PowerShell Automation for IT: 15 Scripts Every Admin Needs
The average IT admin spends 30-40% of their week on tasks that could be automated with PowerShell. User provisioning that takes 15 minutes per new hire becomes a 30-second script execution. Monthly disk cleanup across 200 servers that consumes an entire afternoon becomes a scheduled job that runs at 2 AM and emails you the results. Password reset tickets that interrupt your deep work every hour become a self-service portal backed by PowerShell scripts that log every action for audit compliance.
This guide presents 15 PowerShell scripts that address the most common and time-consuming IT administration tasks. Each script is production-ready - it includes error handling, logging, and parameter validation. Copy them, customize them for your environment, and start reclaiming hours every week.
User Provisioning and Lifecycle
1. New User Provisioning
This is the highest-value automation for most IT teams. A new hire provisioning script creates the AD account, sets the initial password, adds the user to the correct security groups based on department and role, creates the home directory, configures the mailbox, and sends a welcome email to the manager - all from a single CSV input or HR system webhook.
# New-UserProvision.ps1 - Create AD user from HR data
param(
[Parameter(Mandatory)]
[string]$FirstName,
[string]$LastName,
[string]$Department,
[string]$Title,
[string]$Manager
)
$ErrorActionPreference = 'Stop'
$logFile = "C:\Logs\Provisioning\$(Get-Date -Format 'yyyyMMdd').log"
try {
$username = ($FirstName[0] + $LastName).ToLower()
$upn = "$username@contoso.com"
$ou = "OU=$Department,OU=Users,DC=contoso,DC=com"
# Create AD account
$password = [System.Web.Security.Membership]::GeneratePassword(16, 4)
$securePass = ConvertTo-SecureString $password -AsPlainText -Force
New-ADUser -Name "$FirstName $LastName" `
-GivenName $FirstName -Surname $LastName `
-SamAccountName $username -UserPrincipalName $upn `
-Path $ou -Department $Department -Title $Title `
-Manager $Manager -AccountPassword $securePass `
-ChangePasswordAtLogon $true -Enabled $true
# Add to department security groups
$groups = Get-ADGroup -Filter "Description -like '*$Department*'"
foreach ($group in $groups) {
Add-ADGroupMember -Identity $group -Members $username
}
"$(Get-Date) - Created user $upn in $ou" | Out-File $logFile -Append
Write-Output "User $upn created successfully"
}
catch {
"$(Get-Date) - ERROR: $($_.Exception.Message)" | Out-File $logFile -Append
throw
}
The key customization points are the username format (first initial + last name is common, but your organization may use first.last or employee IDs), the OU path logic, and the group membership rules. For larger organizations, replace the hardcoded OU mapping with a lookup table or database query that maps department to OU and role to security groups.
2. Bulk User Import from CSV
When onboarding a batch of new hires (mergers, seasonal staff, new office openings), a CSV import script processes dozens or hundreds of accounts in minutes. The CSV contains one row per user with columns for first name, last name, department, title, and manager. The script loops through each row, calls the provisioning logic, and generates a report of successes and failures.
# Import-BulkUsers.ps1 - Process CSV of new hires
param([string]$CsvPath = "C:\HR\NewHires.csv")
$users = Import-Csv $CsvPath
$results = @()
foreach ($user in $users) {
try {
# Call provisioning function for each user
New-UserProvision -FirstName $user.FirstName `
-LastName $user.LastName `
-Department $user.Department `
-Title $user.Title -Manager $user.Manager
$results += [PSCustomObject]@{
User = "$($user.FirstName) $($user.LastName)"
Status = "Success"
Error = ""
}
}
catch {
$results += [PSCustomObject]@{
User = "$($user.FirstName) $($user.LastName)"
Status = "Failed"
Error = $_.Exception.Message
}
}
}
$results | Export-Csv "C:\Logs\BulkImport_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$results | Format-Table -AutoSize
3. User Offboarding
Offboarding is the mirror of provisioning and equally critical for security. The script disables the account (not deletes - you need it for audit trails), removes the user from all security groups, resets the password to a random value, moves the account to a Disabled Users OU, sets the mailbox to shared (preserving email access for the manager), and generates a compliance report documenting every action taken. Run this within 15 minutes of receiving the termination notice.
