Creating and Modifying Users, Groups, and Computers
Active Directory is not only a directory of information—it is a living system that administrators must update continuously. New employees join the organization, groups evolve to reflect changing responsibilities, and computers are added, retired, or reconfigured. PowerShell provides a structured, predictable, and scriptable way to perform these operations, ensuring consistency and reducing the risk of human error.
This section explains how to create and modify the most common AD object types—users, groups, and computers—using the Active Directory module. The goal is to give you a clear understanding of how these cmdlets behave, how to supply the required attributes, and how to manage objects safely in a production environment.
1. Creating and Managing AD Users
User accounts represent individuals or service identities within the domain. PowerShell exposes the New-ADUser and Set-ADUser cmdlets for creating and updating them, and Enable-ADAccount/Disable-ADAccount for controlling whether the account can log on.
1.1 Creating a New User
Creating a user requires specifying at least a display name and the security principal's logon name (SamAccountName). In most organizations, additional attributes such as department, email, or office location are also required.
Example: creating a basic user
$password = Read-Host "Enter password" -AsSecureString
New-ADUser `
-Name "Enrico Rossi" `
-GivenName "Enrico" `
-Surname "Rossi" `
-SamAccountName "enrico.rossi" `
-UserPrincipalName "enrico.rossi@contoso.com" `
-AccountPassword $password `
-Enabled $true
This command:
- Creates a new user object
- Assigns a secure password
- Enables the account immediately
- Sets the user’s identity attributes
The user is created in the default Users container unless you specify a different OU.
Creating a user in a specific OU
New-ADUser -Name "John Doe" -SamAccountName "jdoe" `
-Path "OU=Sales,DC=contoso,DC=com"
The -Path parameter ensures the user is placed in the correct organizational unit.
1.2 Modifying Existing Users
Once a user exists, you can update any of their attributes using Set-ADUser.
Updating user attributes
Set-ADUser -Identity "enrico.rossi" -Department "IT" -Office "Tokyo"
This updates the user’s department and office attributes.
Setting or resetting a password
# $password is the SecureString read earlier. -Reset performs an administrative reset
# (no old password required); without it the cmdlet prompts for the current password.
Set-ADAccountPassword -Identity "enrico.rossi" -Reset -NewPassword $password
Enabling or disabling a user
# The ActiveDirectory module has no Disable-ADUser/Enable-ADUser; the account cmdlets
# work on users, computers, and service accounts alike.
Disable-ADAccount -Identity "jdoe"
Enable-ADAccount -Identity "jdoe"
Disabling accounts is a common practice when employees leave the organization.
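The commands in section 1 can be combined into a single offboarding step that a help desk can run safely. The following function is an added example, not code from the original page: it disables the account, replaces the password with a random value so nobody who knew the old one can still use it, records the reason and date in the description, strips direct group memberships, and moves the object out of the production OU. It assumes the ActiveDirectory module is loaded and that `OU=DisabledUsers,DC=contoso,DC=com` exists; that OU name, the function name, and the `-Ticket` parameter are placeholders chosen for the example.

```powershell
# Added example: offboard a user with the cmdlets from section 1.
# Assumptions: ActiveDirectory module loaded; the target OU below exists (placeholder DN).
function Disable-EmployeeAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOU = 'OU=DisabledUsers,DC=contoso,DC=com',   # placeholder
        [string] $Ticket = 'no-ticket'                                  # HR/ticket reference to record
    )

    # Description and MemberOf are not returned by default, so request them explicitly.
    $user = Get-ADUser -Identity $SamAccountName -Properties Description, MemberOf -ErrorAction Stop

    # Build a random password from a CSPRNG; Base64 of 32 bytes meets default complexity rules.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, reset password, remove groups, move')) {
        Disable-ADAccount -Identity $user
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

        # Keep the reason and date on the object itself so they survive without a separate log.
        $stamp = "Disabled {0:yyyy-MM-dd} ({1}); was: {2}" -f (Get-Date), $Ticket, $user.Description
        Set-ADUser -Identity $user -Description $stamp

        # Remove direct group memberships. The primary group (Domain Users) is not in MemberOf
        # and stays, which is what we want for a disabled account.
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }

        # Move last: the DN is still valid at this point, and the earlier calls used the object.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }
}

# Preview with -WhatIf first, then run for real:
# Disable-EmployeeAccount -SamAccountName 'jdoe' -Ticket 'HR-1234' -WhatIf
# Disable-EmployeeAccount -SamAccountName 'jdoe' -Ticket 'HR-1234'
```

Because the function declares `SupportsShouldProcess`, `-WhatIf` and `-Confirm` flow through to every AD cmdlet it calls, so the whole sequence can be rehearsed against a real account without changing anything.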
2. Creating and Managing AD Groups
Groups are essential for assigning permissions and managing access. PowerShell provides New-ADGroup, Set-ADGroup, and membership cmdlets such as Add-ADGroupMember.
2.1 Creating a New Group
Groups can be security groups (used for permissions) or distribution groups (used for email lists).
Example: creating a security group
New-ADGroup `
-Name "Helpdesk" `
-SamAccountName "Helpdesk" `
-GroupScope Global `
-GroupCategory Security `
-Path "OU=Groups,DC=contoso,DC=com"
This creates a global security group in the Groups OU.
2.2 Modifying Groups
Updating group attributes
Set-ADGroup -Identity "Helpdesk" -Description "Tier 1 support team"
Adding members to a group
Add-ADGroupMember -Identity "Helpdesk" -Members "jdoe","enrico.rossi"
Removing members
Remove-ADGroupMember -Identity "Helpdesk" -Members "jdoe" -Confirm:$false
Retrieving group membership
Get-ADGroupMember -Identity "Helpdesk"
This returns users, groups, and service accounts that belong to the group.
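Adding and removing members one call at a time works for ad-hoc changes, but a group whose membership is defined elsewhere (an HR list, a ticket) is easier to keep correct when the script computes the difference between the desired and the current membership and applies only that. The block below is an added example, not code from the original page; the function names are placeholders, and it assumes the ActiveDirectory module is loaded. The second function goes one step beyond section 2.2 by using `-Recursive` to expand nested groups, which is how you audit who can actually use a privileged group.

```powershell
# Added example: declarative group membership and a nested-membership audit.
# Assumptions: ActiveDirectory module loaded; members are identified by SamAccountName.
function Sync-ADGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $DesiredMembers   # SamAccountNames that should be the only direct members
    )

    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    # Direct members only (no -Recursive): nested groups are reconciled as their own objects.
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)

    $toAdd    = @($DesiredMembers | Where-Object { $_ -notin $current })
    $toRemove = @($current        | Where-Object { $_ -notin $DesiredMembers })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($group.Name, "Add: $($toAdd -join ', ')")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($group.Name, "Remove: $($toRemove -join ', ')")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }

    # Return what changed so the caller can log it; with -WhatIf this is the planned change.
    [pscustomobject]@{ Group = $group.Name; Added = $toAdd; Removed = $toRemove }
}

function Get-ADGroupEffectiveUsers {
    param([Parameter(Mandatory)] [string] $GroupName)
    # -Recursive expands nested groups and returns only the leaf principals, so this shows
    # every user who inherits the group's rights, not just the names listed directly.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate
}

# Usage:
# Sync-ADGroupMembership -GroupName 'Helpdesk' -DesiredMembers 'jdoe','enrico.rossi' -WhatIf
# Get-ADGroupEffectiveUsers -GroupName 'Domain Admins' | Format-Table
```

Get-ADGroupMember enumerates members on the domain controller and by default refuses groups with more than 5,000 members; for very large groups read the `Member` attribute with `Get-ADGroup -Properties Member` instead. The audit function is also a useful periodic check: disabled or long-idle accounts that still sit in a privileged group are exactly the ones offboarding should have removed.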
3. Creating and Managing AD Computer Objects
Computer objects represent domain-joined machines. They store information such as the machine's name, operating system, and last logon time.
3.1 Creating a Computer Object
Computer objects are often created automatically when a machine joins the domain, but administrators sometimes pre-stage them.
Example: creating a computer object
New-ADComputer `
-Name "PC-01" `
-SamAccountName 'PC-01$' `   # single quotes keep the trailing $ literal; New-ADComputer would also derive this from -Name
-Path "OU=Workstations,DC=contoso,DC=com"
Pre-staging ensures the computer is placed in the correct OU before it joins the domain.
3.2 Modifying Computer Objects
Updating computer attributes
Set-ADComputer -Identity "PC-01" -Description "Marketing workstation"
Moving a computer to a different OU
Move-ADObject `
-Identity "CN=PC-01,OU=Workstations,DC=contoso,DC=com" `
-TargetPath "OU=Marketing,DC=contoso,DC=com"
This is common when reorganizing departments or applying different Group Policies.
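The last-logon information mentioned in section 3, together with Set-ADComputer and Move-ADObject, is enough to build a routine cleanup of machines that have stopped talking to the domain. The following is an added example and not code from the original page; the function name and both OU distinguished names are placeholders, and it assumes the ActiveDirectory module is loaded.

```powershell
# Added example: disable and quarantine computer objects that have not logged on recently.
# Assumptions: ActiveDirectory module loaded; both OUs below exist (placeholder DNs).
function Invoke-StaleComputerCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]    $InactiveDays = 90,
        [string] $SearchBase   = 'OU=Workstations,DC=contoso,DC=com',       # placeholder
        [string] $TargetOU     = 'OU=DisabledComputers,DC=contoso,DC=com'   # placeholder
    )

    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # LastLogonDate is the replicated lastLogonTimestamp, which lags real logons by up to
    # 14 days; that is acceptable for a 90-day threshold. Objects that never logged on have
    # no LastLogonDate and are deliberately not matched by "-lt".
    $stale = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
                 -SearchBase $SearchBase -Properties LastLogonDate, Description

    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable and move (last logon $($c.LastLogonDate))")) {
            Disable-ADAccount -Identity $c
            # Record when and why on the object, as in the user offboarding case.
            $stamp = "Disabled {0:yyyy-MM-dd}; stale since {1:yyyy-MM-dd}" -f (Get-Date), $c.LastLogonDate
            Set-ADComputer -Identity $c -Description $stamp
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $TargetOU
        }
    }

    # Return the affected computers; with -WhatIf this is the list that would be touched.
    $stale | Select-Object Name, LastLogonDate
}

# Usage:
# Invoke-StaleComputerCleanup -InactiveDays 90 -WhatIf
# Invoke-StaleComputerCleanup -InactiveDays 90
```

Disabling first and moving second keeps the object (and its SID) available for a few weeks in case the machine was simply offline, while the separate OU lets a stricter Group Policy apply to it; deletion is a later, deliberate step.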
4. Practical Administrative Scenarios
Creating a new employee account with group membership
$password = Read-Host "Enter password" -AsSecureString
New-ADUser `
-Name "Alice Kim" `
-SamAccountName "alice.kim" `
-UserPrincipalName "alice.kim@contoso.com" `
-AccountPassword $password `
-Enabled $true `
-Path "OU=Employees,DC=contoso,DC=com"
Add-ADGroupMember -Identity "Employees" -Members "alice.kim"
Bulk-creating users from a CSV file
$users = Import-Csv "C:\NewUsers.csv"
foreach ($u in $users) {
New-ADUser `
-Name $u.Name `
-SamAccountName $u.SamAccountName `
-UserPrincipalName $u.UserPrincipalName `
# A Password column means initial passwords sit in clear text in the CSV; restrict and delete the file afterwards.
-AccountPassword (ConvertTo-SecureString $u.Password -AsPlainText -Force) `
-Enabled $true `
-Path $u.OU
}
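The simple loop above does the job, but a production import should not carry passwords in the CSV, should not abort halfway through the file on the first error, and should tell you what it would do before it does it. The following is an added example, not code from the original page: it reads a CSV without a Password column (the columns listed in the comment are assumed for this example), generates a random initial password per user with a cryptographic RNG, forces a change at first logon, skips rows that are incomplete or already exist, and reports one result object per row. The function names are placeholders and the ActiveDirectory module is assumed to be loaded.

```powershell
# Added example: hardened bulk user creation.
# Assumed CSV columns (constructed for this example):
#   Name,GivenName,Surname,SamAccountName,UserPrincipalName,OU
# No Password column: one random password is generated per user below.

function New-RandomPassword {
    param([int] $Length = 20)
    # 64 characters (ambiguous I, O, i, l, 0, 1 removed): 256 % 64 == 0, so mapping bytes
    # with modulo introduces no bias.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnopqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Import-NewUsers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string] $CsvPath)

    $results = foreach ($u in Import-Csv -Path $CsvPath) {
        # Validate the row before touching the directory.
        $missing = @('Name', 'SamAccountName', 'UserPrincipalName', 'OU') | Where-Object { -not $u.$_ }
        if ($missing) {
            [pscustomobject]@{ User = $u.SamAccountName; Status = "Skipped: missing $($missing -join ',')"; InitialPassword = $null }
            continue
        }
        $exists = try { Get-ADUser -Identity $u.SamAccountName -ErrorAction Stop } catch { $null }
        if ($exists) {
            [pscustomobject]@{ User = $u.SamAccountName; Status = 'Skipped: already exists'; InitialPassword = $null }
            continue
        }
        if (-not (Get-ADOrganizationalUnit -Identity $u.OU -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ User = $u.SamAccountName; Status = "Skipped: OU not found $($u.OU)"; InitialPassword = $null }
            continue
        }

        # Never reuse "$pwd" as a name: it is PowerShell's automatic current-directory variable.
        $initialPassword = New-RandomPassword

        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Create in $($u.OU)")) {
            try {
                New-ADUser -Name $u.Name -GivenName $u.GivenName -Surname $u.Surname `
                    -SamAccountName $u.SamAccountName -UserPrincipalName $u.UserPrincipalName `
                    -AccountPassword (ConvertTo-SecureString $initialPassword -AsPlainText -Force) `
                    -ChangePasswordAtLogon $true -Enabled $true -Path $u.OU -ErrorAction Stop
                [pscustomobject]@{ User = $u.SamAccountName; Status = 'Created'; InitialPassword = $initialPassword }
            } catch {
                # Report and keep going; one bad row should not stop the rest of the import.
                [pscustomobject]@{ User = $u.SamAccountName; Status = "Failed: $($_.Exception.Message)"; InitialPassword = $null }
            }
        }
    }
    $results
}

# Usage:
# Import-NewUsers -CsvPath 'C:\NewUsers.csv' -WhatIf          # preview, nothing is created
# Import-NewUsers -CsvPath 'C:\NewUsers.csv' | Format-Table   # create and review per-row results
```

The returned InitialPassword is meant to be handed to the employee through a separate channel and then discarded; do not pipe the output to a log file or a shared location. Because ChangePasswordAtLogon is set, the generated value is only usable once anyway.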
Moving all disabled computers to a specific OU
Get-ADComputer -Filter "Enabled -eq 'False'" |
Move-ADObject -TargetPath "OU=DisabledComputers,DC=contoso,DC=com"
5. Summary
PowerShell provides a comprehensive and structured interface for creating and modifying Active Directory objects. With the AD module, you can:
- Create users with secure passwords and detailed attributes
- Modify user properties, reset passwords, and enable or disable accounts
- Create and manage security and distribution groups
- Add or remove group members with precision
- Pre-stage and update computer objects
- Automate large-scale identity operations using scripts and CSV imports
Mastering these cmdlets allows you to manage Active Directory efficiently, consistently, and safely—whether you are onboarding new employees, maintaining group memberships, or organizing computer objects across the domain.