing their own password:

Set-ADAccountControl -Identity ExampleUser -CannotChangePassword $true

Then we can ensure the password never expires:

Set-ADAccountControl -Identity ExampleUser -PasswordNeverExpires $true
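As an added example (not code from the original page), the following script brings the cmdlets above together: it disables every still-enabled user in the "Disabled Users" OU used earlier, applies the Set-ADAccountControl flags described above to a service account, resets that account's password without placing it on the command line, and then reads the flags back to verify them. The account name "svc-backup", the -DryRun switch and the use of AccountNotDelegated are assumptions made for illustration; the OU path is the one from the page.

```powershell
# Added example: bulk disable plus service-account hardening with the AD module.
# Assumptions: the OU path from the page exists and 'svc-backup' is a
# hypothetical service account. Run with -DryRun first (it maps to -WhatIf).
#Requires -Modules ActiveDirectory
param(
    [string]$SearchBase = "OU=Disabled Users,OU=UserAccount,DC=LOCALDOM,DC=COM",
    [string]$ServiceAccount = "svc-backup",   # hypothetical account name
    [switch]$DryRun
)

# 1. Disable only accounts that are still enabled in the "Disabled Users" OU.
#    Filtering on Enabled avoids touching objects that are already disabled.
$targets = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase
foreach ($user in $targets) {
    Write-Host "Disabling $($user.SamAccountName) ($($user.DistinguishedName))"
    Disable-ADAccount -Identity $user -WhatIf:$DryRun
}

# 2. Service-account control flags from the Set-ADAccountControl section.
#    CannotChangePassword stops the account changing its own password and
#    PasswordNeverExpires stops the expiry policy breaking the service.
#    AccountNotDelegated (assumed here) marks the account as sensitive so its
#    credentials cannot be delegated onward to other services.
Set-ADAccountControl -Identity $ServiceAccount `
    -CannotChangePassword $true `
    -PasswordNeverExpires $true `
    -AccountNotDelegated $true `
    -WhatIf:$DryRun

# 3. Reset the password without putting it on the command line:
#    Read-Host -AsSecureString prompts interactively, so the plaintext does
#    not land in the console history or in process listings.
if (-not $DryRun) {
    $newPassword = Read-Host -AsSecureString -Prompt "New password for $ServiceAccount"
    Set-ADAccountPassword -Identity $ServiceAccount -Reset -NewPassword $newPassword
}

# 4. Verify: read the flags back as they were actually written to the directory.
Get-ADUser -Identity $ServiceAccount -Properties CannotChangePassword, PasswordNeverExpires, AccountNotDelegated |
    Select-Object SamAccountName, Enabled, CannotChangePassword, PasswordNeverExpires, AccountNotDelegated
```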