Managing user accounts is one of the most common and time-consuming tasks for Active Directory (AD) administrators. Every day, they are responsible for provisioning new users, modifying existing user properties, managing group memberships, resetting passwords, disabling inactive accounts, and deprovisioning users who leave the organization.
Many admins rely on PowerShell to handle these day-to-day operations. Instead of manually performing time-consuming steps using AD's graphical interface, PowerShell enables admins to run precise commands that can create, modify, or remove multiple users simultaneously, saving hours of work. This article will guide you through a list of common PowerShell commands to manage AD users. If you'd prefer a simpler, GUI-driven approach, you'll also discover an easier way to handle all these operations using ADManager Plus.
Here's a list of PowerShell commands to help you manage AD users. Ensure you have the AD PowerShell module installed and imported before you run these commands.
This command creates a single user account named John Smith directly in AD. Admins can customize values for username, OU, password, and more. View the detailed steps to create a new AD user.
New-ADUser -Name "John Smith" `
-SamAccountName "jsmith" `
-GivenName "John" `
-Surname "Smith" `
-DisplayName "John Smith" `
-UserPrincipalName "jsmith@fabrikam.com" `
-Path "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" `
-AccountPassword (ConvertTo-SecureString "P@ssW0rd!" -AsPlainText -Force) `
-ChangePasswordAtLogon $true `
-Enabled $true
Use this command to create new AD user accounts from a CSV file. It sets key attributes such as name, password, and organizational unit (OU) for each row, so onboarding is precise and scales without manual input. View the detailed steps to create AD users in bulk.
Import-CSV .\users.csv | ForEach-Object {
New-ADUser -SamAccountName $_.SamAccountName `
-Name $_.Name `
-GivenName $_.GivenName `
-Surname $_.Surname `
-Path "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" `
-AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force) `
-Enabled $true
}
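The one-liner above creates whatever the CSV contains, including rows with a missing surname, a logon name that already exists, or a password typed into the spreadsheet. The script below is an added example, not code from the article or from ADManager Plus: it validates each row, refuses to overwrite an existing account, generates a one-time bootstrap password per user instead of reading one from the file, and honours -WhatIf. The CSV columns (SamAccountName, GivenName, Surname, optional Department), the OU and the UPN suffix are assumptions.

```powershell
# Added example, not from the original article: bulk onboarding from a CSV with
# per-row validation, a generated one-time password, and -WhatIf support.
# Assumed CSV columns: SamAccountName,GivenName,Surname,Department (Department optional).
# The OU and UPN suffix below are placeholders; replace them with your own.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath   = '.\users.csv',
    [string]$TargetOU  = 'OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM',
    [string]$UpnSuffix = 'fabrikam.com'
)
Import-Module ActiveDirectory

function New-BootstrapPassword {
    # 16 characters drawn with a CSPRNG from a 64-symbol set (so byte % 64 is unbiased);
    # regenerate until all four character classes are present, to satisfy complexity policies.
    param([int]$Length = 16)
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $plain = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    } until ($plain -cmatch '[a-z]' -and $plain -cmatch '[A-Z]' -and
             $plain -cmatch '[0-9]' -and $plain -cmatch '[!@#$%^&*]')
    return $plain
}

$rows    = @(Import-Csv -Path $CsvPath)
$results = @()
foreach ($row in $rows) {
    $sam = "$($row.SamAccountName)".Trim()
    # sAMAccountName is at most 20 characters; restricting the character set also keeps
    # the value safe to embed in the -Filter string below.
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Skipping row with invalid SamAccountName '$sam'"; continue
    }
    if ([string]::IsNullOrWhiteSpace($row.GivenName) -or [string]::IsNullOrWhiteSpace($row.Surname)) {
        Write-Warning "Skipping ${sam}: GivenName and Surname are required"; continue
    }
    # Never clobber an existing account with the same logon name
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping ${sam}: account already exists"; continue
    }

    $plain  = New-BootstrapPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    $name   = "$($row.GivenName) $($row.Surname)"
    $params = @{
        Name                  = $name
        SamAccountName        = $sam
        GivenName             = $row.GivenName
        Surname               = $row.Surname
        DisplayName           = $name
        UserPrincipalName     = "$sam@$UpnSuffix"
        Path                  = $TargetOU
        AccountPassword       = $secure
        ChangePasswordAtLogon = $true   # the generated value is a one-time bootstrap password
        Enabled               = $true
    }
    if ($row.Department) { $params.Department = $row.Department }

    if ($PSCmdlet.ShouldProcess($sam, 'Create AD user')) {
        try {
            New-ADUser @params -ErrorAction Stop
            # Hand the bootstrap password back as a credential object for out-of-band delivery;
            # this script never writes it to disk or to the console.
            $results += New-Object System.Management.Automation.PSCredential ($sam, $secure)
        } catch {
            Write-Error "Failed to create ${sam}: $_"
        }
    }
}
Write-Verbose "Created $($results.Count) of $($rows.Count) accounts"
$results
```

Run it once with `-WhatIf` to see which rows would be created and which are rejected, then without. The returned PSCredential objects carry each bootstrap password in memory only; deliver them through whatever channel your help desk already uses for first-day credentials, and the -ChangePasswordAtLogon flag retires them at first sign-in.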
Deactivate AD users to prevent login and resource access without deleting the account. This is a good practice when offboarding users, handling security breaches, or suspending inactive accounts while preserving their associated attributes for potential reactivation later. View the detailed steps to disable AD users.
Disable-ADAccount -Identity "testUser"
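Disabling a single named account is the easy case. For the "suspending inactive accounts" scenario mentioned above, the script below is an added example, not code from the article or from ADManager Plus: it finds enabled users that have not logged on within a threshold, writes a report, and disables them only when -Apply is given, leaving an audit note on each object. The 90-day threshold, report path and description format are assumptions.

```powershell
# Added example, not from the original article: find enabled user accounts with no
# logon in the last N days, write a report, and disable them only when -Apply is set.
# The threshold, report path and description format are assumptions for illustration.
param(
    [int]$DaysInactive = 90,
    [string]$ReportPath = '.\stale-accounts.csv',
    [switch]$Apply
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$DaysInactive)

# Search-ADAccount evaluates lastLogonTimestamp, which replicates with up to ~14 days of lag,
# so the result means "at least this stale", never an exact last-logon time.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($DaysInactive)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Description } |
    # A recently created account that has never logged on is not stale yet
    Where-Object { $_.LastLogonDate -or $_.whenCreated -lt $cutoff }
$stale = @($stale)

$stale |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Output "$($stale.Count) enabled accounts inactive for $DaysInactive+ days written to $ReportPath"

if ($Apply) {
    foreach ($user in $stale) {
        # Disable rather than delete: group memberships, SID and attributes survive for reactivation
        Disable-ADAccount -Identity $user
        # Record why and when on the object itself so the reason travels with it in the directory
        $note = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive $DaysInactive+ days. Was: $($user.Description)"
        Set-ADUser -Identity $user -Description $note.Substring(0, [Math]::Min($note.Length, 1024))
    }
    Write-Output "Disabled $($stale.Count) accounts"
}
```

Review the CSV before the -Apply run; service accounts and shared mailboxes often show no interactive logon and should be excluded by OU or by a naming convention before they end up in the list.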
Activates a previously disabled user in AD. This is frequently used after onboarding new hires, reactivating returning employees, or restoring temporarily disabled accounts. Specify the target user through various identifiers such as the SAM account name, distinguished name, or object GUID. View the detailed steps to enable AD users.
Enable-ADAccount -Identity "testUser"
Quickly assign multiple users to one or more AD groups by importing names from a CSV file. This simplifies group membership updates and helps manage permissions and access policies efficiently. View the detailed steps to add users to an AD group.
Import-CSV .\users.csv | ForEach-Object {
Add-ADGroupMember -Identity "Domain Guests" -Members $_.SamAccountName
}
This script reads a list of users from a CSV file and removes each from the specified AD group without prompting for confirmation for every removal. View the detailed steps to remove users from an AD group.
Import-CSV .\users.csv | ForEach-Object {
Remove-ADGroupMember -Identity "Domain Guests" -Members $_.SamAccountName -Confirm:$false
}
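The two loops above add or remove exactly what the CSV lists, and Add-ADGroupMember fails the whole call if one name does not resolve. The script below is an added example, not code from the article or from ADManager Plus: it treats the CSV as the intended membership, resolves every name first so typos are reported, adds only the missing members in one write, and reports (or, with -RemoveExtras, removes) members that are not on the list. The group name and the SamAccountName column are assumptions.

```powershell
# Added example, not from the original article: treat a CSV as the intended membership
# of a group, add what is missing and report (or, with -RemoveExtras, remove) what is
# not on the list. Group name and CSV column SamAccountName are assumptions.
param(
    [string]$GroupName = 'Domain Guests',
    [string]$CsvPath   = '.\users.csv',
    [switch]$RemoveExtras
)
Import-Module ActiveDirectory

# Desired state: resolve each CSV row to a real user so typos are reported, not silently ignored
$desired = @{}
foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = "$($row.SamAccountName)".Trim()
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') { Write-Warning "Invalid name '$sam' in CSV"; continue }
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if ($user) { $desired[$sam.ToLower()] = $user } else { Write-Warning "No user '$sam' in the directory" }
}

# Current state. Get-ADGroupMember lists direct members only and refuses groups above the
# server-side size limit (5000 by default); nested groups are deliberately not expanded here.
$current = @{}
Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $current[$_.SamAccountName.ToLower()] = $_ }

$toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

if ($toAdd.Count -gt 0) {
    # One directory write for all additions instead of one per user
    Add-ADGroupMember -Identity $GroupName -Members ($toAdd | ForEach-Object { $desired[$_] })
}
if ($toRemove.Count -gt 0 -and $RemoveExtras) {
    Remove-ADGroupMember -Identity $GroupName -Members ($toRemove | ForEach-Object { $current[$_] }) -Confirm:$false
}

[pscustomobject]@{
    Group         = $GroupName
    Added         = $toAdd
    ExtraMembers  = $toRemove
    ExtrasRemoved = [bool]($RemoveExtras -and $toRemove.Count -gt 0)
}
```

Run without -RemoveExtras first: the ExtraMembers list is the review step that tells you whether the CSV really is the complete intended membership before anyone loses access.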
Safely delete user accounts from AD when employees leave the organization or accounts become obsolete, keeping your directory clean and secure. View the detailed steps to remove an AD user account.
Remove-ADUser -Identity "testuser" -Confirm:$false
This script updates user properties like descriptions, job titles, or departments in bulk, helping you keep directory information accurate and up-to-date with minimal administrative effort. View the detailed steps to modify an existing AD user.
Import-CSV .\users.csv | ForEach-Object {
Set-ADUser -Identity $_.SamAccountName -Description $_.Description
}
Modify the User Account Control settings of an AD user to configure account behaviors such as password expiration, account lockout, and delegation permissions. This script disables password expiration and prevents the user from changing their password. View the detailed steps to modify account control values.
Set-ADAccountControl -Identity "testuser" -PasswordNeverExpires $true -CannotChangePassword $true
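Setting PasswordNeverExpires on one account is trivial; the harder job is knowing how many accounts already carry it and whether they should. The script below is an added example, not code from the article or from ADManager Plus: it lists enabled accounts with the flag, shows the current password age, marks likely service accounts (those with an SPN) and direct members of admin groups, and with -FixInteractiveAccounts clears the flag only on ordinary accounts whose password is older than a threshold. The 365-day threshold and the group list are assumptions.

```powershell
# Added example, not from the original article: audit enabled accounts whose password
# never expires, flag likely service accounts and direct members of admin groups, and
# optionally clear the flag on ordinary accounts. The age threshold is an assumption.
param(
    [int]$MaxPasswordAgeDays = 365,
    [switch]$FixInteractiveAccounts
)
Import-Module ActiveDirectory

$adminGroupPattern = '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators|Account Operators),'

$report = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
                     -Properties PasswordLastSet, ServicePrincipalName, MemberOf |
    ForEach-Object {
        $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            PasswordAgeDays   = $ageDays
            # An SPN usually marks a service account, where the flag may be deliberate
            HasSPN            = [bool]$_.ServicePrincipalName
            # Direct membership only; nested membership needs a recursive query
            DirectAdmin       = [bool]($_.MemberOf | Where-Object { $_ -match $adminGroupPattern })
            DistinguishedName = $_.DistinguishedName
        }
    } | Sort-Object -Property @{Expression='DirectAdmin';Descending=$true}, @{Expression='PasswordAgeDays';Descending=$true}

$report | Format-Table SamAccountName, PasswordAgeDays, HasSPN, DirectAdmin -AutoSize

if ($FixInteractiveAccounts) {
    # Only touch accounts with neither marker; service and admin accounts need a human decision
    $report | Where-Object { -not $_.HasSPN -and -not $_.DirectAdmin -and $_.PasswordAgeDays -gt $MaxPasswordAgeDays } |
        ForEach-Object {
            Set-ADAccountControl -Identity $_.DistinguishedName -PasswordNeverExpires $false
            Write-Output "Cleared PasswordNeverExpires on $($_.SamAccountName) (password age $($_.PasswordAgeDays) days)"
        }
}
```

Once the flag is cleared, an account whose password is already older than the domain maximum age is expired immediately and the user must change it at next logon, so announce the change before running with -FixInteractiveAccounts.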
Set an expiration date on user accounts to automatically disable access after a specified date. This is helpful for managing temporary accounts like contractors or interns. View the detailed steps to set an expiration date.
Set-ADUser -Identity "testuser" -AccountExpirationDate "2025-12-31"
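The value passed to -AccountExpirationDate is a point in time, and a bare date parses as midnight at the start of that day, so "2025-12-31" locks the user out for all of 31 December. The script below is an added example, not code from the article or from ADManager Plus: it sets the expiry to the start of the following day, reads the stored value back, and lists accounts expiring within a warning window. The identity, date and 14-day window are placeholders.

```powershell
# Added example, not from the original article: set an expiry that covers the whole
# last working day, verify it, and list accounts expiring soon. Identity, date and
# warning window are placeholders.
param(
    [string]$Identity       = 'testuser',
    [string]$LastWorkingDay = '2025-12-31',
    [int]$WarnDays          = 14
)
Import-Module ActiveDirectory

# accountExpires is a point in time. "2025-12-31" parses as 00:00 on 31 December, so passing
# it straight to -AccountExpirationDate locks the user out for that entire day.
# Use the start of the following day instead.
$expiry = (Get-Date -Date $LastWorkingDay).Date.AddDays(1)
Set-ADUser -Identity $Identity -AccountExpirationDate $expiry

# Read it back: the cmdlet converts between local time and the UTC value stored in the directory
$after = Get-ADUser -Identity $Identity -Properties AccountExpirationDate
'{0} may log on until {1:yyyy-MM-dd HH:mm} (local time)' -f $after.SamAccountName, $after.AccountExpirationDate

# Heads-up list for managers: accounts that expire within the next $WarnDays days
Search-ADAccount -AccountExpiring -TimeSpan ([TimeSpan]::FromDays($WarnDays)) -UsersOnly |
    Sort-Object AccountExpirationDate |
    Select-Object SamAccountName, Name, AccountExpirationDate

# To extend a contract, run Set-ADUser again with the new date; to remove the expiry:
# Clear-ADAccountExpiration -Identity $Identity
```

An expired account is not the same as a disabled one: the Enabled flag stays true, so reports that only check Enabled will still count the user as active.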
Add or update proxy email addresses (aliases) for a user, commonly used in Exchange and Microsoft 365 environments to support multiple email addresses per user. View the detailed steps to add proxy addresses.
Set-ADUser -Identity "testuser" -Add @{proxyAddresses="SMTP:jsmith@fabrikam.com","smtp:john.smith@fabrikam.com"}
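The -Add form appends whatever you give it, so running it twice creates a duplicate, and adding a second upper-case "SMTP:" entry leaves the object with two primaries. The script below is an added example, not code from the article or from ADManager Plus: it checks that the alias is not already on the user or on any other object, adds it as a secondary, or with -MakePrimary demotes the current primary so exactly one "SMTP:" entry remains, and verifies that invariant afterwards. The identity and address are placeholders.

```powershell
# Added example, not from the original article: add an SMTP alias to a user, check that
# no other object already owns it, and optionally promote it to primary while keeping
# exactly one upper-case "SMTP:" entry. Identity and address are placeholders.
param(
    [string]$Identity   = 'testuser',
    [string]$NewAddress = 'john.smith@fabrikam.com',
    [switch]$MakePrimary
)
Import-Module ActiveDirectory

# Escape the characters with meaning inside an LDAP filter (RFC 4515) before embedding a value
function ConvertTo-LdapLiteral([string]$s) {
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$user     = Get-ADUser -Identity $Identity -Properties proxyAddresses, mail
$existing = @($user.proxyAddresses | Where-Object { $_ })

# proxyAddresses values are matched case-insensitively, so "SMTP:x" and "smtp:x" are the same alias
if ($existing -imatch "^smtp:$([regex]::Escape($NewAddress))$") {
    Write-Warning "$NewAddress is already on $Identity"; return
}
# The same address on two objects makes mail routing ambiguous; refuse rather than let Exchange reject it later
$owner = Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$(ConvertTo-LdapLiteral $NewAddress))" |
    Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
if ($owner) { Write-Warning "$NewAddress is already assigned to $($owner.DistinguishedName)"; return }

if ($MakePrimary) {
    # Demote the current primary to a secondary, then append the new primary. @() keeps
    # the value an array even when the user had a single address.
    $demoted = @($existing | ForEach-Object { if ($_ -cmatch '^SMTP:') { 'smtp:' + $_.Substring(5) } else { $_ } })
    $newList = $demoted + "SMTP:$NewAddress"
    # Keep the mail attribute in step with the primary address
    Set-ADUser -Identity $Identity -Replace @{ proxyAddresses = [string[]]$newList; mail = $NewAddress }
} else {
    Set-ADUser -Identity $Identity -Add @{ proxyAddresses = "smtp:$NewAddress" }
}

# Verify the invariant: exactly one primary
$after   = @((Get-ADUser -Identity $Identity -Properties proxyAddresses).proxyAddresses)
$primary = @($after | Where-Object { $_ -cmatch '^SMTP:' })
if ($primary.Count -ne 1) { throw "$Identity now has $($primary.Count) primary SMTP addresses" }
'{0}: primary {1}, {2} alias(es)' -f $Identity, $primary[0], ($after.Count - 1)
```

Where a mailbox is managed by Exchange or synchronised to Microsoft 365, the email address policy may rewrite proxyAddresses on its own; in that case make the change with the Exchange cmdlets so the policy and the directory agree.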
Reorganize your directory structure by moving users between OUs. This is useful for reflecting departmental changes or restructuring without recreating user accounts. View the detailed steps to move AD users to another OU.
Move-ADObject -Identity "CN=testuser1,DC=Domain,DC=com" `
-TargetPath "OU=TestOU,DC=Domain,DC=com"
Run this script to reset passwords or enforce new ones securely. This helps admins comply with password rotation policies and resolve access issues instantly. View the detailed steps to change an AD user's password.
Set-ADAccountPassword -Identity "testuser" `
-NewPassword (ConvertTo-SecureString "NewP@ssw0rd" -AsPlainText -Force) `
-Reset
Unlock user accounts that have been locked due to repeated failed login attempts. This allows admins to quickly restore access to employees while maintaining security policies. View the detailed steps to unlock an AD user.
Unlock-ADAccount -Identity "testuser"
Use the Microsoft Graph PowerShell SDK to create a new Microsoft 365 user with the specified display name, user principal name, mail nickname, and password. This script sets a temporary password that must be reset at first sign-in and enables the account immediately.
Connect-MgGraph -Scopes "User.ReadWrite.All"
New-MgUser -DisplayName "Test User" `
-UserPrincipalName "testuser@yourdomain.onmicrosoft.com" `
-MailNickname "testuser" `
-PasswordProfile @{ forceChangePasswordNextSignIn = $true; password = "P@ssw0rd!" } `
-AccountEnabled $true
In large environments, real-world user management rarely involves single-line PowerShell commands. Admins often need to manage hundreds or thousands of user objects, making scripting accuracy and repetitive execution time-consuming and error-prone.
ADManager Plus, an AD management solution, automates these tasks through a web-based console that eliminates the need for coding altogether. The result? Faster, error-free management, and easy delegation of user-related operations.
Template-based user provisioning
Create preconfigured AD user templates to streamline user creation with the right attributes, assign group memberships, email settings, and predefined OU placement.
Rule-based user provisioning
Define conditional rules to auto-populate attribute values (like Department or Manager) during user creation. Easily bulk-create users without repeated efforts and cross-checking.
Non-invasive delegation
Securely delegate user management tasks to HR or help desk staff without elevating their native privileges in AD.
Error-free execution
Reduce the risk of syntax errors or misconfigured scripts with intuitive point-and-click operations. Import CSVs and review all user attributes visually to confirm them before bulk creation, minimizing errors and rework.
Multi-platform account provisioning
Provision user accounts simultaneously across AD, Microsoft 365, Exchange, Google Workspace, and Skype for Business. Manage users across platforms in a single console.
Automation
Automate repetitive tasks like provisioning, deprovisioning, and report generation without manual intervention or scheduled script runs.
AD user management involves tasks like creating, modifying, and deleting user accounts, as well as managing group memberships and permissions for network resources. Basic tasks are typically done with ADUC on a domain controller, and more advanced management or bulk operations with PowerShell. Third-party tools like ADManager Plus offer a script-free, GUI-based interface to help admins manage AD users with a comprehensive feature list.
The Get-ADUser cmdlet is used to retrieve a list of all users in your Active Directory domain. The -Filter * parameter matches every user object, and the Select-Object that follows picks which user properties are displayed. Here's a sample script:
Get-ADUser -Filter * | Select-Object Name, SamAccountName, UserPrincipalName, Enabled, LastLogonDate
View detailed steps on listing AD users, comparing PowerShell and ADManager Plus.
You can manage users in AD using native tools like ADUC and PowerShell. However, these tools are time-consuming and prone to error. Third-party tools like ADManager Plus help overcome these limitations and enable you to manage AD users with a script-free, GUI-based console.
The Get-ADUser cmdlet allows you to query various attributes of a user account. You can specify the user using different identifiers like SamAccountName, DistinguishedName, GUID, or SID. The script below retrieves all the properties of a specific user:
Get-ADUser -Identity "johndoe" -Properties *
For a script-free approach, see how ADManager Plus helps you retrieve information about AD users.