
Active Directory Users and Computers PowerShell Automation

This lab focuses on leveraging PowerShell to automate the management of Active Directory users and computers, enhancing efficiency and streamlining administrative tasks in a Windows environment. Participants will gain hands-on experience in scripting and executing commands to optimize user account management and system administration.

Session duration: 60 minutes · Typical launch: ~3 min

Difficulty: Beginner (lab level)
Lab VMs: 1 (1 Windows)
XP Reward: 300 XP (on completion)

Virtual machines

  • Lab VM: SADC01 (Windows)
  • Username / Password: user / password123
  • Connection type: In-browser RDP / RDP

CPU / RAM

Lab instructions

Follow the steps below to complete the lab.

Log in to SADC01 with the following credentials:

  • Username: user
  • Password: password123

Once you log in and get to the desktop, click Continue to the next step.

Before you can run PowerShell scripts for Active Directory automation, you need to set the script execution policy. In this step, you will set the PowerShell script execution policy to Unrestricted.

  1. Open the PowerShell ISE as an administrator.
  2. Click the Yes button on the User Account Control window.
  3. Run the following command to set the execution policy:
    Set-ExecutionPolicy Unrestricted
  4. When prompted, click Yes to confirm the change.
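The execution policy step above, shown with a record of the previous value and a restore for when the lab is finished. This is an added example, not part of the lab's instructions; the variable names are illustrative, and the commented alternative reflects that RemoteSigned only demands a signature on scripts downloaded from the internet, so locally written lab scripts still run under it.

```powershell
# Added example, not part of the lab. Run in the same elevated ISE session.

# 1. Record what is in effect at every scope before changing anything.
#    MachinePolicy and UserPolicy come from Group Policy and override the rest.
$before = Get-ExecutionPolicy -List
$before | Format-Table -AutoSize
$savedMachine = ($before | Where-Object Scope -eq 'LocalMachine').ExecutionPolicy

# 2. The lab's setting. With no -Scope it targets LocalMachine, so it applies
#    to every user on the Domain Controller and persists after ISE is closed.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force

#    Narrower alternative for scripts written on this machine: the change is
#    limited to the current ISE process and disappears when it exits.
# Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# 3. Confirm the effective policy for this session.
Get-ExecutionPolicy

# 4. When the lab is finished, restore the recorded machine-wide value.
Set-ExecutionPolicy -ExecutionPolicy $savedMachine -Scope LocalMachine -Force
Get-ExecutionPolicy -List | Format-Table -AutoSize
```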

Write the Create Users Script in PowerShell ISE

In this step you'll write a PowerShell script that reads your CSV file and creates each user account in Active Directory. You should already have PowerShell ISE open on the Domain Controller from the previous step.

Before You Begin

  • PowerShell ISE is open and running as Administrator
  • Your users.csv file is saved on the Desktop

Steps

  1. In PowerShell ISE, open a new script file using File > New or Ctrl+N.

  2. In the script pane, write a script that does the following:

    • Imports the CSV file from the Desktop using Import-Csv
    • Loops through each row and creates an AD user account using the data from each column
    • Sets the account password and enabled status based on the values in the CSV
    • Places each user in the correct OU based on the path column in the CSV
  3. Save the script as CreateUsers.ps1 to the Desktop using File > Save As or Ctrl+Shift+S.

  4. Before running the full script, test it against a single row first — you can do this by temporarily limiting your loop to the first entry and pressing F5 to run it. Verify the account was created correctly in Active Directory Users and Computers before proceeding.

  5. Once confirmed, run the full script against all rows in the CSV.

Expected Result

All users defined in users.csv should now exist in Active Directory, placed in their correct OUs with the correct enabled status. You can verify this using Active Directory Users and Computers or by running your validation script from the previous step.

Tip: If a user already exists and your script throws an error, you can add error handling around your New-ADUser call to skip existing accounts and continue processing the rest of the CSV.
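One way to write the script described in these steps, including the error handling from the tip. This is an added example, not the lab's own solution: the column names (FirstName, LastName, SamAccountName, Password, Enabled, Path) are assumptions because the page does not show the header row of users.csv, and -ChangePasswordAtLogon is an addition beyond the listed steps, included because the CSV holds the initial passwords in plain text.

```powershell
# Added example. Column names are assumed; match them to your users.csv header.
Import-Module ActiveDirectory

$csvPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'users.csv'
$rows    = Import-Csv -Path $csvPath

# Step 4 of the lab: uncomment to test against the first row only.
# $rows = $rows | Select-Object -First 1

foreach ($row in $rows) {
    $params = @{
        Name                  = "$($row.FirstName) $($row.LastName)"
        GivenName             = $row.FirstName
        Surname               = $row.LastName
        SamAccountName        = $row.SamAccountName
        # New-ADUser needs a SecureString; the CSV value is plain text.
        AccountPassword       = ConvertTo-SecureString $row.Password -AsPlainText -Force
        # CSV fields are strings, so convert "TRUE"/"FALSE" to a real boolean.
        Enabled               = [System.Convert]::ToBoolean($row.Enabled)
        # Distinguished name of the OU the account is created in.
        Path                  = $row.Path
        # Addition: the CSV password is known to anyone who can read the file.
        ChangePasswordAtLogon = $true
        # Turn failures into exceptions so the catch blocks below see them.
        ErrorAction           = 'Stop'
    }

    try {
        New-ADUser @params
        Write-Host "Created $($row.SamAccountName) in $($row.Path)"
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityAlreadyExistsException] {
        # Account is already present: skip it and keep processing the CSV.
        Write-Warning "Skipped $($row.SamAccountName): account already exists"
    }
    catch {
        # Anything else (bad OU path, password policy, and so on).
        Write-Warning "Failed $($row.SamAccountName): $($_.Exception.Message)"
    }
}
```

Delete or restrict access to users.csv once the accounts exist, since it contains every initial password.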

Disable a User Account in Active Directory

In this step you'll disable a specific user account in Active Directory using PowerShell ISE. Disabling an account prevents the user from logging in without permanently deleting the account.

Before You Begin

  • PowerShell ISE is open and running as Administrator
  • You are logged into the Domain Controller

Steps

  1. In PowerShell ISE, open a new script file using File > New or Ctrl+N.

  2. In the script pane, write a command using Disable-ADAccount targeting the username testadmin-adm by its SamAccountName.

  3. Run the script using F5 or the green play button.

  4. Verify the account has been disabled by querying the account with Get-ADUser and checking the Enabled property — it should return False.

Expected Result

The testadmin-adm account should now be disabled in Active Directory. You can confirm this in Active Directory Users and Computers where the account will appear with a downward-facing arrow icon indicating it is disabled.

Tip: Disabling an account is always preferable to deleting it when offboarding users — it preserves the account history and group memberships in case the account needs to be reinstated later.

Move Disabled Users to the Disabled Users OU

Now that your user accounts are created, any accounts that are disabled should be organized into the Disabled Users OU. In this step you'll query Active Directory for disabled accounts and move them to the correct location.

Steps

  1. Open PowerShell ISE by clicking the Start menu and searching for Windows PowerShell ISE.

  2. In the script pane at the top, write a query using Get-ADUser filtered by the Enabled property to retrieve all disabled accounts. Run it using F5 or the green play button to confirm the list of users looks correct before proceeding.

  3. Once you're satisfied the results are correct, extend your script to pipe those results into the appropriate cmdlet to move each object to the Disabled Users OU. You will need to supply the full distinguished name as the target path: OU=Disabled Users,OU=Server Academy,DC=ad,DC=serveracademy,DC=com

  4. Run the updated script and then re-run your query from step 2 to confirm the disabled accounts no longer appear in their original OUs.

Expected Result

All disabled user accounts should now reside under the Disabled Users OU. You can verify this in Active Directory Users and Computers by expanding the OU and confirming the accounts are present.

Tip: Use the script pane in ISE rather than the console pane so you can easily edit and re-run your commands as you build up the script.
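The disable step and the move step above, combined in one added example that is not the lab's own solution. It goes slightly beyond the steps by scoping the query with -SearchBase and doing a -WhatIf dry run first; the search base is an assumption, taken from the parent of the target OU given in the lab.

```powershell
# Added example, not the lab's solution.
Import-Module ActiveDirectory

$targetOU   = 'OU=Disabled Users,OU=Server Academy,DC=ad,DC=serveracademy,DC=com'
# Assumption: the lab's user accounts live under the parent of the target OU.
$searchBase = 'OU=Server Academy,DC=ad,DC=serveracademy,DC=com'

# Disable the account by SamAccountName, then read back the Enabled property.
Disable-ADAccount -Identity 'testadmin-adm'
Get-ADUser -Identity 'testadmin-adm' | Select-Object SamAccountName, Enabled

# Query disabled accounts. Scoping with -SearchBase keeps built-in accounts that
# are disabled by default (Guest, krbtgt) out of the result, and Where-Object
# drops accounts that already sit in the target OU.
$toMove = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $searchBase |
    Where-Object { $_.DistinguishedName -notlike "*,$targetOU" }
$toMove | Select-Object SamAccountName, DistinguishedName

# Dry run: -WhatIf prints each intended move without performing it.
$toMove | Move-ADObject -TargetPath $targetOU -WhatIf

# Real move, once the dry-run output matches the list above.
$toMove | Move-ADObject -TargetPath $targetOU

# Confirm: every disabled account under the search base is now in the target OU.
Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $searchBase |
    Select-Object SamAccountName, DistinguishedName
```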