Active Directory
- By Orin Thomas
- 2/25/2026
Managing AD DS with PowerShell
Many Active Directory administrative tasks are repetitive. If you’re likely to perform a task more than once, it’s better to script it in PowerShell than work your way through the appropriate wizard multiple times.
There are three PowerShell modules related to Active Directory. The Active Directory PowerShell module (Table 4-3) is the one you’re likely to use on a regular basis when managing Active Directory. The GroupPolicy module (Table 4-4) allows you to manage Group Policy from PowerShell. The ADDSDeployment module (Table 4-5) is the one you use when performing deployment tasks.
Active Directory module
As already mentioned, the Active Directory PowerShell module (see Table 4-3) is the one you’re likely to use regularly when managing Active Directory.
Table 4-3 Active Directory module cmdlets
| Noun | Verbs | Function |
|---|---|---|
| ADAccount | Unlock, Search, Enable, Disable | Allows you to find, unlock, enable, or disable a user, computer, or service account. |
| ADAccountAuthenticationPolicySilo | Set | Allows you to configure the authentication policy or authentication policy silo of an account. |
| ADAccountAuthorizationGroup | Get | Gets the security groups for a specified user, computer, or service account based on its token. Uses the global catalog to determine this information. |
| ADAccountControl | Set | Modifies the user account control values of an Active Directory user or computer account. |
| ADAccountExpiration | Set, Clear | Configure account expiration. |
| ADAccountPassword | Set | Configure the password of a user, computer, or service account. |
| ADAccountResultantPasswordReplicationPolicy | Get | Gets the password replication policy for a user, computer, or service account on a specific RODC. |
| ADAuthenticationPolicy | Set, Remove, New, Get | Manipulate the properties of the AD DS authentication policy. |
| ADAuthenticationPolicyExpression | Show | Displays Edit Access Control Conditions, Windows Update, or SDDL security descriptors. |
| ADAuthenticationPolicySilo | New, Remove, Get, Set | Manipulate Active Directory Domain Services authentication policy silos. |
| ADAuthenticationPolicySiloAccess | Revoke, Grant | Manage membership of authentication policy silos. |
| ADCentralAccessPolicy | Remove, Get, Set, New | Manage central access rules and policies. |
| ADCentralAccessPolicyMember | Remove, Add | Add and remove rules from a central access policy. |
| ADCentralAccessRule | New, Set, Remove, Get | Manage central access rules. |
| ADClaimTransformLink | Set, Clear, Remove | Manage the claims transforms applied to one or more cross-forest trust relationships. |
| ADClaimTransformPolicy | New, Set, Get | Manage claim transformation policy objects from Active Directory. |
| ADClaimType | New, Get, Remove, Set | Manage Active Directory claim types. |
| ADComputer | Remove, New, Set, Get | Manage Active Directory computer accounts. |
| ADComputerServiceAccount | Remove, Add, Get | Add service accounts from Active Directory to a local computer. |
| ADDCCloneConfigFile | New | Generates a clone configuration file for a domain controller. |
| ADDCCloningExcludedApplicationList | Get | Manage which Active Directory applications are excluded when cloning the configuration of a domain controller. |
| ADDefaultDomainPasswordPolicy | Set, Get | Manage the default password policy for a domain. |
| ADDirectoryServer | Move | Use this cmdlet to move a DC to another AD site. |
| ADDirectoryServerOperationMasterRole | Move | Move an operations master role to another computer. |
| ADDomain | Set, Get | View and manage the properties of a domain. |
| ADDomainController | Get | View the properties of a domain controller. |
| ADDomainControllerPasswordReplicationPolicy | Remove, Get, Add | Manage which accounts can be replicated to an RODC. |
| ADDomainMode | Set | Set the domain functional level. |
| ADFineGrainedPasswordPolicy | Remove, Get, Set, New | Manage AD fine-grained password policy. |
| ADFineGrainedPasswordPolicySubject | Get, Remove, Add | Manage the application of fine-grained password policies. |
| ADForest | Set, Get | Manage forest properties. |
| ADForestMode | Set | Configure the forest functional level. |
| ADGroup | Get, Set, Remove, New | Manage AD groups. |
| ADGroupMember | Get, Remove, Add | Manage AD group membership. |
| ADObject | Get, Restore, Rename, Set, Move, Remove, Sync, New | Manage AD objects. |
| ADOptionalFeature | Disable, Get, Enable | Configure AD optional features. |
| ADOrganizationalUnit | Set, Get, New, Remove | Manage AD OUs. |
| ADPrincipalGroupMembership | Remove, Add, Get | Manage group membership on the basis of the user account. |
| ADReplicationAttributeMetadata | Get | View replication metadata for AD object attributes. |
| ADReplicationConnection | Get, Set | Manage the properties of an AD replication connection. |
| ADReplicationFailure | Get | View information about AD replication failure. |
| ADReplicationPartnerMetadata | Get | View information about AD replication partners. |
| ADReplicationQueueOperation | Get | View all operations in the AD replication queue. |
| ADReplicationSite | Set, Get, Remove, New | Manage AD replication sites. |
| ADReplicationSiteLink | Set, New, Get, Remove | Manage AD replication site links. |
| ADReplicationSiteLinkBridge | Get, Remove, New, Set | Manage AD replication site link bridges. |
| ADReplicationSubnet | New, Get, Set, Remove | Manage AD replication subnets. |
| ADReplicationUpToDatenessVectorTable | Get | Displays Update Sequence Numbers (USNs) for domain controllers. |
| ADResourceProperty | Set, New, Remove, Get | Manage Active Directory resource properties. |
| ADResourcePropertyList | Remove, Set, New, Get | Manage Active Directory resource property lists. |
| ADResourcePropertyListMember | Remove, Add | Add and remove resource properties from an Active Directory resource property list. |
| ADResourcePropertyValueType | Get | View a resource property value type. |
| ADRootDSE | Get | View the root of a Directory Server information tree. |
| ADServiceAccount | Get, Test, Set, Install, New, Remove, Uninstall | Manage the AD Managed Service Account. |
| ADServiceAccountPassword | Reset | Reset the AD Managed Service Account password. |
| ADTrust | Get | View the properties of an AD Trust. |
| ADUser | New, Set, Get, Remove | Manage an Active Directory user. |
| ADUserResultantPasswordPolicy | Get | Use this cmdlet to determine the resultant password policy for an account that has multiple fine-grained password policies applied to it. |
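
Each row of Table 4-3 becomes a cmdlet name by joining a verb and the noun as Verb-Noun (for example, Search-ADAccount). The following script is an added example, not code from the book: it combines several of those cmdlets into a repeatable stale-account review, and the 90-day threshold and report columns are assumptions chosen for illustration.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module (RSAT)
# and an account that can read user objects in the domain.
Import-Module ActiveDirectory

$inactiveFor = New-TimeSpan -Days 90   # assumed review threshold

# Verb "Search" + noun "ADAccount" -> Search-ADAccount.
# The inactivity test relies on a logon timestamp that replicates with a lag
# of up to about two weeks, so treat borderline results as candidates only.
$stale = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly |
    Where-Object { $_.Enabled }

$domainPolicy = Get-ADDefaultDomainPasswordPolicy

$report = foreach ($account in $stale) {
    # Returns nothing when no fine-grained password policy applies to the
    # user; in that case the default domain password policy is in effect.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $account.SamAccountName

    [pscustomobject]@{
        SamAccountName       = $account.SamAccountName
        LastLogonDate        = $account.LastLogonDate
        PasswordNeverExpires = $account.PasswordNeverExpires
        PasswordPolicy       = if ($fgpp) { $fgpp.Name } else { 'Default domain policy' }
        MinPasswordLength    = if ($fgpp) { $fgpp.MinPasswordLength }
                               else { $domainPolicy.MinPasswordLength }
    }
}

$report | Sort-Object LastLogonDate | Format-Table -AutoSize

# Preview only: -WhatIf lists the accounts that would be disabled without
# changing them. Remove it once the report has been reviewed.
$stale | Disable-ADAccount -WhatIf
```

Service accounts and break-glass accounts often appear in this list legitimately, so review the report before removing -WhatIf.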
Group Policy module
As mentioned earlier, the GroupPolicy module (see Table 4-4) allows you to manage Group Policy from PowerShell.
Table 4-4 Group Policy module cmdlets
| Noun | Verbs | Function |
|---|---|---|
| GPInheritance | Get, Set | View and manage which GPOs are applied and whether inheritance is blocked. |
| GPLink | Remove, New, Set | Manage whether a GPO is linked. |
| GPO | Restore, Import, New, Remove, Rename, Backup, Get, Copy | Manage GPOs, including backup, restore, and copy. |
| GPOReport | Get | Generate a report on a GPO. |
| GPPermission | Set, Get | Manage permissions on policies. |
| GPPrefRegistryValue | Remove, Set, Get | Manage registry-based policy preference settings. Microsoft maintains spreadsheets that map Group Policy settings to registry settings. To use this cmdlet to set registry settings, you need to consult the spreadsheet. |
| GPRegistryValue | Remove, Get, Set | Manage registry-based policy settings. |
| GPResultantSetOfPolicy | Get | View the resultant set of policy information. |
| GPStarterGPO | New, Get | Manage the starter GPO. |
| GPUpdate | Invoke | Triggers a Group Policy update. |
ADDSDeployment module
As previously mentioned, you use the ADDSDeployment module (see Table 4-5) when performing deployment tasks.
Table 4-5 ADDSDeployment module cmdlets
| Noun | Verbs | Function |
|---|---|---|
| ADDSDomain | Install | Installs a new Active Directory Domain Services domain. |
| ADDSDomainController | Install, Uninstall | Use to add or remove a domain controller. |
| ADDSDomainControllerInstallation | Test | Runs a prerequisite check prior to installing a domain controller. |
| ADDSDomainControllerUninstallation | Test | Runs a prerequisite check prior to removing a domain controller. |
| ADDSDomainInstallation | Test | Checks the prerequisites for a new Active Directory Domain Services domain. |
| ADDSForest | Install | Allows you to install a new Active Directory Forest configuration. |
| ADDSForestInstallation | Test | Allows you to perform a prerequisite check prior to performing an Active Directory forest installation. |
| ADDSReadOnlyDomainControllerAccount | Add | Use this cmdlet to create an RODC account in the AD DS database. |
| ADDSReadOnlyDomainControllerAccountCreation | Test | Allows you to check that the necessary prerequisites are in place before you create an RODC account. |