# Disable-UserAccount.ps1 - Offboarding automation
param([Parameter(Mandatory)][string]$Username)
$ErrorActionPreference = 'Stop'
$log = "C:\Logs\Offboarding\$(Get-Date -Format 'yyyyMMdd').log"
$disabledOU = "OU=Disabled,OU=Users,DC=contoso,DC=com"
try {
$user = Get-ADUser $Username -Properties MemberOf, Manager
# Remove from all groups except Domain Users
$user.MemberOf | ForEach-Object {
Remove-ADGroupMember -Identity $_ -Members $Username -Confirm:$false
}
# Reset password, disable, set description
$randomPass = [System.Web.Security.Membership]::GeneratePassword(20, 5)
Set-ADAccountPassword $Username -NewPassword (
ConvertTo-SecureString $randomPass -AsPlainText -Force
) -Reset
Disable-ADAccount $Username
Set-ADUser $Username -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd') by automation"
# Move to Disabled OU
Move-ADObject -Identity $user.DistinguishedName -TargetPath $disabledOU
"$(Get-Date) - Offboarded $Username" | Out-File $log -Append
Write-Output "User $Username offboarded successfully"
}
catch {
"$(Get-Date) - ERROR offboarding $Username : $($_.Exception.Message)" |
Out-File $log -Append
throw
}
Password and Account Management
4. Expiring Password Notification
Send email reminders to users whose passwords expire within a configurable number of days. This script runs daily via Task Scheduler and reduces the flood of "I am locked out" tickets that occur when passwords expire without warning. It queries AD for all users with password expiration dates within the threshold, generates a personalized email explaining how to change their password, and logs every notification sent.
# Send-PasswordExpiryNotice.ps1
param([int]$DaysWarning = 14)
$users = Get-ADUser -Filter {Enabled -eq $true} -Properties `
msDS-UserPasswordExpiryTimeComputed, EmailAddress, DisplayName
foreach ($user in $users) {
$expiry = [datetime]::FromFileTime($user.'msDS-UserPasswordExpiryTimeComputed')
$daysLeft = ($expiry - (Get-Date)).Days
if ($daysLeft -gt 0 -and $daysLeft -le $DaysWarning -and $user.EmailAddress) {
$body = @"
Hello $($user.DisplayName),
Your network password expires in $daysLeft day(s) on $($expiry.ToString('MMMM dd, yyyy')).
To change your password:
- Press Ctrl+Alt+Del and select 'Change a password'
- Or visit https://passwordreset.contoso.com
If you need help, contact IT support.
"@
Send-MailMessage -To $user.EmailAddress `
-From "it-noreply@contoso.com" `
-Subject "Password expires in $daysLeft days" `
-Body $body -SmtpServer "smtp.contoso.com"
"$(Get-Date) - Notified $($user.SamAccountName) - $daysLeft days" |
Out-File "C:\Logs\PasswordNotify.log" -Append
}
}
5. Locked Account Detector and Auto-Unlock
Account lockouts generate more helpdesk tickets than any other single issue. This script monitors for lockout events, identifies the source workstation (which reveals whether it is a stale session, a mobile device, or a potential brute-force attack), and optionally auto-unlocks the account after logging the event. Deploy this as a scheduled task running every 5 minutes.
