
How to Manage Active Directory with PowerShell in 2026


Introduction

Active Directory remains the core of authentication in enterprise Windows environments. In 2026, PowerShell automation is essential for managing thousands of objects without human error. This tutorial guides you from remote connection to creating audit and delegation scripts. Each step includes ready-to-use scripts tested in production.

Prerequisites

  • Windows Server 2022 or Windows 11 with RSAT
  • PowerShell 7.4+
  • Domain Admin or delegated rights account
  • ActiveDirectory module installed
  • Network access to the domain controller

Installing the AD Module

install-module.ps1
# Installs the RSAT AD PowerShell feature (Windows Server; on Windows 11 the
# RSAT tools are installed as an optional feature via Add-WindowsCapability)
Install-WindowsFeature -Name RSAT-AD-PowerShell -IncludeAllSubFeature
# Load the module into the current session
Import-Module ActiveDirectory
# Show the loaded module and its version to confirm the import succeeded
Get-Module ActiveDirectory

These commands install the RSAT-AD-PowerShell feature, import the module and display the version that was loaded. Check the version after installation to avoid conflicts with older PowerShell versions.

Connecting to a Remote Domain

connect-ad.ps1
# Prompt for the account used on the domain controller (no password in the script)
$Cred = Get-Credential
# Open a remoting session to the domain controller
$Session = New-PSSession -ComputerName DC01 -Credential $Cred
# Enter-PSSession is interactive: the commands that follow run on DC01.
# In unattended scripts, use Invoke-Command -Session $Session { ... } instead.
Enter-PSSession $Session
# The module is loaded on the DC, not on the workstation
Import-Module ActiveDirectory

Use remote PowerShell sessions to avoid installing the module on every workstation. This enables centralized and secure management of domain controllers.

Bulk User Creation

create-users.ps1
# Expected CSV columns: Name, SamAccountName, UPN, OU, Password
$Users = Import-Csv -Path "C:\Scripts\users.csv"
foreach ($User in $Users) {
    # The Password column is read in plaintext (see Common Errors below);
    # the user is forced to change it at first logon.
    New-ADUser -Name $User.Name -SamAccountName $User.SamAccountName `
        -UserPrincipalName $User.UPN -Path $User.OU `
        -AccountPassword (ConvertTo-SecureString $User.Password -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $true
}

The script reads a CSV and creates users in the specified OU. Always validate the CSV before running and use -WhatIf to test.

Advanced Group Management

manage-groups.ps1
# Add two members to the group
Add-ADGroupMember -Identity "Groupe-Admin" -Members "user1","user2"
# List the current members (direct members only; use -Recursive for nested groups)
Get-ADGroupMember -Identity "Groupe-Admin" | Select-Object Name, SamAccountName
# Remove a member without the interactive confirmation prompt
Remove-ADGroupMember -Identity "Groupe-Admin" -Members "user1" -Confirm:$false

These commands allow adding, listing, and removing group members. Always use -Confirm:$false in automated scripts to prevent interactive prompts.

Connection and Object Auditing

audit-ad.ps1
# Accounts whose last logon is older than 90 days. The date comparison is
# passed in -Filter so it is evaluated by the domain controller instead of
# pulling every user and filtering locally. Accounts that have never logged
# on have no LastLogonDate and are not returned by this query.
$Cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $Cutoff} -Properties LastLogonDate |
    Select-Object Name, SamAccountName, LastLogonDate
# All user objects under a given OU
Get-ADObject -Filter {ObjectClass -eq "user"} -SearchBase "OU=Utilisateurs,DC=entreprise,DC=local"

This script identifies accounts inactive for 90 days. LastLogonDate is derived from the lastLogonTimestamp attribute, which is replicated with a lag of up to 14 days, so treat the cutoff as approximate. Combine the script with scheduled tasks to generate regular audit reports.

Best Practices

  • Always use remote sessions and limited credentials
  • Test every script with -WhatIf before actual execution
  • Version all scripts in Git
  • Limit rights via AD delegation instead of Domain Admin accounts
  • Log all changes with Start-Transcript

Common Errors to Avoid

  • Forgetting to import the ActiveDirectory module before running commands
  • Running unfiltered queries on large directories (risk of timeout)
  • Not handling errors with try/catch in production scripts
  • Using plaintext passwords in CSV files without encryption
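A hardened variant of create-users.ps1 that applies the practices and avoids the errors listed above (an added example, not the tutorial's own script): -WhatIf support through SupportsShouldProcess, try/catch per user, Start-Transcript logging, a CSV column check, and a randomly generated initial password instead of a plaintext Password column. It assumes the CSV columns Name, SamAccountName, UPN and OU from the original script; the log path and the New-InitialPassword helper are assumptions of this example.

```powershell
# Added example: hardened bulk user creation. Assumes a CSV with the columns
# Name, SamAccountName, UPN, OU and no Password column; the initial password
# is generated here and must be handed to the user out of band.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [string] $LogPath = "$env:TEMP\create-users-$(Get-Date -Format yyyyMMdd-HHmmss).log"
)

Import-Module ActiveDirectory -ErrorAction Stop
Start-Transcript -Path $LogPath | Out-Null   # every action and error is recorded

function New-InitialPassword {
    # 20 bytes from a cryptographic RNG, base64-encoded (28 chars), plus a
    # symbol so the value satisfies complexity rules needing all classes.
    $bytes = [byte[]]::new(20)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes) + '!')
}

$Users = Import-Csv -Path $CsvPath
$Required = 'Name', 'SamAccountName', 'UPN', 'OU'
$Missing = $Required | Where-Object { $_ -notin $Users[0].PSObject.Properties.Name }
if ($Missing) { Stop-Transcript | Out-Null; throw "CSV is missing column(s): $($Missing -join ', ')" }

foreach ($User in $Users) {
    try {
        # Throws if the target OU does not exist, before any object is created
        $null = Get-ADOrganizationalUnit -Identity $User.OU -ErrorAction Stop
        # Skip accounts that already exist instead of failing the whole run
        if (Get-ADUser -Filter "SamAccountName -eq '$($User.SamAccountName)'") {
            Write-Warning "Skipping $($User.SamAccountName): already exists"
            continue
        }
        # With -WhatIf, ShouldProcess prints the intended action and returns $false
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'Create AD user')) {
            $Secure = ConvertTo-SecureString (New-InitialPassword) -AsPlainText -Force
            New-ADUser -Name $User.Name -SamAccountName $User.SamAccountName `
                -UserPrincipalName $User.UPN -Path $User.OU `
                -AccountPassword $Secure -Enabled $true -ChangePasswordAtLogon $true `
                -ErrorAction Stop
            Write-Output "Created $($User.SamAccountName) in $($User.OU)"
        }
    }
    catch {
        # Logged by the transcript; the loop continues with the next row
        Write-Error "Failed for $($User.SamAccountName): $($_.Exception.Message)"
    }
}
Stop-Transcript | Out-Null
```

Saved as a .ps1 file, run it first with -CsvPath C:\Scripts\users.csv -WhatIf to review the planned creations before executing for real.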

Going Further

Deepen your knowledge of delegation and dynamic GPOs in our Learni training courses.