
Top 8 Active Directory Powershell Scripts


Working with Active Directory, there are a number of PowerShell commands and scripts you can use to manage it. I have put together a list of the top scripts for completing the most common tasks I have come across while supporting AD.

1.) Create Active Directory Users Based On Excel Input

This script lets you create users from data in an Excel/CSV file. You can enter in the file all the attributes you want set on the user account during creation (e.g. department, manager, telephone number). It uses the New-ADUser PowerShell cmdlet.

Please download from Technet gallery 

2.) Active Directory Password Expiry Email Notification

This is a great script that emails your users when their password is due to expire, helping to reduce helpdesk calls to reset passwords after an account is locked out by expiration. Simply run the script as a scheduled task: it checks AD for any accounts nearing expiration and sends them a reminder email.
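As an added example (not the gallery script itself), the core of such a notification job: pick out enabled users whose password expires within a warning window using the constructed attribute msDS-UserPasswordExpiryTimeComputed, then mail them. The SMTP relay and sender address are placeholders, and the ActiveDirectory module is assumed.

```powershell
# Added example (not the gallery script): select enabled users whose password expires
# within $WarnDays and mail each one. The SMTP relay and sender address are placeholders.
Import-Module ActiveDirectory

$WarnDays   = 14
$SmtpServer = 'smtp.example.com'        # placeholder: your mail relay
$From       = 'helpdesk@example.com'    # placeholder: your sender address

function Get-ExpiringPasswords {
    param([int]$Days = $WarnDays)
    $now = Get-Date
    # msDS-UserPasswordExpiryTimeComputed already applies fine-grained password policies,
    # which makes it more reliable than PasswordLastSet plus the domain MaxPasswordAge.
    $users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                 -Properties 'msDS-UserPasswordExpiryTimeComputed', EmailAddress, DisplayName
    foreach ($u in $users) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon, Int64.MaxValue = never expires by policy; skip both
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [math]::Ceiling(($expires - $now).TotalDays)
        if ($daysLeft -le $Days) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                DisplayName    = $u.DisplayName
                EmailAddress   = $u.EmailAddress
                Expires        = $expires
                DaysLeft       = $daysLeft
            }
        }
    }
}

foreach ($p in Get-ExpiringPasswords) {
    if (-not $p.EmailAddress) {
        Write-Warning "$($p.SamAccountName) expires in $($p.DaysLeft) day(s) but has no mail address"
        continue
    }
    $subject = if ($p.DaysLeft -le 0) { 'Your password has expired' } else { "Your password expires in $($p.DaysLeft) day(s)" }
    $body = "Hello $($p.DisplayName),`n`nYour domain password expires on " +
            "$($p.Expires.ToString('yyyy-MM-dd HH:mm')). Please change it before then " +
            "(Ctrl+Alt+Del, then 'Change a password')."
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $p.EmailAddress -Subject $subject -Body $body
}
```

Run Get-ExpiringPasswords on its own first to review who would be mailed before scheduling the full script.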

Download from Technet Gallery

3.) Get Active Directory User Account Last Logged On Time

This is a useful script to find out when a user last logged onto a computer in the domain. You can also import users from CSV if you want to check a list of users.

Example 1: Type Get-OSCLastLogonTime -SamAccountName "lindawang","doris" in the Windows PowerShell console.

Example 2: Type Get-OSCLastLogonTime -CsvFilePath "C:\SamAccountName.csv" in the Windows PowerShell console.

This command lists the last logon time of the users named in the specified CSV file.

Note: the CSV File format must follow the format below:

Download from Technet Gallery

4.) Find Out What Computer Locked Users Account Get-LockedOutLocation

This script queries the PDC emulator for event ID 4740 to find out which computer caused a user's account to become locked out. The function also displays the BadPasswordTime attribute from all of the domain controllers to aid further troubleshooting. Works with domain controllers running Windows Server 2008 SP2 and up.

Example:
    PS C:\>Get-LockedOutLocation -Identity Joe.Bloggs
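To show what the lookup described above involves, here is an added example (my own code, not the gallery's Get-LockedOutLocation): it reads 4740 events for one account from the PDC emulator's Security log and then lists each DC's bad-password counters. It assumes the ActiveDirectory module and read access to the Security log on the PDC emulator.

```powershell
# Added example, not the gallery's Get-LockedOutLocation: query the PDC emulator for
# 4740 events for one account, then show each DC's bad-password counters.
# Assumes the ActiveDirectory module and read access to the PDC emulator's Security log.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)

    # Every lockout is forwarded to the PDC emulator, so its Security log is the one place to look
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        if (($data | Where-Object Name -eq 'TargetUserName').'#text' -ne $SamAccountName) { continue }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            User           = $SamAccountName
            # 4740 stores the Caller Computer Name in the field named TargetDomainName
            CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            LoggedOn       = $pdc
        }
    }
}

function Get-BadPasswordCounters {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # badPwdCount is not replicated, so ask every DC; the most recent
    # LastBadPasswordAttempt points at the DC that received the failing logons
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
        [pscustomobject]@{
            DC                     = $dc.HostName
            BadPwdCount            = $u.badPwdCount
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
            LockedOut              = $u.LockedOut
        }
    }
}

Get-LockoutSource       -SamAccountName 'Joe.Bloggs' | Format-Table -AutoSize
Get-BadPasswordCounters -SamAccountName 'Joe.Bloggs' |
    Sort-Object LastBadPasswordAttempt -Descending | Format-Table -AutoSize
```

The 4740 event only tells you the computer that sent the bad credentials; the actual cause (a stale service logon, mapped drive or cached credential on that machine) still has to be found locally on it.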

Download From Technet Gallery

5.) Active Directory Audit Report

This PowerShell script gathers information about your Active Directory environment, generates a report and exports the results as HTML or PDF.

The audit report covers the following items:

Forest Level Audit Report

  • Forest Information
    • Forest Summary
      • Name/Functional Level
      • Domain/Site/DC/GC/Exchange/Lync/Pool counts
    • Forest Features
      • Tombstone Lifetime
      • Recycle Bin Enabled
      • Lync AD Container
    • Exchange Servers
      • Organization/Administrative Group/Name/Roles/Site
      • Serial/Product ID
    • Lync
      • Element (Server/Pool)
      • Type (Internal/Edge/Backend/Pool)
      • Name/FQDN
  • Site Information
    • Summary
      • Site Name/Location/Domains/DCs/Subnets
    • Details
      • Site Name/Options/ISTG/Links/Bridgeheads/Adjacencies
    • Subnets
      • Subnet/Site Name/Location
    • Site Connections
      • Enabled/Options/From/To
    • Site Links *new*
      • Name/Replication Interval/Sites
  • Domain Information
    • Domains
      • Name/NetBIOS/Functional Level/Forest Root/RIDs Issued/RIDs Remaining *new*
    • Domain Password Policies
      • Name/NetBIOS/Lockout Threshold/Pass History Length/Max Pass Age/Min Pass Age/Min Pass Length
    • Domain Controllers
      • Domain/Site/Name/OS/Time/IP/GC/FSMO Roles
    • Domain Trusts
      • Domain/Trusted Domain/Direction/Attributes/Trust Type/Created/Modified
    • Domain DFS Shares
      • Domain/Name/DN/Remote Server
    • Domain DFSR Shares *new*
      • Domain/Name/Content/Remote Servers
    • AD Integrated DNS Zones
    • Group Policy Object Information


Domain Level Audit Report

  • Account Statistics (count) 1
    • Total User Accounts
    • Enabled
    • Disabled
    • Locked
    • Password Does Not Expire
    • Password Must Change
  • Account Statistics (count) 2
    • Password Not Required
    • Dial-in Enabled
    • Control Access With NPS
    • Unconstrained Delegation
    • Not Trusted For Delegation
    • No Pre-Auth Required
  • Group Statistics
    • Total Groups
    • Built-in
    • Universal Security
    • Universal Distribution
    • Global Security
    • Global Distribution
    • Domain Local Security
    • Domain Local Distribution
  • Privileged Group Statistics
    • Default Priv Group Name
    • Current Group Name (if it were changed)
    • Member Count
  • Privileged Group Membership for the following groups
    • Enterprise Admins
    • Schema Admins
    • Domain Admins
    • Administrators
    • Cert Publishers
    • Account Operators
    • Server Operators
    • Backup Operators
    • Print Operators
  • Account information for the prior sections:
    • Logon ID
    • Name
    • Password Age (Days)
    • Last Logon Date
    • Password Does Not Expire
    • Password Reversable
    • Password Not Required


Screenshots of the diagrams and reports the script generates (domain controllers, domains, forest summary, trusts) accompany the original post.

Download from Technet Gallery

6.) Generate Excel report based on Active Directory user objects

This script generates an Excel report with details about user objects. The report includes the following:

  • Active / Inactive User Accounts
  • Accounts Locked Out
  • Accounts Disabled
  • Expired Passwords
  • Passwords older than a set number of days
  • Passwords set to never expire
  • Password not required flag set
  • And many more options

This can run against your domain or your entire forest.

Download from Technet Gallery

7.) Get Inactive User in Domain based on Last Logon Time Stamp

A script to find inactive or stale users in your domain and export the results to CSV. Simply specify how many days must have passed since a user last logged in.

PowerShell
# Gets time stamps for all users in the domain that have NOT logged in since the specified date
# Mod by Tilo 2014-04-01
Import-Module ActiveDirectory
$domain = "domain.mydom.com"   # replace with your domain's DNS name
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))

# Get all enabled AD users with a lastLogonTimestamp older than $time
# (the AD module converts the DateTime to the attribute's FILETIME format for the filter)
Get-ADUser -Server $domain -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |

# Output Name and lastLogonTimestamp into CSV (HH gives a 24-hour clock)
Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} | Export-Csv OLD_User.csv -NoTypeInformation

Download From Technet Gallery

8.) List Group Members in Active Directory

Run this script to list the members of your AD groups. Simply add the groups you would like to check to a CSV file, run the script against it, and it will export a list of the members of each group.


Download From Technet Gallery


Infrastructure consultant from London. 16 years' experience working in IT. Areas of expertise are Active Directory, the System Center 2012 R2 suite (SCOM, SCORCH, SCCM, SCVMM, SCDPM, SCSM), private cloud, VMware and Hyper-V.