PowerShell Active Directory Management in 2025: The Definitive Guide


Mastering Active Directory with PowerShell

Active Directory (AD) is the backbone of Windows networks, and PowerShell 7.4 is your heavy artillery for running it like a boss in 2025. This isn’t a one-trick CSV export pony—it’s your full-on AD domination manual, covering user creation, group juggling, bulk automation, security audits, and troubleshooting on Server 2022 or Windows 11. Whether you’re an IT pro herding a domain or a rookie cracking the AD vault, it’s loaded with rugged scripts, granular steps, and fixes that stick. From slamming in teams to sniffing out weak spots, this is your AD command hub—deep, no-BS, and built to last.

Step 1: Power Up PowerShell for AD

Setup Basics: You’ll need a domain controller (DC) on Windows Server 2022 with AD DS, or Windows 11 Pro with RSAT hooked up. Install RSAT with this:

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Still on PowerShell 5.1? Upgrade to 7.4 from GitHub—it’s got the guts 5.1 lacks.

Load the AD Engine: Kick off PowerShell 7.4 as admin and run:

Import-Module ActiveDirectory

Check it’s loaded with this—look for “ActiveDirectory” in the output:

Get-Module | Where-Object {$_.Name -eq "ActiveDirectory"}

Off-domain? Add -Server "dc01.domain.local" with your creds to connect.

Step 2: Everyday AD Moves

Add a User: Forge a new account with all the trimmings:

New-ADUser -Name "Max Payne" -GivenName "Max" -Surname "Payne" -SamAccountName "mpayne" -UserPrincipalName "mpayne@domain.local" -Path "OU=Agents,DC=domain,DC=local" -AccountPassword (ConvertTo-SecureString "NoirDetective77" -AsPlainText -Force) -Enabled $true -Department "Investigations" -Title "Detective" -Office "NYC" -MobilePhone "555-0132" -EmployeeID "MP007"

Plants “mpayne” in Agents OU—swap “domain.local” and pile on details.

Group Up: Hook him into a squad:

Add-ADGroupMember -Identity "FieldAgents" -Members "mpayne"

Scope it with this—case matters:

Get-ADGroupMember -Identity "FieldAgents" | Select-Object SamAccountName

Password Swap: Reset with grit:

Set-ADAccountPassword -Identity "mpayne" -NewPassword (ConvertTo-SecureString "BulletTime88" -AsPlainText -Force) -Reset

Force a login change with -ChangePasswordAtLogon $true—keeps it locked down.

Step 3: Bulk AD Power Plays

CSV User Blitz: Slam a crew in with a CSV (e.g., `squad.csv`):

Name,SamAccountName,OU,Department,Title
"Ellen Ripley","eripley","OU=Crew,DC=domain,DC=local","Space Ops","Warrant Officer"
"Rick Deckard","rdeckard","OU=Agents,DC=domain,DC=local","Investigations","Blade Runner"

Blast it out:

Import-Csv "C:\Scripts\squad.csv" | ForEach-Object { New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName -Path $_.OU -Department $_.Department -Title $_.Title -AccountPassword (ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force) -Enabled $true }

Scales big—test a couple rows first.
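The CSV blitz as a batch-safe script, added here as an example and not the post's own code: it skips accounts that already exist, gives every account its own one-time password instead of the shared literal, logs each row, and honours -WhatIf. It assumes the post's CSV columns (Name,SamAccountName,OU,Department,Title); the domain name and log path are placeholders.

```powershell
# Added example: bulk onboarding from squad.csv with per-row checks and an error log.
# Assumes the columns Name,SamAccountName,OU,Department,Title; paths/domain are placeholders.
Import-Module ActiveDirectory

function New-SquadUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [string] $Domain  = 'domain.local',
        [string] $LogPath = 'C:\Logs\bulk_users.log'
    )
    # One-time password alphabet without look-alikes (0/O, 1/l/I dropped)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%&*'
    foreach ($row in Import-Csv -Path $CsvPath) {
        $sam = $row.SamAccountName.Trim()
        # Skip rows whose account already exists instead of failing mid-batch
        if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
            Add-Content -Path $LogPath -Value "$(Get-Date -Format s) SKIP $sam already exists"
            continue
        }
        # 20 chars from the CSPRNG: one password per account, never a shared literal
        $initial = -join (1..20 | ForEach-Object {
            $chars[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($chars.Length)] })
        $given, $surname = $row.Name -split ' ', 2
        $params = @{
            Name                  = $row.Name
            GivenName             = $given
            Surname               = $surname
            SamAccountName        = $sam
            UserPrincipalName     = "$sam@$Domain"
            Path                  = $row.OU
            Department            = $row.Department
            Title                 = $row.Title
            AccountPassword       = (ConvertTo-SecureString $initial -AsPlainText -Force)
            ChangePasswordAtLogon = $true    # the one-time password dies at first logon
            Enabled               = $true
        }
        if (-not $PSCmdlet.ShouldProcess($sam, 'New-ADUser')) { continue }
        try {
            New-ADUser @params -ErrorAction Stop
            Add-Content -Path $LogPath -Value "$(Get-Date -Format s) OK   $sam -> $($row.OU)"
            # Returned so the onboarding owner can hand it over out of band
            [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $initial }
        } catch {
            # A bad row (OU typo, policy reject) is logged and the batch keeps going
            Add-Content -Path $LogPath -Value "$(Get-Date -Format s) FAIL $sam : $($_.Exception.Message)"
        }
    }
}

New-SquadUser -CsvPath 'C:\Scripts\squad.csv' -WhatIf   # dry run; drop -WhatIf to create
```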

Cull the Dead: Purge idle accounts:

$cutoff = (Get-Date).AddDays(-90); Get-ADUser -Filter {LastLogonDate -lt $cutoff -and Enabled -eq $true} -Properties LastLogonDate | Disable-ADAccount

Targets 90-day ghosts—peek with -WhatIf.
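A safer version of the sweep, added as an example (not the post's code): it keeps an exclusion group for service and break-glass accounts, also catches old accounts that never logged on, stamps the reason on each account, and writes a report. The group name "NoAutoDisable" and the report path are placeholders.

```powershell
# Added example: stale-account sweep with exclusions, a reason stamp and a CSV report.
# "NoAutoDisable" and the report path are placeholders.
Import-Module ActiveDirectory

function Disable-StaleUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]    $Days         = 90,
        [string] $ExcludeGroup = 'NoAutoDisable',
        [string] $ReportPath   = 'C:\Reports\stale_users.csv'
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    # Service and break-glass accounts sit in the exclusion group and are never touched
    $excluded = @(Get-ADGroupMember -Identity $ExcludeGroup -Recursive |
                  Select-Object -ExpandProperty SamAccountName)
    $props = 'LastLogonDate', 'whenCreated', 'Description'

    # LastLogonDate comes from lastLogonTimestamp, which replicates lazily (up to ~14
    # days behind), so a window much shorter than 90 days would hit active users
    $stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties $props
    # Never-logged-on accounts have no LastLogonDate and fall through the -lt filter;
    # catch the old ones by creation date instead
    $never = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -notlike '*' -and whenCreated -lt $cutoff } -Properties $props

    $report = foreach ($u in @($stale) + @($never)) {
        if ($u.SamAccountName -in $excluded) { continue }
        $done = $false
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (last logon $($u.LastLogonDate))")) {
            # Stamp why and when, so a later audit or rollback has context
            Set-ADUser -Identity $u -Description "Auto-disabled $(Get-Date -Format yyyy-MM-dd), inactive > $Days days. Was: $($u.Description)"
            Disable-ADAccount -Identity $u
            $done = $true
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LastLogonDate  = $u.LastLogonDate
            Created        = $u.whenCreated
            Action         = if ($done) { 'Disabled' } else { 'Planned' }
        }
    }
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    $report
}

Disable-StaleUser -Days 90 -WhatIf   # review the list, then run without -WhatIf
```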

Step 4: AD Data Mining

User Data Dump: Rip the full roster:

Get-ADUser -Filter * -Properties Name,SamAccountName,LastLogonDate,Enabled,Department,Title,Office,MobilePhone,EmployeeID | Select-Object Name,SamAccountName,LastLogonDate,Enabled,Department,Title,Office,MobilePhone,EmployeeID | Export-Csv "C:\Reports\ad_roster.csv" -NoTypeInformation

Thick CSV—slice it in Excel or Power BI.

Lockout Patrol: Hunt lockouts:

Search-ADAccount -LockedOut | Select-Object Name,SamAccountName,LockedOutTime,LastLogonDate | Export-Csv "C:\Reports\locked_users.csv" -NoTypeInformation

Bust ’em free with Unlock-ADAccount -Identity "mpayne"—check logs for patterns.
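The "check logs for patterns" step as a script, added here as an example and not from the post: every lockout is recorded on the PDC emulator as Security event 4740, so this pulls those events, pairs each locked user with the computer that caused it, and counts repeats. It assumes you can read the PDC's Security log remotely; the lookback window is a placeholder.

```powershell
# Added example: group Security event 4740 on the PDC emulator by user and calling computer.
# Assumes remote read access to the PDC's Security log.
Import-Module ActiveDirectory

function Get-LockoutPattern {
    [CmdletBinding()]
    param([int] $Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator   # every lockout in the domain is forwarded here
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Read named fields from the event XML rather than positional Properties[]
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            # In 4740 the "Caller Computer Name" travels in the TargetDomainName field
            Source = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    }
    # Same user from the same source over and over: usually a stale cached credential
    # (mapped drive, scheduled task, phone). Many users from one source: look harder.
    $rows | Group-Object User, Source | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            User   = $_.Group[0].User
            Source = $_.Group[0].Source
            Count  = $_.Count
            Last   = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    }
}

Get-LockoutPattern -Hours 24 | Format-Table -AutoSize
```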

Group Census: Map the turf:

Get-ADGroup -Filter * -Properties Members,Description | Select-Object Name,Description,@{Name="MemberCount";Expression={$_.Members.Count}} | Where-Object {$_.MemberCount -gt 0} | Sort-Object MemberCount -Descending

Ranks groups by size—cut the fat.

Step 5: Secure and Streamline

Empty OU Sweep: Clear the junk:

Get-ADOrganizationalUnit -Filter * | Where-Object { -not (Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel) } | Select-Object Name,DistinguishedName | Format-Table

Trash it with Remove-ADOrganizationalUnit -Identity "OU=OldJunk,DC=domain,DC=local" -Recursive—it refuses while the OU's accidental-deletion protection (on by default) is set, so clear that and snapshot AD first.

Password Risk Scan: Sniff weak links:

# The AD filter parser can't evaluate (Get-Date).AddDays() inline, so compute the cutoff first
$stale = (Get-Date).AddDays(-180); Get-ADUser -Filter {PasswordNeverExpires -eq $true -or PasswordLastSet -lt $stale} -Properties Name,PasswordLastSet,PasswordNeverExpires | Select-Object Name,PasswordLastSet,PasswordNeverExpires

Tighten with Set-ADUser -Identity "mpayne" -PasswordNeverExpires $false.
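The risk scan as a ranked report, added as an example (not the post's code): it also picks up PasswordNotRequired, flags accounts that sit in the built-in admin groups, and can clear PasswordNeverExpires under -WhatIf control. The report path is a placeholder.

```powershell
# Added example: password-risk report with privileged-account flagging and optional fix.
# Group names are the built-in ones; the report path is a placeholder.
Import-Module ActiveDirectory

function Get-PasswordRiskReport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]    $MaxAgeDays = 180,
        [string] $ReportPath = 'C:\Reports\password_risk.csv',
        [switch] $Fix
    )
    $stale = (Get-Date).AddDays(-$MaxAgeDays)   # variable: the AD filter can't evaluate (Get-Date)
    # Resolve privileged users once, nested groups included
    $privileged = @(foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
    }) | Sort-Object -Unique
    # PasswordNotRequired is the UAC flag that lets an account carry an empty password
    $users = Get-ADUser -Filter { Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true -or PasswordLastSet -lt $stale) } `
                        -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired

    $report = foreach ($u in $users) {
        $reasons = @()
        if ($u.PasswordNeverExpires) { $reasons += 'NeverExpires' }
        if ($u.PasswordNotRequired)  { $reasons += 'NotRequired' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $stale) { $reasons += "OlderThan${MaxAgeDays}d" }
        $isPriv = $u.SamAccountName -in $privileged
        if ($Fix -and $u.PasswordNeverExpires -and
            $PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear PasswordNeverExpires')) {
            Set-ADUser -Identity $u -PasswordNeverExpires $false
        }
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            Reasons         = $reasons -join ';'
            Privileged      = $isPriv
            # One finding on a privileged account outranks several on a normal one
            Severity        = if ($isPriv) { 'High' } elseif ($reasons.Count -gt 1) { 'Medium' } else { 'Low' }
        }
    }
    $report | Sort-Object Privileged, Reasons -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
    $report
}

Get-PasswordRiskReport -MaxAgeDays 180               # report only
Get-PasswordRiskReport -MaxAgeDays 180 -Fix -WhatIf  # preview the fixes
```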

GUI Lifeline

ADUC: RSAT’s your fallback—run “dsa.msc.” Right-click domain > New > User, or scope OUs and groups. It’s manual next to PowerShell, but clutch for quick fixes or eyeballing when scripts feel overkill.

Troubleshooting

Module AWOL: Slam it back:

# The ActiveDirectory module ships with RSAT, not the PowerShell Gallery; reinstall the capability (Windows 11)
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
# On Windows Server, install the feature instead
Install-WindowsFeature RSAT-AD-PowerShell

Perms Crash: Go admin:

Start-Process pwsh -Verb RunAs

Script Tanks: Crack it:

$Error[0] | Format-List -Property * -Force

Pinpoints typos or OU slips.

Duplicate Drama: Scout:

Get-ADUser -Filter {SamAccountName -eq "mpayne"} -Properties DistinguishedName

Rename or axe doubles.

Best Practices

  • Log Like a Boss: Wrap in:
    Start-Transcript "C:\Logs\ad_ops.txt"
    Seal with:
    Stop-Transcript
    Audit-proof.
  • Test Ground: Carve a “Lab” OU—prod’s no crash pad.
  • Lock It Tight: Skip plaintext—use:
    $cred = Get-Credential
    Roll with -Credential $cred.
  • Sync Check: Peek (the cmdlet needs a -Target DC):
    Get-ADReplicationPartnerMetadata -Target "dc01.domain.local" | Select-Object Server,LastReplicationSuccess
    Spot DC lag.

FAQ

Q: PowerShell 7 over 5.1?
A: 7’s got speed and pipes—5.1 chokes on big AD.

Q: Off-domain rig?
A: RSAT + -Server "dc01"—VPN or creds bridge it.

Q: Bulk flops?
A: Toss in -ErrorAction Continue—logs fails, keeps rolling.

Q: Undo a delete?
A: Enable Recycle Bin:

Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "domain.local"

Restore with:

# Tombstoned objects only come back with -IncludeDeletedObjects; the container itself can't be restored
Get-ADObject -Filter {Deleted -eq $true -and Name -ne "Deleted Objects"} -IncludeDeletedObjects | Restore-ADObject

Glossary

  • AD DS: Active Directory Domain Services—Windows identity core.
  • DC: Domain Controller—AD’s nerve hub.
  • RSAT: Remote Server Admin Tools—AD from your desk.
  • DN: Distinguished Name—AD’s full map (e.g., OU=Agents,DC=domain,DC=local).
