PowerShell Script #1 — Manage Active Directory Users: Create, Edit and Disable Accounts

Automate AD onboarding and offboarding with a free PowerShell GUI tool — AD User Manager v4. Create accounts, assign groups, edit profiles, copy user templates, and disable accounts in seconds, without opening ADUC. Part of the series: 10 PowerShell Scripts to Automate Your Windows Sysadmin Routine.

Evan Mael
March 26, 2026 15 min

Overview

Managing Active Directory users manually through ADUC is repetitive and error-prone. Every onboarding means clicking through the same wizard, setting the same groups, enforcing the same naming convention. AD User Manager v4 is a free PowerShell GUI tool that wraps the core ActiveDirectory cmdlets into a single window — create, edit, copy, and disable accounts without ever opening ADUC.

This is Script #1 in the series 10 PowerShell Scripts to Automate Your Windows Sysadmin Routine.

Get the full AD_Admin_anavem_v4.ps1 script below — free, no account required.

Prerequisites

  • Windows Server 2012 R2 or later with Active Directory Domain Services
  • PowerShell 5.1 or later (built-in on Windows 10 / Server 2016+)
  • RSAT ActiveDirectory module (Get-ADUser, New-ADUser, Set-ADUser, Disable-ADAccount)
  • An account with delegation rights to create users, modify groups, and disable accounts

Quick check: Run Get-Module -ListAvailable ActiveDirectory in PowerShell. If the module is missing, install RSAT on Windows 10/11 via Settings > Optional Features > RSAT: Active Directory.

Download and First Run

Save the script to a folder such as C:\Scripts\ADUserManager. Open a PowerShell session as Administrator and run:

# Allow script execution (once per user account: -Scope CurrentUser does not affect other users)
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

# Launch the GUI
.\AD_Admin_anavem_v4.ps1

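If the .ps1 was saved from a browser, it carries the Mark of the Web, and RemoteSigned refuses to run it while it is unsigned. Review the source, then clear the mark with Unblock-File before launching.

The script connects to your current AD domain automatically on startup via Get-ADDomain. The status bar at the top shows the connected domain and DC name.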

Pro tip: Pin a PowerShell shortcut to your taskbar with Run as administrator set by default — this saves a click every time you manage accounts.

Create a New User Account

In the Create User tab, fill in the required fields. The tool automatically generates the SAMAccountName and UPN from the first and last name.

  1. Enter First Name, Last Name, and Job Title.
  2. Select the target OU from the dropdown (pre-loaded on connect).
  3. Click Generate Password — a 14-character random password is created and copied to clipboard.
  4. Optionally click Load Groups, then select the security groups to assign.
  5. Click Create User.
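
# $plainPassword is the generated password. The name $pwd is avoided because it is
# PowerShell's automatic variable for the current directory.
New-ADUser -Name "$displayName" -GivenName "$first" -Surname "$last" `
  -SamAccountName "$sam" -UserPrincipalName "$upn" `
  -Path "$ou" -AccountPassword (ConvertTo-SecureString "$plainPassword" -AsPlainText -Force) `
  -Enabled $true -ChangePasswordAtLogon $true
# Add the new account to each selected security group
Add-ADGroupMember -Identity "$group" -Members "$sam"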

Edit an Existing User

In the Edit User tab, search by name or SAMAccountName, select the account, update the fields you need, then click Save Changes.

Set-ADUser -Identity "$sam" -Title "$title" -Department "$dept" `
  -EmailAddress "$email"

Note: SAMAccountName cannot be changed via this tool, because it would break existing permissions and logins.

Copy a Template User (Onboarding)

In the Copy User tab, enter the SAMAccountName of the template account. The OU path and group memberships load automatically. Fill in the new user details, then click Create from Template.

Pro tip: Create dedicated template accounts (_TPL_Developer, _TPL_Accountant) — disabled, no password — purely to store OU + group assignments for each role.
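
A check for the template accounts described in the tip, plus a membership copy that leaves out AdminSDHolder-protected groups so a template cannot silently pass on privileged access. This is an added example, not the tool's own copy logic; the function names, the _TPL_ prefix default and the jdoe account are assumptions.

```powershell
# Added example: hypothetical helpers, not part of AD_Admin_anavem_v4.ps1.
Import-Module ActiveDirectory -ErrorAction Stop

# Report template accounts that could be logged on to or that carry protected groups.
function Test-TemplateAccount {
    param([string]$Prefix = '_TPL_')   # naming convention from the tip above
    Get-ADUser -Filter "SamAccountName -like '$Prefix*'" -Properties MemberOf, PasswordNotRequired |
        ForEach-Object {
            $u = $_
            $protected = @($u.MemberOf | Get-ADGroup -Properties adminCount |
                Where-Object { $_.adminCount -eq 1 } | ForEach-Object { $_.Name })
            [pscustomobject]@{
                Template            = $u.SamAccountName
                Enabled             = $u.Enabled               # expected: False
                PasswordNotRequired = $u.PasswordNotRequired
                ProtectedGroups     = $protected -join ';'      # expected: empty
            }
        }
}

# Copy group memberships from a template, skipping protected groups.
function Copy-TemplateMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TemplateSam,
        [Parameter(Mandatory)][string]$NewUserSam
    )
    $tpl = Get-ADUser -Identity $TemplateSam -Properties MemberOf
    foreach ($dn in $tpl.MemberOf) {
        $group = Get-ADGroup -Identity $dn -Properties adminCount
        # adminCount = 1 marks groups protected by AdminSDHolder (Domain Admins and similar).
        if ($group.adminCount -eq 1) {
            Write-Warning "Skipped protected group '$($group.Name)'; add it by hand if intended."
            continue
        }
        if ($PSCmdlet.ShouldProcess($group.Name, "Add member $NewUserSam")) {
            Add-ADGroupMember -Identity $group -Members $NewUserSam
        }
    }
}

Test-TemplateAccount | Format-Table -AutoSize
# 'jdoe' is a placeholder account; -WhatIf previews the additions without making them.
Copy-TemplateMembership -TemplateSam '_TPL_Developer' -NewUserSam 'jdoe' -WhatIf
```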

Disable a User Account (Offboarding)

In the Block/Enable tab, search for the departing user and click Disable Account.

Disable-ADAccount -Identity $sam

Best practice: Never delete accounts immediately; keep them disabled for 30–90 days to allow mailbox migration and data recovery. The status badge turns red once disabled.
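
An offboarding routine built around Disable-ADAccount that records the account's state first, stamps the disable date, and later lists accounts that have passed the retention window. This is an added example, not code from AD_Admin_anavem_v4.ps1; the function names, the record folder and the "Disabled yyyy-MM-dd" Description stamp are assumptions.

```powershell
# Added example: hypothetical helpers, not part of AD_Admin_anavem_v4.ps1.
Import-Module ActiveDirectory -ErrorAction Stop

function Disable-DepartingUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Sam,
        [string]$RecordDir = 'C:\Scripts\ADUserManager\Offboarding'   # assumed location
    )
    $user = Get-ADUser -Identity $Sam -Properties MemberOf, LastLogonDate, Description
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Record state and disable')) { return }

    # Record what the account looked like, so the offboarding can be reviewed or reversed.
    New-Item -ItemType Directory -Path $RecordDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        OU             = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
        LastLogonDate  = $user.LastLogonDate
        Groups         = $user.MemberOf -join ';'
        DisabledOn     = $stamp
        DisabledBy     = $env:USERNAME
    } | Export-Csv -Path (Join-Path $RecordDir "$($user.SamAccountName)_$stamp.csv") -NoTypeInformation

    Disable-ADAccount -Identity $user
    # The date stamp in Description is what the retention query below reads.
    Set-ADUser -Identity $user -Description "Disabled $stamp | $($user.Description)"
    # Confirm the result from the directory rather than trusting the call.
    return (Get-ADUser -Identity $user).Enabled -eq $false
}

function Get-DisabledPastRetention {
    param([int]$RetentionDays = 90)   # upper end of the 30-90 day window
    $cutoff = (Get-Date).Date.AddDays(-$RetentionDays)
    Get-ADUser -Filter 'Enabled -eq $false' -Properties Description |
        Where-Object { $_.Description -match '^Disabled (\d{4}-\d{2}-\d{2})' -and
                       [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $cutoff } |
        Select-Object SamAccountName, Description
}
```

Run Disable-DepartingUser with -WhatIf first to see which account would be affected; Get-DisabledPastRetention only reports accounts and deletes nothing.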

Full Script

The complete source code of AD_Admin_anavem_v4.ps1 is provided below. You can also download the .ps1 file directly.

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
Import-Module ActiveDirectory -ErrorAction Stop
[System.Windows.Forms.Application]::EnableVisualStyles()

# --- Colours ---
$cbg     = [System.Drawing.Color]::FromArgb(246, 248, 252)
$cwhite  = [System.Drawing.Color]::White
$cheader = [System.Drawing.Color]::FromArgb(13, 17, 38)
$cside   = [System.Drawing.Color]::FromArgb(13, 17, 38)
$csearch = [System.Drawing.Color]::FromArgb(37, 99, 235)
$ccreate = [System.Drawing.Color]::FromArgb(3, 122, 70)
$cedit   = [System.Drawing.Color]::FromArgb(37, 99, 235)
$cblock  = [System.Drawing.Color]::FromArgb(180, 22, 22)
$ccopy   = [System.Drawing.Color]::FromArgb(88, 28, 175)
$cgreen  = [System.Drawing.Color]::FromArgb(3, 130, 72)
$corange = [System.Drawing.Color]::FromArgb(194, 78, 10)
$cred    = [System.Drawing.Color]::FromArgb(180, 22, 22)
$cgray   = [System.Drawing.Color]::FromArgb(71, 85, 105)
$ctext   = [System.Drawing.Color]::FromArgb(15, 23, 42)
$csub    = [System.Drawing.Color]::FromArgb(71, 85, 105)
$cborder = [System.Drawing.Color]::FromArgb(203, 213, 225)
$cinput  = [System.Drawing.Color]::FromArgb(248, 250, 255)
$crowalt = [System.Drawing.Color]::FromArgb(239, 244, 255)
$cshadow = [System.Drawing.Color]::FromArgb(196, 207, 226)

# --- Fonts ---
$fhdr    = New-Object System.Drawing.Font("Segoe UI Semibold", 16, [System.Drawing.FontStyle]::Bold)
$fnorm   = New-Object System.Drawing.Font("Segoe UI", 10)
$flbl    = New-Object System.Drawing.Font("Segoe UI", 9)
$flblb   = New-Object System.Drawing.Font("Segoe UI", 9, [System.Drawing.FontStyle]::Bold)
$fbtn    = New-Object System.Drawing.Font("Segoe UI Semibold", 9, [System.Drawing.FontStyle]::Bold)
$fbtnlg  = New-Object System.Drawing.Font("Segoe UI Semibold", 10, [System.Drawing.FontStyle]::Bold)
$fnav    = New-Object System.Drawing.Font("Segoe UI", 10, [System.Drawing.FontStyle]::Bold)
$fsmall  = New-Object System.Drawing.Font("Segoe UI", 8)
$fhero   = New-Object System.Drawing.Font("Segoe UI Semibold", 13, [System.Drawing.FontStyle]::Bold)
$fmono   = New-Object System.Drawing.Font("Consolas", 9)

function pt($x, $y) { return New-Object System.Drawing.Point($x, $y) }
function sz($w, $h) { return New-Object System.Drawing.Size($w, $h) }

function L($t, $x, $y, $w = 155, $h = 26) {
    $l = New-Object System.Windows.Forms.Label
    $l.Text = $t; $l.Location = pt $x $y; $l.Size = sz $w $h
    $l.Font = $flbl; $l.ForeColor = $csub
    $l.BackColor = [System.Drawing.Color]::Transparent
    $l.TextAlign = [System.Drawing.ContentAlignment]::MiddleLeft
    return $l
}

function TBox($x, $y, $w = 290, $h = 32, $v = "") {
    $t = New-Object System.Windows.Forms.TextBox
    $t.Location = pt $x $y; $t.Size = sz $w $h
    $t.Font = $fnorm; $t.BackColor = $cinput; $t.ForeColor = $ctext
    $t.BorderStyle = "FixedSingle"; $t.Text = $v
    return $t
}

function Btn($t, $x, $y, $w = 175, $h = 44, $bg = $csearch, $fg = $cwhite) {
    $b = New-Object System.Windows.Forms.Button
    $b.Text = $t; $b.Location = pt $x $y; $b.Size = sz $w $h
    $b.FlatStyle = "Flat"; $b.FlatAppearance.BorderSize = 0
    $b.BackColor = $bg; $b.ForeColor = $fg; $b.Font = $fbtnlg
    $b.Cursor = [System.Windows.Forms.Cursors]::Hand
    return $b
}

function Connect-AD {
    try {
        $d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $script:ADDomain = $d.Name
        $script:ADDC = $d.FindDomainController().Name
        Write-Host "Connected to $($script:ADDomain) via $($script:ADDC)"
    } catch {
        Write-Host "AD connection failed: $_" -ForegroundColor Red
    }
}

Connect-AD

$form = New-Object System.Windows.Forms.Form
$form.Text = "AD User Manager v4 - anavem.com"
$form.Size = sz 1130 870
$form.StartPosition = "CenterScreen"
$form.BackColor = $cbg
$form.Font = $fnorm

$pHdr = New-Object System.Windows.Forms.Panel
$pHdr.Dock = "Top"; $pHdr.Height = 76; $pHdr.BackColor = $cheader
$form.Controls.Add($pHdr)

$lblHdrTitle = New-Object System.Windows.Forms.Label
$lblHdrTitle.Text = "AD User Manager"; $lblHdrTitle.Font = $fhdr
$lblHdrTitle.ForeColor = $cwhite; $lblHdrTitle.Location = pt 14 18
$lblHdrTitle.AutoSize = $true
$pHdr.Controls.Add($lblHdrTitle)

# Discard the returned DialogResult so it is not echoed to the console
[void]$form.ShowDialog()

The above is a condensed reference version. Download the full script for the complete GUI with all tabs, search, group management, and activity log.

Implementation Guide

Full Procedure

01. Download and Launch AD User Manager v4

Download AD_Admin_anavem_v4.ps1 from anavem.com (free, no account required). Save it to C:\Scripts\ADUserManager.

Open PowerShell as Administrator and run:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
.\AD_Admin_anavem_v4.ps1

The script auto-connects to your AD domain on startup. The status bar shows the connected domain and current user.

Verification: The domain name appears in the status bar at the top of the GUI window.

02. Create a New User Account

Go to the Create User tab. Fill in First Name, Last Name, Job Title, and select the target OU.

  1. Click Generate Password to create a secure random password.
  2. Click Load Groups and select the security groups to assign.
  3. Click Create User.

New-ADUser -Name "$displayName" -SamAccountName "$sam" -UserPrincipalName "$upn" `
  -Path "$ou" -AccountPassword (ConvertTo-SecureString "$plainPassword" -AsPlainText -Force) `
  -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity "$group" -Members "$sam"

Verification: The Activity Log shows "[OK] Account '$sam' created" in green.

03. Edit an Existing User

Go to the Edit User tab. Search by name or SAMAccountName, then select the account.

  1. The form pre-fills with current values (title, department, email, phone, manager).
  2. Modify the fields you need.
  3. Click Save Changes.

Set-ADUser -Identity "$sam" -Title "$title" -Department "$dept" -EmailAddress "$email" `
  -OfficePhone "$phone" -Manager "$managerSam"

Note: SAMAccountName cannot be changed via this tool, because it would break existing permissions and logins.

04. Copy a Template User (Onboarding)

Go to the Copy User tab. Enter the SAMAccountName of the template account and click Load Template.

  1. The OU path and group memberships load automatically.
  2. Fill in the new user details.
  3. Click Create from Template.

Pro tip: Create dedicated template accounts (_TPL_Developer, _TPL_Accountant), disabled and passwordless, purely to store OU + group assignments for each role.

05. Disable a User Account (Offboarding)

Go to the Disable User tab. Search for the departing user's account.

  1. Review the account details (last logon, groups, OU).
  2. Click Disable Account.

Disable-ADAccount -Identity $sam

Best practice: Never delete accounts immediately; keep them disabled 30–90 days for mailbox migration and data recovery. The status badge turns red once disabled.

Frequently Asked Questions

Do I need admin rights to run AD User Manager v4?
You need an account with appropriate AD delegation rights. Full domain admin rights are not required; you can delegate Create User, Modify User, and Disable Account permissions to a service account or IT helpdesk group. Run PowerShell as Administrator on your local machine.

How do I install the RSAT ActiveDirectory module on Windows 10/11?
Go to Settings > Optional Features > Add a feature, search for 'RSAT: Active Directory Domain Services and Lightweight Directory Tools', and install it. Alternatively, run in PowerShell as admin: Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Can I use the Copy User feature without template accounts?
Yes. Any existing active user account can serve as a template. The script reads their OU path and group memberships and replicates them to the new account. However, dedicated template accounts (disabled, no password) are best practice to keep onboarding consistent.

Where is the Activity Log saved?
The Activity Log is stored in memory during the current session only. For persistent audit trails, run Start-Transcript before launching the script, or add export-to-CSV logic at the end of the WLog function. The log displays in the Activity Log tab with timestamp and severity colour coding.

Does this script support multi-domain or forest environments?
The current version connects to the local domain detected by Get-ADDomain. For multi-domain scenarios, you can modify the Connect-AD function to prompt for a specific domain controller or domain name using the -Server parameter on all AD cmdlets.

Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.