Manual AD administration at scale is error-prone and slow. Onboarding 10 new users one-by-one in ADUC takes 30+ minutes and creates inconsistencies. Stale-account audits that have to be run by hand get skipped, and group membership reviews get delayed. These scripts turn all three tasks into single-command operations with logged, exportable results.
Reads a structured CSV, validates required columns, creates each user in the correct OU based on their department, sets a temporary password, forces a password change at next logon, and logs every result (Created / Skipped / Failed) to a timestamped CSV.
PS C:\Scripts> .\New-BulkADUsers.ps1 -CSVPath ".\SampleUsers.csv"
[INFO] Loaded 10 users from .\SampleUsers.csv
OK | Created: John Smith (jsmith) -> OU=IT,OU=Users,OU=Corp,DC=corp,DC=local
OK | Created: Maria Garcia (mgarcia) -> OU=HR,OU=Users,OU=Corp,DC=corp,DC=local
OK | Created: David Johnson (djohnson) -> OU=Finance,OU=Users,OU=Corp,DC=corp,DC=local
SKIP | jsmith already exists in AD.
OK | Created: Sarah Williams (swilliams) -> OU=IT,OU=Users,OU=Corp,DC=corp,DC=local
...
--- Provisioning Summary ---
Created : 9
Skipped : 1
Failed : 0
Log : .\BulkADUsers_Log_20260312_143022.csv
Queries AD for enabled accounts with no logon activity within a configurable threshold (default: 90 days). Exports a CSV with username, department, last logon date, days inactive, and manager. Supports an optional -DisableAccounts flag (always run with -WhatIf first).
PS C:\Scripts> .\Get-ADStaleUsers.ps1
[INFO] Searching for accounts inactive since: 12/03/2025
[INFO] Found 4 stale accounts.
Username   LastLogon  DaysInactive Department Manager
--------   ---------  ------------ ---------- -------
bthompson  09/15/2025 178 days     Finance    djohnson
rsmith     10/02/2025 161 days     HR         mgarcia
testadmin  Never      365+ days    IT         administrator
svc_legacy 11/01/2025 131 days     Operations administrator
Report saved: .\StaleUsers_20260312.csv
# Preview what would be disabled (WhatIf mode — no changes made)
PS C:\Scripts> .\Get-ADStaleUsers.ps1 -DaysInactive 60 -DisableAccounts -WhatIf
What if: Performing the operation "Disable-ADAccount" on target "bthompson".
What if: Performing the operation "Disable-ADAccount" on target "rsmith".
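The inactivity check and the -WhatIf preview described above, as an added PowerShell example that is not the project's Get-ADStaleUsers.ps1. The function name Get-StaleCandidate, its -AsOf parameter, and the sample records are assumptions made for illustration; it also shows one way to treat accounts that have never logged on, which the report above lists as "Never".

```powershell
# Added example, not the project's script. Get-StaleCandidate and -AsOf are hypothetical names.
function Get-StaleCandidate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $User,
        [int] $DaysInactive = 90,
        [datetime] $AsOf = (Get-Date),
        [switch] $DisableAccounts
    )
    process {
        if (-not $User.Enabled) { return }   # only enabled accounts are in scope
        # LastLogonDate is derived from lastLogonTimestamp, which replicates lazily
        # (up to about 14 days behind with default domain settings) and is $null
        # when the account has never logged on.
        $never = $null -eq $User.LastLogonDate
        # For never-used accounts, measure from whenCreated so an account
        # provisioned last week is not reported as stale.
        $reference = if ($never) { $User.whenCreated } else { $User.LastLogonDate }
        $idle = [int][math]::Floor(($AsOf - $reference).TotalDays)
        if ($idle -lt $DaysInactive) { return }

        # ShouldProcess returns $false under -WhatIf, so preview runs change nothing.
        if ($DisableAccounts -and $PSCmdlet.ShouldProcess($User.SamAccountName, 'Disable-ADAccount')) {
            Disable-ADAccount -Identity $User.SamAccountName
        }
        [pscustomobject]@{
            Username     = $User.SamAccountName
            LastLogon    = if ($never) { 'Never' } else { $User.LastLogonDate.ToString('MM/dd/yyyy') }
            DaysInactive = $idle
            Department   = $User.Department
        }
    }
}

# Constructed sample records shaped like Get-ADUser output, so this runs without a domain.
$asOf = [datetime]'2026-03-12'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'bthompson'; Enabled = $true;  LastLogonDate = [datetime]'2025-09-15'; whenCreated = [datetime]'2023-01-10'; Department = 'Finance' }
    [pscustomobject]@{ SamAccountName = 'newhire';   Enabled = $true;  LastLogonDate = $null; whenCreated = [datetime]'2026-03-05'; Department = 'HR' }
    [pscustomobject]@{ SamAccountName = 'testadmin'; Enabled = $true;  LastLogonDate = $null; whenCreated = [datetime]'2024-06-01'; Department = 'IT' }
    [pscustomobject]@{ SamAccountName = 'oldtemp';   Enabled = $false; LastLogonDate = [datetime]'2024-01-01'; whenCreated = [datetime]'2023-01-01'; Department = 'IT' }
)
$sample | Get-StaleCandidate -AsOf $asOf -DisableAccounts -WhatIf | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, Department |
#     Get-StaleCandidate -DaysInactive 90
```

Because lastLogonTimestamp can trail the real logon, a threshold shorter than that replication window will flag accounts that are in active use.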
Enumerates AD groups, uses Get-ADGroupMember to pull all members, then enriches each user record with enabled status, department, and last logon date. Supports recursive resolution for nested groups. Exports a full CSV for quarterly access reviews.
PS C:\Scripts> .\Get-ADGroupAudit.ps1 -IncludeNestedMembers
[INFO] Querying AD groups (filter: '*') under: DC=corp,DC=local
[INFO] Found 12 group(s) to audit.
[OK] Domain Admins — 2 member(s)
[OK] IT-Staff — 4 member(s)
[OK] HR-Staff — 3 member(s)
[EMPTY] Test-Group
[OK] VPN-Users — 7 member(s)
...
--- Audit Summary ---
Groups audited : 12
Total members : 31
Report saved : .\ADGroupAudit_20260312_143508.csv
# Target just privileged groups for a quick Domain Admin audit
PS C:\Scripts> .\Get-ADGroupAudit.ps1 -GroupFilter "Domain*" -IncludeNestedMembers
- 3 production-grade, well-commented scripts covering the most common AD automation tasks
- All scripts support -WhatIf for safe previewing before any changes are made
- Full error handling — individual failures don't halt the script; every result is logged
- CSV output on all three scripts — compatible with ServiceNow, Jira, and compliance reporting tools
- All scripts publicly available on GitHub with full README documentation
- Directly mirrors scripts used in enterprise onboarding and HIPAA access review workflows