A nice feature in Active Directory is the ability to connect users with managers. On the user account you can manually go to the Organization tab, click on the Change button under manager, and type the name of the user’s manager. When you look at the same tab for the manager you will see the user under Direct Reports. It isn’t necessarily that difficult to manually change users in bulk but probably not very efficient. Let me show you how with the Active Directory module and PowerShell. It is easier than you think.
Latest posts by Jeffery Hicks (see all)

Configure the user ^

The easiest way to accomplish this is to get the user account and configure it with a manager. I’m running from a Windows 8 desktop with PowerShell v3 and Remote Server Administration (RSAT) tools installed. I need to add April Showers as the manager for Mae Flowers.

PS C:\> get-aduser mflowers | Set-ADUser -Manager ashowers

The best part is that I don’t have to know where either account resides. It really is that easy. The Set-ADUser cmdlet doesn’t write anything to the pipeline unless you use –Passthru. If you wanted to configure and verify with a single command you can try something like this:

PS C:\> get-aduser mflowers | Set-ADUser -Manager ashowers -PassThru | get-aduser -Properties Manager | Select Name,Manager

Name                                         Manager
----                                         -------
Mae Flowers                                  CN=April Showers,OU=Customer Service,OU=D...

Want to clear the entry? Set the manager to $Null.

PS C:\> get-aduser mflowers | Set-ADUser -Manager $null

Of course, it is just as easy to do this for several user accounts.

PS C:\> get-aduser -filter "department -eq 'Customer Service'" | Set-ADuser -Manager ashowers -passthru | get-aduser -Properties Title,Manager | Select Name,Title,Manager

get-aduser - Configure the user

I used –Passthru and the additional code to verify the results.

One thing you may have noticed, April Showers was set to be the manager of herself because account came up in the Get-ADUser filter. The better approach is to check the accounts first before committing the change. In my case, I should be able to tweak the filter.

PS C:\> get-aduser -filter "department -eq 'Customer Service' -AND samaccountname -ne 'ashowers'" | set-aduser -manager ashowers

Getting direct reports ^

Once a user account has people assigned to it, you will be able to find and user a DirectReports property.

PS C:\> get-aduser ashowers -Properties DirectReports | Select -Expand DirectReports

get-aduser - Getting direct reports

As you can see in the screenshot above all you get is the distinguishedname. For something a bit more meaningful try this:

PS C:\> get-aduser ashowers -Properties DirectReports | Select -Expand DirectReports | get-aduser -Properties Title | Select Name,Title

get-aduser - Getting direct reports 2

Reporting ^

With a little work, you can even create some basic organizational reports. Here is a script that uses a recursive function to list all mangers and subordinates.

#requires -version 3.0
#requires -modules ActiveDirectory

[Parameter(Position=0,Mandatory=$True,HelpMessage="Enter a top level user name")]

Function Get-DirectReports {


Process {
 $direct = Get-ADUser -Identity $DistinguishedName -Properties DirectReports

 if ($direct.DirectReports) {
  $direct.DirectReports | Get-ADUser -Properties Title | foreach {
   "{0} [{1}]" -f $_.Name.padleft($_.name.length+$tab),$_.title
   $_ | Get-DirectReports -Tab $($tab+2)

} #process

} #end function

$user = Get-ADUser $Identity -Properties DirectReports,Title
$reports = $user.DirectReports

"{0} [{1}]" -f $User.name,$User.Title

foreach ($report in $reports) {
$direct = $report | Get-ADUser -Properties DirectReports,Title,Department
"{0} [{1}]" -f $direct.name.padleft($direct.name.length+1,">"),$direct.Title
$direct | Get-DirectReports
} #foreach

The script writes a simple text list with some indentations to indicate which employees belong to which managers.

List all mangers and subordinates

Summary ^

Creating manager/employee relationships in Active Directory with PowerShell is not that difficult. You can even do something similar with computer accounts.

PS C:\> get-adcomputer chi-win8-01 | set-adcomputer -ManagedBy jeff

Notice how similar the syntax is? Once you get the basics, you can easily leverage what you already know to accomplish many other tasks.