PowerShell Active Directory One-Liners at a Glance
- List all users: Get-ADUser -Filter *
- Find locked-out accounts: Search-ADAccount -LockedOut
- Reset a password: Set-ADAccountPassword -Identity username -NewPassword (ConvertTo-SecureString "P@ss1" -AsPlainText -Force) -Reset
- Add user to group: Add-ADGroupMember -Identity "GroupName" -Members username
- Disable a user: Disable-ADAccount -Identity username
- Get last logon date: Get-ADUser username -Properties LastLogonDate | Select LastLogonDate
This page is the fast-reference companion to the main Active Directory PowerShell one-liners hub. It is deliberately built for copy-and-paste daily admin work rather than long explanations.
If you need a full onboarding workflow instead of quick commands, use the bulk create Active Directory users with PowerShell and CSV guide.
Quick start
Import-Module ActiveDirectory
Get-Module ActiveDirectory -ListAvailable
Run PowerShell with the right admin permissions and test in a lab or non-production OU before making broad changes.
User lookup commands
Get-ADUser -Identity 'jdoe'
Get-ADUser -Filter *
Get-ADUser -Filter 'Enabled -eq $false' -Properties Name,SamAccountName
Get-ADUser -Filter 'Department -eq "Finance"' -Properties Department | Select-Object Name,SamAccountName,Department
Get-ADUser -Filter * -SearchBase 'OU=Users,DC=contoso,DC=com'
Password, lockout, and account status
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword (Read-Host -AsSecureString)
Unlock-ADAccount -Identity 'jdoe'
Enable-ADAccount -Identity 'jdoe'
Disable-ADAccount -Identity 'jdoe'
Search-ADAccount -LockedOut | Select-Object Name,SamAccountName
User updates
Set-ADUser -Identity 'jdoe' -Department 'Sales'
Set-ADUser -Identity 'jdoe' -Title 'Systems Administrator'
Set-ADUser -Identity 'jdoe' -Manager 'CN=Jane Smith,OU=Users,DC=contoso,DC=com'
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true
Single-user creation
$Password = Read-Host -AsSecureString -Prompt 'Enter password'
New-ADUser -Name 'John Doe' -GivenName 'John' -Surname 'Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.com' -AccountPassword $Password -Enabled $true -Path 'OU=Users,DC=contoso,DC=com'
For bulk onboarding from a spreadsheet, do not expand this one-liner into a giant loop here. Use the dedicated CSV provisioning guide.
Group membership commands
Get-ADGroupMember -Identity 'VPN Users' | Select-Object Name,ObjectClass
Add-ADGroupMember -Identity 'VPN Users' -Members 'jdoe'
Remove-ADGroupMember -Identity 'VPN Users' -Members 'jdoe' -Confirm:$false
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name
Computer account commands
Get-ADComputer -Filter * | Select-Object Name
Get-ADComputer -Filter 'OperatingSystem -like "Windows 11*"' -Properties OperatingSystem | Select-Object Name,OperatingSystem
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 120.00:00:00 | Select-Object Name,LastLogonDate
Disable-ADAccount -Identity 'PC-001'
OU and object movement
Get-ADOrganizationalUnit -Filter * | Select-Object Name,DistinguishedName
Move-ADObject -Identity 'CN=PC-001,OU=Workstations,DC=contoso,DC=com' -TargetPath 'OU=Disabled Computers,DC=contoso,DC=com'
Move-ADObject -Identity 'CN=John Doe,OU=New Starters,DC=contoso,DC=com' -TargetPath 'OU=Users,DC=contoso,DC=com'
Reporting commands
Get-ADUser -Filter 'Enabled -eq $false' | Select-Object Name,SamAccountName | Export-Csv .\disabled-users.csv -NoTypeInformation
Get-ADUser -Filter * -Properties LastLogonDate | Select-Object Name,SamAccountName,LastLogonDate | Export-Csv .\last-logon-report.csv -NoTypeInformation
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object Name,ObjectClass | Export-Csv .\domain-admins.csv -NoTypeInformation
Stale object hunting
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00 | Select-Object Name,SamAccountName,LastLogonDate
Search-ADAccount -PasswordExpired | Select-Object Name,SamAccountName
Get-ADComputer -Filter * -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt (Get-Date).AddDays(-120)} | Select-Object Name,LastLogonDate
Safer change execution
Disable-ADAccount -Identity 'jdoe' -WhatIf
Remove-ADGroupMember -Identity 'VPN Users' -Members 'jdoe' -Confirm:$false -WhatIf
Use -WhatIf where possible, export current state first, and apply bulk changes in a maintenance window with a rollback plan.
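The advice above (export current state, preview with -WhatIf, keep a rollback path) put together for the stale-user case, as an added example that is not from the original page. The OU, the 90-day window, the snapshot file name and the $Commit variable are assumptions.

```powershell
# Added example. OU, 90-day window, file name and $Commit are assumptions.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=contoso,DC=com'
$Snapshot   = ".\stale-users-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
$Commit     = $false   # $false = dry run via -WhatIf; set $true in the maintenance window

# 1. Select targets: enabled users inactive for 90 days, limited to one OU.
$targets = @(Search-ADAccount -AccountInactive -UsersOnly -TimeSpan '90.00:00:00' -SearchBase $SearchBase |
    Where-Object { $_.Enabled })
if ($targets.Count -eq 0) { Write-Host 'No enabled stale users found.'; return }

# 2. Export current state first. This CSV is the rollback record.
#    ObjectGUID is kept because it stays valid if an object is later moved or renamed.
$targets |
    Select-Object Name, SamAccountName, ObjectGUID, DistinguishedName, Enabled, LastLogonDate |
    Export-Csv -Path $Snapshot -NoTypeInformation
Write-Host "Saved $($targets.Count) accounts to $Snapshot"

# 3. Apply the change, or only preview it when $Commit is $false.
$failed = [System.Collections.Generic.List[string]]::new()
foreach ($user in $targets) {
    try {
        Disable-ADAccount -Identity $user.ObjectGUID -WhatIf:(-not $Commit) -ErrorAction Stop
    } catch {
        Write-Warning "Failed: $($user.SamAccountName): $($_.Exception.Message)"
        $failed.Add($user.SamAccountName)
    }
}

# 4. After a real run, confirm nothing recorded in the snapshot is still enabled.
if ($Commit) {
    $stillEnabled = @(Import-Csv $Snapshot |
        ForEach-Object { Get-ADUser -Identity $_.ObjectGUID } |
        Where-Object { $_.Enabled })
    Write-Host "Still enabled: $($stillEnabled.Count); failed: $($failed.Count)"
}

# Rollback: re-enable exactly the accounts recorded in the snapshot.
# Import-Csv $Snapshot | ForEach-Object { Enable-ADAccount -Identity $_.ObjectGUID }
```

Run it once with $Commit left at $false and review the "What if:" lines and the CSV before switching it to $true.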
Where this page fits in the cluster
- Active Directory PowerShell One-Liners: User, Group and Computer Admin is the main explainer and overview page.
- How to Bulk Create Active Directory Users with PowerShell and CSV is the step-by-step guide for repeatable onboarding.

