Scripting Windows Platform

PowerShell commands for Active Directory, Organizational Units and SamAccountName


PowerShell is a scripting language and command-line shell. It lets you enter commands in a console and get an immediate result, and it also lets you write scripts in text files and execute them. PowerShell commands, called cmdlets (read "command-let"), allow you to create, modify and delete Active Directory user accounts. A cmdlet name is a verb-noun pair, and the naming follows rules that make cmdlets easy to memorize and to guess: the verb defines the action, and the noun defines the type of object handled. PowerShell commands help you control Active Directory organizational units, manipulate the SamAccountName attribute and more.

Main Active Directory objects:

First, "Computer" objects include all computers granted access to the domain, to the network and to the domain resources, including all servers and all domain controllers. Second, "Group" objects include all user groups, usually created to simplify administration; for example, all users in HR need the same rights. Third, "Organizational Unit" (OU) objects allow you to build an organization tree, in other words a domain hierarchy. Finally, "User" objects are the user accounts allowed to authenticate to the domain and to access resources and computers.

Main attributes of a user account:

A user object has multiple attributes stored in Active Directory. Let's take a look at the main ones.

  • AccountExpirationDate : sets the expiration date of the account.
  • AccountPassword : provides the user password. Remember, user passwords are stored using non-reversible encryption, so you can only reset a password, never read it back.
  • ChangePasswordAtLogon : enables the option that forces a password change at the first logon.
  • Enabled : whether the account is enabled (true or false).
  • HomeDrive : specifies the drive letter and home folder assigned to the user.
  • GivenName : first name.
  • Surname : last name.
  • Path : the distinguished name of the container in which the user is created. Example: "CN=jean Audain,CN=Users,DC=audain,DC=net".
  • SAMAccountName : the user's login name, the one used for authentication on the domain.
  • Description : object description.
  • Mail : object email address.
  • AdminCount : equal to "1" if it is an "Administrator" account and "0" if it is not.
  • DisplayName : the displayed full name.
  • LogonCount : number of logon sessions performed by the object.


Using PowerShell to Manage Active Directory Domain Services

1- Organizational Unit (OU) management with PowerShell:

Organizational units are created to group together a set of objects to which a group policy is applied.

2- Organization Unit Creation: New-ADOrganizationalUnit

The New-ADOrganizationalUnit command is used to create an organizational unit. Remember, when creating an OU the location (path) must be specified.

Example: let's create an OU in the domain

New-ADOrganizationalUnit -Name "linux" -Path "DC=audain,DC=net"

3- Editing the properties of an organizational unit: Set-ADOrganizationalUnit

Set-ADOrganizationalUnit "OU=linux,DC=audain,DC=net" -Description "Linux department"

4- Display the properties of an organizational unit:

Get-ADOrganizationalUnit "OU=linux,DC=audain,DC=net"

5- Display all organizational unit properties :

Get-ADOrganizationalUnit -Filter * -Properties *

6- Delete an organizational unit:

Remove-ADOrganizationalUnit "OU=Logistique,DC=Formation,DC=local"
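The OU cmdlets above, combined into one re-runnable script. This is an added example, not code from the original article: it creates the OU only if it does not already exist, sets the description, reads the properties back and finally removes the OU. It assumes the ActiveDirectory module (RSAT) is installed and uses the audain.net domain and the "linux" OU name from the examples above.

```powershell
# Added example: OU lifecycle with the ActiveDirectory module.
# Assumes the domain audain.net and the OU name "linux" from the article.
Import-Module ActiveDirectory

$ouName = 'linux'
$parent = 'DC=audain,DC=net'
$ouDn   = "OU=$ouName,$parent"

# Get-ADOrganizationalUnit -Identity throws when the OU is missing,
# so test for existence with -Filter, limited to the parent container.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $parent -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $parent -Description 'Linux department'
} else {
    Set-ADOrganizationalUnit -Identity $ouDn -Description 'Linux department'
}

# Read the properties back (Description is not returned by default).
Get-ADOrganizationalUnit -Identity $ouDn -Properties Description, ProtectedFromAccidentalDeletion |
    Select-Object Name, DistinguishedName, Description, ProtectedFromAccidentalDeletion

# New-ADOrganizationalUnit sets ProtectedFromAccidentalDeletion to $true by default,
# so Remove-ADOrganizationalUnit fails with "access denied" until the flag is cleared.
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false
```

Keep ProtectedFromAccidentalDeletion set on OUs you intend to keep; clearing it only immediately before a deliberate removal, as above, is what prevents a mistyped Remove-ADOrganizationalUnit from taking a whole subtree with it.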

User Account Management:

The New-ADUser command is used to create a user account. When creating the user, you may specify all the properties of the account or only some of them. If the account is created without a password, the account is disabled.

Example:

New-ADUser -Name "Jean Audain" -ChangePasswordAtLogon $True -DisplayName "Jean Audain" -Enabled $True -Path "OU=linux,DC=audain,DC=net" -SamAccountName jaudain -Surname audain -UserPrincipalName jaudain -AccountPassword (Read-Host -AsSecureString "Password") -GivenName jean

When this command runs, we are asked to enter a password (the Read-Host command). We could also enter the password directly:

New-ADUser -Name "Jean Audain" -ChangePasswordAtLogon $True -DisplayName "Jean Audain" -Enabled $True -Path "OU=linux,DC=audain,DC=net" -SamAccountName jaudain -Surname audain -UserPrincipalName jaudain -AccountPassword (ConvertTo-SecureString "Abcd1234" -AsPlainText -Force) -GivenName jean
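The two New-ADUser forms above, generalized to several accounts. This is an added example and not the article's own code: it creates users from a constructed list (in practice the rows would come from Import-Csv), gives each a random initial password from a cryptographic RNG instead of a literal written into the script, and forces a password change at first logon. It assumes the ActiveDirectory module and the OU=linux,DC=audain,DC=net container from the examples above; the user list and the UPN suffix audain.net are constructed sample values.

```powershell
# Added example: bulk user creation with random initial passwords.
# Assumes the ActiveDirectory module and OU=linux,DC=audain,DC=net from the article.
Import-Module ActiveDirectory

$ouPath    = 'OU=linux,DC=audain,DC=net'
$upnSuffix = 'audain.net'   # assumed UPN suffix

# Constructed sample input; replace with Import-Csv .\users.csv in practice.
$people = @(
    [pscustomobject]@{ GivenName = 'Jean'; Surname = 'Audain'; SamAccountName = 'jaudain' }
    [pscustomobject]@{ GivenName = 'Mike'; Surname = 'Smith';  SamAccountName = 'msmith'  }
)

function New-InitialPassword {
    # 18 random bytes from the platform CSPRNG, base64-encoded (24 characters).
    # Retry until the result contains lower case, upper case and a digit so it
    # passes the default domain complexity policy.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = [byte[]]::new(18)
    do {
        $rng.GetBytes($bytes)
        $pw = [Convert]::ToBase64String($bytes)
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d')
    return $pw
}

foreach ($p in $people) {
    # Skip accounts that already exist instead of letting New-ADUser throw.
    if (Get-ADUser -Filter "SamAccountName -eq '$($p.SamAccountName)'") {
        Write-Warning "$($p.SamAccountName) already exists, skipping"
        continue
    }

    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    New-ADUser -Name "$($p.GivenName) $($p.Surname)" `
               -DisplayName "$($p.GivenName) $($p.Surname)" `
               -GivenName $p.GivenName -Surname $p.Surname `
               -SamAccountName $p.SamAccountName `
               -UserPrincipalName "$($p.SamAccountName)@$upnSuffix" `
               -Path $ouPath -AccountPassword $secure `
               -ChangePasswordAtLogon $true -Enabled $true

    # Emit the initial password once, for hand-over out of band; it is never
    # stored in the script and is replaced at the user's first logon.
    [pscustomobject]@{ SamAccountName = $p.SamAccountName; InitialPassword = $plain }
}
```

The difference from the inline ConvertTo-SecureString "Abcd1234" form is that no reusable password ends up in the script file or in the shell history, and ChangePasswordAtLogon $true makes the value the administrator saw short-lived.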

Display the list of users:

Get-ADUser -Filter * -Properties *

This command displays all users with all account properties. The list is long, so let's redirect the result to a file we can open with Notepad:

Get-ADUser -Filter * -Properties * > files

We can specify where to search, for example in a particular organizational unit:

Get-ADUser -Filter * -Properties * -SearchBase "OU=linux,DC=audain,DC=net"

This command displays the users in the linux organizational unit of the domain.

You can also display the properties of a user whose login name you know:

Get-ADUser jaudain -Properties *

Modifying a property of an account: Set-ADUser

Set-ADUser dtrump -Replace @{title="President USA"}

Set-ADUser jcharest -Replace @{description="New president of USA"}

Deleting a user account:  Remove-ADUser

Example: we want to delete the user Mike smith whose login name is msmith

Remove-ADUser msmith

Resetting a user's password: Set-ADAccountPassword

Example: we want to change the password of the user Cham, whose login name is cham

Set-ADAccountPassword cham -Reset -NewPassword (Read-Host -AsSecureString "New password")

You will be prompted to enter the new password.

Modifying the expiry date: Set-ADAccountExpiration

For example, let's put a new expiry date on the cham account:

Set-ADAccountExpiration cham -DateTime '12/31/2015 23:59:00'

Activating a user account: Enable-ADAccount

For example, the list of disabled accounts can be displayed with the following command line:

Get-ADUser -Filter {Enabled -eq $false} | fl SamAccountName

SamAccountName : jsmith
SamAccountName : bobama
SamAccountName : mleclerc

Then, using a login name from the list we obtained, we can enable an account:

Enable-ADAccount jsmith

Equivalently, with Set-ADUser (the parameter is -Enabled, not -Enable):

Set-ADUser jsmith -Enabled $True

Disabling a user account: Disable-ADAccount

Disable-ADAccount jsmith

Set-ADUser jsmith -Enabled $False
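The Get-ADUser queries from the "Display the list of users" section and the disabled-account filter just above, put together as a small account review. This is an added example, not code from the article: it scans one OU for disabled accounts, enabled accounts with no expiry date that have not logged on for 90 days, AdminCount=1 accounts and accounts whose password never expires, and writes the findings to a CSV. It assumes the ActiveDirectory module and the OU=linux,DC=audain,DC=net search base used in this article; the 90-day threshold and the output file name are constructed values.

```powershell
# Added example: account review built on Get-ADUser -Filter / -SearchBase / -Properties.
# Assumes the ActiveDirectory module and OU=linux,DC=audain,DC=net from the article.
Import-Module ActiveDirectory

$searchBase = 'OU=linux,DC=audain,DC=net'
$staleDays  = 90                              # assumed threshold
$cutoff     = (Get-Date).AddDays(-$staleDays)

# Only these attributes are fetched; -Properties * would be far slower on a large OU.
$props = 'Enabled', 'AccountExpirationDate', 'LastLogonDate', 'AdminCount', 'PasswordNeverExpires'
$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties $props

$report = foreach ($u in $users) {
    $findings = @()

    if (-not $u.Enabled) { $findings += 'disabled' }

    # LastLogonDate is $null for an account that has never logged on.
    $neverOrStale = ($null -eq $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
    if ($u.Enabled -and -not $u.AccountExpirationDate -and $neverOrStale) {
        $findings += "enabled, no expiry date, no logon in $staleDays days"
    }

    if ($u.AdminCount -eq 1)     { $findings += 'AdminCount=1 (protected admin account)' }
    if ($u.PasswordNeverExpires) { $findings += 'password never expires' }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Findings       = $findings -join '; '
        }
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\ad-account-review.csv -NoTypeInformation
```

Stale enabled accounts are the usual candidates for Disable-ADAccount or Set-ADAccountExpiration; AdminCount=1 on an account that is no longer in a protected group is worth a second look because the flag is not cleared automatically when the membership is removed.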


Group Management

Groups can be created to facilitate the definition of GPOs for sets of users.

Parameters used to configure the different attributes of a group:


Name: group name

GroupScope: group scope (DomainLocal, Global or Universal)

GroupCategory: group type, Security or Distribution. If it is not specified, a security group is created.

Path: container that will store the object (domain and OU)

SamAccountName: specifies the pre-Windows 2000 name of the group.


Create a new group: New-ADGroup


We want to add the students group with a global scope:

New-ADGroup -Name students -GroupScope Global -GroupCategory Security -Path "OU=IT,DC=Audain,DC=net" -SamAccountName students


Editing group properties: Set-ADGroup

Set-ADGroup students -Description "Student group"

Viewing group properties: Get-ADGroup -Filter *

You can display all groups with all their properties: Get-ADGroup -Filter * -Properties *

Groups can be displayed with selected properties only: Get-ADGroup -Filter * | Select-Object Name,SamAccountName

We can also display the list of groups by criterion, as in the following example: Get-ADGroup -Filter {GroupScope -eq "Global"}

Deleting a group: Remove-ADGroup

Adding a member to a group: Add-ADGroupMember. It is important to respect the following syntax:

Add-ADGroupMember group_name -Members "CN=name,OU=OU name,DC=Domain name,DC=domain"


Showing members of a group : Get-ADGroupMember

Deleting a member of a group : Remove-ADGroupMember
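The group cmdlets of this section in one re-runnable script. This is an added example, not the article's own code: it creates the students group if it is missing, resolves each login to its distinguished name and adds it with the DN syntax shown above (skipping members already present), lists direct and nested members, and ends with a membership count per global security group. It assumes the ActiveDirectory module, the OU=IT,DC=audain,DC=net container and the user accounts jaudain and msmith used earlier in the article.

```powershell
# Added example: group creation, membership and review with the ActiveDirectory module.
# Assumes OU=IT,DC=audain,DC=net and the accounts jaudain and msmith from the article.
Import-Module ActiveDirectory

$groupName = 'students'
$groupPath = 'OU=IT,DC=audain,DC=net'
$logins    = 'jaudain', 'msmith'

# Create the group only if it does not exist yet.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
                -GroupCategory Security -Path $groupPath -Description 'Student group'
}

# Current direct members, by distinguished name ($null when the group is empty).
$current = (Get-ADGroupMember -Identity $groupName).distinguishedName

foreach ($login in $logins) {
    # Resolve the login to a DN and add it using the DN syntax from the article.
    $dn = (Get-ADUser -Identity $login).DistinguishedName
    if ($current -notcontains $dn) {
        Add-ADGroupMember -Identity $groupName -Members $dn
    }
}

# Direct members, then the flattened list that also expands nested groups.
Get-ADGroupMember -Identity $groupName |
    Select-Object name, objectClass, distinguishedName
Get-ADGroupMember -Identity $groupName -Recursive |
    Select-Object name, objectClass

# Membership review: each global security group under the OU with its member count.
Get-ADGroup -Filter "GroupScope -eq 'Global' -and GroupCategory -eq 'Security'" -SearchBase $groupPath |
    ForEach-Object {
        [pscustomobject]@{
            Group       = $_.SamAccountName
            MemberCount = @(Get-ADGroupMember -Identity $_).Count
        }
    }

# Removing a member uses the same DN form:
# Remove-ADGroupMember -Identity $groupName -Members $dn -Confirm:$false
```

The -Recursive listing is the one to use when reviewing who effectively holds a group's rights, since a user placed in a nested group does not appear in the direct member list.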