Active Directory is Microsoft’s directory service for centralized management of users, computers, and resources in a Windows Server environment.
📦 Module Preparation
| 📌 Action | 🧠 PowerShell Command |
|---|---|
| 📦 Import AD module | Import-Module ActiveDirectory |
| ✅ Verify module | Get-Module ActiveDirectory |
| 🔍 List AD cmdlets | Get-Command -Module ActiveDirectory |
| 📋 Cmdlet help | Get-Help Get-ADUser -Examples |
👥 User Management
| 📌 Action | 🧠 PowerShell Command |
|---|---|
| 📋 List users | Get-ADUser -Filter * |
| 🔍 Search user | Get-ADUser -Identity "jsmith" |
| 👁️ Full details | Get-ADUser "jsmith" -Properties * |
| 🔍 Search by name | Get-ADUser -Filter "Name -like '*Smith*'" |
| 👤 Create user | New-ADUser -Name "John Smith" -SamAccountName "jsmith" |
| 🔧 Modify user | Set-ADUser -Identity "jsmith" -Description "IT Admin" |
| 🔒 Disable account | Disable-ADAccount -Identity "jsmith" |
| ✅ Enable account | Enable-ADAccount -Identity "jsmith" |
| 🗑️ Delete user | Remove-ADUser -Identity "jsmith" |
👥 Group Management
| 📌 Action | 🧠 PowerShell Command |
|---|---|
| 📋 List groups | Get-ADGroup -Filter * |
| 🔍 Search group | Get-ADGroup -Identity "Admins" |
| 👁️ Group members | Get-ADGroupMember -Identity "Admins" |
| ➕ Add member | Add-ADGroupMember -Identity "Admins" -Members "jsmith" |
| ➖ Remove member | Remove-ADGroupMember -Identity "Admins" -Members "jsmith" |
| 👤 User’s groups | Get-ADUser "jsmith" -Properties MemberOf |
| 🆕 Create group | New-ADGroup -Name "IT-Team" -GroupScope Global |
💻 Computer Management
| 📌 Action | 🧠 PowerShell Command |
|---|---|
| 📋 List computers | Get-ADComputer -Filter * |
| 🔍 Search PC | Get-ADComputer -Identity "PC-001" |
| 📊 PC with details | Get-ADComputer "PC-001" -Properties * |
| 🆕 Add PC | New-ADComputer -Name "PC-002" -Path "OU=Computers,DC=domain,DC=com" |
| 🗑️ Delete PC | Remove-ADComputer -Identity "PC-001" |
| ⏰ Last logon | Get-ADComputer -Filter * -Properties LastLogonDate |
🔍 Advanced Searches
🎯 Inactive users
```powershell
# Users not logged in for 90 days
$date = (Get-Date).AddDays(-90)
# Note: LastLogonDate is empty for accounts that have never logged on, and
# $null compares as less than $date, so those accounts are included as well
Get-ADUser -Filter * -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt $date}
```
🔒 Disabled accounts
```powershell
Get-ADUser -Filter {Enabled -eq $false}
```
👥 Users from a specific group
```powershell
Get-ADGroupMember -Identity "Domain Admins" | Get-ADUser -Properties DisplayName
```
🏢 Organizational Structure (OU)
| 📌 Action | 🧠 PowerShell Command |
|---|---|
| 📋 List OUs | Get-ADOrganizationalUnit -Filter * |
| 🆕 Create OU | New-ADOrganizationalUnit -Name "IT" -Path "DC=domain,DC=com" |
| 📦 OU contents | Get-ADObject -SearchBase "OU=IT,DC=domain,DC=com" -Filter * |
| 🔄 Move user | Move-ADObject -Identity "CN=jsmith,..." -TargetPath "OU=IT,..." |
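The "Inactive users" search above includes accounts that have never logged on and does not scope the query. The following script is an added example, not part of the original cheat sheet, that builds a stale-account report which separates the two cases and limits the query with -SearchBase and -Server; the OU path, DC name and output path are placeholders.

```powershell
# Added example (not from the original cheat sheet): stale-account report that
# handles users who have never logged on and limits the query scope.
# Assumed placeholders: the OU path, the DC name and the output path.
$SearchBase   = "OU=Users,DC=domain,DC=com"   # placeholder: scope of the audit
$Server       = "dc.domain.com"               # placeholder: DC to query
$InactiveDays = 90
$OutFile      = "C:\temp\stale_users.csv"

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Filter server-side on Enabled so disabled accounts are not pulled back at all,
# and request only the attributes the report needs instead of -Properties *.
$users = Get-ADUser -Server $Server -SearchBase $SearchBase `
    -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordLastSet, WhenCreated

$report = foreach ($u in $users) {
    # LastLogonDate is derived from lastLogonTimestamp, which replicates only
    # about every 14 days, so read it as "inactive for at least N days", not exact.
    if ($null -eq $u.LastLogonDate) {
        # Never logged on: flag only if the account is older than the cutoff,
        # otherwise it is most likely a freshly created account.
        if ($u.WhenCreated -lt $cutoff) { $state = 'NeverLoggedOn' } else { continue }
    }
    elseif ($u.LastLogonDate -lt $cutoff) { $state = 'Stale' }
    else { continue }

    [PSCustomObject]@{
        SamAccountName    = $u.SamAccountName
        State             = $state
        LastLogonDate     = $u.LastLogonDate
        PasswordLastSet   = $u.PasswordLastSet
        WhenCreated       = $u.WhenCreated
        DistinguishedName = $u.DistinguishedName
    }
}

$report | Sort-Object State, LastLogonDate | Export-Csv $OutFile -NoTypeInformation
Write-Host "$(@($report).Count) stale or never-logged-on enabled users written to $OutFile"
```

Review the CSV before disabling anything: service accounts that authenticate via Kerberos keytabs or smart cards can show an old LastLogonDate while still being in use.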
🛠️ Script Examples
📊 Export a group with its members to Excel:
```powershell
# Define the group name to analyze
$groupName = "GRP-accounting"
# Get the group and its members from the domain
$group = Get-ADGroup -Identity $groupName -Properties Members
# For each group member, retrieve full details
$members = $group.Members | ForEach-Object {
    # Get-ADObject retrieves all AD object types (users, computers, etc.)
    Get-ADObject -Identity $_ -Properties *
}
# Display a preview of members in the console
$members | Format-Table Name, ObjectClass, DistinguishedName
# Build the filename with today's date
$excelFilePath = "C:\folder\export_$($groupName)_$(Get-Date -Format 'yyyyMMdd').xlsx"
# Export to Excel (requires ImportExcel module)
$members | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Excel -Path $excelFilePath -AutoSize
Write-Host "Export completed: '$excelFilePath'"
```
🔍 User account audit
```powershell
# User report with essential info
Get-ADUser -Filter * -Properties DisplayName, LastLogonDate, PasswordLastSet |
    Select-Object Name, DisplayName, Enabled, LastLogonDate, PasswordLastSet |
    Export-Csv "C:\temp\users_audit.csv" -NoTypeInformation
```
👥 Groups and members report
```powershell
# List all groups with member count
Get-ADGroup -Filter * | ForEach-Object {
    # Wrap in @() so a group with zero or one member still yields a numeric count
    $memberCount = @(Get-ADGroupMember -Identity $_ -ErrorAction SilentlyContinue).Count
    [PSCustomObject]@{
        GroupName   = $_.Name
        MemberCount = $memberCount
        GroupScope  = $_.GroupScope
    }
} | Sort-Object MemberCount -Descending
```
🔒 Problematic accounts
```powershell
# Expired or locked accounts
Get-ADUser -Filter * -Properties LockedOut, PasswordExpired, AccountExpirationDate |
    Where-Object {$_.LockedOut -eq $true -or $_.PasswordExpired -eq $true} |
    Select-Object Name, LockedOut, PasswordExpired, AccountExpirationDate
```
📈 Monitoring and Reports
📊 Domain statistics
```powershell
# Domain overview
Write-Host "=== Active Directory Statistics ===" -ForegroundColor Green
Write-Host "Total users: $((Get-ADUser -Filter *).Count)"
Write-Host "Total groups: $((Get-ADGroup -Filter *).Count)"
Write-Host "Total computers: $((Get-ADComputer -Filter *).Count)"
Write-Host "Total OUs: $((Get-ADOrganizationalUnit -Filter *).Count)"
```
⚠️ Security alerts
```powershell
# Users with password never expires
Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires |
    Select-Object Name, PasswordNeverExpires
```
🚨 Common Troubleshooting
| 🆘 Problem | 🧠 Solution |
|---|---|
| Missing AD module | Install-WindowsFeature RSAT-AD-PowerShell |
| Insufficient permissions | Use a domain admin account |
| DC connection error | Specify -Server "dc.domain.com" |
| Excel export fails | Install the ImportExcel module: Install-Module ImportExcel |
| Slow search | Use -SearchBase "OU=..." to limit scope |
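The "Security alerts" check above looks for PasswordNeverExpires across all users. The script below is an added example, not part of the original cheat sheet, that narrows the same checks to the accounts that matter most: members of the built-in privileged groups, including nested membership. The DC name, output path and password-age threshold are assumed placeholders.

```powershell
# Added example (not from the original cheat sheet): audit members of the
# built-in privileged groups, expanding nested groups, and flag risky settings
# (password never expires, old password, disabled account still a member).
# Assumed placeholders: the DC name, the output path and the age threshold.
$Server  = "dc.domain.com"                   # placeholder: DC to query
$OutFile = "C:\temp\privileged_accounts.csv"
$MaxPasswordAgeDays = 365
$Groups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
$findings = foreach ($g in $Groups) {
    # -Recursive expands nested groups so indirect members are not missed.
    # Enterprise/Schema Admins exist only in the forest root; skip missing groups.
    $members = Get-ADGroupMember -Server $Server -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') { continue }   # computers and gMSAs are out of scope here
        $u = Get-ADUser -Server $Server -Identity $m.distinguishedName `
                -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate
        $flags = @()
        if ($u.PasswordNeverExpires)        { $flags += 'PasswordNeverExpires' }
        # An empty PasswordLastSet (must change at next logon) also compares as old
        if ($u.PasswordLastSet -lt $cutoff) { $flags += "PasswordOlderThan$($MaxPasswordAgeDays)d" }
        if (-not $u.Enabled)                { $flags += 'DisabledButPrivileged' }
        [PSCustomObject]@{
            Group           = $g
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Flags           = ($flags -join ';')
        }
    }
}

$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$findings | Export-Csv $OutFile -NoTypeInformation
Write-Host "$(@($findings | Where-Object Flags).Count) privileged accounts need review (see $OutFile)"
```

Rows with a non-empty Flags column are the ones to act on first; a disabled account that still sits in Domain Admins should be removed from the group, not just left disabled.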