Active Directory Skill
When to Activate
- •User mentions: AD, Active Directory, user account, group membership, domain, OU, GPO
- •User asks to find/create/modify AD objects
- •User needs to check group memberships or locked accounts
Prerequisites Check
powershell
# Verify AD module is available
if (-not (Get-Module -ListAvailable ActiveDirectory)) {
Write-Warning "ActiveDirectory module not installed. Install RSAT or run on a DC."
# Alternative: Use ADSI queries
}
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
Common Queries
Find User
powershell
# By name (partial match) Get-ADUser -Filter "Name -like '*$searchTerm*'" -Properties DisplayName, EmailAddress, Enabled, LastLogonDate | Select-Object SamAccountName, DisplayName, EmailAddress, Enabled, LastLogonDate # By email Get-ADUser -Filter "EmailAddress -eq '$email'" -Properties *
Check Account Status
powershell
$user = Get-ADUser -Identity $username -Properties LockedOut, Enabled, PasswordExpired, LastLogonDate, PasswordLastSet
[PSCustomObject]@{
User = $user.SamAccountName
Enabled = $user.Enabled
Locked = $user.LockedOut
PasswordExpired = $user.PasswordExpired
LastLogon = $user.LastLogonDate
PasswordAge = (New-TimeSpan -Start $user.PasswordLastSet).Days
}
Unlock Account
powershell
Unlock-ADAccount -Identity $username # Verify (Get-ADUser -Identity $username -Properties LockedOut).LockedOut
Group Membership
powershell
# User's groups Get-ADPrincipalGroupMembership -Identity $username | Select-Object Name, GroupCategory # Group's members Get-ADGroupMember -Identity $groupName | Select-Object Name, ObjectClass
Find Inactive Accounts
powershell
# Users not logged in for 90 days
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $cutoff -and Enabled -eq $true} -Properties LastLogonDate |
Select-Object SamAccountName, LastLogonDate | Sort-Object LastLogonDate
Computer Objects
powershell
# Find computer
Get-ADComputer -Filter "Name -like '*$hostname*'" -Properties OperatingSystem, LastLogonDate |
Select-Object Name, OperatingSystem, LastLogonDate, Enabled
# Stale computers (90 days)
Get-ADComputer -Filter {LastLogonDate -lt $cutoff} -Properties LastLogonDate |
Select-Object Name, LastLogonDate
OU Structure
powershell
# List OUs Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName # Objects in specific OU Get-ADUser -SearchBase "OU=Sales,DC=contoso,DC=com" -Filter *
GPO Status
powershell
# Applied GPOs gpresult /r # Detailed GPO report gpresult /h "$env:TEMP\gpo-report.html"
ADSI Fallback (No Module Required)
powershell
# Find user via ADSI
$searcher = [adsisearcher]"(samaccountname=$username)"
$searcher.FindOne().Properties
# Find all users in domain
$searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user))"
$searcher.FindAll() | ForEach-Object { $_.Properties.samaccountname }
Safety Notes
- •⚠️ Always confirm before modifying AD objects
- •⚠️ Use
-WhatIffor destructive operations - •⚠️ Document changes for audit compliance