
Active Directory PowerShell Management Scripts

A comprehensive collection of 44 production-ready PowerShell scripts for managing Active Directory environments. Organized into 8 categories covering every major AD administration task.

Requirements

  • PowerShell 5.1+ (Windows PowerShell) or PowerShell 7+
  • Active Directory module (RSAT: Active Directory Domain Services and Lightweight Directory Services Tools)
  • Group Policy module (for GPO scripts — RSAT: Group Policy Management Tools)
  • Domain Admin or delegated permissions appropriate to each script's function
  • Run from a domain-joined machine with line of sight to a Domain Controller

Repository Structure

AD-PowerShell-Scripts/
├── User-Management/          # 7 scripts — user lifecycle & attributes
├── Group-Management/         # 6 scripts — group creation, membership, sync
├── Computer-Management/      # 4 scripts — computer accounts & DNS cleanup
├── OU-Management/            # 3 scripts — OU structure & reporting
├── Security-Auditing/        # 8 scripts — privilege audit, attack paths, ACLs
├── Reporting/                # 6 scripts — health checks, replication, domain info
├── GPO-Management/           # 4 scripts — GPO reporting, backup, comparison
└── Bulk-Operations/          # 6 scripts + 4 CSV templates — imports, exports, syncs

User Management (7 scripts)

Script Description
New-ADUserOnboarding.ps1 Complete user onboarding — creates account, sets attributes, copies group memberships from a template user, creates home folder, sets NTFS permissions
Disable-StaleADUsers.ps1 Finds users inactive for X days (default 90), disables accounts, moves to "Disabled Users" OU, strips group memberships, exports CSV report
Unlock-ADUserAccount.ps1 Unlocks locked-out accounts, queries PDC emulator for lockout source computer, optional password reset
Reset-ADUserPassword.ps1 Single or bulk password reset with secure random password generation, optional force-change-at-logon, exports credentials to encrypted file
Set-ADUserAttributes.ps1 Bulk update user attributes from CSV — supports title, department, manager, phone, office, company, extensionAttributes, and more
Get-ADUserReport.ps1 Comprehensive user report — last logon, password expiry, account status, group memberships. Filter by OU, department, status. Export CSV/HTML
Move-ADUserOU.ps1 Move users between OUs with full logging. Supports single user or bulk moves from CSV

Group Management (6 scripts)

Script Description
New-ADGroupManaged.ps1 Creates new AD security or distribution group with naming convention, description, managed-by, OU placement, and parent group nesting
Add-ADGroupMembersBulk.ps1 Bulk add users to groups from CSV. Pre-validates all users and groups, generates success/failure report
Remove-ADGroupMembersBulk.ps1 Bulk remove users from groups. Safety checks prevent removal from protected groups (Domain Users, etc.)
Get-ADGroupMembershipReport.ps1 Deep membership reporting — recursive nested group expansion, circular nesting detection, empty group identification. CSV/HTML export
Compare-ADGroupMemberships.ps1 Side-by-side comparison of two users' or two groups' memberships. Shows common, unique-to-A, unique-to-B. Ideal for access reviews
Sync-ADGroupFromCSV.ps1 Syncs group membership to exactly match a CSV — adds missing members, removes extras. Perfect for HR system integration

Computer Management (4 scripts)

Script Description
Get-StaleComputers.ps1 Finds computer accounts inactive for X days. Actions: Report, Disable, or Delete. Excludes specified OUs. CSV export
Get-ComputerInventory.ps1 Full AD computer inventory — OS version, last logon, OU, enabled status, IPv4 from DNS. Filter by OS or OU
Move-ComputerToOU.ps1 Move computers to correct OU — single, bulk from CSV, or pattern-based matching
Remove-StaleComputerDNS.ps1 Finds and removes orphaned DNS A records pointing to disabled or deleted computer accounts

OU Management (3 scripts)

Script Description
New-OUStructure.ps1 Creates standardized OU hierarchy from JSON template. Ideal for setting up new sites or offices
Get-OUReport.ps1 OU structure analysis — object counts per OU (users, computers, groups), empty OUs, GPO link counts. CSV/HTML export
Export-OUStructure.ps1 Exports entire OU tree to JSON for documentation, disaster recovery, or replication to another domain. Optional ACL export

Security & Auditing (8 scripts)

Script Description
Get-PrivilegedAccountAudit.ps1 Audits Domain Admins, Enterprise Admins, Schema Admins, and other privileged groups. Flags policy violations: stale passwords, inactive accounts, service accounts in admin groups
Find-AccountLockouts.ps1 Queries PDC emulator Event ID 4740 for lockout events. Shows locked user, source computer, timestamp, caller process
Get-AdminSDHolderReport.ps1 Finds objects with orphaned AdminCount=1 flag. Optionally clears the flag and resets inherited ACLs
Get-PasswordPolicyAudit.ps1 Reports all password policies (Default Domain Policy + Fine-Grained). Identifies users with "Password Never Expires" flag
Find-SPNAccounts.ps1 Finds all Kerberoastable accounts (user accounts with SPNs). Reports password age and encryption types. Flags high-risk accounts
Get-StaleServiceAccounts.ps1 Identifies service accounts that are inactive, have old passwords, or have excessive group memberships
Get-ACLAudit.ps1 Audits AD object permissions — finds non-standard ACLs and identifies who has elevated access to sensitive OUs
Find-WeakPermissions.ps1 Scans for dangerous AD permissions: GenericAll on domain root, WriteDACL on privileged groups, ResetPassword on admin accounts. Attack path detection

Reporting (6 scripts)

Script Description
Get-ADHealthCheck.ps1 Comprehensive AD health dashboard — DC connectivity (LDAP/RPC), replication status, SYSVOL share validation, FSMO role holders, time sync, DNS. HTML report
Get-ADReplicationReport.ps1 Detailed replication status between all DCs — last sync time, failure count, partner status, transport type
Get-ADSiteTopology.ps1 AD Sites and Services report — sites, subnets, site links, DC placement per site, replication schedule
Get-DomainSummary.ps1 Quick domain overview — forest/domain functional level, DC count, user/computer/group counts, trust relationships, FSMO roles, schema version
Get-LicenseReport.ps1 Counts enabled user accounts for license reconciliation. Breakdown by OU or department. Excludes service/shared accounts by pattern
Get-ExpiringPasswordReport.ps1 Lists users whose passwords expire within X days (default 14). Optional email notification for proactive alerts

GPO Management (4 scripts)

Script Description
Get-GPOReport.ps1 All GPOs with links, status, WMI filters, last modified, security filtering. Identifies unlinked and empty GPOs
Backup-AllGPOs.ps1 Backs up every GPO to a timestamped folder. Generates HTML report of each backup for audit trail
Compare-GPOVersions.ps1 Compares two GPO backup versions with diff-style output. Essential for change tracking
Find-UnlinkedGPOs.ps1 Finds GPOs not linked to any OU. Actions: Report, Delete (with -WhatIf), or Export

Bulk Operations (6 scripts + 4 CSV templates)

Script Description
Import-ADUsersFromCSV.ps1 Full bulk user import — creates accounts, sets all attributes, adds to groups. Handles duplicates, generates success/failure report
Export-ADUsersToCSV.ps1 Exports AD users with all common fields (name, email, department, title, manager, last logon, password expiry, groups)
Import-ADGroupsFromCSV.ps1 Bulk create groups from CSV with scope, category, description, managed-by, OU, and initial members
Set-BulkPasswordReset.ps1 Reset passwords for a list of users. Generates complex random passwords. Exports new credentials to encrypted file
Update-ADUsersFromHR.ps1 Sync AD attributes from HR system CSV export. Matches on EmployeeID. Resolves manager DNs. Creates detailed change log
New-BulkADComputers.ps1 Pre-stage computer accounts in AD from CSV. Sets description, OU, and group memberships before domain join

CSV Templates (in Bulk-Operations/Templates/)

Template Columns
UserImportTemplate.csv FirstName, LastName, Username, Password, Department, Title, Manager, Office, Phone, Groups
GroupImportTemplate.csv GroupName, Scope, Category, Description, ManagedBy, OU, Members
HRSyncTemplate.csv EmployeeID, FirstName, LastName, Title, Department, Manager, Office, Phone, Company
ComputerImportTemplate.csv ComputerName, Description, OU, Groups

Common Features

All scripts in this repository share these production-quality characteristics:

  • #Requires statements — enforces module dependencies before execution
  • Comment-based help — full .SYNOPSIS, .DESCRIPTION, .PARAMETER, .EXAMPLE blocks; use Get-Help .\ScriptName.ps1 -Full for documentation
  • Parameter validation — ValidateSet, ValidateScript, ValidateNotNullOrEmpty on all inputs
  • Error handling — try/catch blocks with meaningful error messages throughout
  • -WhatIf support — preview changes before committing on all destructive operations
  • Logging — timestamped operational logs for audit trails
  • CSV/HTML export — flexible output formats for reporting and documentation

Quick Start

# Import the AD module (if not auto-loaded)
Import-Module ActiveDirectory

# Example: Get a full user report for the Sales department
.\User-Management\Get-ADUserReport.ps1 -Department "Sales" -OutputFormat HTML -OutputPath "C:\Reports\SalesUsers.html"

# Example: Find all Kerberoastable accounts
.\Security-Auditing\Find-SPNAccounts.ps1 -HighRiskOnly -OutputPath "C:\Reports\SPNAccounts.csv"

# Example: Bulk import users from CSV
.\Bulk-Operations\Import-ADUsersFromCSV.ps1 -CSVPath ".\Bulk-Operations\Templates\UserImportTemplate.csv" -DefaultOU "OU=NewUsers,DC=corp,DC=local" -WhatIf

# Example: Full AD health check
.\Reporting\Get-ADHealthCheck.ps1 -IncludeDNS -IncludeReplication -OutputPath "C:\Reports\ADHealth.html"

Contributing

Feel free to submit issues or pull requests. When adding new scripts, please follow the existing conventions: comment-based help, parameter validation, error handling, and -WhatIf support for destructive operations.
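The skeleton below shows what the Common Features list and these contribution conventions look like in one script: #Requires, comment-based help, validated parameters, try/catch, -WhatIf/-Confirm via ShouldProcess, and a timestamped log. It is an illustration added here, not one of the repository's scripts; the script name, OU path and log file name are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
<#
.SYNOPSIS
    Disables enabled user accounts that have not logged on for a given number of days.
.PARAMETER InactiveDays
    Days without a logon after which an account is considered stale (default 90).
.PARAMETER SearchBase
    Distinguished name of the OU whose users are examined.
.EXAMPLE
    .\Disable-InactiveUsers.ps1 -SearchBase "OU=Staff,DC=corp,DC=local" -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [ValidateRange(30, 3650)]
    [int]$InactiveDays = 90,
    [Parameter(Mandatory)]
    [ValidateScript({ Get-ADOrganizationalUnit -Identity $_ })]   # fails early on a bad DN
    [string]$SearchBase,
    [ValidateNotNullOrEmpty()]
    [string]$LogPath = '.\Disable-InactiveUsers.log'              # hypothetical log location
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

# LastLogonTimestamp is replicated (with up to ~14 days of lag), so it suits a domain-wide
# stale check; LastLogon is per-DC and is not replicated.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
try {
    $stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimestamp -lt $cutoff } `
                        -SearchBase $SearchBase -Properties LastLogonTimestamp -ErrorAction Stop
} catch {
    Write-Log "ERROR querying AD: $($_.Exception.Message)"
    throw
}

foreach ($user in $stale) {
    # ShouldProcess is what makes -WhatIf and -Confirm apply to the destructive step.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable stale account')) {
        try {
            Disable-ADAccount -Identity $user -ErrorAction Stop
            Write-Log "Disabled $($user.SamAccountName)"
        } catch {
            Write-Log "ERROR disabling $($user.SamAccountName): $($_.Exception.Message)"
        }
    }
}
```

Because ConfirmImpact is High, the script prompts for each account unless run with -Confirm:$false, and -WhatIf reports what would be disabled without touching the directory.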

License

MIT License — free to use, modify, and distribute.
