What we’re going to do for the next while is show you how you can manage Active Directory in Powershell.   I’m not going to go “deep dive”, but I AM going to at least show you the basics.  There are generally three common methods: using the [ADSI] Accelerator within Powershell V1, using the Quest ActiveRoles Management add-on, or using the new Active Directory Module in Server 2008 R2.

The [ADSI] method I personally find to be the most complex BUT also the most compatible.   It requires no third party software and uses native features you can leverage in Active Directory.

Using Quest ActiveRoles I find is the easiest of the three, but because it’s a third party solution you may have a harder time convincing management to implement it into the environment (even if it IS free).

The third is the Server 2008 R2 Active Directory Module.   This is built in if you have a Server 2008 R2 computer as at least ONE of your domain controllers, and it will involve a change to your Active Directory schema.  It is not as EASY as Quest but is FAR easier than the [ADSI] Accelerator.  Plus it’s a native component of the Microsoft environment and part of the built in management tools.  Once it’s implemented, you don’t really need to sell it to anybody.


So let’s start with a new user.   We’re going to assume a domain of “CONTOSO.LOCAL” and a user whose name is “John Smith” (Sorry John, I know we’re abusing your name and you should be getting royalties for it, but I was lazy … )


In all cases the username will take the format “John.Smith”, and the account is created disabled in A/D, in the default Users container, with no assigned password.


Using [ADSI] Accelerator



$ADSI = [ADSI]"LDAP://CN=Users,DC=contoso,DC=local"   # the container we bind to and create the object in
$User = $ADSI.Create("user", "CN=John Smith")          # object class and the relative DN (CN) of the new user
$User.Put("sAMAccountName", "John.Smith")              # logon name in the John.Smith format
$User.SetInfo()                                        # commit to AD; the new object is created disabled


With the [ADSI] Accelerator there is a lot of power going on here, but it is VERY daunting for even seasoned Admins.  But it does NOT require any change to your infrastructure.  Just Powershell.


Using Quest Active Roles



$NEWUSERNAME = "John.Smith"   # both the CN (-Name) and the logon name
New-QADUser -Name $NEWUSERNAME -ParentContainer 'CN=Users,DC=contoso,DC=local' -SamAccountName $NEWUSERNAME


Definitely not quite as daunting as the [ADSI] method.  But it requires Quest ActiveRoles to be installed to use it.   Still, EASE of use has increased!


Using Active Directory Server 2008 R2

$NEWUSERNAME = "John.Smith"   # -Name is the first positional parameter; SamAccountName defaults to it
New-ADUser $NEWUSERNAME -Path 'CN=Users,DC=contoso,DC=local'


Pretty simple, AND a small but nice feature in the Server 2008 R2 cmdlets: you don’t have to specify the SAM account name (it is picked up by default), AND if I DON’T specify the path to create the object in, it will DEFAULT to the default “Users” container in your Active Directory.


In all cases, this user does not have the UPN (ID@domain.com) defined, an email address, or various other details.  It is also a disabled object in Active Directory.    But with Powershell, in all cases, we can set this information very easily.   We’ll look at that next time for all three methods.
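To make the “created disabled with no password” state above visible, here is an added example (not code from the original post) that wraps the [ADSI] method in a function, checks first that the sAMAccountName is not already taken anywhere in the domain, creates the user, and then reads back and decodes userAccountControl. It assumes the CONTOSO.LOCAL domain from the post, a reachable domain controller, and rights to create objects in CN=Users; the function name is made up for this example.

```powershell
# Added example, not part of the original post. Assumes domain CONTOSO.LOCAL,
# a reachable DC, and permission to create user objects in CN=Users.
function New-AdsiDisabledUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$ContainerPath = 'LDAP://CN=Users,DC=contoso,DC=local',
        [string]$DomainPath    = 'LDAP://DC=contoso,DC=local'
    )
    $sam = "$GivenName.$Surname"      # post's convention, e.g. John.Smith
    $cn  = "$GivenName $Surname"      # e.g. John Smith

    # CN only has to be unique inside the container, but sAMAccountName must be
    # unique across the whole domain, so search the domain root before creating.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$DomainPath
    $searcher.Filter = "(sAMAccountName=$sam)"
    if ($searcher.FindOne()) { throw "sAMAccountName '$sam' already exists in the domain" }

    $container = [ADSI]$ContainerPath
    $user = $container.Create('user', "CN=$cn")
    $user.Put('sAMAccountName', $sam)
    $user.Put('givenName', $GivenName)
    $user.Put('sn', $Surname)
    $user.SetInfo()                    # commit; AD creates the object disabled

    # Read the committed attributes back and decode the userAccountControl bits.
    # A user created this way with no password normally carries
    # ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT (0x222). PASSWD_NOTREQD is
    # the bit to clear once a password is set, or the account could later be
    # enabled with a blank password.
    $user.RefreshCache()
    $uac = [int]$user.Properties['userAccountControl'].Value
    [pscustomobject]@{
        DistinguishedName   = $user.Properties['distinguishedName'].Value
        SamAccountName      = $sam
        UserAccountControl  = ('0x{0:X}' -f $uac)
        Disabled            = [bool]($uac -band 0x0002)   # ACCOUNTDISABLE
        PasswordNotRequired = [bool]($uac -band 0x0020)   # PASSWD_NOTREQD
        NormalAccount       = [bool]($uac -band 0x0200)   # NORMAL_ACCOUNT
    }
}

# Creates CN=John Smith in CN=Users and shows that it is disabled.
New-AdsiDisabledUser -GivenName 'John' -Surname 'Smith'
```

Run it once for a given name; a second run stops at the uniqueness check instead of failing inside SetInfo().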


Powershell: It’s so Easy and it’s FREE!

The Energized Tech