# Execute PowerShell (Active Directory)

> Run validated PowerShell against on-prem Active Directory through your RMM

This tool lets a Neo Agent generate and run validated Active Directory PowerShell on a domain controller, executed through your connected RMM. It's how Neo manages on-prem and hybrid AD environments — user and computer accounts, organizational units, group membership, and infrastructure queries.

<Info>
  Enabled automatically when you turn on **Active Directory** permissions on the workflow's **Integrations** tab — there's no separate toggle in the tool list. Requires an RMM connection that can run scripts on the domain controller. See [Microsoft 365 integration](/integrations/m365/intro) and [on-prem setup](/integrations/m365/on-prem).
</Info>

## What It Does

* Create, update, disable, enable, and delete AD user accounts
* Reset passwords and unlock accounts
* Manage group membership — security groups, distribution groups, OUs
* Manage computer accounts and organizational units
* Query directory and infrastructure state
* Trigger an Azure AD Connect (Entra Connect) sync so on-prem changes propagate to the cloud

## Hybrid Environments

In a hybrid setup, configure the Microsoft 365 integration with the on-prem identity provider type. Neo makes the change on your domain controller and then triggers an Entra Connect sync, so a password reset or group change made on-prem shows up in the cloud automatically — no separate cloud action needed.

If a company has both directories but **no AD Connect sync** (identity provider type "Hybrid (no AD Connect sync)"), there is no sync to trigger — Neo instead applies identity changes to both on-prem AD and Entra ID directly, keeping the two independent directories consistent.

## Safety

| Control                    | Behavior                                                                                                                 |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| **Validated cmdlets**      | Code is parsed before it runs — only AD cmdlets are allowed; dangerous operations are blocked                            |
| **Allow / deny lists**     | Optionally restrict the agent to a specific set of cmdlets, or block specific ones                                       |
| **Technician-in-the-Loop** | Require human approval before any write — configurable on the Active Directory permission group                          |
| **Access level**           | Set the AD permission groups to Read Only to allow only query cmdlets                                                    |
| **Runs through your RMM**  | Execution uses your existing RMM agent on the domain controller — the same credentials and audit trail you already trust |
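
As an added illustration (not Neo Agent's own validator code), the following PowerShell function applies the first four controls in the table to a script before it runs: it parses the script with the PowerShell AST, requires every command to be an AD cmdlet (assumed here to mean the `Verb-ADNoun` naming convention), applies optional allow and deny lists, and under Read Only accepts only query verbs. The `$QueryVerbs` and `$PipelineHelpers` sets are assumptions for the example.

```powershell
# Added illustration, not Neo Agent's own validator. Assumptions: AD cmdlets are
# recognised by the Verb-ADNoun naming convention, read-only means the verbs in
# $QueryVerbs, and the pipeline helpers in $PipelineHelpers are permitted.
$QueryVerbs      = @('Get', 'Search', 'Test', 'Show')
$PipelineHelpers = @('Where-Object', 'Select-Object', 'Sort-Object', 'ForEach-Object', 'Measure-Object')

function Test-AdScriptAllowed {
    param(
        [Parameter(Mandatory)][string]$Script,
        [string[]]$AllowedCmdlets = @(),   # allow list; empty means every AD cmdlet is allowed
        [string[]]$DeniedCmdlets  = @(),   # deny list, checked even when an allow list is set
        [switch]$ReadOnly                  # Read Only access level: query verbs only
    )
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Script, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        return [pscustomobject]@{ Allowed = $false; Reason = "parse error: $($errors[0].Message)" }
    }
    # Walk every command invocation, including those nested in pipelines, loops and script blocks.
    $commands = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($cmd in $commands) {
        # GetCommandName() returns $null when the name is not a literal (e.g. & $var),
        # so anything the parser cannot name statically is rejected outright.
        $name = $cmd.GetCommandName()
        if (-not $name) {
            return [pscustomobject]@{ Allowed = $false; Reason = 'dynamic command names are blocked' }
        }
        if ($name -in $DeniedCmdlets) {
            return [pscustomobject]@{ Allowed = $false; Reason = "$name is on the deny list" }
        }
        if ($name -in $PipelineHelpers) { continue }
        # Aliases are not resolved, so they fail this check by default (conservative).
        $m = [regex]::Match($name, '^(?<verb>[A-Za-z]+)-AD[A-Za-z]+$')
        if (-not $m.Success) {
            return [pscustomobject]@{ Allowed = $false; Reason = "$name is not an Active Directory cmdlet" }
        }
        if ($AllowedCmdlets.Count -gt 0 -and $name -notin $AllowedCmdlets) {
            return [pscustomobject]@{ Allowed = $false; Reason = "$name is not on the allow list" }
        }
        if ($ReadOnly -and $m.Groups['verb'].Value -notin $QueryVerbs) {
            return [pscustomobject]@{ Allowed = $false; Reason = "$name is a write cmdlet but access level is Read Only" }
        }
    }
    return [pscustomobject]@{ Allowed = $true; Reason = 'ok' }
}

# Usage: the query passes under Read Only; the password reset is rejected.
Test-AdScriptAllowed -Script 'Get-ADUser -Filter * | Where-Object Enabled -eq $false' -ReadOnly
Test-AdScriptAllowed -Script 'Set-ADAccountPassword -Identity jdoe -Reset' -ReadOnly
```

Because the check runs on the parsed AST rather than on the text, a write cmdlet hidden inside a script block, loop or sub-expression is caught the same way as one at the top level.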

## How to Configure

<Steps>
  <Step title="Connect an RMM">
    Connect a [supported RMM](/integrations/rmm/intro) that can run scripts on the domain controller.
  </Step>

  <Step title="Configure the on-prem environment">
    Follow the [on-prem setup guide](/integrations/m365/on-prem) to point Neo at the domain controller.
  </Step>

  <Step title="Enable Active Directory permissions">
    On the workflow's **Integrations** tab, set the Active Directory permission groups (users, groups, computers, OUs, infrastructure, Entra Connect sync) to Read Only or Read / Write.
  </Step>

  <Step title="Set approval and cmdlet limits">
    Decide whether writes require technician approval, and optionally restrict the allowed cmdlets.
  </Step>
</Steps>

<Tip>
  Start with Read Only and technician approval on. Most onboarding and offboarding workflows only need a handful of cmdlets — restrict to those once you've seen what the agent uses.
</Tip>