# Watch-AccountLockouts.ps1
$lockedUsers = Search-ADAccount -LockedOut
foreach ($user in $lockedUsers) {
# Find the lockout source from Security event log on PDC
$pdc = (Get-ADDomain).PDCEmulator
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
LogName = 'Security'; Id = 4740
} -MaxEvents 50 | Where-Object {
$_.Properties[0].Value -eq $user.SamAccountName
}
$source = if ($events) { $events[0].Properties[1].Value } else { "Unknown" }
# Log the lockout
$logEntry = "$(Get-Date) | $($user.SamAccountName) | Source: $source"
$logEntry | Out-File "C:\Logs\Lockouts.log" -Append
# Auto-unlock (remove this block if manual review is required)
Unlock-ADAccount $user.SamAccountName
"$logEntry | AUTO-UNLOCKED" | Out-File "C:\Logs\Lockouts.log" -Append
}
Log Collection and Analysis
6. Centralized Event Log Collection
Collecting event logs from multiple servers into a central location is essential for troubleshooting and security auditing. This script queries specified event logs across a list of servers, filters for errors and warnings within the last 24 hours, and exports the results to a timestamped CSV file. Schedule it daily to build a searchable archive of system events.
# Collect-EventLogs.ps1
param(
[string[]]$Servers = (Get-Content "C:\Config\Servers.txt"),
[int]$Hours = 24
)
$startTime = (Get-Date).AddHours(-$Hours)
$allEvents = @()
foreach ($server in $Servers) {
try {
$events = Get-WinEvent -ComputerName $server -FilterHashtable @{
LogName = 'System','Application'
Level = 1,2,3 # Critical, Error, Warning
StartTime = $startTime
} -ErrorAction Stop
$allEvents += $events | Select-Object @{N='Server';E={$server}},
TimeCreated, LogName, LevelDisplayName, Id, Message
}
catch {
"$(Get-Date) - Failed to query $server : $($_.Exception.Message)" |
Out-File "C:\Logs\EventCollection.log" -Append
}
}
$outputPath = "C:\Reports\Events_$(Get-Date -Format 'yyyyMMdd').csv"
$allEvents | Export-Csv $outputPath -NoTypeInformation
Write-Output "Collected $($allEvents.Count) events from $($Servers.Count) servers"
7. IIS Log Parser for Failed Requests
Parse IIS logs to identify 500 errors, slow responses, and suspicious request patterns. This script is invaluable for troubleshooting web application issues and identifying attacks against public-facing web servers. It reads IIS W3C log files, filters for status codes 400 and above, and generates a summary report grouped by URL and status code.
# Parse-IISLogs.ps1
param([string]$LogPath = "C:\inetpub\logs\LogFiles\W3SVC1")
$today = Get-Date -Format 'yyMMdd'
$logFile = Get-ChildItem $LogPath -Filter "u_ex$today.log" | Select-Object -First 1
if (-not $logFile) { Write-Warning "No log file found for today"; return }
$errors = Get-Content $logFile.FullName | Where-Object {
$_ -notmatch '^#' -and $_ -match '\s[4-5]\d{2}\s'
} | ForEach-Object {
$fields = $_ -split '\s+'
[PSCustomObject]@{
Time = $fields[1]
Method = $fields[3]
URI = $fields[4]
Status = $fields[11]
TimeTaken = $fields[14]
ClientIP = $fields[8]
}
}
# Summary by URI and status code
$errors | Group-Object URI, Status | Sort-Object Count -Descending |
Select-Object Count, Name | Format-Table -AutoSize
# Export full error details
$errors | Export-Csv "C:\Reports\IIS_Errors_$today.csv" -NoTypeInformation
Disk and Storage Management
8. Disk Space Monitor with Alerts
Monitor disk space across all servers and alert when any volume drops below a threshold. This script prevents the surprise "server crashed because the C: drive filled up at 3 AM" outage. Run it every 15 minutes via Task Scheduler.
# Watch-DiskSpace.ps1
param(
[string[]]$Servers = (Get-Content "C:\Config\Servers.txt"),
[int]$ThresholdPercent = 15
)
foreach ($server in $Servers) {
try {
$disks = Get-CimInstance Win32_LogicalDisk -ComputerName $server `
-Filter "DriveType=3"
foreach ($disk in $disks) {
$freePercent = [math]::Round(($disk.FreeSpace / $disk.Size) * 100, 1)
if ($freePercent -lt $ThresholdPercent) {
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
$msg = "$server $($disk.DeviceID) - $freePercent% free ($($freeGB)GB)"
Send-MailMessage -To "it-alerts@contoso.com" `
-From "monitoring@contoso.com" `
-Subject "DISK WARNING: $server $($disk.DeviceID) at $freePercent%" `
-Body $msg -SmtpServer "smtp.contoso.com" -Priority High
$msg | Out-File "C:\Logs\DiskAlerts.log" -Append
}
}
}
catch {
"$(Get-Date) - Cannot reach $server" | Out-File "C:\Logs\DiskAlerts.log" -Append
}
}
9. Automated Disk Cleanup
Clean up temporary files, old log files, Windows Update cache, and user temp directories across servers. This script reclaims gigabytes of wasted space without manual intervention. Schedule it weekly during maintenance windows.
