Active Directory is one of the most common uses for PowerShell. I have personally been building Active Directory scripts using VBScript and PowerShell for over a decade. Here’s a big sample of Active Directory PowerShell scripts to do all kinds of stuff!
Discover, report and prevent insecure Active Directory account passwords in your environment with Specops’ completely free Password Auditor Pro. Download it today!
All of the Active Directory scripts I’ll be listing here are in various stages of functionality. The point of this post isn’t to give you 100% tested, pristine scripts but rather give you a jumpstart on creating some of your own.
All of the scripts listed here are Active Directory PowerShell scripts. You can script things in Active Directory but if you’ve noticed, PowerShell is sorta my thing. Enjoy!
Table of Contents
Active Directory SPNs
- ActiveDirectorySPN PowerShell script
This is a PowerShell module that allows you to create, change, and remove Active Directory SPNs using commands like
Remove-AdComputerSpnand so on. This module is handy so you don’t have to remember how to use
Set-AdUserto change SPNs.
Here’s an example of how to create Active Directory users in bulk by reading from a text file.
Do you use template user accounts that you need to build other accounts from? Look no further! This script copies attributes from a user account and also all group memberships to create a new AD user.
Use this script to find Active Directory user accounts that aren’t used anymore and remove them. This script also create a CSV log file.
This script finds all logon and logoff times of all users on all computers in an Active Directory organizational unit. The appropriate audit policies must be enabled first because the appropriate event IDs will show up.
You’ve got a CSV file full of employee names and need to find their AD user accounts, however, nothing ever matches up 100%. Use this script to find AD user accounts from a CSV file and also get an example of using “fuzzy” searching.
Here’s a great example of how to pull the user account password age from lots of AD users at once.
Another example of how to pull employee information from a CSV and find their AD user accounts. This script was used to find inactive accounts.
Although not technically AD-related, the function in this script queries CIM on the local or a remote computer and returns the user (local or Active Directory) that is currently logged on.
Here’s another older script I built to find AD users that set their password a certain time ago.
Use the code in this script to find all AD users that have set their password. There’s some overlap between this one and GetAdUserWithPasswordLastSetOlderThan.ps1.
I remember this one! This was a script that took forever that allows you to delegate AD change responsibilities to other users. This was used to delegate HR access to create and change AD users.
This an example of a script that covers all the bases. This script does everything from create the user account, assign groups, add to the appropriate OU and even creates a home folder!
This script finds all logon, logoff and total active session times of all users on all computers specified. For this script to function as expected, the advanced AD policies; Audit Logon, Audit Logoff and Audit Other Logon/Logoff Events must be enabled and targeted to the appropriate computers via GPO.
Active Directory Groups
This script queries multiple Active Directory groups for new members in a domain. It records group membership in a CSV file in the same location as the script is located. On the script’s initial run it will simply record all members of all groups into this CSV file. On subsequent runs it will query each group’s member list and compare that list to what’s in the CSV file. If any differences are found (added or removed) the script will update the CSV file to reflect current memberships and notify an administrator of which members were either added or removed.
This function queries the Active Directory domain the initiating computer is in for all groups that have no members. This is common when attempting to find groups that can be removed. This does not include default AD groups like Domain Computers, Domain Users, etc.
I liked writing this script because it was a foray into security. This script actively monitors an Active Directory group for any membership changes. If any members are added or removed, it can notify you.
This is an old script but still useful I used to compare two GPOs. This script pulls registry information the GPOs set and compares them to see what the differences are.
This function queries the Active Directory domain the initiating computer is in for all GPOs that either have their computer, user or both settings disabled. This is common when attempting to find GPOs that can be removed.
Get-GPRegistryValueand some magic, this scripts pulls all of the registry settings one or more GPOs set when applied.
This is another good example of a script you can use when cleaning up AD. This one was used to find GPOs that weren’t doing anything at all because they were linked to empty OUs.
An OK example of finding GPO registry settings.
This script finds all GPOs in the current domain which have either the user or computer configuration section enabled yet have no settings enabled in that section. Good script for AD cleanup work.
Another example of how to pull GPOs that are not being used anymore.
This function queries the Active Directory domain the initiating computer is in for all GPOs that do not have a link to an object. This is common when attempting to find GPOs that can be removed.
This script retrieves the ACL from an Active Directory-integrated DNS record. This is a good script to use when troubleshooting issues with dynamic DNS.
Active Directory Troubleshooting
I love the old school dcdiag utility but it wasn’t properly PowerShellified. This is a script that parses dcdiag’s output and returns rich objects.
Use this script to test to ensure DCs are replicating. It makes a change on one DC and then polls all the other ones to see how long (if at all) that objects takes to replicate.
Another cleanup script to find all organizational units that are empty. Might as well clean those up!
Need to cleanup old Active Directory computer accounts? Not problem. Take a look at some good examples of using text files and AD to make it happen.
Sometimes AD clients find themselves not assigned to a site. This can lead to all kinds of problems. Use this script to find those AD computers that are no longer assigned to a site and are calling for help.
This script disjoins a computer from an Active Directory domain, performs a reboot and upon coming back up joins it to the domain again and performs another reboot.
That’s it! Those are a few of the Active Directory scripts I’ve built over the years. I sure wish I had been better at keeping track of all of them! I hope these scripts give you a jumpstart on creating some useful Active Directory scripts of your own.
More from Adam The Automator & Friends