Active Directory scripts galore: come and get it!
One of the most frequent applications for PowerShell is Active Directory. For more than a decade, I’ve been writing Active Directory scripts in VBScript and PowerShell. Here’s a large collection of Active Directory PowerShell scripts for various tasks!
All of the Active Directory scripts posted here are in varying states of completion. The goal of this article isn't to hand you perfect, tested scripts but to give you a head start on writing your own, so read each one before pointing it at a production domain.
All of the scripts are PowerShell scripts for Active Directory. You can automate Active Directory with other tooling, but as you may have noticed, I prefer PowerShell. Enjoy!
SPNs in Active Directory
User Accounts
- Bulk-AD-User-Creation.ps1 An example of reading a text file to create Active Directory users in bulk.
- Copy-AD-User-Account.ps1 Do you use template user accounts that you build other accounts from? Look no further. This script copies attributes and all group memberships from an existing user to create a new AD user. Review the template's group memberships before cloning it; copying a template is how over-privileged accounts quietly multiply.
- FindUnusedUserAccounts.ps1 Finds Active Directory user accounts that are no longer used and removes them. The script also writes a CSV log file.
- Get-ActiveDirectoryUserActivity.ps1 Determines all users' logon and logoff times on every computer in an Active Directory organizational unit. It reads the relevant Security log events (for example 4624 for logon and 4634 for logoff), so the necessary audit policies must be enabled first or those events are never written.
- Get-AdUserMatches.ps1 You have a CSV file full of employee names and need to find their AD user accounts, but nothing ever matches 100%. This script finds AD user accounts from a CSV file and shows an example of "fuzzy" matching.
- Get-All-Docs-Password-Age.ps1 A nice example of getting the password age of many AD users at once.
- Get-Inactive-Ad-Users.ps1 Another example of pulling employee information from a CSV and finding their AD user accounts. This one was used to find inactive accounts.
- Get-LoggedOnUser.ps1 Not strictly an Active Directory script, but the function in it queries CIM on a local or remote computer and returns the currently logged-on user (local or domain).
- GetAdUsersWithPasswordLastSetOlderThan.ps1 An older script that finds AD users whose password was last set before a given cutoff, that is, older than some number of days.
- GetPasswordResetCountXDaysOld.ps1 Counts the AD users whose password was reset within the last X days. It overlaps somewhat with GetAdUsersWithPasswordLastSetOlderThan.ps1.
- JEA-PSWA-ActiveDirectory-User-Admin.ps1 I remember this one! A long script that used Just Enough Administration (JEA) and PowerShell Web Access to delegate AD changes to other users. It was used to let HR create and modify AD users without handing them domain administrator rights.
- New-AdUserProvision.ps1 An example of a script that does everything: it creates the user account, assigns groups, places the user in the correct OU, and even creates a home folder.
- Get-UserLogonSessionHistory.ps1 Searches for all users' logon, logoff, and total active session times on all the computers given. The advanced audit policies Audit Logon, Audit Logoff, and Audit Other Logon/Logoff Events must be enabled and targeted at the right computers by GPO for this script to work.
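The JEA delegation mentioned for JEA-PSWA-ActiveDirectory-User-Admin.ps1 above is worth seeing in concrete form. What follows is an added example written for this page, not the author's script: it builds a JEA endpoint that lets an HR group create and edit users in one OU and nothing else. The OU, the HR group, the gMSA name, and the module and endpoint names are all assumptions.

```powershell
# Added example (not one of the page's scripts): a JEA endpoint for HR user provisioning.
# Assumed names: the staff OU, the HR group, the gMSA, and the HrUserAdmin module/endpoint.

$staffOu  = 'OU=Staff,DC=corp,DC=example'   # the only OU HR may create users in
$hrGroup  = 'CORP\HR-Provisioning'          # AD group whose members get the role
$gmsaName = 'gMSA-HrJea'                    # gMSA with delegated create/modify rights on $staffOu only
$modRoot  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HrUserAdmin'
$rcDir    = Join-Path $modRoot 'RoleCapabilities'

# JEA discovers .psrc files under <module>\RoleCapabilities, so the module must exist first.
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modRoot 'HrUserAdmin.psd1')

# Role capability: an allow-list of cmdlets, and for the risky ones an allow-list of parameters.
# New-ADUser's -Path is pinned to $staffOu with ValidateSet, so the role cannot drop an account
# into a privileged OU; Set-ADUser cannot touch group membership, password or userAccountControl.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'HrUserAdmin.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        @{ Name = 'Get-ADUser'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Filter' }, @{ Name = 'Properties' } },
        @{ Name = 'New-ADUser'; Parameters = @{ Name = 'Path'; ValidateSet = $staffOu },
                                             @{ Name = 'Name' }, @{ Name = 'SamAccountName' },
                                             @{ Name = 'GivenName' }, @{ Name = 'Surname' },
                                             @{ Name = 'UserPrincipalName' }, @{ Name = 'AccountPassword' },
                                             @{ Name = 'ChangePasswordAtLogon' }, @{ Name = 'Enabled' } },
        @{ Name = 'Set-ADUser'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Title' },
                                             @{ Name = 'Department' }, @{ Name = 'Manager' },
                                             @{ Name = 'Office' }, @{ Name = 'OfficePhone' } }
    )

# Session configuration: RestrictedRemoteServer gives a NoLanguage session with only the
# listed cmdlets; the gMSA is the identity that actually talks to AD, so the HR user never
# holds AD rights. Every session is transcribed for audit.
$roles = @{}
$roles[$hrGroup] = @{ RoleCapabilities = 'HrUserAdmin' }
$psscPath = Join-Path $env:TEMP 'HrUserAdmin.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount $gmsaName `
    -RoleDefinitions $roles `
    -TranscriptDirectory 'C:\JEATranscripts'

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath is invalid"
}
Register-PSSessionConfiguration -Name 'HrUserAdmin' -Path $psscPath -Force | Out-Null

# HR then connects with:
#   Enter-PSSession -ComputerName jea01.corp.example -ConfigurationName HrUserAdmin
# and Get-Command inside that session shows only the cmdlets listed above.
```

Register the endpoint on a member server, not a domain controller: on a DC a JEA virtual account would be a local administrator, which is a domain administrator. The gMSA must be installed on the host and should hold only the delegated create/modify rights on the staff OU; the role capability limits what HR can type, and the gMSA's ACLs limit what the session can do even if the allow-list is wrong.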
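Both Get-ActiveDirectoryUserActivity.ps1 and Get-UserLogonSessionHistory.ps1 rebuild sessions from audit events. The pairing logic is the interesting part, so here is an added example (not one of the page's scripts) that matches logon events (4624) to logoff events (4634, 4647) by Logon ID and reports session durations. The sample events at the end are constructed; the commented Get-WinEvent call is the real data source. The computer name is an assumption.

```powershell
# Added example, not one of the page's scripts. Pairs 4624 with 4634/4647 by TargetLogonId.

function ConvertFrom-SecurityEvent {
    # Flatten an EventRecord into the few fields the pairing needs.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $x = [xml] $Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Id          = $Record.Id
            LogonId     = $d['TargetLogonId']
            User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType   = $d['LogonType']   # 4647 has no LogonType; the 4624 supplies it
        }
    }
}

function Get-LogonSessionHistory {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Interactive (2), Unlock (7), RemoteInteractive (10) and CachedInteractive (11) mean a
        # person was at the console; Network (3) and Service (5) logons are noise for this report.
        [int[]] $LogonType = 2, 7, 10, 11
    )
    $open = @{}
    $closed = @(foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq 4624) {
            if ([int]$e.LogonType -in $LogonType) { $open[$e.LogonId] = $e }
        }
        elseif (($e.Id -in 4634, 4647) -and $open.ContainsKey($e.LogonId)) {
            $start = $open[$e.LogonId]
            [pscustomobject]@{
                User      = $start.User
                LogonType = $start.LogonType
                Start     = $start.TimeCreated
                End       = $e.TimeCreated
                Minutes   = [math]::Round(($e.TimeCreated - $start.TimeCreated).TotalMinutes, 1)
            }
            $open.Remove($e.LogonId)
        }
    })
    # Anything left is still logged on, or its logoff was never written (crash, reboot, audit gap).
    $stillOpen = @(foreach ($s in $open.Values) {
        [pscustomobject]@{ User = $s.User; LogonType = $s.LogonType; Start = $s.TimeCreated; End = $null; Minutes = $null }
    })
    $closed + $stillOpen
}

# --- constructed sample standing in for a day of Security-log events ---
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-06 08:01'; Id = 4624; LogonId = '0x3E7A1'; User = 'CORP\alice';      LogonType = '2' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-06 08:01'; Id = 4624; LogonId = '0x3E7B0'; User = 'CORP\svc-backup'; LogonType = '3' }   # network logon, ignored
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-06 12:30'; Id = 4647; LogonId = '0x3E7A1'; User = 'CORP\alice';      LogonType = $null }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-06 13:05'; Id = 4624; LogonId = '0x4A100'; User = 'CORP\bob';        LogonType = '10' }  # RDP session, never closed
)
Get-LogonSessionHistory -Events $sample | Format-Table -AutoSize

# Real data from a computer (name assumed); requires the Logon/Logoff audit subcategories:
#   auditpol /get /category:"Logon/Logoff"
# $ev = Get-WinEvent -ComputerName ws01 -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = (Get-Date).AddDays(-7) } |
#           ConvertFrom-SecurityEvent
# Get-LogonSessionHistory -Events $ev | Sort-Object Start | Format-Table -AutoSize
```

Two things bite in practice: 4634 is not reliably written for every 4624, so treat "open" sessions as unknown rather than as still active, and the Security log on a busy workstation rolls over in days unless its size is raised or the events are forwarded, so run this against collected logs rather than the endpoint when you need history.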
Groups in Active Directory
- Get-AdGroupMembershipChange.ps1 Queries multiple Active Directory groups in a domain for new members. It records group membership in a CSV file in the same folder as the script. On the first run it simply records all members of all groups into that CSV file. On later runs it queries each group's member list, compares it to the CSV, and if any differences are found (added or removed) updates the CSV to the current membership and notifies an administrator of which members were added or removed.
- Get-EmptyGroup.ps1 Searches the current computer's Active Directory domain for groups with no members, which is typical when looking for groups that can be deleted. It excludes built-in groups such as Domain Computers and Domain Users.
- New-AdGroupMembershipMonitor.ps1 I enjoyed writing this one because it was a dive into security. It watches an Active Directory group for membership changes and can alert you when members are added or removed. Pointed at Domain Admins or another privileged group, it is a cheap detection for privilege escalation.
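Get-AdGroupMembershipChange.ps1 and New-AdGroupMembershipMonitor.ps1 both do snapshot-and-diff. Here is an added example (not one of the page's scripts) of that pattern with the details that matter for a privileged-group monitor: nested membership is expanded and the diff is keyed on SID rather than name. The watched groups, the state-file location, and the demo data are assumptions.

```powershell
# Added example, not one of the page's scripts. Snapshot privileged groups to CSV, diff on later runs.

$WatchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'   # assumed watch list
$StatePath     = Join-Path $PSScriptRoot 'group-membership.csv'                            # assumed state file

function Get-GroupMembershipSnapshot {
    param([Parameter(Mandatory)] [string[]] $Group)
    foreach ($g in $Group) {
        # -Recursive expands nested groups: a user dropped into a group that is itself a member
        # of Domain Admins is an admin too, and a flat listing would miss it.
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
            [pscustomobject]@{ Group = $g; Sid = $_.SID.Value; Name = $_.SamAccountName; Class = $_.objectClass }
        }
    }
}

function Compare-GroupMembership {
    # Diff two snapshots on SID, not on name: renaming an account must not hide an addition.
    param([object[]] $Baseline = @(), [object[]] $Current = @())
    $groups = @($Baseline + $Current | Select-Object -ExpandProperty Group -Unique)
    foreach ($g in $groups) {
        $old = @($Baseline | Where-Object Group -eq $g | ForEach-Object Sid)
        $new = @($Current  | Where-Object Group -eq $g | ForEach-Object Sid)
        foreach ($m in ($Current | Where-Object { $_.Group -eq $g -and $_.Sid -notin $old })) {
            [pscustomobject]@{ Group = $g; Change = 'Added';   Name = $m.Name; Sid = $m.Sid }
        }
        foreach ($m in ($Baseline | Where-Object { $_.Group -eq $g -and $_.Sid -notin $new })) {
            [pscustomobject]@{ Group = $g; Change = 'Removed'; Name = $m.Name; Sid = $m.Sid }
        }
    }
}

function Invoke-GroupMembershipCheck {
    param([string[]] $Group = $WatchedGroups, [string] $Path = $StatePath)
    $current = @(Get-GroupMembershipSnapshot -Group $Group)
    if (-not (Test-Path $Path)) {
        $current | Export-Csv -Path $Path -NoTypeInformation   # first run: record the baseline only
        return
    }
    $baseline = @(Import-Csv -Path $Path)
    $changes  = @(Compare-GroupMembership -Baseline $baseline -Current $current)
    if ($changes) {
        $body = $changes | Format-Table -AutoSize | Out-String
        Write-Warning "Privileged group membership changed:`n$body"   # swap for Send-MailMessage or a SIEM hook
        $current | Export-Csv -Path $Path -NoTypeInformation         # accept the new state as the baseline
    }
    $changes
}

# --- constructed demo data, so the diff can be exercised without a domain ---
$demoBaseline = @(
    [pscustomobject]@{ Group = 'Domain Admins'; Sid = 'S-1-5-21-1-1-1-500';  Name = 'Administrator'; Class = 'user' }
    [pscustomobject]@{ Group = 'Domain Admins'; Sid = 'S-1-5-21-1-1-1-1105'; Name = 'alice.adm';     Class = 'user' }
)
$demoCurrent = @(
    $demoBaseline[0]
    [pscustomobject]@{ Group = 'Domain Admins'; Sid = 'S-1-5-21-1-1-1-1105'; Name = 'a.admin'; Class = 'user' }   # alice renamed: not a change
    [pscustomobject]@{ Group = 'Domain Admins'; Sid = 'S-1-5-21-1-1-1-2210'; Name = 'svc-sql'; Class = 'user' }   # new member: reported
)
Compare-GroupMembership -Baseline $demoBaseline -Current $demoCurrent | Format-Table -AutoSize

# Against a real domain, schedule this: Invoke-GroupMembershipCheck
```

Polling only tells you that membership drifted between two runs; it says nothing about who made the change or whether a member was added and removed again in between. Pair it with the domain controllers' Security log events for group changes (4728/4729 for global, 4732/4733 for local, 4756/4757 for universal security groups), which carry the acting account and fire at the moment of change.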
Group Policy Objects in Active Directory
- CompareIEGPO.ps1 An ancient script, but still helpful. I used it to compare two GPOs: it reads the registry settings from each GPO to find where they differ.
- Get-DisabledGpo.ps1 Searches the current computer's Active Directory domain for GPOs whose computer settings, user settings, or both are disabled, which is typical when looking for GPOs that can be removed.
- Get-GPO-Reg-Settings.ps1 Retrieves all of the registry settings that one or more GPOs apply, using Get-GPRegistryValue and some wizardry.
- Get-GPOs-Linked-To-Empty-OUs.ps1 Another script for cleaning up AD. This one finds GPOs that do nothing because they are linked only to empty OUs.
- Get-Gpo-Setting.ps1 A good example of how to find GPO registry settings.
- Get-Inactive-GPO-Settings.ps1 Finds all GPOs in the current domain whose user or computer configuration section is enabled but contains no settings. A good script for cleaning up AD.
- Get-Inactive-GPOs.ps1 Another example of finding GPOs that are no longer in use so they can be removed.
- Get-UnlinkedGpo.ps1 Searches the current computer's Active Directory domain for GPOs that are not linked to anything, which is typical when looking for GPOs that can be removed.
DNS in Active Directory
- Get-AdDnsRecordAcl.ps1 Gets the ACL of a DNS record stored in Active Directory. Useful for debugging dynamic DNS problems, typically when a client cannot update a record because a different account created it and owns it.
Troubleshooting Active Directory
- Get-DcDiag.ps1 I like the original dcdiag utility, but it was never properly PowerShellified. This script parses the text output of dcdiag and returns rich objects.
- TestSiteReplicationMod.ps1 Verifies that DCs are replicating. It makes a change on one DC and then polls the others to see how long the change takes to replicate (if at all).
Organizational Units
- Get-Empty-OUs.ps1 Another cleanup script that finds all organizational units that are empty. Might as well clean those up!
Computer Accounts
- Get-Old-Computer-Accounts.ps1 Need to clean up old Active Directory computer accounts? No problem. Take a look at some good examples of using text files and AD to make it happen.
- Get-ClientsUnderNoSite.ps1 Occasionally AD clients are not assigned to a site, which causes a variety of problems, because the DC locator cannot pick a nearby domain controller for a client with no site. Use this script to find AD computers that are not assigned to a site so they can be fixed.
- Rejoin-Computer.ps1 Removes a computer from an Active Directory domain, reboots it, then joins it to the domain again and reboots once more.
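Several of the scripts above (FindUnusedUserAccounts.ps1, Get-Inactive-Ad-Users.ps1, the two password-age scripts, and Get-Old-Computer-Accounts.ps1) are variations on one query: which enabled accounts have not logged on, or not changed their password, in N days. The added example below (not one of the page's scripts) does that for users and computers with the attribute details that usually trip people up. The thresholds and output paths are assumptions; set them from your own password and decommissioning policy.

```powershell
# Added example, not one of the page's scripts. Stale user and computer report.

function Get-StaleAdUser {
    param([int] $InactiveDays = 90, [int] $MaxPasswordAgeDays = 180)   # assumed thresholds
    $cutoff   = (Get-Date).AddDays(-$InactiveDays)
    $cutoffFt = $cutoff.ToFileTime()            # lastLogonTimestamp and pwdLastSet are FILETIME integers
    $pwCutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    $pwCutFt  = $pwCutoff.ToFileTime()

    # Filter on the DC side: enabled users with no replicated logon in $InactiveDays days, no logon
    # ever (the attribute is simply absent, hence -notlike '*'), or a password older than allowed.
    $filter = "Enabled -eq 'True' -and ((lastLogonTimestamp -lt $cutoffFt) -or (lastLogonTimestamp -notlike '*') -or (pwdLastSet -lt $pwCutFt))"
    Get-ADUser -Filter $filter -Properties lastLogonTimestamp, pwdLastSet, PasswordNeverExpires, whenCreated |
        Where-Object { $_.whenCreated -lt $cutoff } |   # a new account that has not logged on yet is not stale
        ForEach-Object {
            $lastLogon = if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) }
            # pwdLastSet 0 means "must change password at next logon", not "set in 1601".
            $pwSet     = if ($_.pwdLastSet -gt 0) { [datetime]::FromFileTime($_.pwdLastSet) }
            $reasons = @()
            if (-not $lastLogon -or $lastLogon -lt $cutoff) { $reasons += 'inactive' }
            if ($pwSet -and $pwSet -lt $pwCutoff)           { $reasons += 'old password' }
            if ($reasons) {
                [pscustomobject]@{
                    SamAccountName       = $_.SamAccountName
                    LastLogon            = $lastLogon
                    InactiveDays         = if ($lastLogon) { [int]((Get-Date) - $lastLogon).TotalDays } else { $null }
                    PasswordLastSet      = $pwSet
                    PasswordAgeDays      = if ($pwSet) { [int]((Get-Date) - $pwSet).TotalDays } else { $null }
                    PasswordNeverExpires = $_.PasswordNeverExpires
                    Reason               = $reasons -join ', '
                    DistinguishedName    = $_.DistinguishedName
                }
            }
        }
}

function Get-StaleAdComputer {
    param([int] $InactiveDays = 90)
    $cutoff   = (Get-Date).AddDays(-$InactiveDays)
    $cutoffFt = $cutoff.ToFileTime()
    # A domain member rotates its machine-account password every 30 days by default, so a
    # pwdLastSet older than 90 days is a stronger "this machine is gone" signal than lastLogonTimestamp alone.
    $filter = "Enabled -eq 'True' -and ((lastLogonTimestamp -lt $cutoffFt) -or (lastLogonTimestamp -notlike '*')) -and (pwdLastSet -lt $cutoffFt)"
    Get-ADComputer -Filter $filter -Properties lastLogonTimestamp, pwdLastSet, OperatingSystem, whenCreated |
        Where-Object { $_.whenCreated -lt $cutoff } |
        Select-Object Name, OperatingSystem,
            @{ n = 'LastLogon';       e = { if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } } },
            @{ n = 'PasswordLastSet'; e = { [datetime]::FromFileTime($_.pwdLastSet) } },
            DistinguishedName
}

# Usage: report first, act later. Output paths are assumptions.
$users = Get-StaleAdUser -InactiveDays 90 -MaxPasswordAgeDays 180
$users | Export-Csv -Path (Join-Path $PSScriptRoot 'stale-users.csv') -NoTypeInformation
$users | Sort-Object InactiveDays -Descending | Format-Table SamAccountName, LastLogon, PasswordAgeDays, PasswordNeverExpires, Reason -AutoSize
Get-StaleAdComputer -InactiveDays 90 | Format-Table -AutoSize
```

Two caveats before anyone turns this into a deletion script. lastLogonTimestamp is only rewritten when the stored value is more than about 14 days old (it exists to replicate cheaply, unlike lastLogon, which is per-DC and never replicates), so it is accurate to roughly two weeks and thresholds under 30 days will produce false positives. And "stale" is a reason to disable an account and move it to a quarantine OU with a description noting the date, not to delete it; the SID and group memberships are gone the moment you delete, and the page's own FindUnusedUserAccounts.ps1 removes accounts outright.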
That’s it! These are some of the Active Directory scripts I’ve developed over the years. I wish I had been more organized in keeping track of them all! I hope these scripts help you get started on constructing your own Active Directory routines.