Managing Active Directory accounts using PowerShell

You learned how to create Active Directory user accounts in “Adding user accounts in Active Directory of Windows Server 2012”, and now you will learn to manage accounts with PowerShell. The PowerShell commands are listed below with their descriptions.

These commands apply to Windows Server 2008 R2 and Windows Server 2012.

| PowerShell command | Command description |
|---|---|
| New-ADUser | Creates a new AD user |
| Remove-ADUser | Removes an AD user |
| Set-ADAccountPassword | Modifies the password of an AD account |
| Set-ADAccountExpiration | Sets the expiration date for an AD account |
| Clear-ADAccountExpiration | Clears the expiration date for an AD account |
| Enable-ADAccount | Enables an AD account |
| Disable-ADAccount | Disables an AD account |
| Unlock-ADAccount | Unlocks an AD account |
| Set-ADUser | Modifies an AD user |
| Search-ADAccount | Gets AD user accounts |
| Set-ADAccountControl | Modifies user account control (UAC) values for an AD account |
| Get-ADUser | Gets one or more AD users |
| Get-ADUserResultantPasswordPolicy | Gets the resultant password policy for a user |
| Add-ADGroupMember | Adds one or more users to an AD group |
| Remove-ADGroupMember | Removes one or more users from an AD group |
| Add-ADPrincipalGroupMembership | Adds a user to one or more AD groups |
| Remove-ADPrincipalGroupMembership | Removes a user from one or more AD groups |
| | Adds users to the Allowed List or the Denied List of the read-only domain controller (RODC) Password Replication Policy (PRP) |
| | Removes users from the Allowed List or the Denied List of the RODC PRP |
| Add-ADFineGrainedPasswordPolicySubject | Applies a fine-grained password policy to one or more users |
| Remove-ADFineGrainedPasswordPolicySubject | Removes one or more users from a fine-grained password policy |

To get more information about any of these commands, put Get-Help in front of the command name to see its full guide.


Adding user accounts in Active Directory of Windows Server 2012

One of the first jobs after installing Active Directory is creating user accounts, so that users can be authenticated by Active Directory. An authenticated user can then access network resources, while an unauthorized user does not get access to the network without the administrator’s permission.

As usual, my well-known two ways:


  1. Hit Windows Key + R buttons, type dsa.msc, and press OK
  2. Active Directory Users and Computers window opens. Remember you can open it via Server Manager too
  3. The easiest way is to right-click the Users object on the left side, click New, then User
  4. Fill the First and Last names as you desire. Mine will be User1. User logon name is User1 too. Click Next
  5. Choose a strong password, and leave the default settings intact. Then Next and Finish
  6. Now I want to make this account, a member of administrators. So on the working window, click on Users, and right click User1 on the left side. Then click on Add to a group…
  7. On Select Groups window, type Domain Admins; Enterprise Admins. Then click on OK twice

As a result, a user by the name of User1 is created, who is an administrator of both the domain and the forest.



  1. Open the PowerShell console
  2. Type the following commands and hit Enter:

```powershell
New-ADUser -SamAccountName User1 -AccountPassword (Read-Host "Set user password" -AsSecureString) -Name "User1" -Enabled $true -PasswordNeverExpires $false -ChangePasswordAtLogon $true
Add-ADPrincipalGroupMembership -Identity "CN=User1,CN=Users,DC=cyrusbesharat,DC=local" -MemberOf "CN=Enterprise Admins,CN=Users,DC=cyrusbesharat,DC=local","CN=Domain Admins,CN=Users,DC=cyrusbesharat,DC=local"
```
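As an added example that is not part of the original post, the script below strings together several of the cmdlets from the table above into a small account-lifecycle routine: create the user, time-box the account, grant access through a group, verify the result, and then find stale or expired accounts to disable. The domain DN is taken from the post; the `Helpdesk` group, the 90-day windows and the OU path are assumptions.

```powershell
# Added example, not code from the original post. The Helpdesk group,
# the 90-day windows and the container path are assumed values.
Import-Module ActiveDirectory

$Sam       = 'User1'
$Domain    = 'DC=cyrusbesharat,DC=local'          # domain DN used in the post
$UsersPath = "CN=Users,$Domain"
$Group     = "CN=Helpdesk,CN=Users,$Domain"       # assumed group (least privilege, not Domain Admins)

# 1. Create the user. The password is read as a SecureString so it never
#    appears in the script or the console history as plain text.
$Password = Read-Host -Prompt "Set password for $Sam" -AsSecureString
New-ADUser -Name $Sam -SamAccountName $Sam -Path $UsersPath `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $true -PasswordNeverExpires $false

# 2. Time-box the account instead of leaving it open-ended.
Set-ADAccountExpiration -Identity $Sam -DateTime (Get-Date).AddDays(90)

# 3. Grant access through a group rather than by editing the user directly.
Add-ADGroupMember -Identity $Group -Members $Sam

# 4. Verify what was actually written to the directory.
Get-ADUser -Identity $Sam -Properties AccountExpirationDate, MemberOf |
    Select-Object SamAccountName, Enabled, AccountExpirationDate, MemberOf

# 5. Periodic hygiene: user accounts that are expired or have not logged on
#    for 90 days are candidates for disabling. -WhatIf only lists them;
#    remove it once the list has been reviewed.
$Stale  = @(Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly)
$Stale += @(Search-ADAccount -AccountExpired -UsersOnly)
$Stale | Where-Object { $_.Enabled } | Sort-Object -Unique DistinguishedName |
    Disable-ADAccount -WhatIf

# 6. Review who holds the privileged memberships the post hands out in step 7.
foreach ($Priv in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $Priv -Recursive |
        Select-Object @{n='Group';e={$Priv}}, SamAccountName, objectClass
}
```

Run it from an elevated session on a machine with the RSAT Active Directory module installed; step 5 stays read-only until `-WhatIf` is removed.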