# Invoke-DiskCleanup.ps1
param([string]$ComputerName = $env:COMPUTERNAME)
$ErrorActionPreference = 'SilentlyContinue'
$freed = 0
# Windows Temp
$tempPaths = @(
"C:\Windows\Temp\*",
"C:\Windows\SoftwareDistribution\Download\*",
"C:\Windows\Logs\CBS\*.log"
)
foreach ($path in $tempPaths) {
$files = Get-ChildItem $path -Recurse -Force |
Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-7) }
$size = ($files | Measure-Object Length -Sum).Sum
$files | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
$freed += $size
}
# User temp directories
$userTemps = Get-ChildItem "C:\Users\*\AppData\Local\Temp\*" -Recurse -Force |
Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-3) }
$freed += ($userTemps | Measure-Object Length -Sum).Sum
$userTemps | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
# IIS log rotation (keep 30 days)
$iisLogs = Get-ChildItem "C:\inetpub\logs" -Recurse -Filter "*.log" |
Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) }
$freed += ($iisLogs | Measure-Object Length -Sum).Sum
$iisLogs | Remove-Item -Force
$freedMB = [math]::Round($freed / 1MB, 1)
"$(Get-Date) - Cleaned $freedMB MB on $ComputerName" |
Out-File "C:\Logs\DiskCleanup.log" -Append
Write-Output "Freed $freedMB MB"
Service and Application Monitoring
10. Windows Service Health Check
Monitor critical Windows services and automatically restart any that have stopped unexpectedly. This script checks a list of essential services, attempts a restart if any are stopped, and alerts the team if the restart fails.
# Watch-Services.ps1
param([string[]]$Servers = (Get-Content "C:\Config\Servers.txt"))
$criticalServices = @(
'W3SVC', # IIS
'MSSQLSERVER', # SQL Server
'Spooler', # Print
'WinRM', # Remote management
'DNS', # DNS Server
'NTDS' # Active Directory
)
foreach ($server in $Servers) {
foreach ($svcName in $criticalServices) {
try {
$svc = Get-Service -ComputerName $server -Name $svcName -ErrorAction Stop
if ($svc.Status -ne 'Running') {
# Attempt restart
Set-Service -InputObject $svc -Status Running
Start-Sleep -Seconds 5
$svc.Refresh()
$status = if ($svc.Status -eq 'Running') { "RESTARTED" } else { "FAILED" }
$msg = "$(Get-Date) | $server | $svcName | $status"
$msg | Out-File "C:\Logs\ServiceHealth.log" -Append
if ($status -eq "FAILED") {
Send-MailMessage -To "it-alerts@contoso.com" `
-From "monitoring@contoso.com" `
-Subject "SERVICE FAILED: $svcName on $server" `
-Body $msg -SmtpServer "smtp.contoso.com" -Priority High
}
}
}
catch { } # Service does not exist on this server
}
}
11. Scheduled Task Audit
Audit scheduled tasks across all servers to find tasks running as privileged accounts, tasks with broken triggers, and unauthorized tasks that may indicate a compromise. Export the results as a compliance report.
