How to Manage Users and Computers in Active Directory on Windows Server 2012 R2
Active Directory Domain Services (AD DS) is the backbone of identity management in Windows enterprise environments. Managing user accounts and computer objects is among the most frequent tasks performed by domain administrators. On Windows Server 2012 R2, you have a rich set of tools available including Active Directory Users and Computers (ADUC), Active Directory Administrative Center (ADAC), and the ActiveDirectory PowerShell module. This guide covers the full lifecycle of user and computer account management using both GUI and PowerShell approaches.
Prerequisites
Before proceeding, ensure the following conditions are met:
The domain needs at least one domain controller running Windows Server 2012 R2 with AD DS installed. The cmdlets can be run on the domain controller itself, but the better practice is to run them from a member server or administrative workstation with the Remote Server Administration Tools (RSAT) installed, keeping interactive logons on domain controllers to a minimum. The account you use needs rights to create and modify user and computer objects. Domain Admins membership is sufficient but should be reserved for tasks that require it, and Account Operators is a legacy group with broad rights over accounts throughout the domain that Microsoft recommends leaving empty; for routine provisioning and helpdesk work, delegate only the required permissions on the relevant OUs instead. On PowerShell 3.0 and later the ActiveDirectory module is loaded automatically on first use, but importing it explicitly at the top of a script makes the dependency visible and fails fast if RSAT is missing:
Import-Module ActiveDirectory
Creating User Accounts
User accounts can be created through ADUC, ADAC, or PowerShell. Using PowerShell is the most efficient method when creating accounts in bulk or as part of an automated provisioning workflow.
To create a single user account with PowerShell, use the New-ADUser cmdlet. The following example creates a standard user account, enables it immediately and forces a password change at first logon. The initial password is read from the console as a SecureString rather than written into the script, so it never ends up in a file, a shell history or a transcript:
New-ADUser `
    -Name "Jane Smith" `
    -GivenName "Jane" `
    -Surname "Smith" `
    -SamAccountName "jsmith" `
    -UserPrincipalName "jsmith@contoso.com" `
    -Path "OU=Users,OU=Contoso,DC=contoso,DC=com" `
    -AccountPassword (Read-Host -AsSecureString "Initial password for jsmith") `
    -Enabled $true `
    -PasswordNeverExpires $false `
    -ChangePasswordAtLogon $true `
    -Description "Finance Department User"
For bulk creation from a CSV file, prepare a CSV with columns matching the attributes you want to populate (here FirstName, LastName, Username, OU and Password), then iterate through the file. The file holds initial passwords in clear text, so restrict its NTFS permissions to the provisioning account, delete it once the run is complete, and force a change at first logon. Wrap each creation in try/catch so one bad row (duplicate sAMAccountName, invalid OU path, password rejected by policy) does not abort the rest of the batch:
$users = Import-Csv -Path "C:\Scripts\NewUsers.csv"
foreach ($user in $users) {
    try {
        New-ADUser `
            -Name "$($user.FirstName) $($user.LastName)" `
            -GivenName $user.FirstName `
            -Surname $user.LastName `
            -SamAccountName $user.Username `
            -UserPrincipalName "$($user.Username)@contoso.com" `
            -Path $user.OU `
            -AccountPassword (ConvertTo-SecureString $user.Password -AsPlainText -Force) `
            -ChangePasswordAtLogon $true `
            -Enabled $true `
            -ErrorAction Stop
        Write-Host "Created user: $($user.Username)"
    } catch {
        # Report the row and keep going with the next one
        Write-Warning "Failed to create $($user.Username): $($_.Exception.Message)"
    }
}
Modifying User Attributes
The Set-ADUser cmdlet modifies existing user account attributes. Common operations include updating department, title, phone number, manager and account expiration. -Manager accepts any identity form (sAMAccountName, distinguished name, GUID or SID). -AccountExpirationDate makes the account unusable from 00:00 local time on the date given, so pass the day after the intended last working day rather than the last working day itself:
Set-ADUser -Identity "jsmith" `
    -Department "Finance" `
    -Title "Senior Analyst" `
    -OfficePhone "555-1234" `
    -Manager "mjones" `
    -AccountExpirationDate "2025-12-31"   # logon blocked from 2025-12-31 00:00
To modify attributes that Set-ADUser does not expose as parameters, refer to them by LDAP display name in a hashtable passed to -Replace, -Add, -Remove or -Clear. -Replace overwrites the current value (and creates the attribute if it is unset), -Add appends a value to a multi-valued attribute and fails on a single-valued attribute that already holds a value, -Remove deletes the given value, and -Clear empties the attribute:
Set-ADUser -Identity "jsmith" -Replace @{
    extensionAttribute1        = "FIN-001"
    employeeID                 = "EMP12345"
    physicalDeliveryOfficeName = "Building A"
}
Disabling and Deleting User Accounts
When an employee leaves the organisation, disable the account first rather than deleting it immediately. Disabling preserves the SID, group memberships and audit trail, keeps mailbox and file ownership resolvable, and can be reversed; a deletion cannot be reversed unless the AD Recycle Bin is enabled. Disabling blocks new authentications but does not end logon sessions that are already open, so for a hostile departure also reset the password and terminate the user's sessions where you can:
# Disable the account and record when and why, so a later retention sweep can find it
Disable-ADAccount -Identity "jsmith"
Set-ADUser -Identity "jsmith" -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'): left organisation"
# Move to a Disabled Users OU for retention (Move-ADObject needs the DN, not the sAMAccountName)
Move-ADObject -Identity (Get-ADUser -Identity "jsmith").DistinguishedName `
    -TargetPath "OU=DisabledUsers,DC=contoso,DC=com"
# After the retention period, delete permanently; rehearse with -WhatIf first,
# because without the AD Recycle Bin this cannot be undone
Remove-ADUser -Identity "jsmith" -WhatIf
Remove-ADUser -Identity "jsmith" -Confirm:$false
Managing Password Resets and Account Unlocks
Password resets and account unlocks are common helpdesk tasks. With PowerShell these operations are straightforward, but two habits matter. The temporary password must be unpredictable and handed to the user out of band, with a change forced at next logon so that nobody at the helpdesk knows the lasting value. And an account that keeps locking out should be investigated rather than simply unlocked again: the usual causes are a stale saved credential, mapped drive or scheduled task on some host, or a password-guessing attempt against the account (the PDC emulator logs event ID 4740 with the source computer name for every lockout):
# Reset a user password and force change at next logon
Set-ADAccountPassword -Identity "jsmith" `
-Reset `
-NewPassword (ConvertTo-SecureString "TempP@ss2024!" -AsPlainText -Force)
Set-ADUser -Identity "jsmith" -ChangePasswordAtLogon $true
# Unlock a locked account
Unlock-ADAccount -Identity "jsmith"
# Check if an account is locked
Get-ADUser -Identity "jsmith" -Properties LockedOut | Select-Object Name, LockedOut
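The reset above, like the New-ADUser examples earlier, takes a password that somebody typed or stored. The following is an added example, not code from the original guide, that produces the temporary password from the .NET cryptographic RNG with rejection sampling (so the modulo step introduces no bias), retries until the value satisfies the default domain complexity rules, applies it with a reset plus a forced change at next logon, and returns the clear-text value exactly once so it can be handed to the user out of band. The function names and the 16-character default are assumptions of this example; jsmith is the account used throughout the guide.

```powershell
# Added example (not from the original guide): random initial passwords from a
# CSPRNG, applied with a reset and a forced change at next logon.
function New-RandomPassword {
    param([int]$Length = 16)   # 16 is this example's default, not a policy value
    # Alphabet deliberately omits look-alike characters (0/O, 1/l/I)
    $alphabet = ('abcdefghjkmnpqrstuvwxyz' + 'ABCDEFGHJKLMNPQRSTUVWXYZ' +
                 '23456789' + '!@#$%^&*-_=+').ToCharArray()
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    # Rejection threshold: bytes at or above this are discarded, which removes
    # the modulo bias that a plain "byte % alphabet length" would introduce
    $limit = 256 - (256 % $alphabet.Length)
    $buf   = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
        $candidate = $sb.ToString()
        # Retry until all four character classes are present, so the value
        # passes the default domain complexity policy on the first attempt
    } until ($candidate -cmatch '[a-z]' -and $candidate -cmatch '[A-Z]' -and
             $candidate -match '[0-9]' -and $candidate -match '[^A-Za-z0-9]')
    $candidate
}

function Reset-InitialPassword {
    param([Parameter(Mandatory)][string]$Identity)
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    # Return the clear-text value once for out-of-band delivery; do not log it,
    # write it to a file, or echo it into a transcript
    $plain
}

# Usage (jsmith as in the guide):
# $temp = Reset-InitialPassword -Identity 'jsmith'
```

The same helper can replace the Read-Host call in the single-user New-ADUser example and the Password column in the bulk CSV: generate the value, pass it as -AccountPassword, and deliver it to the user through a separate channel.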
Managing Computer Accounts
Computer accounts represent machines joined to the domain. By default the ms-DS-MachineAccountQuota attribute lets any authenticated user join up to ten computers, and accounts created that way land in the default Computers container, outside any OU-linked Group Policy. Pre-creating the account (ideally with the quota set to 0) lets administrators decide which OU the computer lands in, which machine names may exist, and which principal is allowed to perform the join, without granting that principal anything beyond permissions on that one object.
# Pre-create a computer account (the "$" suffix on the sAMAccountName is mandatory)
New-ADComputer `
    -Name "WS-FIN-001" `
    -SamAccountName "WS-FIN-001$" `
    -Path "OU=Workstations,OU=Finance,DC=contoso,DC=com" `
    -Description "Finance Workstation 001" `
    -Enabled $true
# Delegate join permissions to a specific user: the join needs Reset Password,
# Write Account Restrictions and the validated writes to DNS host name and SPN
# on this one object (the GUIDs are the rightsGuid values from the AD schema)
$computer = Get-ADComputer -Identity "WS-FIN-001"
$user = Get-ADUser -Identity "helpdesk1"
$acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
$rights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'ExtendedRight'  # Reset Password
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'WriteProperty'  # Account Restrictions property set
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Self'           # Validated write to DNS host name
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Self'           # Validated write to service principal name
}
foreach ($guid in $rights.Keys) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $user.SID, [System.DirectoryServices.ActiveDirectoryRights]$rights[$guid],
        [System.Security.AccessControl.AccessControlType]::Allow, [Guid]$guid)))
}
Set-Acl -Path "AD:\$($computer.DistinguishedName)" -AclObject $acl
To find stale computer accounts (no logon recorded in 90 days) and disable them, filter on LastLogonDate. LastLogonDate is the local-time view of lastLogonTimestamp, which a domain controller only writes back when the stored value is more than 9 to 14 days old, so treat it as an approximation; computers that have never logged on have no value at all and are not matched by the comparison below. Review the report first, run the disable step with -WhatIf, and only then run it for real:
$cutoffDate = (Get-Date).AddDays(-90)
Get-ADComputer -Filter {LastLogonDate -lt $cutoffDate -and Enabled -eq $true} `
    -Properties LastLogonDate, Description |
    Select-Object Name, LastLogonDate, Description |
    Sort-Object LastLogonDate
# Disable stale computers: drop -WhatIf once the list above has been reviewed
Get-ADComputer -Filter {LastLogonDate -lt $cutoffDate -and Enabled -eq $true} |
    Disable-ADAccount -WhatIf
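As an added example that goes beyond the two queries above (it is not part of the original page), the following pair of functions reports stale computers using both the logon timestamp and the machine account's own password age, skips domain controllers, and wraps the disable step in SupportsShouldProcess so it can be rehearsed with -WhatIf and confirmed with -Confirm. The function names, the 90-day default and the description stamp format are this example's own choices.

```powershell
# Added example (not from the original guide): stale computer report and
# guarded disable. Names and thresholds are this example's assumptions.
function Get-StaleComputer {
    [CmdletBinding()]
    param(
        [int]$Days = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    # lastLogonTimestamp (LastLogonDate) replicates only every 9-14 days, so the
    # machine account's password age is used as a second, independent signal:
    # a live Windows host rotates it every 30 days by default.
    Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase `
        -Properties LastLogonDate, PasswordLastSet, PrimaryGroupID, OperatingSystem, Description |
        Where-Object {
            # Domain controllers have primary group 516 (Domain Controllers); never touch them here
            $_.PrimaryGroupID -ne 516 -and
            ($null -eq $_.LastLogonDate  -or $_.LastLogonDate  -lt $cutoff) -and
            ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
        }
}

function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Days = 90)
    $stamp = "Stale: disabled $(Get-Date -Format 'yyyy-MM-dd')"
    foreach ($c in Get-StaleComputer -Days $Days) {
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable stale computer account")) {
            # Record why and when in the description so a later retention sweep
            # can find these objects, then disable the account
            Set-ADComputer -Identity $c -Description "$stamp; was: $($c.Description)"
            Disable-ADAccount -Identity $c
        }
    }
}

# Usage: report, rehearse, then run with per-object confirmation
# Get-StaleComputer | Format-Table Name, OperatingSystem, LastLogonDate, PasswordLastSet -AutoSize
# Disable-StaleComputer -WhatIf
# Disable-StaleComputer -Confirm
```

Requiring both signals to be old avoids disabling a machine that is alive but whose lastLogonTimestamp simply has not replicated yet; a host that neither logs on nor rotates its password for the whole window is very likely gone.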
Managing Group Memberships
Group membership management is central to access control in Active Directory. Use Add-ADGroupMember and Remove-ADGroupMember to manage memberships. Note that a user's MemberOf attribute lists direct memberships only: it omits the primary group (Domain Users by default) and anything inherited through nested groups, so on its own it understates a user's effective access:
# Add a user to a group
Add-ADGroupMember -Identity "Finance-ReadOnly" -Members "jsmith"
# Add multiple users at once
Add-ADGroupMember -Identity "VPN-Users" -Members "jsmith","bwilliams","tjones"
# Remove a user from a group
Remove-ADGroupMember -Identity "Finance-ReadOnly" -Members "jsmith" -Confirm:$false
# List all groups a user belongs to
Get-ADUser -Identity "jsmith" -Properties MemberOf |
Select-Object -ExpandProperty MemberOf |
Get-ADGroup |
Select-Object Name, GroupCategory, GroupScope
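The MemberOf query above lists direct memberships only. The following added example, not from the original guide, uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) so the domain controller walks nested groups itself: once to list every group a user effectively belongs to, and once to list every user who effectively belongs to a group, which is how you audit who really holds Domain Admins. The function names are assumptions; the DN escaping follows RFC 4515.

```powershell
# Added example (not from the original guide): effective (nested) group
# membership resolved on the domain controller with the
# LDAP_MATCHING_RULE_IN_CHAIN matching rule.
$InChain = '1.2.840.113556.1.4.1941'

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping so a DN containing \ ( ) or * cannot alter the filter
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-EffectiveGroupMembership {
    # Every group whose member chain, followed through nested groups, reaches the user
    param([Parameter(Mandatory)][string]$Identity)
    $dn = ConvertTo-LdapFilterValue (Get-ADUser -Identity $Identity).DistinguishedName
    Get-ADGroup -LDAPFilter "(member:$($InChain):=$dn)" -Properties AdminCount
}

function Get-EffectiveGroupMember {
    # Every user whose memberOf chain, direct or nested, reaches the group
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $GroupName).DistinguishedName
    Get-ADUser -LDAPFilter "(memberOf:$($InChain):=$dn)" -Properties LastLogonDate, AdminCount
}

function Test-EffectiveGroupMembership {
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$GroupName)
    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    [bool](Get-EffectiveGroupMembership -Identity $Identity |
           Where-Object { $_.DistinguishedName -eq $groupDn })
}

# Usage: compare with the direct MemberOf list, then audit a privileged group
# Get-EffectiveGroupMembership -Identity 'jsmith' | Select-Object Name, GroupScope, AdminCount
# Get-EffectiveGroupMember -GroupName 'Domain Admins' | Select-Object SamAccountName, Enabled, LastLogonDate
# Test-EffectiveGroupMembership -Identity 'jsmith' -GroupName 'Domain Admins'
```

Get-ADGroupMember -Recursive gives the same group-to-members view, but the matching rule also works in the user-to-groups direction and is evaluated in a single server-side query. Neither approach accounts for primary group membership, which is stored in primaryGroupID rather than in member/memberOf.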
Searching and Reporting on User and Computer Objects
The Get-ADUser and Get-ADComputer cmdlets support powerful filtering. The -Filter parameter uses PowerShell expression syntax, while -LDAPFilter allows raw LDAP queries:
# Find all enabled users in a specific OU
Get-ADUser -Filter {Enabled -eq $true} `
    -SearchBase "OU=Users,OU=Finance,DC=contoso,DC=com" `
    -Properties Department, LastLogonDate, PasswordLastSet |
    Select-Object Name, SamAccountName, Department, LastLogonDate, PasswordLastSet |
    Export-Csv "C:\Reports\FinanceUsers.csv" -NoTypeInformation
# Find users whose passwords never expire
Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} |
    Select-Object Name, SamAccountName
# Find all domain computers with their OS info
Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Sort-Object OperatingSystem
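The reports above check one property per query. As an added example (not code from the original page), the following function makes one pass over enabled users and tags each with the account settings an attacker enumerates first: passwords that never expire or are not required, Kerberos pre-authentication disabled, service principal names on user accounts (especially on accounts that adminCount marks as privileged), and passwords older than a year. The function name and the thresholds are this example's own.

```powershell
# Added example (not from the original guide): one pass over enabled users
# flagging settings that weaken authentication. Name and thresholds are
# this example's assumptions.
function Get-RiskyUserAccount {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $props = 'PasswordNeverExpires', 'PasswordNotRequired', 'DoesNotRequirePreAuth',
             'ServicePrincipalName', 'AdminCount', 'PasswordLastSet', 'LastLogonDate'
    $yearAgo = (Get-Date).AddYears(-1)
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $flags = @()
            if ($_.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }
            # PASSWD_NOTREQD: an empty password satisfies policy for this account
            if ($_.PasswordNotRequired) { $flags += 'PasswordNotRequired' }
            # DONT_REQ_PREAUTH: anyone can request an AS-REP encrypted with this account's key
            if ($_.DoesNotRequirePreAuth) { $flags += 'NoKerberosPreAuth' }
            # An SPN on a user account lets any domain user request a service ticket
            # encrypted with that account's password hash and crack it offline
            if ($_.ServicePrincipalName.Count -gt 0) {
                if ($_.AdminCount -eq 1) { $flags += 'PrivilegedWithSPN' } else { $flags += 'HasSPN' }
            }
            if ($_.PasswordLastSet -and $_.PasswordLastSet -lt $yearAgo) { $flags += 'PasswordOlderThan1Year' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName  = $_.SamAccountName
                    Flags           = $flags -join ','
                    AdminCount      = $_.AdminCount
                    PasswordLastSet = $_.PasswordLastSet
                    LastLogonDate   = $_.LastLogonDate
                }
            }
        }
}

# Usage: review interactively, or export and track the list over time
# Get-RiskyUserAccount | Sort-Object Flags | Format-Table -AutoSize
# Get-RiskyUserAccount | Export-Csv 'C:\Reports\RiskyUsers.csv' -NoTypeInformation
```

Running this on a schedule and comparing the export with the previous one turns a one-off report into a detection: a new PrivilegedWithSPN or NoKerberosPreAuth entry is a change somebody should be able to explain.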
Using Active Directory Administrative Center
ADAC provides a modern GUI interface built on PowerShell. It includes a PowerShell History pane that shows the PowerShell commands equivalent to every GUI action performed. This makes ADAC an excellent learning tool for building PowerShell scripts. Open ADAC from Server Manager or run dsac.exe from the command line. The interface presents a navigation pane on the left showing the domain tree, and a central work area for managing objects. Right-click any OU to create new users, groups, or computers. The global search feature allows searching across the entire directory by any attribute.
Verifying Changes
After making changes to user or computer accounts, verify that the attributes are set as expected and that the change has reached other domain controllers; a query that happens to land on a DC the change has not replicated to yet will still show the old value:
# Verify user account details (request only the attributes you need;
# -Properties * retrieves every attribute, including large binary ones)
Get-ADUser -Identity "jsmith" `
    -Properties Enabled, LockedOut, PasswordExpired, PasswordLastSet, LastLogonDate, Department, MemberOf |
    Select-Object Name, Enabled, LockedOut, PasswordExpired,
                  PasswordLastSet, LastLogonDate, Department, MemberOf
# Force replication of this one object from the DC that took the write to a
# partner DC. Get-ADDomainController with no arguments returns the DC the current
# session is bound to; -Discover -NextClosestSite only falls back to another site
# when no DC is found in the local one and can return that same DC, so name the
# destination explicitly (replace the placeholder with a real replication partner)
$sourceDc      = (Get-ADDomainController).HostName
$destinationDc = "dc02.contoso.com"   # placeholder: a real partner DC
Sync-ADObject -Object (Get-ADUser "jsmith").DistinguishedName `
    -Source $sourceDc `
    -Destination $destinationDc
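Sync-ADObject pushes a change to one partner, but the way to know a change has actually converged is to read it back from every domain controller. The following added example, not part of the original guide, does that by querying each DC with -Server and reporting whether all copies agree. The function name is an assumption; it works with any ADUser property.

```powershell
# Added example (not from the original guide): read one attribute back from
# every domain controller and report whether all copies agree.
function Test-AttributeConverged {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Property
    )
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server pins the query to this DC instead of whichever one the session uses
            $value = (Get-ADUser -Identity $Identity -Server $dc.HostName -Properties $Property).$Property
            $text  = if ($null -eq $value) { '<not set>' } else { "$value" }
        } catch {
            # Object not yet created on this DC, DC unreachable, and so on
            $text = "ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{ DomainController = $dc.HostName; Site = $dc.Site; Value = $text }
    }
    $distinct = @($perDc.Value | Sort-Object -Unique)
    [pscustomobject]@{
        Identity  = $Identity
        Property  = $Property
        Converged = ($distinct.Count -eq 1 -and $distinct[0] -notlike 'ERROR:*')
        PerDC     = $perDc
    }
}

# Usage, after the Set-ADUser call earlier in the guide:
# $r = Test-AttributeConverged -Identity 'jsmith' -Property 'Department'
# $r.PerDC | Format-Table -AutoSize
# if (-not $r.Converged) { <# trigger Sync-ADObject as shown above, then re-check #> }
```

A DC that returns an error is treated as not converged on purpose: an unreachable DC may also be one whose replication has been failing, which is exactly the case a verification step should surface rather than hide.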
Summary
Managing users and computers in Active Directory on Windows Server 2012 R2 is most efficiently accomplished through PowerShell using the ActiveDirectory module. Key cmdlets include New-ADUser for creation, Set-ADUser for modification, Disable-ADAccount and Remove-ADUser for lifecycle management, and Get-ADUser with rich filtering for reporting. Computer account management follows the same patterns using the corresponding ADComputer cmdlets. The Active Directory Administrative Center provides a modern GUI that bridges the gap between graphical management and PowerShell scripting by displaying the equivalent PowerShell commands for all GUI operations, making it an invaluable tool for both day-to-day administration and script development.