Common PowerShell Commands for AD

A list of common PowerShell commands for Active Directory. All of them require the ActiveDirectory PowerShell module (RSAT) and an account with rights for the operation; the "Modify", "Cleanup" and "FSMO" sections change directory state, so preview those with -WhatIf before running them for real.

Retrieve AD user(s)

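# get AD user - basic attributes
# -Identity (positional) accepts a sAMAccountName, distinguishedName, objectGUID or SID;
# without -Properties only the small default attribute set is returned
Get-ADUser "JohnDo"
# get AD user - all attributes (slow: every attribute is pulled from the DC)
Get-ADUser "JohnDo" -Properties *
# get AD user - additional attribute(s); prefer naming only what you need
Get-ADUser "JohnDo" -Properties PasswordLastSet
Get-ADUser "JohnDo" -Properties whenChanged,whenCreated
# get AD user - output specific attribute
# request only the attributes you select; "-Properties *" is unnecessary here
Get-ADUser "JohnDo" -Properties DisplayName | Select-Object sAMAccountName, DisplayName
(Get-ADUser "JohnDo" -Properties PasswordLastSet).PasswordLastSet
(Get-ADUser "JohnDo" -Properties whenChanged).whenChanged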
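# computed password expiry date - single user
# msDS-UserPasswordExpiryTimeComputed is a constructed attribute (FILETIME) that already
# accounts for fine-grained password policies; it must be requested explicitly and
# converted. For an account with "password never expires" the DC returns the Int64
# sentinel, on which FromFileTime throws - check PasswordNeverExpires first for those.
$u = Get-ADUser "JohnDo" -Properties "msDS-UserPasswordExpiryTimeComputed"
[datetime]::FromFileTime($u."msDS-UserPasswordExpiryTimeComputed")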
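# computed password expiry date - all enabled users
# the filter runs on the DC; excluding PasswordNeverExpires also keeps the never-expires
# sentinel value out of FromFileTime. The export lists every account and its expiry
# window - write it to a location with restricted ACLs, not a world-readable share.
$report = "C:\expiringPasswords-$(Get-Date -Format 'yyyy-MM-dd').csv"
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties DisplayName, "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property DisplayName,
        @{Name = "ExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }} |
    Sort-Object DisplayName |
    Export-Csv -NoTypeInformation -Path $report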
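# computed password age in days
# PasswordLastSet is $null when "user must change password at next logon" is set
# (pwdLastSet = 0); New-TimeSpan -Start $null gives no meaningful age, so guard for it
$lastSet = (Get-ADUser "JohnDo" -Properties PasswordLastSet).PasswordLastSet
if ($lastSet) {
    (New-TimeSpan -Start $lastSet -End (Get-Date)).Days
}
else {
    "password change pending (PasswordLastSet is empty)"
}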
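# account lockout info
# LockedOut and AccountLockoutTime are replicated; BadPwdCount and LastBadPasswordAttempt
# are kept per domain controller, so when hunting the source of a lockout query the
# PDC emulator (or every DC) with -Server rather than trusting one DC's counters
Get-ADUser "JohnDo" -Properties LockedOut, AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt |
    Select-Object sAMAccountName, LockedOut, AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt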
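# list AD user(s) - Filter (PowerShell expression syntax, evaluated on the DC)
Get-ADUser -Filter 'sAMAccountName -eq "JohnDo"'
Get-ADUser -Filter 'sAMAccountName -like "john*"'
Get-ADUser -Filter 'sAMAccountName -notlike "john*"'
Get-ADUser -Filter 'department -like "finance*"'
# list AD user(s) - LDAPFilter (raw LDAP search filter syntax)
Get-ADUser -LDAPFilter '(sAMAccountName=JohnDo)'
Get-ADUser -LDAPFilter '(sAMAccountName=john*)'
Get-ADUser -LDAPFilter '(!(sAMAccountName=john*))'
Get-ADUser -LDAPFilter '(department=finance*)'
# NOTE: do not build a -Filter / -LDAPFilter string by concatenating untrusted input;
# a crafted value changes the query (filter injection). Use -Identity for a single
# known account, or escape the value before interpolating it.
# get all enabled AD users with "password never expires" set
# filter on the DC instead of pulling every account and comparing a boolean to "true"
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordNeverExpires |
    Select-Object Name, sAMAccountName, Enabled, PasswordNeverExpires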


Check AD user existence

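# check if AD user exists
# -ErrorAction Stop makes a failed lookup a terminating error the catch can see.
# Only "identity not found" is treated as "does not exist"; any other failure
# (DC unreachable, access denied) propagates, so a transport error is never
# misreported as a missing account.
$userID = "JohnDo"   # sAMAccountName, distinguishedName, GUID or SID
$exists = $false
try {
    $user = Get-ADUser -Identity $userID -ErrorAction Stop
    $exists = ($null -ne $user)
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    $exists = $false
}
Write-Output ("{0}|{1}" -f $userID, $exists)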

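# check if multiple AD users exist
# takes a list of identities and does one lookup per entry. As in the single-user
# case only "identity not found" means "does not exist"; other failures propagate.
$userIDs = @("JohnDo", "JaneDo")   # sAMAccountNames, DNs, GUIDs or SIDs
Write-Output "UserName|Exists in AD"
foreach ($userID in $userIDs) {
    $exists = $false
    try {
        $null = Get-ADUser -Identity $userID -ErrorAction Stop
        $exists = $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $exists = $false
    }
    Write-Output ("{0}|{1}" -f $userID, $exists)
}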


Retrieve AD Security Groups

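# retrieve AD group - basic attributes
Get-ADGroup 'domain users'

# retrieve AD group - all attributes
Get-ADGroup 'domain users' -Properties *

# retrieve AD group members (direct members only)
Get-ADGroupMember 'domain users'
Get-ADGroupMember 'domain users' | Select-Object Name
(Get-ADGroupMember 'domain users').Name
# expand nested groups - use this when auditing privileged groups, otherwise a
# user who is a member only through a nested group is missed
Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object Name, objectClass, distinguishedName
# NOTE: Get-ADGroupMember fails on very large groups (ADWS caps one request, 5000
# entries by default); fall back to reading the raw attribute:
# (Get-ADGroup 'domain users' -Properties Member).Member

# list all empty groups
# "member" does not include accounts that belong to a group only via primaryGroupID
# (e.g. Domain Users), so such groups are reported as empty here
Get-ADGroup -Filter * -Properties Members |
    Where-Object { -not $_.Members } |
    Select-Object Name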


Modify AD Security Groups

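# add member(s) to AD security group
# -Members accepts sAMAccountName, DN, GUID or SID (comma-separated for several).
# Membership takes effect immediately, so preview with -WhatIf before touching a
# privileged group.
Add-ADGroupMember -Identity SecurityGroupName -Members distinguishedName1,distinguishedName2 -WhatIf
Add-ADGroupMember -Identity SecurityGroupName -Members distinguishedName1,distinguishedName2

# remove member from AD security group
# -Confirm:$false suppresses the prompt - only for reviewed, non-interactive scripts
Remove-ADGroupMember -Identity SecurityGroupName -Members distinguishedName #-Confirm:$false

# copy AD group members from one group to another
# one Add-ADGroupMember call with the whole list instead of one call per member.
# Nested groups are copied as groups (not expanded); add -Recursive to flatten them.
$members = Get-ADGroupMember -Identity "SourceADGroup"
Add-ADGroupMember -Identity "DestinationADGroup" -Members $members -WhatIf   # preview
Add-ADGroupMember -Identity "DestinationADGroup" -Members $members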


AD Cleanup

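# get all empty organizational units
# -SearchScope OneLevel inspects direct children only: an OU holding nothing but
# empty sub-OUs is reported as non-empty. -ResultSetSize 1 stops at the first hit.
Get-ADOrganizationalUnit -Filter * |
    Where-Object { -not (Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel -ResultSetSize 1) } |
    Select-Object DistinguishedName

# get all empty security groups
# an empty "member" attribute does not cover accounts whose primaryGroupID is this group
Get-ADGroup -Filter * -Properties Members |
    Where-Object { -not $_.Members } |
    Select-Object Name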


FSMO Roles

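# list FSMO role holders
Get-ADDomainController -Filter 'OperationMasterRoles -notlike ""' |
    Select-Object Name, OperationMasterRoles
# the same information from the domain / forest objects
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# transfer FSMO roles (graceful: the current holder must be online)
# roles may be given by name or number: 0=PDCEmulator 1=RIDMaster 2=InfrastructureMaster
# 3=SchemaMaster 4=DomainNamingMaster. SchemaMaster needs Schema Admins, DomainNamingMaster
# needs Enterprise Admins, the three domain roles need Domain Admins.
Move-ADDirectoryServerOperationMasterRole -Identity "destinationDC" `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster -WhatIf
Move-ADDirectoryServerOperationMasterRole -Identity "destinationDC" `
    -OperationMasterRole 0,1,2,3,4

# seize FSMO roles (-Force) - last resort, only when the current holder is permanently gone.
# A DC whose roles were seized must never be brought back online (two holders of the same
# role, e.g. duplicate RID pools); demote it and clean up its metadata instead.
Move-ADDirectoryServerOperationMasterRole -Identity "destinationDC" `
    -OperationMasterRole 0,1,2,3,4 -Force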



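# Group Policy (needs the GroupPolicy module, part of RSAT)
# list all domain GPOs
Get-GPO -All

# search GPO by name (partial match)
# -like with wildcards is a literal substring match; -match treats the pattern as a
# regular expression, so a name containing ( ) . + etc. would need escaping
Get-GPO -All | Where-Object { $_.DisplayName -like "*Default Domain*" }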
