PowerShell Tutorial 17-24

The document discusses various tasks for managing computer objects and accounts in Active Directory using PowerShell, including creating, joining, renaming, resetting, disabling, and deleting computer accounts. It also covers creating and deleting security groups.

After script execution, we have two new users, Edward Franklin and Bill Jackson, in our Active Directory domain:

To create a computer object, use the New-ADComputer cmdlet. For example, run the following command to create a
computer object named "WKS932" in the default LDAP path:

New-ADComputer -Name "WKS932" -SamAccountName "WKS932"

If you have a list of computers that should be imported into Active Directory, save the list to a CSV file with
the heading “computer” and the list of computer names in the column below it. Run the following PowerShell
script on your domain controller to add computers from the CSV file, making sure you have the Path and File
variables set correctly:

$File = "C:\scripts\Computers.csv" # Specify the import CSV position.
$Path = "OU=Devices,DC=enterprise,DC=com" # Specify the path to the OU.
Import-Csv -Path $File | ForEach-Object { New-ADComputer -Name $_.Computer -Path $Path -Enabled $True }

2.2 Joining a Computer to a Domain and Removing a Computer from a Domain

Another common task is joining a computer to a domain. To join a PC to an Active Directory domain, run the
following PowerShell script locally on that PC:

$dc = "ENTERPRISE" # Specify the domain to join.
$pw = "Password123" | ConvertTo-SecureString -AsPlainText -Force # Specify the password for the domain admin.
$usr = "$dc\T.Simpson" # Specify the domain admin account.
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
Add-Computer -DomainName $dc -Credential $creds -Restart -Force -Verbose # Note that the computer will be restarted automatically.

The computer will restart and then join the domain; it will be added to the default container.

To join a computer to the domain remotely, extend the script as follows:

$dc = "ENTERPRISE"
$pw = "Password123" | ConvertTo-SecureString -AsPlainText -Force
$usr = "$dc\T.Simpson"
$pc = "R07GF" # Specify the computer that should be joined to the domain.
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
Add-Computer -ComputerName $pc -LocalCredential $pc\admin -DomainName $dc -Credential $creds -Verbose -Restart -Force

The $pc variable names the target computer, and the -LocalCredential parameter supplies a local administrator
account on it, which Add-Computer uses to connect to that computer (you will be prompted for its password); the
-Credential parameter supplies the domain account that performs the join. Note that for this method to work, the
firewall on the target computer must be disabled.

You can add more than one computer to the domain by either specifying them in the command line as a
comma-delimited list or importing their names from a text file.

Here’s how to specify the computers in a comma-delimited list:

$dc = "ENTERPRISE"
$pw = "Password123" | ConvertTo-SecureString -AsPlainText -Force
$usr = "$dc\T.Simpson"
$pcs = "WKS034","WKS052","WKS057" # Specify the computers that should be joined to the domain (an array, not one string).
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
foreach ($pc in $pcs) {
    # Each computer is joined with its own local admin account; you are prompted for that password.
    Add-Computer -ComputerName $pc -LocalCredential $pc\admin -DomainName $dc -Credential $creds -Restart -Force
}

And here’s how to use a text file with the list of computers that should be joined:

$dc = "ENTERPRISE"
$pw = "Password123" | ConvertTo-SecureString -AsPlainText -Force
$usr = "$dc\T.Simpson"
$pcs = Get-Content -Path C:\Computers.txt # Specify the path to the computers list (one name per line).
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
foreach ($pc in $pcs) {
    # Each computer is joined with its own local admin account; you are prompted for that password.
    Add-Computer -ComputerName $pc -LocalCredential $pc\admin -DomainName $dc -Credential $creds -Restart -Force
}

To remove a computer from a domain remotely, use the Remove-Computer cmdlet. Here, we're removing a
computer from a domain, so no local credentials are needed and we can skip the -LocalCredential parameter:

$dc = "ENTERPRISE"
$pw = "Password123" | ConvertTo-SecureString -asPlainText -Force
$usr = "$dc\T.Simpson"
$pc = "R07GF"
$creds = New-Object System.Management.Automation.PSCredential($usr,$pw)
Remove-Computer -ComputerName $pc -Credential $creds -Verbose -Restart -Force

To remove multiple computers using a list in a TXT file, use the script above for joining computers to the domain,
replacing the Add-Computer cmdlet with Remove-Computer. Note that you will still need domain admin
credentials to complete this unjoin operation.
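The join scripts above embed the domain admin password in plain text. The following added example (not part of the tutorial) performs the same bulk remote join from a text file but prompts for both the domain credential and each computer's local administrator credential, and records the outcome per computer. The domain name, the file paths and the local account name "admin" are assumptions.

```powershell
# Added example (not from the tutorial): join a list of computers to the domain remotely
# without storing any password in the script.
# Assumptions (placeholders): domain "ENTERPRISE", one computer name per line in the list
# file, and a local administrator account named "admin" on every target.
$Domain   = "ENTERPRISE"
$ListFile = "C:\scripts\Computers.txt"

# Domain account allowed to join computers; the password is typed at the prompt, never stored.
$DomainCred = Get-Credential -Message "Domain account allowed to join computers to $Domain"

$results = foreach ($pc in Get-Content -Path $ListFile | Where-Object { $_.Trim() }) {
    $pc = $pc.Trim()
    # Local administrator on the target; one prompt per computer because local passwords differ.
    $LocalCred = Get-Credential -UserName "$pc\admin" -Message "Local administrator on $pc"
    try {
        Add-Computer -ComputerName $pc -LocalCredential $LocalCred `
                     -DomainName $Domain -Credential $DomainCred `
                     -Restart -Force -ErrorAction Stop
        [pscustomobject]@{ Computer = $pc; Joined = $true;  Error = $null }
    }
    catch {
        # Keep going with the rest of the list, but record why this one failed.
        [pscustomobject]@{ Computer = $pc; Joined = $false; Error = $_.Exception.Message }
    }
}

# Keep a record of what was attempted: every join creates a new computer account in AD,
# so the list of joined machines should match what you expected to see in the directory.
$results | Export-Csv -Path "C:\scripts\JoinResults.csv" -NoTypeInformation
$results | Format-Table -AutoSize
```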

2.3 Renaming a Computer


To change a computer name, use the Rename-Computer cmdlet. Note that the computer must be online
and connected to Active Directory.

Rename-Computer -ComputerName "FS1" -NewName "FS2"

If you want to run this script locally, it will look like this:

Rename-Computer -NewName "newname" -DomainCredential "Domain\Administrator"

You can improve the renaming script by joining the computer to the domain and putting it into the specified
OU simultaneously. The script should be run on the target machine, not on the domain controller.

$NewComputerName = "Server3" # Specify the new computer name.
$DC = "contoso.com" # Specify the domain to join.
$Path = "OU=TestOU,DC=contoso,DC=com" # Specify the path to the OU where to put the computer account in the domain.
Add-Computer -DomainName $DC -OUPath $Path -NewName $NewComputerName -Restart -Force

The script will prompt for the credentials of an account that has permissions to join computers to the
domain, and then the computer will be renamed, restarted and joined to the domain.

2.4 Resetting a Computer Account


Like a user account, a computer account interacts with Active Directory using a password. But for computer
accounts, a password change is initiated every 30 days by default and the password is exempted from the
domain’s password policy. Password changes are driven by the client (computer), not AD.

Computer credentials are usually unknown to the user because they are randomly set by the computer. But you
can set your own password; here is a PowerShell script for doing so:

$pc = Read-Host -Prompt "Input computer name to reset" # Specify the computer name.
$pw = Read-Host -Prompt "Input random characters for temp password" -AsSecureString # Specify the password.
Get-ADComputer $pc | Set-ADAccountPassword -NewPassword:$pw -Reset:$true

2.5 Disabling User and Computer Accounts


To disable user, computer or service accounts, use the Disable-ADAccount cmdlet. The -Identity parameter
specifies which account to disable. You can specify an account by its distinguished name, security identifier
(SID), globally unique identifier (GUID) or Security Account Manager (SAM) account name.

Disable-AdAccount -Identity RussellS

If you specify a computer account name, remember to append a dollar sign ($) at the end of the name;
otherwise, you’ll get an error after script execution.

Disable-ADAccount -Identity fs1$

You can also disable accounts in bulk using a list in a text file:

$Pclist = Get-Content C:\scripts\Computer.txt # Specify the path to the computer list.
foreach ($pc in $Pclist)
{
    $computer = Get-ADComputer -Identity $pc # Get-ADComputer accepts the computer name without the trailing $.
    Disable-ADAccount -Identity $computer
    Move-ADObject -Identity $computer -TargetPath "OU=Disabled Computers,DC=enterprise,DC=com"
}

2.6 Deleting a Computer from Active Directory


To delete a computer account from AD, use the Remove-ADObject cmdlet:

Remove-ADObject -Identity "WKS932"

You will be prompted to confirm the deletion.

If you have a text file with a list of old computers, you can streamline the task of removing them using
PowerShell. The following script will read the computer names from a TXT file and delete the corresponding
accounts via a pipeline:

Get-Content C:\scripts\computersfordeletion.txt | ForEach-Object { $name = $_; Get-ADComputer -Filter { Name -eq $name } } | Remove-ADObject -Recursive

Stale accounts in Active Directory can be compromised, leading to security incidents, so it is critical to keep
an eye on them. This PowerShell script will query Active Directory and return all computers that have not
been logged in to for the past 30 days. It also will remove those accounts to keep your AD clean.

$stale = (Get-Date).AddDays(-30) # Means 30 days since last logon; can be changed to any number.
Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $stale} | Format-Table Name,lastLogonDate
Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $stale} | Remove-ADComputer

There is one computer, FS1, that has not been logged on to for more than 30 days. The system will
prompt for confirmation before deleting it from the domain:

If you want to disable, rather than delete, the inactive computer accounts, replace the
Remove-ADComputer cmdlet with Set-ADComputer and -Enabled $false parameter and value.
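The stale-account script above deletes immediately and, because its filter compares lastLogonDate, silently skips accounts that have never logged on. The following added example (not part of the tutorial) combines the disable-and-move approach from section 2.5 with the staleness check: it reports both kinds of account, disables rather than deletes, stamps the Description with an audit note, and supports -WhatIf. The 90-day threshold and the "Disabled Computers" OU path are assumptions.

```powershell
# Added example (not from the tutorial): find stale, still-enabled computer accounts and
# disable them with an audit stamp instead of deleting them, so a wrongly flagged machine
# can simply be re-enabled. Assumptions: the target OU exists; 90 days is a placeholder.
function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Days = 90,
        [string]$DisabledOU = "OU=Disabled Computers,DC=enterprise,DC=com"
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # lastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag
    # the real logon by up to 14 days, so keep the threshold well above that.
    $computers = Get-ADComputer -Filter { Enabled -eq $true } `
                                -Properties lastLogonDate, whenCreated, OperatingSystem

    # Accounts that never logged on have no lastLogonDate; a "-lt $cutoff" filter silently
    # skips them, so they are reported separately instead of being ignored.
    $stale = $computers | Where-Object { $_.lastLogonDate -and $_.lastLogonDate -lt $cutoff }
    $never = $computers | Where-Object { -not $_.lastLogonDate -and $_.whenCreated -lt $cutoff }

    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable and move to $DisabledOU")) {
            # Record who disabled it, when, and why, so the change is explainable later.
            $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd) by $env:USERNAME; last logon $($c.lastLogonDate)"
            Set-ADComputer -Identity $c -Enabled $false -Description $stamp
            Move-ADObject -Identity $c -TargetPath $DisabledOU
        }
    }

    # Return a report object that can be exported or reviewed before anything is deleted.
    [pscustomobject]@{
        Stale         = $stale | Select-Object Name, lastLogonDate, OperatingSystem
        NeverLoggedOn = $never | Select-Object Name, whenCreated
    }
}

# Preview first (-WhatIf makes no changes), then run for real.
Disable-StaleComputer -Days 90 -WhatIf
$report = Disable-StaleComputer -Days 90
$report.Stale | Format-Table -AutoSize
$report.NeverLoggedOn | Format-Table -AutoSize
```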

Remember that it is critical to closely track all changes to computer accounts, so you can quickly spot any
unwanted modifications and respond appropriately. Here’s how to monitor computer account deletions.

2.7 Creating and Deleting an Active Directory Group


In Active Directory, access to network resources is granted to security principals, such as user accounts and
computer accounts, and those permissions can change over time. To simplify access management and
improve security, medium and large companies often use Active Directory security groups, which can
contain user and computer accounts as well as other groups. They also often use distribution groups to
manage email distribution lists. Both security and distribution groups have unique SIDs and GUIDs.

If you’re not already familiar with AD groups and group management, please read the Active Directory
Group Management Best Practice guide.

To create an AD group, use the New-ADGroup cmdlet. You can get its syntax by running the following command:

Get-Command New-ADGroup –Syntax

The easiest way to create a group is to run this short script:

New-ADGroup "Group Name"

The system will ask you to specify the GroupScope parameter and then it will create a new group. However,
this group will have default values, such as:

It will be created in the default LDAP container called “Users”.

It will have the “Security” group type.

The Members, Member of, Description, Email and Notes fields will all be blank.

Let’s create a security group called “Quality” in the “Production” OU (-Path); it should be a security group
(-GroupCategory) and it should be global (-GroupScope):

New-ADGroup "Quality" -Path "OU=Production,DC=enterprise,DC=com" -GroupCategory Security -GroupScope Global -PassThru -Verbose

If you want to make a universal distribution group, simply change the -GroupCategory parameter to "Distribution" and
the -GroupScope parameter to "Universal". You can also change the LDAP path by changing the -Path parameter.

To delete an AD group, use the Remove-ADGroup cmdlet. The easiest script for that will look like this:

Remove-ADGroup -Identity Quality

You’ll be prompted to confirm the deletion of the group.

2.8 Adding Users and Computers to a Group
You can add users to an AD group with the Add-AdGroupMember cmdlet. For instance, if you needed to
add two users, B.Jackson and E.Franklin, to the “Quality” group, here is what the script would look like:

Add-AdGroupMember -Identity Quality -Members B.Jackson, E.Franklin

Once you’ve added users to a security group, you can run this script to verify that they are listed as members:

Get-ADGroupMember -Identity Quality

If you need to add users to another security or distribution group, such as Domain Admins, specify "Domain
Admins" as the value for the -Identity parameter. If you need one group to be a member of another, specify
the group name as the value for the -Members parameter. The same principle applies to computer accounts,
but you'll need to append a dollar sign ($) to the end of the computer account name. For example, to add the
computer "WKS043" to a group, specify "WKS043$" as the value for the -Members parameter:

Add-AdGroupMember -Identity Quality -Members WKS043$

To add a user to multiple groups at once, run the following script:

"Managers","Quality" | Add-ADGroupMember -Members `


(Read-Host -Prompt "Enter User Name")

You’ll be prompted to input the username.

If you want to add a large number of users to a group, you can specify them in a CSV file and then import that
file. Note that the list of the usernames in the CSV file must contain the SamAccountNames in the “users”
column, as shown below:
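As an added example (not part of the tutorial), the following function performs the CSV import described above: it reads SamAccountNames from the "users" column, skips names that do not resolve or are already members, adds the rest in one Add-ADGroupMember call, and asks for explicit confirmation when the target is a protected group such as Domain Admins (identified by the adminCount attribute that SDProp sets to 1). The group name and file path are assumptions.

```powershell
# Added example (not from the tutorial): bulk-add users to a group from a CSV whose "users"
# column holds SamAccountNames, with validation and a guard for protected groups.
# Assumptions (placeholders): group "Quality" and file C:\scripts\users.csv.
function Add-GroupMembersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$CsvPath
    )
    $target = Get-ADGroup -Identity $Group -Properties adminCount

    # adminCount = 1 marks groups protected by AdminSDHolder/SDProp (Domain Admins, etc.);
    # membership changes there deserve a deliberate, interactive confirmation.
    if ($target.adminCount -eq 1 -and
        -not $PSCmdlet.ShouldContinue("'$Group' is a protected group. Add members anyway?", "Protected group")) {
        return
    }

    # Existing members by SamAccountName, so re-running the import is harmless.
    $existing = Get-ADGroupMember -Identity $target | Select-Object -ExpandProperty SamAccountName
    $names = Import-Csv -Path $CsvPath | ForEach-Object { $_.users.Trim() } |
             Where-Object { $_ } | Sort-Object -Unique

    $toAdd = @(); $missing = @(); $already = @()
    foreach ($sam in $names) {
        if ($existing -contains $sam) { $already += $sam; continue }
        $user = Get-ADUser -Filter { SamAccountName -eq $sam }
        if (-not $user) { $missing += $sam; continue }   # typo or departed user: report, do not guess
        $toAdd += $user
    }

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Add $($toAdd.Count) member(s)")) {
        # One call for the whole batch: fewer directory writes, one audited change.
        Add-ADGroupMember -Identity $target -Members $toAdd
    }

    # Report what happened so the import can be checked against the intended list.
    [pscustomobject]@{
        Group         = $Group
        Added         = $toAdd | Select-Object -ExpandProperty SamAccountName
        AlreadyMember = $already
        NotFound      = $missing
    }
}

# Preview with -WhatIf, then run for real.
Add-GroupMembersFromCsv -Group "Quality" -CsvPath "C:\scripts\users.csv" -WhatIf
Add-GroupMembersFromCsv -Group "Quality" -CsvPath "C:\scripts\users.csv"
```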
