diff --git a/xCAT-server/lib/perl/xCAT/ADUtils.pm b/xCAT-server/lib/perl/xCAT/ADUtils.pm
index 2720c541b..2554f5eff 100644
--- a/xCAT-server/lib/perl/xCAT/ADUtils.pm
+++ b/xCAT-server/lib/perl/xCAT/ADUtils.pm
@@ -98,7 +98,6 @@ sub list_user_accounts { #provide enough data to construct an /etc/passwd lookin
     my $searchin;
     my $searcherr = gensym;
     my $search = open3($searchin,$searchout,$searcherr,@searchcmd);
-    print Dumper(@searchcmd);
     my $searchselect = IO::Select->new($searchout,$searchin);
     my @handles;
     my $failure;
@@ -107,7 +106,6 @@ sub list_user_accounts { #provide enough data to construct an /etc/passwd lookin
     while (@handles = $searchselect->can_read()) {
         foreach (@handles) {
             my $line = <$_>;
-            print $line;
             if (not defined $line) {
                 $searchselect->remove($_);
                 next;
diff --git a/xCAT-server/lib/xcat/plugins/activedirectory.pm b/xCAT-server/lib/xcat/plugins/activedirectory.pm
index ed3c70833..0995ec1b1 100644
--- a/xCAT-server/lib/xcat/plugins/activedirectory.pm
+++ b/xCAT-server/lib/xcat/plugins/activedirectory.pm
@@ -14,6 +14,10 @@ sub handled_commands {
     return {
         addclusteruser => 'site:directoryprovider',
         addclouduser => 'site:directoryprovider',
+        delclusteruser => 'site:directoryprovider',
+        delclouduser => 'site:directoryprovider',
+        listclusterusers => 'site:directoryprovider',
+        listcloudusers => 'site:directoryprovider',
     };
 }
 
