Skills

active-directory

Installation
SKILL.md

Active Directory Skill

When to Activate

  • User mentions: AD, Active Directory, user account, group membership, domain, OU, GPO
  • User asks to find/create/modify AD objects
  • User needs to check group memberships or locked accounts

Prerequisites Check

# Verify AD module is available
if (-not (Get-Module -ListAvailable ActiveDirectory)) {
    Write-Warning "ActiveDirectory module not installed. Install RSAT or run on a DC."
    # Alternative: Use ADSI queries
}
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

Common Queries

Find User

# By name (partial match)
Get-ADUser -Filter "Name -like '*$searchTerm*'" -Properties DisplayName, EmailAddress, Enabled, LastLogonDate |
Select-Object SamAccountName, DisplayName, EmailAddress, Enabled, LastLogonDate

# By email
Get-ADUser -Filter "EmailAddress -eq '$email'" -Properties *

Check Account Status

$user = Get-ADUser -Identity $username -Properties LockedOut, Enabled, PasswordExpired, LastLogonDate, PasswordLastSet
[PSCustomObject]@{
    User = $user.SamAccountName
    Enabled = $user.Enabled
    Locked = $user.LockedOut
    PasswordExpired = $user.PasswordExpired
    LastLogon = $user.LastLogonDate
    PasswordAge = (New-TimeSpan -Start $user.PasswordLastSet).Days
}

Unlock Account

Unlock-ADAccount -Identity $username
# Verify
(Get-ADUser -Identity $username -Properties LockedOut).LockedOut

Group Membership

# User's groups
Get-ADPrincipalGroupMembership -Identity $username | Select-Object Name, GroupCategory

# Group's members
Get-ADGroupMember -Identity $groupName | Select-Object Name, ObjectClass

Find Inactive Accounts

# Users not logged in for 90 days
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $cutoff -and Enabled -eq $true} -Properties LastLogonDate |
Select-Object SamAccountName, LastLogonDate | Sort-Object LastLogonDate

Computer Objects

# Find computer
Get-ADComputer -Filter "Name -like '*$hostname*'" -Properties OperatingSystem, LastLogonDate |
Select-Object Name, OperatingSystem, LastLogonDate, Enabled

# Stale computers (90 days)
Get-ADComputer -Filter {LastLogonDate -lt $cutoff} -Properties LastLogonDate |
Select-Object Name, LastLogonDate

OU Structure

# List OUs
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName

# Objects in specific OU
Get-ADUser -SearchBase "OU=Sales,DC=contoso,DC=com" -Filter *

GPO Status

# Applied GPOs
gpresult /r

# Detailed GPO report
gpresult /h "$env:TEMP\gpo-report.html"

ADSI Fallback (No Module Required)

# Find user via ADSI
$searcher = [adsisearcher]"(samaccountname=$username)"
$searcher.FindOne().Properties

# Find all users in domain
$searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user))"
$searcher.FindAll() | ForEach-Object { $_.Properties.samaccountname }

Safety Notes

  • ⚠️ Always confirm before modifying AD objects
  • ⚠️ Use -WhatIf for destructive operations
  • ⚠️ Document changes for audit compliance
Related skills

More from diegosouzapw/awesome-omni-skill

Installs
1
Repository
diegosouzapw/aw…ni-skill
GitHub Stars
27
First Seen
Mar 3, 2026
Security Audits
Gen Agent Trust HubWarn
SocketPass
SnykPass