Category Archives: User Management

Create a user


This script creates a new AD user. It does the following:

  • displays a GUI form to collect information about the user
  • determines the username based on company standards
  • sets some AD and profile/home folder information based on the location of the user
  • sets the default AD groups
  • creates a mailbox for the user
  • creates home folders and profile folders
  • creates a welcome note for the user, based on the user's information


Get Lockedout events from the security eventlog from the PDC


Script to get locked-out events from the Security event log on the PDC.


Copy the users from a ADgroup to another ADgroup


To copy the users from one AD group to another, or to duplicate the contents of a group, use the cmdlet Add-ADGroupMember.

You cannot pipe the output of Get-ADGroupMember to this cmdlet, as it does not accept pipeline input for the members. You can check this in the help of the command.

For this to work correctly you must store the output of Get-ADGroupMember in a variable and pass that variable to Add-ADGroupMember.

These two commands are:
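
An added example of this approach, not the author's original commands: it stores the source members in a variable, skips principals that are already in the target, and previews the change with `-WhatIf` so the resulting access can be reviewed first. The group names are assumed placeholders.

```powershell
Import-Module ActiveDirectory

# Assumed placeholder group names; replace with your own.
$SourceGroup = 'GG_Sales_Old'
$TargetGroup = 'GG_Sales_New'

# Add-ADGroupMember does not take members from the pipeline,
# so collect them in a variable first.
$members = @(Get-ADGroupMember -Identity $SourceGroup)

# Principals already in the target group; adding them again would raise an error.
$existing = @(Get-ADGroupMember -Identity $TargetGroup |
    ForEach-Object { $_.distinguishedName })

$toAdd = @($members | Where-Object { $existing -notcontains $_.distinguishedName })

if ($toAdd.Count -gt 0) {
    # Review who is about to receive the target group's access.
    $toAdd | Select-Object name, objectClass, distinguishedName | Format-Table -AutoSize

    # -WhatIf only previews the change; remove it to apply.
    Add-ADGroupMember -Identity $TargetGroup -Members $toAdd -WhatIf
} else {
    Write-Output "No new members to copy from $SourceGroup to $TargetGroup."
}
```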



Get folder permissions recursive


To view which user or group has access to a folder structure you must check this per folder.

Fortunately PowerShell has (of course) the option to check a folder structure recursively and write the result to a text file. The one-liner for this is:

You can use the Get-Acl command to display the effective permissions on a folder. This cmdlet does not have an option to go through the entire folder structure recursively. Get-ChildItem has this option, and when you pipe it through Get-Acl you get the list you want.

The where-object {($_.PsIsContainer)} is used to only display folders and not files.
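
An added example of the approach described above (not the author's one-liner): it walks the folder tree with Get-ChildItem, keeps only folders, and writes one row per access entry, so inherited and explicit permissions can be told apart. `$Root` and `$Report` are assumed paths, and the report is written as CSV rather than plain text.

```powershell
# Assumed paths; replace with the share to audit and the report location.
$Root   = '\\fileserver\share\Projects'
$Report = 'C:\Temp\FolderPermissions.csv'

Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PsIsContainer } |      # folders only, not files
    ForEach-Object {
        $folder = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop
        } catch {
            # Keep unreadable folders in the report instead of dropping them silently.
            [pscustomobject]@{
                Folder    = $folder
                Identity  = '<ACL not readable>'
                Rights    = $_.Exception.Message
                Type      = ''
                Inherited = ''
            }
            return   # continue with the next folder
        }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Folder    = $folder
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    } |
    Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
```

Filtering the report on `Inherited` equal to `False` shows the folders where permissions were set explicitly, which is usually where a review should start.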

Workflow to create a new AD group and add a user to the group


Here are the commands for a workflow to create a new AD group and add a user to the group.

Nothing fancy but saves you the time to find the command next time.. 🙂


List AD group membership readable


If you want to get a list of all the AD groups a user is a member of, you can use

This will give you an overview of the groups the user is a member of. It is, however, not easy to read. To get a list, use Get-ADPrincipalGroupMembership. This will give you a list with one group name per line.



To view the hierarchical structure:


Note that the last result does not display the domain users.

Powershell: Get users last logon date from AD


The lastLogon time is kept on every domain controller in the AD. So, if you want to find out the last logon time and date of a user, you have to check all the domain controllers.

When you check all the properties of a user using:

You get a lot of information. The most important are:

lastLogon : 130709985039216673
LastLogonDate : 12-3-2015 09:08:56
lastLogonTimestamp : 130706213360820511

The LastLogonDate is the one that is kept on the domain controller and is not replicated to other domain controllers.

The LastLogonTimestamp is the one you need. It is stored in a format we cannot read directly, but we can convert it to a normal readable value.

First we need to put this into a variable so we can extract the value later.

Next we use [datetime]::FromFileTime. This converts the unreadable number to a normal format. We pass it only the value of the variable.

And voilà, the correct format is displayed:

donderdag 12 maart 2015 09:08:56
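
An added example for this post (not the author's code): it reads the per-DC `lastLogon` value from every domain controller, as the first paragraph describes, keeps the newest one, and converts both it and `lastLogonTimestamp` with `[datetime]::FromFileTime`. The function name `Get-TrueLastLogon` and the sample account name are assumptions.

```powershell
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$Identity)

    $latest = [long]0
    $source = $null

    # lastLogon is kept on each domain controller, so ask every one of them.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties lastLogon -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        if ($u.lastLogon -gt $latest) {
            $latest = $u.lastLogon
            $source = $dc.HostName
        }
    }

    # lastLogonTimestamp as seen from the default domain controller.
    $stamp = (Get-ADUser -Identity $Identity -Properties lastLogonTimestamp).lastLogonTimestamp

    [pscustomobject]@{
        User               = $Identity
        LastLogon          = if ($latest -gt 0) { [datetime]::FromFileTime($latest) } else { $null }
        ReportedBy         = $source
        LastLogonTimestamp = if ($stamp) { [datetime]::FromFileTime($stamp) } else { $null }
    }
}

# Assumed sample account name.
Get-TrueLastLogon -Identity 'jdoe'
```

An empty `LastLogon` in the result means no domain controller has recorded a logon for the account, which is worth checking before treating the account as stale.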


Use powershell to reset password and unlock account


A neat script that lets you choose the user's OU in the AD, select the user, and then choose what to do: reset the password or unlock the user's account.

The script uses Out-GridView with the -PassThru parameter to ask for your input.


Blog for MVA: Using PowerShell for Active Directory


Go to the Microsoft Virtual Academy and follow the course “Using PowerShell for Active Directory” with Jason Helmick and Ashley McGlone (GoateePFE).

The blog of this session and the session itself are available online.

It is a great blog with lots of code on PowerShell and Active Directory.

Some topics that are addressed are:

  • Users and Groups
  • Querying
  • Forensics
  • Recovery

Use Powershell for presenting all AD users to HR


Use this script to automatically send an email to the HR department with an HTML file of the users in the AD.

You can specify different blocks of users based on the company name (internal and external users like contractors) and users with special rights like administrators or helpdesk staff.

Schedule this PowerShell script on a domain controller or a management workstation.


Archive-User function – Clean up a user from AD and Exchange


(Updated version as a function. Some error handling will follow later.)

PowerShell function for cleaning up an AD user and Exchange account. This can be used, for example, when a user leaves the company.

The information, files and mail from the user are placed in an archive folder on the network. After this has been done, the user is cleaned from the network.

Use as: .\Archive-MWUser.ps1 -Mwusername avanboerum

Powershell unlock and reset AD account


Recently I found a nice script from Matt Schmit. This script gives you the choice to reset a user's password or unlock an account, and it has some nice error checking and a good structure.

Powershell unlock and reset AD account

Logoff disconnected users on RDS server with powershell


When you want to manually log off disconnected users from a Remote Desktop server, you can first query the server for those disconnected sessions and then log off those sessions.

Log off disconnected users on an RDS server with PowerShell:

Or, if the list is too long, you can query the disconnected sessions:

This script queries the RDS broker for sessions and displays a nice (grid view) form. In this form you can select a user to log off.

