Active Directory automation scripts: practical, ready-to-use examples

Active Directory (AD) automation scripts are typically written in PowerShell, since it integrates deeply with Windows Server and AD services. These scripts help automate repetitive admin tasks like user creation, group management, password resets, and reporting.


Before running any script, make sure you have completed the prerequisite steps described in the link below.

1.Import AD Module

Script:
# Needs the ActiveDirectory module, which comes with RSAT on clients and with the AD DS management tools on a server
Import-Module ActiveDirectory

2.Create Users in Bulk (from CSV)

CSV format (users.csv)

Name,GivenName,Surname,SamAccountName,UserPrincipalName,OU
John Doe,John,Doe,jdoe,jdoe@domain.com,"OU=Users,DC=domain,DC=com"

Script:
# Note: every account gets the same hard-coded initial password. Pair this with
# -ChangePasswordAtLogon $true (or generate a unique password per user) so the shared
# value is not usable after onboarding, and keep the CSV out of shared folders.
Import-Csv "C:\users.csv" | ForEach-Object {
    New-ADUser `
        -Name $_.Name `
        -GivenName $_.GivenName `
        -Surname $_.Surname `
        -SamAccountName $_.SamAccountName `
        -UserPrincipalName $_.UserPrincipalName `
        -Path $_.OU `
        -AccountPassword (ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force) `
        -Enabled $true
}
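An added example, not from the original post, that hardens script 2 the way it would be run in production: a unique random initial password per user, a forced change at first logon, a skip of accounts that already exist, and -WhatIf support. The CSV path and column names are the post's own; the helper New-RandomPassword is mine.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath = "C:\users.csv",   # same layout as users.csv above; path is an assumption
    [int]$PasswordLength = 16
)
Import-Module ActiveDirectory

function New-RandomPassword {
    # Hypothetical helper: draws characters from a CSPRNG. The alphabet has exactly 64
    # symbols, so a byte modulo 64 is unbiased; ambiguous l/I/O/0 are left out.
    param([int]$Length = 16)
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = [byte[]]::new($Length)
    $rng.GetBytes($buf)
    $rng.Dispose()
    return -join ($buf | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$results = foreach ($row in Import-Csv $CsvPath) {
    # Idempotent: re-running the job must not throw on accounts created last time.
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
        Write-Warning "Skipping $($row.SamAccountName): account already exists"
        continue
    }
    # Regenerate until lower, upper and digit are all present, so the default
    # complexity policy (three character classes) is certainly satisfied.
    do { $plain = New-RandomPassword -Length $PasswordLength }
    until ($plain -cmatch '[a-z]' -and $plain -cmatch '[A-Z]' -and $plain -match '\d')
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($row.SamAccountName, "New-ADUser in $($row.OU)")) {
        try {
            New-ADUser -Name $row.Name -GivenName $row.GivenName -Surname $row.Surname `
                -SamAccountName $row.SamAccountName -UserPrincipalName $row.UserPrincipalName `
                -Path $row.OU -AccountPassword $secure -Enabled $true `
                -ChangePasswordAtLogon $true -ErrorAction Stop
            # The one-time password is handed to the user out of band; do not run this
            # under Start-Transcript or the plaintext ends up in the log file.
            [pscustomobject]@{ User = $row.SamAccountName; InitialPassword = $plain; Status = 'Created' }
        } catch {
            [pscustomobject]@{ User = $row.SamAccountName; InitialPassword = $null; Status = "Failed: $_" }
        }
    }
}
$results | Format-Table -AutoSize
```

Run it once with -WhatIf to see which rows would be created before anything is written to the directory.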

3.Reset Password for All Users in an OU

Script:
# Sets one identical password on every user in the OU. Use only for bulk onboarding or
# incident recovery, and follow it with Set-ADUser -ChangePasswordAtLogon $true (script 21).
Get-ADUser -Filter * -SearchBase "OU=Users,DC=domain,DC=com" | ForEach-Object {
    Set-ADAccountPassword -Identity $_ -Reset `
    -NewPassword (ConvertTo-SecureString "NewP@ss123" -AsPlainText -Force)
}

4.Disable Inactive Users (e.g., 90 days)

Script:
$days = 90

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to about 14 days
# of lag, so keep the threshold well above that. Review the list (or add -WhatIf, see
# Important Tips) before piping it into Disable-ADAccount.
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan "$days.00:00:00" |
    Disable-ADAccount

5.Add Users to Groups Automatically

Script:
Import-Csv "C:\groupusers.csv" | ForEach-Object {
    Add-ADGroupMember -Identity $_.Group -Members $_.User
}

6.Export AD Users Report

Script:
Get-ADUser -Filter * -Property DisplayName,EmailAddress,LastLogonDate |
Select-Object DisplayName,EmailAddress,LastLogonDate |
Export-Csv "C:\ADUsersReport.csv" -NoTypeInformation

7.Unlock Locked Accounts

Script:
Search-ADAccount -LockedOut | Unlock-ADAccount

8.Move Users Between OUs

Script:
Get-ADUser -Filter * -SearchBase "OU=OldOU,DC=domain,DC=com" | ForEach-Object {
    Move-ADObject -Identity $_.DistinguishedName `
    -TargetPath "OU=NewOU,DC=domain,DC=com"
}

9.Find Expired User Accounts

Script:
Search-ADAccount -AccountExpired -UsersOnly | 
Select Name,AccountExpirationDate

10.Set Account Expiry Date for Users

Script:
Get-ADUser -Filter * -SearchBase "OU=TempUsers,DC=domain,DC=com" | ForEach-Object {
    Set-ADUser $_ -AccountExpirationDate (Get-Date).AddDays(30)
}

11.Remove Users from a Group (Bulk)

Script:
Import-Csv "C:\removeusers.csv" | ForEach-Object {
    Remove-ADGroupMember -Identity $_.Group -Members $_.User -Confirm:$false
}

12.Get Users with Password Never Expires

Script:
Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires |
Select Name,SamAccountName

13.Enable All Disabled Users in an OU

Script:
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Users,DC=domain,DC=com" |
Enable-ADAccount

14.Find Users Without Manager Assigned

Script:
Get-ADUser -Filter * -Properties Manager | 
Where-Object { -not $_.Manager } |
Select Name,SamAccountName

15.Export Group Members to CSV

Script:
Get-ADGroupMember -Identity "HR Team" | 
Select Name,SamAccountName |
Export-Csv "C:\HRTeamMembers.csv" -NoTypeInformation

16.Delete Inactive Computer Accounts (e.g., 60 days)

Script:
$days = 60
$time = (Get-Date).AddDays(-$days)

# Same replication-lag caveat as script 4. Remove-ADComputer also fails on computer objects
# that have child objects (for example stored recovery information); those need Remove-ADObject -Recursive.
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties LastLogonDate |
Remove-ADComputer -Confirm:$false

17.Get Locked-Out User Details (Very Useful)

Script:
Search-ADAccount -LockedOut | 
Select Name,SamAccountName,LastLogonDate

18.Get All Users in a Specific Group

Script:
Get-ADGroupMember -Identity "Domain Admins" | Select Name,SamAccountName

19.Find Empty AD Groups

Script:
# -ErrorAction SilentlyContinue also swallows groups Get-ADGroupMember cannot enumerate
# (very large groups over the server's member limit, foreign security principals), so
# those show up as "empty" here; check them by hand before acting on this list.
Get-ADGroup -Filter * | Where-Object {
    (Get-ADGroupMember $_.DistinguishedName -ErrorAction SilentlyContinue).Count -eq 0
} | Select Name

20.List Users Created in Last 7 Days

Script:
$days = 7
Get-ADUser -Filter * -Properties WhenCreated |
Where-Object { $_.WhenCreated -ge (Get-Date).AddDays(-$days) } |
Select Name,WhenCreated

21.Force Password Change at Next Logon

Script:
# Accounts flagged PasswordNeverExpires are not prompted at logon; clear that flag first
# (see script 12 for finding them).
Get-ADUser -Filter * -SearchBase "OU=Users,DC=domain,DC=com" |
Set-ADUser -ChangePasswordAtLogon $true

22.Get All Computers in AD

Script:
Get-ADComputer -Filter * | Select Name,OperatingSystem

23.Find Computers Not Logged In (90 days)

Script:
$days = 90
Get-ADComputer -Filter * -Properties LastLogonDate |
Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-$days) } |
Select Name,LastLogonDate

24.Add Description to All Users

Script:
Get-ADUser -Filter * | ForEach-Object {
    Set-ADUser $_ -Description "Company Employee"
}

25.Rename AD User

Script:
Rename-ADObject -Identity "CN=OldName,OU=Users,DC=domain,DC=com" -NewName "NewName"

26.Get Users by Department

Script:
Get-ADUser -Filter {Department -eq "IT"} -Properties Department |
Select Name,Department

27.Update User Department (Bulk)

Script:
Import-Csv "C:\dept.csv" | ForEach-Object {
    Set-ADUser $_.User -Department $_.Department
}

28.Find Duplicate User Names

Script:
Get-ADUser -Filter * | Group-Object Name | Where-Object { $_.Count -gt 1 }

29.Get Disabled Computers

Script:
Search-ADAccount -AccountDisabled -ComputersOnly | Select Name


30.Enable Computer Accounts

Script:
Search-ADAccount -AccountDisabled -ComputersOnly | Enable-ADAccount

31.List All OUs

Script:
Get-ADOrganizationalUnit -Filter * | Select Name,DistinguishedName


32.Create New OU

Script:
New-ADOrganizationalUnit -Name "NewOU" -Path "DC=domain,DC=com"

33.Delete Empty OUs

Script:
# A SearchBase search includes the OU itself, so a count of 1 means the OU is empty.
# OUs carry ProtectedFromAccidentalDeletion by default, and Remove-ADOrganizationalUnit
# fails on those; clear the flag with Set-ADOrganizationalUnit only after reviewing the list.
Get-ADOrganizationalUnit -Filter * | Where-Object {
    (Get-ADObject -Filter * -SearchBase $_.DistinguishedName).Count -le 1
} | Remove-ADOrganizationalUnit -Confirm:$false

34.Get Users Without Email Address

Script:
Get-ADUser -Filter * -Properties EmailAddress |
Where-Object { -not $_.EmailAddress } |
Select Name

35.Set Email Address (Bulk)

Script:
Import-Csv "C:\emails.csv" | ForEach-Object {
    Set-ADUser $_.User -EmailAddress $_.Email
}

36.Find Users with Expired Passwords

Script:
Search-ADAccount -PasswordExpired | Select Name

37.Get Last Logon of Specific User

Script:
Get-ADUser username -Properties LastLogonDate | Select Name,LastLogonDate


38.Add Users to OU Based on CSV

Script:
Import-Csv "C:\moveusers.csv" | ForEach-Object {
    Move-ADObject -Identity $_.UserDN -TargetPath $_.TargetOU
}

39.Get Domain Controllers

Script:
Get-ADDomainController -Filter * | Select HostName,Site

40.Restart Remote Computer (from AD list)

Script:
# As written this restarts every computer object in the domain, domain controllers and
# servers included. Scope it with -SearchBase or a -Filter on OperatingSystem before running.
Get-ADComputer -Filter * | ForEach-Object {
    Restart-Computer -ComputerName $_.Name -Force
}

41.Find Stale Passwords (Not Changed in 180 Days)

Script:
$days = 180
Get-ADUser -Filter * -Properties PasswordLastSet |
Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-$days) } |
Select Name,PasswordLastSet

42.Get Group Membership of User

Script:
Get-ADUser username -Properties MemberOf | Select -ExpandProperty MemberOf

43.Copy Group Membership from One User to Another

Script:
$source = "user1"
$target = "user2"

Get-ADUser $source -Properties MemberOf | Select -Expand MemberOf | ForEach-Object {
    Add-ADGroupMember -Identity $_ -Members $target
}

44.Remove All Group Memberships from User

Script:
Get-ADPrincipalGroupMembership username | Where-Object { $_.Name -ne "Domain Users" } |
ForEach-Object {
    Remove-ADGroupMember -Identity $_ -Members username -Confirm:$false
}

45.Get GPO List

Script:
# Requires the GroupPolicy module (part of RSAT / the Group Policy Management feature)
Get-GPO -All | Select DisplayName

46.Backup All GPOs

Script:
# Store the backup on a location only administrators can write to; GPO backups are what you restore from after a bad change.
Backup-GPO -All -Path "C:\GPOBackup"

47.Find Users Logged On to Computer

Script:
# Get-WmiObject exists only in Windows PowerShell; on PowerShell 7 use Get-CimInstance with the same class.
# Shows the interactively logged-on user of PC1 (requires remote WMI access and local admin rights on PC1).
Get-WmiObject -Class Win32_ComputerSystem -ComputerName PC1 | Select Username

48.Check AD Replication Status

Script:
Get-ADReplicationPartnerMetadata -Target * | Select Server,LastReplicationSuccess

49.Get FSMO Roles

Script:
Get-ADDomain | Select InfrastructureMaster,RIDMaster,PDCEmulator
Get-ADForest | Select SchemaMaster,DomainNamingMaster

50.List All Service Accounts

Script:
# Heuristic: user accounts that carry a Service Principal Name are treated as service accounts.
# These accounts need long, regularly rotated passwords (or should be converted to gMSAs), so the list is a good audit starting point.
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName |
Select Name,ServicePrincipalName
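An added example (not from the original post) that extends script 50: instead of only listing the accounts with SPNs, it checks each one for the hygiene settings a defender cares about and writes a report. The staleness threshold and report path are assumptions; gMSAs are not returned by Get-ADUser and would be audited separately with Get-ADServiceAccount.

```powershell
Import-Module ActiveDirectory
$staleDays  = 365                              # assumed rotation policy
$reportPath = "C:\ServiceAccountAudit.csv"     # assumed path
$props = 'ServicePrincipalName','PasswordLastSet','PasswordNeverExpires','AdminCount',
         'msDS-SupportedEncryptionTypes','Enabled','LastLogonDate'

$audit = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props |
    ForEach-Object {
        # 0 or absent means the account does not advertise AES itself and relies on
        # the DC default; 0x08 = AES128, 0x10 = AES256.
        $enc = [int]($_.'msDS-SupportedEncryptionTypes')
        $aes = ($enc -band 0x18) -ne 0
        $issues = @()
        if ($_.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }
        if (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt (Get-Date).AddDays(-$staleDays)) {
            $issues += "PasswordOlderThan${staleDays}d"
        }
        if (-not $aes) { $issues += 'NoAESEncryptionType' }
        if ($_.AdminCount -eq 1) { $issues += 'PrivilegedAccount' }   # SPN on a protected/admin account
        if (-not $_.LastLogonDate) { $issues += 'NeverLoggedOn' }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            SPNCount        = $_.ServicePrincipalName.Count
            PasswordLastSet = $_.PasswordLastSet
            Issues          = ($issues -join ';')
        }
    }

# Worst offenders first; the CSV is the artefact to hand to the account owners.
$audit | Sort-Object { $_.Issues.Length } -Descending | Export-Csv $reportPath -NoTypeInformation
$audit | Where-Object Issues | Format-Table -AutoSize
```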

Important Tips:

  • Always test scripts in a lab before production.
  • Use -WhatIf to simulate actions:
    Script:    
    Disable-ADAccount -Identity user1 -WhatIf

  • Use logging:
    Script:    
    Start-Transcript -Path "C:\log.txt"
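An added example, not from the original post, that puts both tips to work on script 4: the inactive-user job rewritten with a -WhatIf gate, a review CSV and a transcript, plus the exclusions you want before a job touches accounts. The log directory is an assumption; the OU is the one used throughout the post.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$Days = 90,
    [string]$SearchBase = "OU=Users,DC=domain,DC=com",   # same OU as in the post
    [string]$LogDir = "C:\ADAutomationLogs"              # assumed path
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Start-Transcript -Path (Join-Path $LogDir "disable-inactive-$stamp.txt")
try {
    $cutoff = (Get-Date).AddDays(-$Days)
    # LastLogonDate comes from lastLogonTimestamp, which replicates with up to about
    # 14 days of lag, so a threshold below that would disable active people.
    $candidates = Search-ADAccount -AccountInactive -UsersOnly -SearchBase $SearchBase `
                      -TimeSpan (New-TimeSpan -Days $Days) |
        ForEach-Object { Get-ADUser $_.DistinguishedName -Properties LastLogonDate,WhenCreated,AdminCount,Description } |
        Where-Object {
            $_.Enabled -and                  # already-disabled accounts add nothing
            $_.WhenCreated -lt $cutoff -and  # new accounts have no logon yet but are not stale
            $_.AdminCount -ne 1              # privileged accounts get a human decision, not a job
        }
    # Write the review list first so there is a record of what was touched and why.
    $candidates | Select-Object SamAccountName,LastLogonDate,WhenCreated |
        Export-Csv (Join-Path $LogDir "disable-inactive-$stamp.csv") -NoTypeInformation
    foreach ($u in $candidates) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (inactive > $Days days)")) {
            # Leave a breadcrumb on the object so the next admin knows who disabled it and why.
            Set-ADUser $u -Description "Disabled $stamp by inactivity job; was: $($u.Description)"
            Disable-ADAccount $u
        }
    }
    Write-Output "Candidates: $(@($candidates).Count)"
}
finally {
    Stop-Transcript
}
```

Invoke it as .\Disable-Inactive.ps1 -WhatIf first; the transcript and CSV are written either way, so the dry run already produces the review list.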


Subscribe to my YouTube channel: www.youtube.com/@Stack_Tech
