Managing Active Directory (AD) is a core responsibility for IT admins, and a crucial aspect of that role involves tracking user activity; auditing changes; and producing accurate, real-time reports for compliance purposes. For many IT teams, PowerShell continues to be the preferred tool for both AD management and reporting. From tracking user logons and overseeing group memberships to analyzing Microsoft 365 user activity, PowerShell offers the flexibility and precision needed to maintain a secure, compliant, and well-managed AD environment.
While PowerShell offers powerful capabilities for these tasks, it also presents several challenges. Crafting and maintaining complex scripts can be incredibly time-consuming, demanding advanced scripting knowledge. Furthermore, PowerShell lacks centralized reporting features, which increases the risk of human error and potential security gaps. ADManager Plus, an AD reporting solution, offers predefined AD user reports that provide complete visibility on AD users in just a few clicks, eliminating the need for complex scripting.
Understanding the core PowerShell cmdlets is the first step towards mastering AD reporting. Here are some fundamental commands you'll frequently use:
Here is a collection of essential AD PowerShell scripts that can help you manage and report on your user environment effectively.
This foundational script is vital for baseline auditing, directory cleanups, or migrating user data. It retrieves every AD user together with a set of key properties and exports the result to a CSV for easy analysis. Request only the attributes you need: -Properties * pulls every attribute of every user across the network, which is slow in large domains and can hit the server-side time limit.
# Name, sAMAccountName, userPrincipalName and Enabled are returned by default; the rest must be requested explicitly
Get-ADUser -Filter * -Properties Department, Title, LastLogonDate |
Select-Object Name, sAMAccountName, userPrincipalName, Enabled, Department, Title, LastLogonDate |
Export-Csv -Path "C:\AllADUsers.csv" -NoTypeInformation
While finding disabled users is key for cleanup, getting a list of all active and enabled accounts is essential for daily management, licensing audits, and security baselining. This script filters for all user accounts that are currently enabled and ready for use.
Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, sAMAccountName, LastLogonDate | Select-Object name, displayName, sAMAccountName, LastLogonDate | Export-Csv -Path "C:\Reports\EnabledUsers.csv" -NoTypeInformation
Identifying inactive accounts is a critical security measure to prevent unauthorized access and maintain a clean AD environment. This script lists enabled users whose last logon is older than a specified number of days. Two caveats: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only refreshed when the stored value is more than about 14 days old, so read the result as "inactive for at least N days" rather than an exact date; and accounts that have never logged on have no LastLogonDate at all and are not matched by the -lt comparison, so check for them separately (or use Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00, which includes them).
$InactiveDays = 90
$InactiveDate = (Get-Date).AddDays(-$InactiveDays)
Get-ADUser -Filter {LastLogonDate -lt $InactiveDate -and Enabled -eq $true} -Properties LastLogonDate | Select-Object Name, sAMAccountName, LastLogonDate
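The following is an added example, not a script from the original article, showing how to turn the one-liner above into a stale-account report that a practitioner can act on: it also catches accounts that have never logged on, skips accounts created inside the inactivity window (they have simply not had time to log on), and records why each account was flagged. It assumes the ActiveDirectory module is installed, that you have read access to the domain, and that C:\Reports exists.

```powershell
# Added example (not from the original article): stale-account report that
# includes never-logged-on accounts and excludes accounts newer than the window.
# Assumptions: ActiveDirectory module installed, read access to the domain,
# and the folder C:\Reports exists.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is the replicated lastLogonTimestamp attribute. It is only
# rewritten when the stored value is more than msDS-LogonTimeSyncInterval
# (default 14 days) old, so it means "no logon for at least N days", not an
# exact last-logon time.
$Users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, PasswordLastSet

$Stale = foreach ($u in $Users) {
    # A brand-new account has no logon history yet; do not flag it.
    if ($u.whenCreated -gt $Cutoff) { continue }

    if (-not $u.LastLogonDate) {
        $Reason = 'Never logged on'
    } elseif ($u.LastLogonDate -lt $Cutoff) {
        $Reason = "No logon since $($u.LastLogonDate.ToString('yyyy-MM-dd'))"
    } else {
        continue   # active within the window
    }

    [PSCustomObject]@{
        Name            = $u.Name
        sAMAccountName  = $u.sAMAccountName
        Created         = $u.whenCreated
        LastLogonDate   = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        Reason          = $Reason
    }
}

$Stale | Sort-Object LastLogonDate |
    Export-Csv -Path "C:\Reports\StaleUsers.csv" -NoTypeInformation

# Quick summary for the console: how many accounts were flagged, by reason
$Stale | Group-Object Reason | Select-Object Count, Name | Sort-Object Count -Descending
```

Because the "Never logged on" rows are usually provisioning leftovers and the "No logon since" rows are usually leavers, splitting them by Reason makes it easier to hand each group to the right owner. PasswordLastSet is included because a stale account whose password is also years old is the first candidate for disabling.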
Disabled accounts, if not properly managed, can pose a security risk or indicate former employees who still have a lingering directory presence. This script helps you quickly fetch all disabled AD users, providing their name, sAMAccountName, and their enabled status for clear identification.
Get-ADUser -Filter {Enabled -eq $false} -Properties Name, sAMAccountName, Enabled | Select-Object Name, sAMAccountName, Enabled
Use this script to find temporary or contract user accounts that have passed their set expiration date. This is different from a disabled account and is useful for cleaning up accounts that should no longer have access.
# -UsersOnly keeps expired computer accounts out of the report
Search-ADAccount -AccountExpired -UsersOnly | Select-Object Name, sAMAccountName, AccountExpirationDate | Export-Csv -Path "C:\Reports\ExpiredAccounts.csv" -NoTypeInformation
Tracking the last logon date for AD users is an essential practice for security auditing, identifying inactive accounts, and maintaining a clean user directory. This AD user logon PowerShell script retrieves the last logon timestamp for all users, providing their name, sAMAccountName, and the last logon date. LastLogonDate is the replicated lastLogonTimestamp, so it can lag the true last logon by up to about 14 days; if you need the exact time (for example during an incident), query the non-replicated lastLogon attribute on every domain controller and take the most recent value.
Get-ADUser -Filter * -Properties LastLogonDate |
Select-Object Name, sAMAccountName, LastLogonDate |
Export-Csv -Path "C:\ADUserLogonReport.csv" -NoTypeInformation
Generating reports on AD permissions is essential for auditing user access and ensuring a least-privilege security posture. This script retrieves the access control list (ACL) of a specific organizational unit (OU), that is, every trustee and the rights each one holds on the OU; filter the output on IdentityReference to see what a particular user or group can do. The AD: drive used below is created when the ActiveDirectory module is imported.
Import-Module ActiveDirectory
$OUPath = "OU=Sales,DC=yourdomain,DC=com"
Get-Acl -Path "AD:\$OUPath" | Select-Object -ExpandProperty Access | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, IsInherited | Export-Csv -Path "C:\Reports\OUPermissions.csv" -NoTypeInformation
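A raw ACL export lists every trustee and shows ObjectType only as a GUID, which makes it hard to spot the entries that matter. The following added example (not part of the original article) reviews an OU's ACL the way a security engineer would: it resolves ObjectType GUIDs to attribute and extended-right names using the schema and the Extended-Rights container, drops the trustees that are expected to have full control, and keeps only Allow entries that let the holder take over objects under the OU (GenericAll, WriteDacl, WriteOwner, or write/extended rights on sensitive targets such as member, servicePrincipalName or Reset Password). It assumes the ActiveDirectory module is loaded, that $OUPath is an OU you can read, and that the expected-trustee list below matches your environment; the list of sensitive targets is an assumption you should extend for your own threat model.

```powershell
# Added example (not from the original article): flag ACEs on an OU that allow
# takeover of objects beneath it, with ObjectType GUIDs resolved to names.
# Assumptions: ActiveDirectory module loaded, read access to the OU, schema and
# configuration partitions; the trustee and target lists are starting points.
Import-Module ActiveDirectory

$OUPath = "OU=Sales,DC=yourdomain,DC=com"   # placeholder OU, same as in the article

# Build a GUID -> name map from schema objects (attributes/classes) and from
# the controlAccessRight objects in CN=Extended-Rights (e.g. "Reset Password").
$RootDSE = Get-ADRootDSE
$GuidMap = @{}
Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.ConfigurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $GuidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { return 'All' }        # empty GUID = applies to everything
    if ($GuidMap.ContainsKey($g)) { return $GuidMap[$g] }
    return $g.ToString()
}

# Trustees whose full control on every OU is expected and not worth reporting.
# Note that other default entries (e.g. BUILTIN\Account Operators) are left in
# on purpose so they get reviewed rather than silently ignored.
$Domain = (Get-ADDomain).NetBIOSName
$ExpectedTrustees = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    "$Domain\Domain Admins", "$Domain\Enterprise Admins"

$AlwaysDangerous = 'GenericAll', 'WriteDacl', 'WriteOwner'
$TargetedRights  = 'GenericWrite', 'WriteProperty', 'ExtendedRight', 'Self'
# Attributes / extended rights that give control of an account when writable
$InterestingTargets = 'member', 'servicePrincipalName', 'scriptPath',
                      'msDS-AllowedToActOnBehalfOfOtherIdentity', 'msDS-KeyCredentialLink',
                      'Reset Password'

$Acl = Get-Acl -Path "AD:\$OUPath"
$Findings = foreach ($ace in $Acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ExpectedTrustees -contains $ace.IdentityReference.Value) { continue }

    $rights = $ace.ActiveDirectoryRights.ToString() -split ', '
    $target = Resolve-AceGuid $ace.ObjectType

    $flag = ($rights | Where-Object { $AlwaysDangerous -contains $_ }) -or
            (($rights | Where-Object { $TargetedRights -contains $_ }) -and
             ($target -eq 'All' -or $InterestingTargets -contains $target))
    if (-not $flag) { continue }

    [PSCustomObject]@{
        Trustee             = $ace.IdentityReference.Value
        Rights              = $ace.ActiveDirectoryRights
        AppliesTo           = $target
        InheritedObjectType = Resolve-AceGuid $ace.InheritedObjectType
        InheritanceType     = $ace.InheritanceType
        IsInherited         = $ace.IsInherited
    }
}

$Findings | Sort-Object Trustee |
    Export-Csv -Path "C:\Reports\OUPermissions-Review.csv" -NoTypeInformation
$Findings | Format-Table -AutoSize
```

Entries whose AppliesTo is "All" deserve the closest look: WriteProperty on All means every attribute of the affected objects, and ExtendedRight on All includes Reset Password. Because IsInherited is reported, you can tell whether a finding was set on this OU or flows down from a parent, which decides where the fix goes.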
For security reasons, very few accounts should have their passwords set to never expire. This script identifies all user accounts that have this flag enabled:
# Filter on the server instead of pulling every user and filtering locally; PasswordLastSet shows how old these non-expiring passwords really are
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires, PasswordLastSet | Select-Object Name, sAMAccountName, distinguishedName, PasswordLastSet | Export-Csv -Path "C:\Reports\PwdNeverExpires.csv" -NoTypeInformation
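A flat list of PasswordNeverExpires accounts is only the start; what matters is which of them are worth fixing first. The following added example (not from the original article) ranks them by risk: whether the account is in a privileged group (including nested membership), whether it carries a service principal name (a long-lived password on a Kerberos service account is a prime target for offline cracking), and how old the password is. It assumes the ActiveDirectory module is loaded, that the privileged group names below exist in your domain (adjust them to your own tiering model), and that C:\Reports exists.

```powershell
# Added example (not from the original article): rank PasswordNeverExpires
# accounts by risk using privileged-group membership, SPNs and password age.
# Assumptions: ActiveDirectory module loaded, the group names exist in your
# domain, and the folder C:\Reports exists.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Schema Admins', 'Account Operators', 'Backup Operators'

# Collect distinguished names of every user reachable from a privileged group,
# recursively, so membership through a nested group is still detected.
$PrivilegedDns = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $PrivilegedDns[$_.distinguishedName] = $g }
}

$Report = Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordLastSet, ServicePrincipalName, LastLogonDate |
    ForEach-Object {
        $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        [PSCustomObject]@{
            sAMAccountName  = $_.sAMAccountName
            Enabled         = $_.Enabled
            PasswordAgeDays = $ageDays
            HasSPN          = ($_.ServicePrincipalName.Count -gt 0)   # service account with a crackable TGS ticket
            PrivilegedGroup = $PrivilegedDns[$_.distinguishedName]    # empty when not privileged
            LastLogonDate   = $_.LastLogonDate
        }
    }

# Highest risk first: privileged accounts, then service accounts, then the
# oldest passwords. Disabled accounts still appear; they become a problem the
# moment someone re-enables them.
$Report |
    Sort-Object @{Expression = { [bool]$_.PrivilegedGroup }; Descending = $true },
                @{Expression = 'HasSPN'; Descending = $true },
                @{Expression = 'PasswordAgeDays'; Descending = $true } |
    Export-Csv -Path "C:\Reports\PwdNeverExpires-Risk.csv" -NoTypeInformation
```

For the privileged rows the right fix is usually to remove the flag and rotate the password; for service accounts with an SPN, migrating to a group managed service account removes both the non-expiring password and the cracking exposure at once.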
Sometimes you just need to quickly find a single user's details without navigating the Active Directory Users and Computers interface. This script allows you to find a specific user by their sAMAccountName and retrieve all of their properties:
$Username = "JohnDoe"
Get-ADUser -Identity $Username -Properties *
For organizational charting, reporting structures, or approval workflows, you often need a list of users and their direct managers. This script retrieves users and includes their manager's name in the report.
# manager holds the manager's distinguished name and is empty for many accounts; the guard avoids a Get-ADUser error on a null identity
Get-ADUser -Filter * -Properties displayName, manager | Select-Object Name, displayName, @{Name="Manager";Expression={ if ($_.Manager) { (Get-ADUser -Identity $_.Manager).Name } }} | Export-Csv -Path "C:\Reports\UsersWithManagers.csv" -NoTypeInformation
If you have a user's full name but need their sAMAccountName, this script provides a quick way to look it up.
$DisplayName = "John Doe"
Get-ADUser -Filter "displayName -eq '$DisplayName'" | Select-Object Name, sAMAccountName
In complex AD environments, users may be spread across several OUs. This script demonstrates how to target multiple OUs and consolidate the user list into a single report.
# Replace these distinguished names with the OUs you want to report on
$OUs = "OU=Sales,DC=yourdomain,DC=com", "OU=Finance,DC=yourdomain,DC=com"
$AllUsers = foreach ($OU in $OUs) {
    Get-ADUser -Filter * -SearchBase $OU -Properties displayName | Select-Object Name, displayName, distinguishedName
}
$AllUsers | Export-Csv -Path "C:\Reports\MultiOUUsers.csv" -NoTypeInformation
Filtering users by department is a common requirement for creating department-specific distribution lists or reports. This script retrieves all users who have a specific value in their department attribute.
$Department = "Finance"
Get-ADUser -Filter "department -eq '$department'" -Properties displayName, department | Select-Object name, displayName, sAMAccountName, department | Export-Csv -Path "C:\Reports\FinanceDepartmentUsers.csv" -NoTypeInformation
For data integrity and AD cleanup, it's useful to find users who are missing important information, such as a phone number or email address. This script finds all users where the telephoneNumber attribute is not set; change the attribute to whatever you need to check. In large domains, filtering on the server with -Filter 'telephoneNumber -notlike "*"' avoids retrieving every user first.
Get-ADUser -Filter * -Properties telephoneNumber | Where-Object { -not $_.telephoneNumber } | Select-Object Name, sAMAccountName, distinguishedName | Export-Csv -Path "C:\Reports\UsersWithEmptyPhone.csv" -NoTypeInformation
While name and displayName are the most commonly used naming attributes, sometimes you need to find a user based on their Common-Name (CN), which is part of their distinguished name. This script shows how to filter users based on the CN.
$CN = "John Doe"
Get-ADUser -Filter "cn -eq '$cn'" | Select-Object Name, sAMAccountName, distinguishedName
While powerful, relying solely on PowerShell AD scripts for extensive reporting can present several challenges:
ADManager Plus is a comprehensive AD reporting tool designed to simplify AD, Exchange, Microsoft 365, and Google Workspace management and reporting. It comes with the following capabilities:
You can use the Get-ADUser cmdlet with the -Filter * parameter to get all users.
You can use the Export-Csv cmdlet to export any PowerShell object to a CSV file.
You can use the Get-ADUser cmdlet with the -Properties LastLogonDate parameter to retrieve a user's last logon time. Keep in mind that LastLogonDate comes from the replicated lastLogonTimestamp attribute and can lag the true last logon by up to about 14 days; the exact value lives in the non-replicated lastLogon attribute on each domain controller.
You can use the Search-ADAccount -LockedOut cmdlet to find all locked-out user accounts.
Yes, you can use the Get-Acl cmdlet to get the permissions for any AD object, including OUs, users, and groups.