# Audit-ScheduledTasks.ps1
param([string[]]$Servers = (Get-Content "C:\Config\Servers.txt"))
$allTasks = @()
foreach ($server in $Servers) {
try {
$tasks = Get-ScheduledTask -CimSession $server |
Where-Object { $_.State -ne 'Disabled' } |
Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
$tasks | ForEach-Object {
$taskDetail = Get-ScheduledTask -TaskName $_.TaskName -CimSession $server
$allTasks += [PSCustomObject]@{
Server = $server
TaskName = $_.TaskName
LastRun = $_.LastRunTime
LastResult = $_.LastTaskResult
RunAs = $taskDetail.Principal.UserId
NextRun = $_.NextRunTime
}
}
}
catch {
"$(Get-Date) - Cannot audit tasks on $server" |
Out-File "C:\Logs\TaskAudit.log" -Append
}
}
# Flag tasks running as Domain Admin or SYSTEM
$risky = $allTasks | Where-Object {
$_.RunAs -match 'Domain Admins|Administrator|SYSTEM'
}
$allTasks | Export-Csv "C:\Reports\ScheduledTasks_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
Write-Output "Audited $($allTasks.Count) tasks. $($risky.Count) running as privileged accounts."
Reporting and Documentation
12. Active Directory Health Report
Generate a weekly report covering AD health metrics: inactive accounts, accounts with non-expiring passwords, empty groups, stale computer objects, and OU structure. This report drives cleanup actions and audit compliance.
# Get-ADHealthReport.ps1
$report = @{}
# Inactive users (no logon in 90 days)
$report['InactiveUsers'] = (Search-ADAccount -AccountInactive `
-TimeSpan 90.00:00:00 -UsersOnly | Measure-Object).Count
# Password never expires
$report['NeverExpires'] = (Get-ADUser -Filter {
PasswordNeverExpires -eq $true -and Enabled -eq $true
} | Measure-Object).Count
# Disabled but not moved
$report['DisabledInWrongOU'] = (Get-ADUser -Filter {Enabled -eq $false} |
Where-Object { $_.DistinguishedName -notmatch 'OU=Disabled' } |
Measure-Object).Count
# Empty groups
$report['EmptyGroups'] = (Get-ADGroup -Filter * |
Where-Object { (Get-ADGroupMember $_ -ErrorAction SilentlyContinue | Measure-Object).Count -eq 0 } |
Measure-Object).Count
# Stale computers (90 days)
$report['StaleComputers'] = (Get-ADComputer -Filter {
LastLogonDate -lt $((Get-Date).AddDays(-90))
} | Measure-Object).Count
# Format report
$body = "AD Health Report - $(Get-Date -Format 'MMMM dd, yyyy')`n"
$body += "=" * 50 + "`n"
foreach ($key in $report.Keys) {
$body += "$key : $($report[$key])`n"
}
Send-MailMessage -To "it-team@contoso.com" -From "reports@contoso.com" `
-Subject "Weekly AD Health Report" -Body $body -SmtpServer "smtp.contoso.com"
13. Software Inventory Across All Workstations
Collect installed software inventory from all domain workstations. This data supports license compliance, vulnerability management (which machines have outdated versions), and incident response (which machines have a specific application installed).
# Get-SoftwareInventory.ps1
$computers = Get-ADComputer -Filter {OperatingSystem -like '*Windows*'} |
Select-Object -ExpandProperty Name
$inventory = @()
foreach ($pc in $computers) {
try {
$software = Invoke-Command -ComputerName $pc -ScriptBlock {
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*,
HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
Where-Object { $_.DisplayName } |
Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
} -ErrorAction Stop
$software | ForEach-Object {
$inventory += [PSCustomObject]@{
Computer = $pc
Software = $_.DisplayName
Version = $_.DisplayVersion
Publisher = $_.Publisher
InstallDate = $_.InstallDate
}
}
}
catch {
"$(Get-Date) - Cannot reach $pc" | Out-File "C:\Logs\Inventory.log" -Append
}
}
$inventory | Export-Csv "C:\Reports\Software_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
14. Certificate Expiration Monitor
Monitor SSL/TLS certificates on internal web servers and alert before they expire. Certificate expirations cause outages that are entirely preventable with monitoring.
