You don't need to memorise PowerShell to manage users, groups, and computers. BlockShell lets you snap blocks together and see the real script it generates — so you learn by doing, not by guessing.
Before we touch BlockShell, let's understand what we're actually managing. Active Directory (AD) is Microsoft's directory service — essentially a central database that keeps track of every user, computer, group, and policy on a corporate network.
contoso.com. All users and computers that belong to the company exist within this domain.

When you open BlockShell AD, you'll see four key areas. Spend a minute getting familiar with the layout before dragging your first block.
Five buttons across the top: Show Script (preview your generated PowerShell), Download Script (save as a .ps1 file), Export Workspace (save your blocks as JSON), Import Workspace (load a saved session), and Clear Workspace (start fresh — use with care!).
Nine colour-coded categories containing all available AD commands. Click a category to expand it and see the blocks inside. Each block represents one PowerShell command. You can scroll through to explore everything that's available.
Your workspace where blocks are placed and connected. Drag blocks from the toolbox onto the canvas. Connect them vertically to build up a sequence of commands — just like a flowchart. You can also zoom in/out with the mouse wheel or the +/− buttons in the corner.
Hover over any block on the canvas to see a tooltip explaining exactly what the command does and what each parameter means. This is one of the most powerful learning features — you get documentation without ever leaving the tool.
Let's walk through the full process of creating a new user account — from opening the toolbox to seeing the generated PowerShell script. This takes about two minutes.
In the left-hand toolbox panel, click "User Management". A flyout will appear showing all available user commands. You'll see New-ADUser, Get-ADUser, Set-ADUser, and more listed as draggable blocks.
Click and hold the New-ADUser block, then drag it into the empty canvas area and release. The block will appear on the canvas with three input fields: Name, SamAccountName, and Path.
Click directly on each text field inside the block to edit it.
Set Name to Sarah Connor,
SamAccountName to sconnor (this is the login username),
and Path to OU=Users,DC=corp,DC=com (the OU where the account will live).
Press Enter or click away to confirm each field.
New accounts are disabled by default. From the toolbox, drag Enable-ADAccount and hover it just below the New-ADUser block — you'll see a connection indicator appear. Drop it to snap the blocks together. Set the Identity field to sconnor.
Hit the Show Script button in the toolbar. A panel will appear showing the real PowerShell commands your blocks generate — including the date header and properly formatted parameters. You can copy it to your clipboard right there.
$true and $false are boolean values (true/false).
The -Enabled $true flag tells AD to create the account in an enabled state.
BlockShell automatically adds sensible defaults like this so you don't miss important flags.
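What the Show Script panel produces for the walkthrough above, written out as an added example for this guide rather than copied from BlockShell: the wording of the date header and the final verification step are assumptions, and the pre-flight existence check is the "confirm before you act" habit from the tips section, not a block the tool generates.

```powershell
# Added example: hand-written approximation of the script BlockShell generates for the
# walkthrough. Header text and the last two checks are assumptions. Lab domain only.

# Generated by BlockShell AD - 2026-01-12   <- the automatic date header (exact format assumed)
Import-Module ActiveDirectory

# Look before you change: stop if the SamAccountName is already taken.
if (Get-ADUser -Filter 'SamAccountName -eq "sconnor"') {
    throw "sconnor already exists - pick another SamAccountName"
}

# Step 3: the New-ADUser block. Text values are quoted; $true is a boolean, so it is not.
# In a real domain with a password policy, add -AccountPassword (Read-Host -AsSecureString "Initial password")
# or creating the account in an enabled state fails.
New-ADUser -Name "Sarah Connor" `
           -SamAccountName "sconnor" `
           -Path "OU=Users,DC=corp,DC=com" `
           -Enabled $true

# Step 4: the Enable-ADAccount block snapped underneath. Harmless if the account is already enabled.
Enable-ADAccount -Identity "sconnor"

# Verification (added here, not a BlockShell block): the object, where it lives, and its state.
Get-ADUser -Identity "sconnor" | Select-Object SamAccountName, Enabled, DistinguishedName
```

Read it top to bottom like the canvas: check, create, enable, verify. The backtick at the end of a line is PowerShell's line continuation, used here only so each parameter sits on its own line.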
BlockShell organises every AD command into nine colour-coded categories. Here's what lives in each one and when you'd use it.
Create, read, modify, and delete user accounts — the bread and butter of 1st line support.
Creates a brand new user account in AD. Essential for onboarding new starters.
Retrieves details about an existing user. Use to check properties like department, email, last logon.
Updates properties on an existing user — change department, title, manager, phone number etc.
Permanently deletes a user account. Used for offboarding leavers. Always confirm before running!
Enables a disabled account. Useful for returning employees or newly created accounts.
Disables an account without deleting it. Standard practice when an employee leaves — disable first, delete later.
Unlocks an account locked out after too many failed password attempts. One of the most common 1st line tasks.
Resets a user's password. The new password is passed as a SecureString — BlockShell handles this conversion for you.
Sets a date when the account will automatically expire — useful for contractors and temporary staff.
Removes any expiration date from an account, making it permanent again.
Control who belongs to which groups — the key to managing permissions at scale.
Creates a new security or distribution group. You choose the scope (DomainLocal, Global, Universal) and category (Security or Distribution).
Adds one or more users (or computers) to a group. Separate multiple members with commas.
Lists everyone in a group. Great for auditing who has access to a particular resource.
Removes one or more users from a group — used when someone changes role or leaves a team.
Shows all groups a specific user is a member of. Handy for troubleshooting permission issues.
Adds a user to multiple groups in one command — more efficient than multiple Add-ADGroupMember calls.
Manage domain-joined machines — workstations, laptops, and servers.
Pre-stages a computer account in AD before a machine is joined to the domain. Good practice in managed environments.
Retrieves details about a domain-joined computer — last logon, OS version, location, and more.
Updates computer properties — add a description or physical location to help identify machines.
Removes a computer account from AD — used when decommissioning a machine or before re-imaging.
Structure your AD like a filing system — group objects together for easier management and policy application.
Creates a new OU container. Use these to organise users and computers by department, location, or function.
Moves any AD object (user, computer, group) to a different OU. Commonly used when someone changes department.
Updates OU properties. Automatically sets ProtectedFromAccidentalDeletion — a safety feature to prevent OUs being deleted by mistake.
Renames any AD object. Useful for correcting typos or reflecting organisational changes.
Managed service accounts (MSAs / gMSAs) run background services and applications without needing a human user.
Creates a Group Managed Service Account (gMSA) — a special account whose password is automatically managed by AD. Used for services like IIS or SQL.
Installs (links) a managed service account onto a specific computer so that computer can use it to run services.
Fine-grained password policies, account controls, and authentication silos for tighter security.
Creates a custom password policy that applies to specific users or groups — useful when IT admins need stronger passwords than regular staff.
Configures account flags like PasswordNeverExpires and CannotChangePassword. Useful for service accounts that should never be forced to change passwords.
Applies a fine-grained password policy to a specific group or user so they follow stricter (or looser) password rules than the domain default.
Shows the default password policy for the entire domain — minimum length, complexity requirements, lockout threshold etc.
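The Security category in practice, as an added example that is not BlockShell output: look at the domain default, create a stricter fine-grained password policy, apply it to a group, and confirm which policy a member actually gets. The policy name, the "IT Admins" group, the user jsmith and every numeric value are assumptions for illustration.

```powershell
# Added example (not generated by BlockShell): a fine-grained password policy for admins.
# Names and values are assumptions; adjust to your own standard before using in a lab.
Import-Module ActiveDirectory

# 1. Know the baseline you are tightening.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, LockoutThreshold, MaxPasswordAge

# 2. Create the stricter policy. If a user falls under several policies, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name "Admins-Strict" -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
    -Description "Stricter password rules for privileged accounts"

# 3. Apply it to a group rather than to individual users, so membership changes keep it in sync.
Add-ADFineGrainedPasswordPolicySubject -Identity "Admins-Strict" -Subjects "IT Admins"

# 4. Verify the resultant policy for a member of that group (jsmith is an assumed member).
Get-ADUserResultantPasswordPolicy -Identity "jsmith" |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Fine-grained password policies require a domain functional level of Windows Server 2008 or higher, which Get-ADDomain (in the Domain category) will tell you. Step 4 is the one people skip: a policy that exists but is not winning on precedence gives a false sense of security.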
High-level domain and forest operations — typically 2nd line and above territory.
Returns information about the current domain — its name, functional level, PDC emulator, and more. Great for quickly orienting yourself in an unknown environment.
Returns details about the entire AD forest — all domains, the schema master, and UPN suffixes. Useful in multi-domain environments.
Enables features like the AD Recycle Bin, which allows recovery of deleted objects. A critical safety feature you'll want enabled on every domain.
Transfers FSMO roles between domain controllers — an advanced operation usually done during DC maintenance or decommissioning.
Manage how AD data is replicated across multiple locations and domain controllers.
Creates an AD site — a logical grouping representing a physical location (e.g., "London-HQ" or "Manchester-Branch"). Sites control replication schedules and logon optimisation.
Lists any replication failures on a domain controller. A go-to command when troubleshooting AD changes not appearing on all DCs.
Forces replication of a single object immediately rather than waiting for the scheduled interval — useful after urgent account changes.
Connects two AD sites with a site link, controlling how and when they replicate. The Cost value determines preference — lower cost = preferred path.
Search, audit, and report on the state of your AD environment.
Finds accounts by state — locked out, disabled, expired, or inactive. The pre-configured block searches for locked-out user accounts, a daily task for 1st line.
Lists all domain controllers in the domain with their site, IP address, and OS. Essential when troubleshooting or planning maintenance.
Flexible search across all AD object types using a filter expression. Useful when you need to find something specific without knowing exactly where it lives.
Recovers a deleted AD object from the Recycle Bin. Only works if the AD Recycle Bin feature was enabled before the deletion occurred.
These are the situations you'll actually encounter in IT support. Follow each one in BlockShell to practise the full workflow.
A new marketing manager starts Monday. Create their account, add them to the right groups, and set an initial password.
New-ADUser: Name Emma Thompson, SamAccountName ethompson, and Path OU=Marketing,DC=corp,DC=com.
Set-ADAccountPassword: Identity ethompson and NewPassword a temporary password like TempP@ss2026!. This uses ConvertTo-SecureString automatically.
Enable-ADAccount: Identity ethompson — new accounts start disabled.
Add-ADGroupMember: Identity Marketing Team and Members ethompson. Repeat for any other groups she needs.

A user rings the helpdesk saying they can't log in. Most likely a lockout after too many wrong password attempts.
Get-ADUser: Identity the.user, to see all properties. The generated script outputs their account status, so you can confirm it's actually locked before doing anything.

An employee is leaving the company. Proper offboarding means disabling their account, removing group memberships, and documenting the action.
A new department is being set up. You need to create the OU, a security group, and populate it.
New-ADOrganizationalUnit: Name Cyber Security, Path DC=corp,DC=com.
New-ADGroup: Name Cyber Security Team, GroupScope Global, GroupCategory Security, Path pointing to your new OU.

The real value of BlockShell is that it teaches you PowerShell as you build. Here's how to read what gets generated — and what it all means.
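Before reading generated scripts line by line, here are the scenarios above written out as the kind of script BlockShell would produce. This is an added example for this guide, not the tool's own output: the usernames, the ticket reference, the Leavers OU and the group members are assumptions, and each scenario checks the object before changing it.

```powershell
# Added example (not BlockShell output): the four support scenarios as plain PowerShell.
# Usernames, ticket reference, Leavers OU and group members are assumed. Lab domain only.
Import-Module ActiveDirectory
$domainDn = "DC=corp,DC=com"

# --- New starter (account already created as in the walkthrough): temporary password ----------
# ConvertTo-SecureString is what BlockShell inserts for you; forcing a change at first logon
# means the temporary password you spoke over the phone never stays in use.
Set-ADAccountPassword -Identity "ethompson" -Reset `
    -NewPassword (ConvertTo-SecureString "TempP@ss2026!" -AsPlainText -Force)
Set-ADUser -Identity "ethompson" -ChangePasswordAtLogon $true

# --- "I can't log in": confirm it really is a lockout before touching anything ----------------
$user = "the.user"
$acct = Get-ADUser -Identity $user -Properties LockedOut, PasswordExpired, AccountExpirationDate, LastBadPasswordAttempt
$acct | Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired, AccountExpirationDate, LastBadPasswordAttempt
if ($acct.LockedOut) {
    Unlock-ADAccount -Identity $user
} else {
    Write-Warning "$user is not locked out; look at Enabled, expiry and password state above instead"
}

# --- Leaver: disable first, record why, strip group access, park in a Leavers OU --------------
$leaver = "ethompson"
$ticket = "INC-0000"                         # constructed ticket reference for the audit trail
Disable-ADAccount -Identity $leaver
Set-ADUser -Identity $leaver -Description ("Disabled {0:yyyy-MM-dd} by {1} ({2})" -f (Get-Date), $env:USERNAME, $ticket)
# Domain Users is the primary group and cannot be removed this way, so skip it.
Get-ADPrincipalGroupMembership -Identity $leaver |
    Where-Object { $_.Name -ne "Domain Users" } |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $leaver -Confirm:$false }
# Move-ADObject wants a DN or GUID, hence the Get-ADUser lookup.
Move-ADObject -Identity (Get-ADUser -Identity $leaver).DistinguishedName -TargetPath "OU=Leavers,$domainDn"

# --- New department: OU, then the group inside it, then members ------------------------------
$ouName = "Cyber Security"
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    # ProtectedFromAccidentalDeletion is on by default for new OUs.
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
New-ADGroup -Name "Cyber Security Team" -GroupScope Global -GroupCategory Security -Path "OU=$ouName,$domainDn"
Add-ADGroupMember -Identity "Cyber Security Team" -Members "jsmith", "sconnor"    # assumed members
Get-ADGroupMember -Identity "Cyber Security Team" | Select-Object SamAccountName
```

Notice that the leaver section never calls Remove-ADUser: the account is disabled, documented and moved, which is exactly the "disable first, delete later" rule from the tips. -Confirm:$false on Remove-ADGroupMember suppresses the interactive prompt so the script does not stall halfway through.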
Every PowerShell command is Verb-Noun. The verb tells you what's happening (Get, New, Set, Remove) and the noun tells you what object is being acted on (ADUser, ADGroup).
Anything starting with a hyphen is a parameter — it's like a labelled argument. -Identity "jdoe" means "the identity I'm targeting is jdoe". Parameters tell the command exactly what to do and with what.
Text values (usernames, paths, names) are wrapped in double quotes. Values like $true, $false, and numbers don't need quotes — they're not text, they're special PowerShell types.
Lines starting with # are comments — they're ignored when the script runs. BlockShell adds a date header automatically. You should add your own comments to explain what each section does.
The -Path parameter uses Distinguished Name format: OU=HR,DC=corp,DC=com. Read it right to left — DC=com is the top-level domain, DC=corp is the domain name, OU=HR is the organisational unit. Each comma separates a level. Nesting looks like: OU=Managers,OU=HR,DC=corp,DC=com.
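To make the right-to-left rule concrete, here is an added example (not part of BlockShell) that takes a Distinguished Name apart the way the text describes and builds one back up for a nested OU. It is pure string handling, so it runs in any PowerShell session without the ActiveDirectory module; the function names are my own.

```powershell
# Added example (not from BlockShell): parse a DN right to left, and build an OU path top-down.
function ConvertFrom-DistinguishedName {
    param([Parameter(Mandatory)][string]$Dn)
    # Split on commas that are not escaped with a backslash; "CN=Smith\, John" keeps its comma.
    $parts = foreach ($rdn in [regex]::Split($Dn, '(?<!\\),')) {
        $type, $value = $rdn -split '=', 2
        if ($null -eq $value) { throw "Malformed RDN '$rdn' in '$Dn'" }
        [pscustomobject]@{ Type = $type.Trim().ToUpper(); Value = $value.Trim() }
    }
    # DC components, joined with dots, give the DNS-style domain name.
    $dcs = @($parts | Where-Object { $_.Type -eq 'DC' } | ForEach-Object { $_.Value })
    # OUs appear innermost first in the DN; reverse them so they read top-down (parent before child).
    $ous = @($parts | Where-Object { $_.Type -eq 'OU' } | ForEach-Object { $_.Value })
    [array]::Reverse($ous)
    # The CN is the object itself; an OU's own DN has no CN.
    $leaf = $parts | Where-Object { $_.Type -eq 'CN' } | Select-Object -First 1
    $leafValue = if ($leaf) { $leaf.Value } else { $null }
    [pscustomobject]@{
        Domain = $dcs -join '.'
        OuPath = $ous -join ' / '
        Leaf   = $leafValue
        Depth  = $ous.Count
    }
}

# The opposite direction: a top-down list of OUs plus a DNS domain name becomes a -Path value.
function New-OuDistinguishedName {
    param([string[]]$OuChain, [Parameter(Mandatory)][string]$Domain)
    $dcPart = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    if (-not $OuChain) { return $dcPart }
    # Reverse the chain so the innermost OU comes first, as AD expects.
    $ouPart = ($OuChain[($OuChain.Count - 1)..0] | ForEach-Object { "OU=$_" }) -join ','
    "$ouPart,$dcPart"
}

ConvertFrom-DistinguishedName 'CN=John Smith,OU=Managers,OU=HR,DC=corp,DC=com'
New-OuDistinguishedName -OuChain 'HR', 'Managers' -Domain 'corp.com'
```

A handy habit: before dropping a New-ADUser block, run the builder with your intended OU chain and compare the result with what you typed into the Path field. Most "object not found" errors on -Path are a swapped OU order or a missing DC= level.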
BlockShell has several ways to save and share your work. Understanding the difference between them will save you from losing a complex block layout.
BlockShell automatically saves your workspace to your browser's local storage every second after you stop making changes. This means if you accidentally close the tab, your work will be there when you reopen the app in the same browser. This is not a backup — clearing browser data will erase it.
Saves your entire block layout as a .json file. This is your proper backup and the way to share workspaces with colleagues. Use this before making big changes. The filename includes a timestamp: blockshell_ad_workspace_1742123456789.json.
Loads a previously exported JSON file back into the canvas. Use this to pick up where you left off on another machine, or to load a template workspace your trainer has provided. The import will replace your current canvas.
Exports just the generated PowerShell as a blockshell_script.ps1 file — ready to be reviewed and run in a PowerShell session (with appropriate AD module access). This does not save your block layout, only the script output.
Things you'd normally only learn after six months on the helpdesk — condensed into one page.
Before modifying or deleting anything, run Get-ADUser (or Get-ADGroup, etc.) first to confirm you have the right object. Accidentally modifying the wrong account is a painful mistake.
Never immediately delete a leaving employee's account. Disable it, move it to a Leavers OU, and keep it for at least 30–90 days. You'll thank yourself when a manager asks for their old emails.
Blocks connected in sequence run top to bottom. Build your scripts like a checklist: create, configure, enable, add to groups. Reading it should tell you exactly what's happening step by step.
Use the Download Script button regularly and open the .ps1 files in Notepad or VS Code. Reading the real PowerShell is how you'll eventually memorise the syntax and move beyond BlockShell.
Set SamAccountNames consistently: first initial + surname (jsmith) is common. Whatever format your company uses — stick to it. Inconsistency makes AD searches a nightmare.
Run your generated scripts in a lab environment (a Windows Server VM with AD installed) before ever using them anywhere near a real domain. This is non-negotiable for any serious IT learning.
Don't guess what a block does — hover over it. Every block has a detailed tooltip explaining the command, what each parameter does, and when you'd use it. It's built-in documentation.
Build a workspace for your most common tasks (new starter, leaver, password reset) and save each as a JSON file. Next time, import it, update the names, and generate the script instantly.
Key terms you'll encounter when working with Active Directory and PowerShell.
SamAccountName: the login username (e.g. jsmith). Limited to 20 characters, no spaces.
Distinguished Name (DN): e.g. CN=John Smith,OU=HR,DC=corp,DC=com. Read right to left: domain → OU → object.
UserPrincipalName (UPN): e.g. jsmith@corp.com. Modern Windows environments often use UPN for login instead of SamAccountName.
Boolean: a true/false value, e.g. -Enabled $true or -PasswordNeverExpires $false.
SecureString: the ConvertTo-SecureString cmdlet (auto-added by BlockShell) converts a plain text password into this format.
AD Recycle Bin: turned on with Enable-ADOptionalFeature with "Recycle Bin Feature".

The most commonly used commands in BlockShell AD — at a glance.
| Command | When to use it |
|---|---|
| New-ADUser | New employee starting — create their account |
| Get-ADUser | Look up user details, check account status, last logon |
| Set-ADUser | Update department, title, manager after a promotion or role change |
| Disable-ADAccount | Employee leaves — disable immediately, delete later |
| Unlock-ADAccount | User locked out after too many failed login attempts |
| Set-ADAccountPassword | Password reset request from user or after a security incident |
| Add-ADGroupMember | Grant a user access to a shared resource or application |
| Remove-ADGroupMember | Revoke access when someone changes role or leaves a team |
| Get-ADGroupMember | Audit who has access to a particular group / resource |
| Get-ADPrincipalGroupMembership | Check which groups a specific user belongs to |
| Move-ADObject | Move a user to a different OU after a department transfer |
| New-ADOrganizationalUnit | New department or location needs its own container in AD |
| Search-ADAccount -LockedOut | Find all currently locked-out accounts across the domain |
| Get-ADDomainController | List all DCs — useful during troubleshooting or maintenance |
| Get-ADDomain | Get a quick overview of domain settings and functional level |
| Get-ADDefaultDomainPasswordPolicy | Check current domain password requirements |
| Restore-ADObject | Recover an accidentally deleted user or group (requires Recycle Bin) |
| Set-ADAccountExpiration | Set an end date for contractor or temporary staff accounts |
| Get-ADReplicationFailure | Troubleshoot why changes aren't appearing on all domain controllers |
| Enable-ADOptionalFeature | Turn on the AD Recycle Bin on a fresh domain setup |