You don't need to memorise PowerShell to manage users, groups, and computers. BlockShell lets you snap blocks together and see the real script it generates — so you learn by doing, not by guessing.
Before we touch BlockShell, let's understand what we're actually managing. Active Directory (AD) is Microsoft's directory service — essentially a central database that keeps track of every user, computer, group, and policy on a corporate network.
contoso.com. All users and computers that belong to the company exist within this domain.

When you open BlockShell AD, you'll see six key areas. Spend a minute getting familiar with the layout before dragging your first block.
Eight buttons across the top. Show Script (Ctrl+G) previews your generated PowerShell. Validate checks your script for common mistakes like placeholder values and destructive operations. Explain Script translates your blocks into plain English — great for learning. Split View shows a live code panel alongside your blocks. Templates loads a pre-built workflow. Download Script (Ctrl+S) saves a .ps1 file. Export Workspace (Ctrl+E) saves your blocks as JSON. Clear Workspace resets everything.
Below the toolbar you'll find a search bar — type any cmdlet name or category (e.g. "group", "remove", "New-ADUser") to instantly find and add blocks to the workspace. Beneath that is a Recently Used strip of chips showing your last 8 blocks, so you can re-add them in one click without opening the toolbox at all.
Nine colour-coded categories containing all available AD commands. Click a category to expand it and see the blocks inside. Each block represents one PowerShell command. You can also use the search bar above to find blocks without opening each category manually.
Your workspace where blocks are placed and connected. Drag blocks from the toolbox onto the canvas. Connect them vertically to build up a sequence of commands. Zoom in/out with the mouse wheel or the +/− buttons in the corner. When Split View is active, a live code panel appears on the right showing your script update in real time as you build.
Whenever you drag a block onto the canvas, a Cmdlet Info Panel automatically appears in the bottom-right corner. It shows the command name, a plain-English description of what it does, and a real example of how it's used. Click the × to dismiss it, or click anywhere outside it. Coverage spans all 80+ blocks in the tool.
Click the 🎓 Classroom button in the top-right header to enable Classroom Mode. Enter a student name, optionally hide all destructive blocks (Remove-* / Disable-*) to create a safer learning environment, and log every block the student uses with a timestamp. Activity logs can be exported as JSON for teacher review.
Let's walk through the full process of creating a new user account — from opening the toolbox to seeing the generated PowerShell script. This takes about two minutes.
In the left-hand toolbox panel, click "User Management". A flyout will appear showing all available user commands. You'll see New-ADUser, Get-ADUser, Set-ADUser, and more listed as draggable blocks.
Click and hold the New-ADUser block, then drag it into the empty canvas area and release. The block will appear on the canvas with three input fields: Name, SamAccountName, and Path.
Click directly on each text field inside the block to edit it.
Set Name to Sarah Connor,
SamAccountName to sconnor (this is the login username),
and Path to OU=Users,DC=corp,DC=com (the OU where the account will live).
Press Enter or click away to confirm each field.
New accounts are disabled by default. From the toolbox, drag Enable-ADAccount and hover it just below the New-ADUser block — you'll see a connection indicator appear. Drop it to snap the blocks together. Set the Identity field to sconnor.
Hit the Show Script button in the toolbar. A panel will appear showing the real PowerShell commands your blocks generate — including the date header and properly formatted parameters. You can copy it to your clipboard right there.
BlockShell includes a suite of tools designed to help you learn faster, catch mistakes before they matter, and build scripts with confidence. Here's how to get the most from each one.
Find any of the 80+ blocks instantly — no hunting through categories.
The search bar sits directly below the toolbar. Type a cmdlet name, verb, or keyword and results appear immediately with a colour-coded dot showing which category each block belongs to. Click a result to add that block directly to the canvas — the workspace scrolls to and selects the new block automatically.
8 pre-built block sequences for the most common AD tasks.
Click Templates in the toolbar to open the template library. Each card shows the blocks included and what the workflow does. Clicking a template adds those blocks to your current workspace — you then fill in the field values for your specific scenario and generate the script.
Creates account, sets password, enables it, and adds to groups — the complete new starter flow.
Disable account, remove from all groups, set account expiry — the safe leaver process.
Unlock a locked-out account and reset the password in one go.
Create a group and add initial members, then verify membership.
Check domain info, forest info, all DCs, and any replication failures.
Search for all locked-out accounts and display the current password policy.
Create a parent OU and two child OUs for a new department or site.
Pre-stage a computer, add a service account, then verify the account.
Catch problems before you generate your script.
Click Validate in the toolbar. The validator scans your entire workspace and reports issues in a panel colour-coded by severity. It currently checks for:
Catches blocks still containing example text like DC=domain,DC=com or domain.com — values you need to replace with your actual domain details before the script will work.
Flags blocks containing the example password P@ssw0rd. Never leave example passwords in scripts — they're well-known and offer no security.
Alerts you when your script contains Remove-* or Disable-* blocks, and recommends testing with -WhatIf where supported before running for real.
Every validation result includes a reminder that generated scripts require the ActiveDirectory module — either via RSAT on your workstation, or by running on a Domain Controller directly.
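A script-side version of those three checks, as an added example (not BlockShell's own validator code): it scans the text of a generated .ps1 for placeholder domain values, the P@ssw0rd example password and Remove-*/Disable-* cmdlets lacking -WhatIf, and always appends the ActiveDirectory module reminder. The sample script it runs over is constructed here and deliberately contains the mistakes.

```powershell
function Test-BlockShellScript {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptText)

    $findings = [System.Collections.Generic.List[object]]::new()
    $lines = $ScriptText -split "`r?`n"

    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        $n    = $i + 1
        if ($line -match '^\s*#') { continue }          # comment lines never execute

        # 1. Placeholder domain values left over from block defaults
        if ($line -match 'DC=domain,DC=com|\bdomain\.com\b') {
            $findings.Add([pscustomobject]@{ Severity = 'Error'; Line = $n
                Message = 'Placeholder domain value: replace with your real domain before running.' })
        }
        # 2. The well-known example password
        if ($line -match 'P@ssw0rd') {
            $findings.Add([pscustomobject]@{ Severity = 'Error'; Line = $n
                Message = 'Example password P@ssw0rd found: it offers no security, set a real one.' })
        }
        # 3. Destructive cmdlets, with a -WhatIf recommendation where it is missing
        if ($line -match '\b(Remove|Disable)-AD\w+') {
            $cmd = $Matches[0]
            $msg = "Destructive cmdlet $cmd without -WhatIf: test with -WhatIf before running for real."
            if ($line -match '-WhatIf') { $msg = "Destructive cmdlet $cmd (already has -WhatIf)." }
            $findings.Add([pscustomobject]@{ Severity = 'Warning'; Line = $n; Message = $msg })
        }
    }
    # 4. Every result carries the module reminder
    $findings.Add([pscustomobject]@{ Severity = 'Info'; Line = 0
        Message = 'Requires the ActiveDirectory module (RSAT on a workstation, or run on a Domain Controller).' })
    return $findings
}

# Constructed sample in the shape of a BlockShell-generated script (not real tool output)
$sample = @'
# BlockShell AD script - generated 2026-01-05
New-ADUser -Name "Sarah Connor" -SamAccountName "sconnor" -Path "OU=Users,DC=domain,DC=com"
Set-ADAccountPassword -Identity "sconnor" -Reset -NewPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force)
Remove-ADGroupMember -Identity "Marketing Team" -Members "sconnor" -Confirm:$false
Disable-ADAccount -Identity "oldaccount" -WhatIf
'@

Test-BlockShellScript -ScriptText $sample | Format-Table Severity, Line, Message -AutoSize
```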
Translate your blocks into plain English before generating PowerShell.
Click Explain Script and BlockShell produces a numbered list of what your script will do in human language — using the actual values you've entered in the blocks. For example: "1. Create a new user account named Sarah Connor with login name sconnor in the OU=Users,DC=corp,DC=com container. 2. Enable the account so the user can log in."
Destructive operations are highlighted in red within the explanation. This is ideal for students to verify they've built the right thing before their instructor reviews it, and for anyone new to PowerShell who wants to be certain they understand what a script will do.
Watch your PowerShell script build in real time alongside your blocks.
Toggle Split View in the toolbar to open a dark-themed code panel on the right side of the canvas. Every time you add, remove, or change a block, the code panel updates instantly — no need to click Show Script. This is one of the most effective learning features: you can see exactly which PowerShell syntax each block produces as you build, making the connection between visual blocks and real code immediately clear. The panel also has a Copy button to grab the current script.
Built-in documentation for every block — auto-opens when you place one.
Every time you drag a block onto the canvas, the Cmdlet Info Panel slides in from the bottom-right. It shows three things: the cmdlet name, a plain-English description of what the command does and when you'd use it, and a formatted example showing correct PowerShell syntax. Click anywhere outside the panel or press Escape to dismiss it. Documentation is available for all 80+ blocks in the tool.
For educators and training environments — track, restrict, and log student activity.
Click the 🎓 Classroom button in the top-right corner to open the Classroom Mode settings. Once enabled, a dark banner appears across the top of the app identifying the student session. Features include:
Enter the student's name — it's included in the classroom banner and in any exported activity logs, so you can match exports to the right student.
Toggle this on to remove all Remove-* and Disable-* commands from the toolbox entirely. Students can only use blocks that create, retrieve, or modify objects — preventing accidental destructive script generation in a learning context.
Every block the student places on the canvas is recorded with a timestamp. The settings panel shows a summary of the most-used blocks. Logs can be exported as JSON for the instructor to review, or cleared to start a fresh session.
BlockShell organises every AD command into nine colour-coded categories. Here's what lives in each one and when you'd use it.
Create, read, modify, and delete user accounts — the bread and butter of 1st line support.
Creates a brand new user account in AD. Essential for onboarding new starters.
Retrieves details about an existing user. Use to check properties like department, email, last logon.
Updates properties on an existing user — change department, title, manager, phone number etc.
Permanently deletes a user account. Used for offboarding leavers. Always confirm before running!
Enables a disabled account. Useful for returning employees or newly created accounts.
Disables an account without deleting it. Standard practice when an employee leaves — disable first, delete later.
Unlocks an account locked out after too many failed password attempts. One of the most common 1st line tasks.
Resets a user's password. The new password is passed as a SecureString — BlockShell handles this conversion for you.
Sets a date when the account will automatically expire — useful for contractors and temporary staff.
Removes any expiration date from an account, making it permanent again.
Control who belongs to which groups — the key to managing permissions at scale.
Creates a new security or distribution group. You choose the scope (DomainLocal, Global, Universal) and category (Security or Distribution).
Adds one or more users (or computers) to a group. Separate multiple members with commas.
Lists everyone in a group. Great for auditing who has access to a particular resource.
Removes one or more users from a group — used when someone changes role or leaves a team.
Shows all groups a specific user is a member of. Handy for troubleshooting permission issues.
Adds a user to multiple groups in one command — more efficient than multiple Add-ADGroupMember calls.
Manage domain-joined machines — workstations, laptops, and servers.
Pre-stages a computer account in AD before a machine is joined to the domain. Good practice in managed environments.
Retrieves details about a domain-joined computer — last logon, OS version, location, and more.
Updates computer properties — add a description or physical location to help identify machines.
Removes a computer account from AD — used when decommissioning a machine or before re-imaging.
Structure your AD like a filing system — group objects together for easier management and policy application.
Creates a new OU container. Use these to organise users and computers by department, location, or function.
Moves any AD object (user, computer, group) to a different OU. Commonly used when someone changes department.
Updates OU properties. Automatically sets ProtectedFromAccidentalDeletion — a safety feature to prevent OUs being deleted by mistake.
Renames any AD object. Useful for correcting typos or reflecting organisational changes.
Managed service accounts (MSAs / gMSAs) run background services and applications without needing a human user.
Creates a Group Managed Service Account (gMSA) — a special account whose password is automatically managed by AD. Used for services like IIS or SQL.
Installs (links) a managed service account onto a specific computer so that computer can use it to run services.
Fine-grained password policies, account controls, and authentication silos for tighter security.
Creates a custom password policy that applies to specific users or groups — useful when IT admins need stronger passwords than regular staff.
Configures account flags like PasswordNeverExpires and CannotChangePassword. Useful for service accounts that should never be forced to change passwords.
Applies a fine-grained password policy to a specific group or user so they follow stricter (or looser) password rules than the domain default.
Shows the default password policy for the entire domain — minimum length, complexity requirements, lockout threshold etc.
High-level domain and forest operations — typically 2nd line and above territory.
Returns information about the current domain — its name, functional level, PDC emulator, and more. Great for quickly orienting yourself in an unknown environment.
Returns details about the entire AD forest — all domains, the schema master, and UPN suffixes. Useful in multi-domain environments.
Enables features like the AD Recycle Bin, which allows recovery of deleted objects. A critical safety feature you'll want enabled on every domain.
Transfers FSMO roles between domain controllers — an advanced operation usually done during DC maintenance or decommissioning.
Manage how AD data is replicated across multiple locations and domain controllers.
Creates an AD site — a logical grouping representing a physical location (e.g., "London-HQ" or "Manchester-Branch"). Sites control replication schedules and logon optimisation.
Lists any replication failures on a domain controller. A go-to command when troubleshooting AD changes not appearing on all DCs.
Forces replication of a single object immediately rather than waiting for the scheduled interval — useful after urgent account changes.
Connects two AD sites with a site link, controlling how and when they replicate. The Cost value determines preference — lower cost = preferred path.
Search, audit, and report on the state of your AD environment.
Finds accounts by state — locked out, disabled, expired, or inactive. The pre-configured block searches for locked-out user accounts, a daily task for 1st line.
Lists all domain controllers in the domain with their site, IP address, and OS. Essential when troubleshooting or planning maintenance.
Flexible search across all AD object types using a filter expression. Useful when you need to find something specific without knowing exactly where it lives.
Recovers a deleted AD object from the Recycle Bin. Only works if the AD Recycle Bin feature was enabled before the deletion occurred.
These are the situations you'll actually encounter in IT support. Follow each one in BlockShell to practise the full workflow.
A new marketing manager starts Monday. Create their account, add them to the right groups, and set an initial password.
Drag New-ADUser and set Name to Emma Thompson, SamAccountName to ethompson, and Path to OU=Marketing,DC=corp,DC=com.
Drag Set-ADAccountPassword and set Identity to ethompson and NewPassword to a temporary password like TempP@ss2026!. This uses ConvertTo-SecureString automatically.
Drag Enable-ADAccount and set Identity to ethompson — new accounts start disabled.
Drag Add-ADGroupMember and set Identity to Marketing Team and Members to ethompson. Repeat for any other groups she needs.

A user rings the helpdesk saying they can't log in. Most likely a lockout after too many wrong password attempts.
Drag Get-ADUser and set Identity to the.user to see all properties. The generated script outputs their account status, so you can confirm it's actually locked before doing anything.

An employee is leaving the company. Proper offboarding means disabling their account, removing group memberships, and documenting the action.
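The leaver process just described, carried through as a runnable PowerShell script (an added example, not one of BlockShell's templates; the Leavers OU path, the 90-day retention window and the ticket reference are assumptions). It confirms the object first, disables rather than deletes, strips every group except the primary group, sets an expiry, records what was done in the Description, moves the object, and supports -WhatIf for a dry run:

```powershell
function Invoke-LeaverOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$LeaversOU       = "OU=Leavers,DC=corp,DC=com",   # assumed OU, adjust to your domain
        [int]$RetainDays         = 90,                             # keep the disabled account this long
        [string]$TicketReference = "TICKET-PLACEHOLDER"            # your helpdesk ticket id
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    try {
        # 1. Get before you Set: confirm the target object before touching it
        $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup, Enabled
        Write-Host "Target: $($user.Name) [$($user.DistinguishedName)] Enabled=$($user.Enabled)"

        # 2. Disable, never delete, on day one
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable-ADAccount")) {
            Disable-ADAccount -Identity $user
        }

        # 3. Remove group memberships; the primary group (normally Domain Users) cannot be removed
        $groups = Get-ADPrincipalGroupMembership -Identity $user |
                  Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }
        foreach ($g in $groups) {
            if ($PSCmdlet.ShouldProcess($g.Name, "Remove-ADGroupMember $($user.SamAccountName)")) {
                Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
            }
        }

        # 4. Expiry as a second control in case the account is ever re-enabled by mistake
        $expiry = (Get-Date).AddDays($RetainDays)
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set-ADAccountExpiration $($expiry.ToShortDateString())")) {
            Set-ADAccountExpiration -Identity $user -DateTime $expiry
        }

        # 5. Document the action on the object itself, then move it out of the live OU
        $note = "Offboarded $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME ($TicketReference); " +
                "groups removed: $($groups.Name -join ', ')"
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set-ADUser -Description")) {
            Set-ADUser -Identity $user -Description $note
        }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move-ADObject to $LeaversOU")) {
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOU
        }
        Write-Host "Offboarding complete for $($user.SamAccountName)."
    }
    catch {
        Write-Error "Offboarding failed for '$SamAccountName': $($_.Exception.Message)"
    }
}

# Dry run first, as the Validate tool recommends; drop -WhatIf to run for real
Invoke-LeaverOffboarding -SamAccountName "ethompson" -TicketReference "INC-0000 (placeholder)" -WhatIf
```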
A new department is being set up. You need to create the OU, a security group, and populate it.
Drag New-ADOrganizationalUnit and set Name to Cyber Security and Path to DC=corp,DC=com.
Drag New-ADGroup and set Name to Cyber Security Team, GroupScope to Global, GroupCategory to Security, and Path pointing to your new OU.

The real value of BlockShell is that it teaches you PowerShell as you build. Here's how to read what gets generated — and what it all means.
Every PowerShell command is Verb-Noun. The verb tells you what's happening (Get, New, Set, Remove) and the noun tells you what object is being acted on (ADUser, ADGroup).
Anything starting with a hyphen is a parameter — it's like a labelled argument. -Identity "jdoe" means "the identity I'm targeting is jdoe". Parameters tell the command exactly what to do and with what.
Text values (usernames, paths, names) are wrapped in double quotes. Values like $true, $false, and numbers don't need quotes — they're not text, they're special PowerShell types.
Lines starting with # are comments — they're ignored when the script runs. BlockShell adds a date header automatically. You should add your own comments to explain what each section does.
The -Path parameter uses Distinguished Name (DN) format: OU=HR,DC=corp,DC=com. Read it right to left — DC=com is the top-level domain, DC=corp is the domain name, OU=HR is the organisational unit. Each comma separates a level. Nesting looks like: OU=Managers,OU=HR,DC=corp,DC=com.
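The walkthrough's Sarah Connor script written out in full, so the anatomy above (Verb-Noun, parameters, quoting, comments, the DN path) can be read against real lines. This is an added example in the style of a BlockShell-generated script, not the tool's literal output; the UPN suffix corp.com, the password prompt via Read-Host and the closing Get-ADUser check are additions.

```powershell
# BlockShell AD style script (added example)
# Generated: 2026-01-05   <- BlockShell adds a date header comment like this automatically
Import-Module ActiveDirectory -ErrorAction Stop   # needs RSAT, or run on a Domain Controller

# Variable: holds the domain DN so "DC=corp,DC=com" is not hard-coded in every command
$DomainDN = (Get-ADDomain).DistinguishedName

try {
    # Verb-Noun: New = what happens, ADUser = the object acted on. Each -Parameter is a labelled argument.
    # -Path is a Distinguished Name, read right to left: domain (DC=...) then the OU.
    New-ADUser -Name "Sarah Connor" `
               -SamAccountName "sconnor" `
               -UserPrincipalName "sconnor@corp.com" `
               -Path "OU=Users,$DomainDN"

    # Caveat: an account with no password cannot be enabled while the domain policy requires one,
    # so set a password before Enable-ADAccount. Read-Host -AsSecureString keeps the password out of
    # the script file; BlockShell instead generates ConvertTo-SecureString from the block's field value.
    $initial = Read-Host -AsSecureString "Initial password for sconnor"
    Set-ADAccountPassword -Identity "sconnor" -Reset -NewPassword $initial

    # $true is a Boolean, so it is not quoted; this forces a change at first logon
    Set-ADUser -Identity "sconnor" -ChangePasswordAtLogon $true

    Enable-ADAccount -Identity "sconnor"

    # Confirm the result rather than assuming it (Get-* before you trust any change)
    Get-ADUser -Identity "sconnor" -Properties Enabled |
        Select-Object Name, SamAccountName, Enabled, DistinguishedName
}
catch {
    # Any failing command above jumps here; $_ holds the error record
    Write-Error "Script failed: $($_.Exception.Message)"
}
```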
BlockShell has several ways to save and share your work. Understanding the difference between them will save you from losing a complex block layout.
BlockShell automatically saves your workspace to your browser's local storage every second after you stop making changes. This means if you accidentally close the tab, your work will be there when you reopen the app in the same browser. This is not a backup — clearing browser data will erase it.
Saves your entire block layout as a .json file. This is your proper backup and the way to share workspaces with colleagues. Use this before making big changes. The filename includes a timestamp: blockshell_ad_workspace_1742123456789.json.
Loads a previously exported JSON file back into the canvas. Use this to pick up where you left off on another machine, or to load a template workspace your trainer has provided. The import will replace your current canvas.
Exports just the generated PowerShell as a blockshell_script.ps1 file — ready to be reviewed and run in a PowerShell session (with appropriate AD module access). This does not save your block layout, only the script output.
Things you'd normally only learn after six months on the helpdesk — condensed into one page.
Before modifying or deleting anything, run Get-ADUser (or Get-ADGroup, etc.) first to confirm you have the right object. Accidentally modifying the wrong account is a painful mistake.
Never immediately delete a leaving employee's account. Disable it, move it to a Leavers OU, and keep it for at least 30–90 days. You'll thank yourself when a manager asks for their old emails.
Blocks connected in sequence run top to bottom. Build your scripts like a checklist: create, configure, enable, add to groups. Reading it should tell you exactly what's happening step by step.
Use the Download Script button regularly and open the .ps1 files in Notepad or VS Code. Reading the real PowerShell is how you'll eventually memorise the syntax and move beyond BlockShell.
Set SamAccountNames consistently: first initial + surname (jsmith) is common. Whatever format your company uses — stick to it. Inconsistency makes AD searches a nightmare.
Run your generated scripts in a lab environment (a Windows Server VM with AD installed) before ever using them anywhere near a real domain. This is non-negotiable for any serious IT learning.
Every time you drag a block onto the canvas, the Cmdlet Info Panel opens automatically with a plain-English description and real example. It's built-in documentation that covers all 80+ commands. Use it every time you're unsure what a block does.
Open Templates in the toolbar and load a pre-built workflow for onboarding, offboarding, or domain health checks. For your own custom tasks, use Export Workspace (Ctrl+E) to save them as JSON. Import them next time to pick up exactly where you left off.
Hit Validate every time before downloading a script. It catches placeholder domain values, example passwords, and destructive operations that you might have overlooked. It takes one click and can save you real embarrassment in a lab or interview scenario.
Key terms you'll encounter when working with Active Directory and PowerShell.
SamAccountName: the login username (e.g. jsmith). Limited to 20 characters, no spaces.
Distinguished Name (DN): the full path to an object, e.g. CN=John Smith,OU=HR,DC=corp,DC=com. Read right to left: domain → OU → object.
User Principal Name (UPN): the email-style login name, e.g. jsmith@corp.com. Modern Windows environments often use UPN for login instead of SamAccountName.
Boolean ($true / $false): PowerShell's true and false values, written without quotes in parameters such as -Enabled $true or -PasswordNeverExpires $false.
SecureString: PowerShell's protected password type. The ConvertTo-SecureString cmdlet (auto-added by BlockShell) converts a plain text password into this format.
Variable: a named value starting with $, e.g. $DomainDN = (Get-ADDomain).DistinguishedName. It holds your domain's Distinguished Name so you don't have to hardcode DC=corp,DC=com in every command.
Try/Catch: PowerShell's error handling. Code inside try { } runs normally. If any command fails, execution jumps to catch { } which reports the error. BlockShell wraps all generated scripts in try/catch automatically.

The most commonly used commands in BlockShell AD — at a glance.
| Command / Action | When to use it |
|---|---|
| 🎓 BlockShell Tools | App features, not PS commands |
| Templates button | Load a pre-built workflow (onboarding, offboarding, health check, etc.) |
| Validate button | Check for placeholder values, example passwords, and destructive ops before downloading |
| Explain Script button | Get a plain-English summary of what your blocks will do — great before you generate |
| Split View button | Open the live code pane — watch PowerShell appear as you drag blocks |
| Search bar | Find any block instantly by typing its name or category keyword |
| 🎓 Classroom button | Enable student tracking, hide destructive blocks, and export activity logs |
| Ctrl+G | Show Script — open the generated PowerShell preview modal |
| Ctrl+S | Download Script — save your script as a .ps1 file immediately |
| Ctrl+E | Export Workspace — save your block layout as a JSON backup |
| 📋 AD PowerShell Commands | What the blocks generate |
| New-ADUser | New employee starting — create their account |
| Get-ADUser | Look up user details, check account status, last logon |
| Set-ADUser | Update department, title, manager after a promotion or role change |
| Disable-ADAccount | Employee leaves — disable immediately, delete later (safer than Remove) |
| Unlock-ADAccount | User locked out after too many failed login attempts |
| Set-ADAccountPassword | Password reset request from user or after a security incident |
| Set-ADAccountExpiration | Set an end date for contractor or temporary staff accounts |
| Clear-ADAccountExpiration | Remove expiry date when a temp worker becomes permanent staff |
| Add-ADGroupMember | Grant a user access to a shared resource or application |
| Remove-ADGroupMember | Revoke access when someone changes role or leaves a team |
| Get-ADGroupMember | Audit who has access to a particular group / resource |
| Get-ADPrincipalGroupMembership | Check which groups a specific user belongs to |
| Add-ADPrincipalGroupMembership | Add a user to multiple groups in one command — faster onboarding |
| Move-ADObject | Move a user to a different OU after a department transfer |
| New-ADOrganizationalUnit | New department or location needs its own container in AD |
| Search-ADAccount -LockedOut | Find all currently locked-out accounts across the domain |
| Get-ADDomainController | List all DCs — useful during troubleshooting or maintenance |
| Get-ADDomain | Get a quick overview of domain settings and functional level |
| Get-ADForest | See the full AD forest — all domains, schema master, UPN suffixes |
| Get-ADDefaultDomainPasswordPolicy | Check current domain password requirements and lockout settings |
| Restore-ADObject | Recover an accidentally deleted user or group (requires Recycle Bin) |
| Get-ADReplicationFailure | Troubleshoot why changes aren't appearing on all domain controllers |
| Sync-ADObject | Force an urgent change to replicate immediately to all DCs |
| Enable-ADOptionalFeature | Turn on the AD Recycle Bin on a fresh domain setup — do this first |
| New-ADServiceAccount | Create a gMSA for a service that needs automatic password management |
| Get-ADReplicationQueueOperation | Check for a replication backlog — too many items = bottleneck |