# Watch-Certificates.ps1
param([int]$DaysWarning = 30)
$sites = @(
"intranet.contoso.com:443",
"mail.contoso.com:443",
"vpn.contoso.com:443",
"api.contoso.com:443"
)
foreach ($site in $sites) {
try {
$host_port = $site -split ':'
$tcp = New-Object System.Net.Sockets.TcpClient($host_port[0], $host_port[1])
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
{ $true }) # Accept all certs for monitoring
$ssl.AuthenticateAsClient($host_port[0])
$cert = $ssl.RemoteCertificate
$expiry = [datetime]$cert.GetExpirationDateString()
$daysLeft = ($expiry - (Get-Date)).Days
$ssl.Close(); $tcp.Close()
if ($daysLeft -le $DaysWarning) {
$msg = "$site certificate expires in $daysLeft days ($($expiry.ToString('yyyy-MM-dd')))"
Send-MailMessage -To "it-alerts@contoso.com" -From "monitoring@contoso.com" `
-Subject "CERT WARNING: $site expires in $daysLeft days" `
-Body $msg -SmtpServer "smtp.contoso.com" -Priority High
$msg | Out-File "C:\Logs\CertMonitor.log" -Append
}
}
catch {
"$(Get-Date) - Cannot check $site : $($_.Exception.Message)" |
Out-File "C:\Logs\CertMonitor.log" -Append
}
}
15. Automated HTML Report Generator
Combine data from multiple scripts into a single HTML report that is emailed to the IT team weekly. This master report aggregates disk space, service health, AD metrics, and recent alerts into a dashboard-style email that gives the team a snapshot of infrastructure health without logging into multiple tools.
# Send-WeeklyReport.ps1
$css = @"
<style>
body { font-family: Segoe UI, sans-serif; padding: 20px; }
table { border-collapse: collapse; width: 100%; margin: 16px 0; }
th { background: #2d3748; color: white; padding: 10px; text-align: left; }
td { padding: 8px 10px; border-bottom: 1px solid #e2e8f0; }
tr:hover { background: #f7fafc; }
.warning { color: #d69e2e; font-weight: bold; }
.critical { color: #e53e3e; font-weight: bold; }
h2 { color: #2d3748; border-bottom: 2px solid #4299e1; padding-bottom: 8px; }
</style>
"@
# Collect data from previous script outputs
$diskData = Import-Csv "C:\Reports\DiskSpace_Latest.csv" -ErrorAction SilentlyContinue
$serviceData = Import-Csv "C:\Reports\ServiceHealth_Latest.csv" -ErrorAction SilentlyContinue
$html = "<html><head>$css</head><body>"
$html += "<h1>IT Weekly Report - $(Get-Date -Format 'MMMM dd, yyyy')</h1>"
if ($diskData) {
$html += "<h2>Disk Space Alerts</h2>"
$html += $diskData | ConvertTo-Html -Fragment
}
if ($serviceData) {
$html += "<h2>Service Issues</h2>"
$html += $serviceData | ConvertTo-Html -Fragment
}
$html += "</body></html>"
Send-MailMessage -To "it-team@contoso.com" -From "reports@contoso.com" `
-Subject "IT Weekly Infrastructure Report" -Body $html -BodyAsHtml `
-SmtpServer "smtp.contoso.com"
Best Practices for Production Scripts
Before deploying any of these scripts in production, follow these practices:
- Use a dedicated service account with least-privilege permissions. Never run scheduled scripts as a Domain Admin
- Store credentials securely using Windows Credential Manager, Azure Key Vault, or encrypted SecureString files - never in plain text
- Enable PowerShell logging through Group Policy: Script Block Logging and Module Logging for audit trails
- Test in a non-production environment before running against production AD or servers
- Version control your scripts in Git. Every change should be tracked, reviewed, and attributable
- Include -WhatIf support in scripts that modify data so you can preview changes before committing them
- Set up alerting for failures - a script that fails silently is worse than no script at all
Let AI Handle Your Tier 1 Tickets
HelpBot resolves password resets, account lockouts, and common IT questions automatically. Your team focuses on the automation and infrastructure work that moves the needle.
Start Your Free TrialRelated reading: Active Directory Management Guide | 3-2-1 Backup Strategy Guide