@@ -23,7 +27,84 @@ sub process_request {
     $callback = shift;
     my $doreq = shift;
     use Data::Dumper;
-    if ($command =~ /add.*user/) { #user management command, adding
+    my $sitetab = xCAT::Table->new('site');
+    my $domain;
+    $domain = $sitetab->getAttribs({key=>'domain'},['value']);
+    if ($domain and $domain->{value}) { 
+        $domain = $domain->{value};
+    } else {
+        $domain = undef;
+    }
+    #TODO: if multi-domain support implemented, use the domains table to reference between realm and domain  
+    my $server = $sitetab->getAttribs({key=>'directoryserver'},['value']);
+    my $realm = $sitetab->getAttribs({key=>'realm'},['value']);
+    if ($realm and $realm->{value}) {
+        $realm = $realm->{value};
+    } else {
+        $realm = uc($domain);
+        $realm =~ s/\.$//; #remove trailing dot if provided
+    }
+    my $passtab = xCAT::Table->new('passwd');
+    my $adpent = $passtab->getAttribs({key=>'activedirectory'},[qw/username password/]);
+    unless ($adpent and $adpent->{username} and $adpent->{password}) {
+        sendmsg([1,"activedirectory entry missing from passwd table"]);
+        return 1;
+    }
+    if ($server and $server->{value}) {
+        $server = $server->{value};
+    } else {
+        my $res = Net::DNS::Resolver->new;
+        my $query = $res->query("_ldap._tcp.$domain","SRV");
+        if ($query) {
+            foreach my $srec ($query->answer) {
+                $server = $srec->{target};
+            }
+        }
+        unless ($server) {
+            sendmsg([1,"Unable to determine a directory server to communicate with, try site.directoryserver"]);
+            return;
+        }
+    }
+    if ($command =~ /list.*user/) { #user management command, listing
+        my $passwdfmt;
+        @ARGV=@{$request->{arg}};
+        Getopt::Long::Configure("bundling");
+        Getopt::Long::Configure("no_pass_through");
+        if (!GetOptions(
+            'p' => \$passwdfmt
+            )) {
+            die "TODO: usage message";
+        }
+         unless ($domain and $realm) {
+             sendmsg([1,"Unable to determine domain from arguments or site tabel"]);
+             return undef;
+         }
+         my $err = xCAT::ADUtils::krb_login(username=>$adpent->{username},password=>$adpent->{password},realm=>$realm);
+         if ($err) {
+             sendmsg([1,"Error authenticating to Active Directory"]);
+             return 1;
+         }
+         my $accounts = xCAT::ADUtils::list_user_accounts(
+            dnsdomain => $domain,
+            directoryserver=> $server,
+         );
+         if ($passwdfmt) {
+             my $account;
+             foreach $account (keys %$accounts) {
+                 my $textout = ":".$account.":x:"; #first colon is because sendmsg would mistake it for a description
+                 foreach (qw/uid gid fullname homedir shell/) {
+                     $textout .= $accounts->{$account}->{$_}.":";
+                 }
+                 $textout =~ s/:$//;
+                 sendmsg($textout);
+             }
+         } else {
+             my $account;
+             foreach $account (keys %$accounts) {
+                 sendmsg($account);
+             }
+         }
+    } elsif ($command =~ /add.*user/) { #user management command, adding
         my $homedir;
         my $fullname;
         my $gid;
@@ -43,48 +124,20 @@ sub process_request {
          }
          my $username = shift @ARGV;
          my $domain;
-         my $sitetab = xCAT::Table->new('site');
          if ($username =~ /@/) {
              ($username,$domain) = split /@/,$username;
              $domain = lc($domain);
-         } else {
-             $domain = $sitetab->getAttribs({key=>'domain'},['value']);
-             unless ($domain and $domain->{value}) { 
-                 sendmsg([1,"Domain not provided and none set in site table"]);
-             }
-             $domain = $domain->{value};
-         }
-         #TODO: if multi-domain support implemented, use the domains table to reference between realm and domain  
-         my $server = $sitetab->getAttribs({key=>'directoryserver'},['value']);
-         if ($server and $server->{value}) {
-             $server = $server->{value};
-         } else {
-             my $res = Net::DNS::Resolver->new;
-             my $query = $res->query("_ldap._tcp.$domain","SRV");
-             if ($query) {
-                 foreach my $srec ($query->answer) {
-                     $server = $srec->{target};
-                 }
-             }
-             unless ($server) {
-                 sendmsg([1,"Unable to determine a directory server to communicate with, try site.directoryserver"]);
-             }
+         } 
+         unless ($domain) {
+             sendmsg([1,"Unable to determine domain from arguments or site tabel"]);
+             return undef;
          }
 
-         my $realm = $sitetab->getAttribs({key=>'realm'},['value']);
-         if ($realm and $realm->{value}) {
-             $realm = $realm->{value};
-         } else {
-             $realm = uc($domain);
-             $realm =~ s/\.$//; #remove trailing dot if provided
-         }
          #my $domainstab = xCAT::Table->new('domains');
          #$realm = $domainstab->getAttribs({domain=>$domain},
-         my $passtab = xCAT::Table->new('passwd');
-         my $adpent = $passtab->getAttribs({key=>'activedirectory'},[qw/username password/]);
-         unless ($adpent and $adpent->{username} and $adpent->{password}) {
-             sendmsg([1,"activedirectory entry missing from passwd table"]);
-             return 1;
+         unless ($realm) {
+            $realm = uc($domain);
+            $realm =~ s/\.$//; #remove trailing dot if provided
          }
 
          my $err = xCAT::ADUtils::krb_login(username=>$adpent->{username},password=>$adpent->{password},realm=>$realm);
@@ -96,7 +149,7 @@ sub process_request {
             username => $username,
             dnsdomain => $domain,
             directoryserver=> $server,
-        );
+         );
          if ($fullname) { $args{fullname} = $fullname };
          if ($ou)  { $args{ou} = $ou };
          if ($request->{environment} and