Set-ADUser: Modifying Active Directory Users with PowerShell

Published: 12 November 2019 - 5 min. read


Kevin Sapp


Are you tired of going through the motions of making changes to an Active Directory account using the Active Directory (AD) Users and Computers (ADUC) console application? If so, why not save yourself time and automate the trivial process of updating AD objects with PowerShell using the Set-ADUser cmdlet!


A common way to modify AD accounts is to use the ADUC console installed on your machine. The caveat with this approach is that each account change takes more time on average, and the task quickly becomes tedious.

This article will explain the details on how to use the AD PowerShell cmdlet set-aduser to make changes to AD user accounts.

Prerequisites/Requirements

This article is a walk-through on learning about the Set-ADUser PowerShell cmdlet. If you’d like to follow along, ensure that you have the following prerequisites in place.

Test Environment Setup Scripts

To expedite setting up a test environment, you can also download a script called Create-OU-Structure.ps1. This script will set up the following OU structure in AD:

  • Department (Root OU)
      • Accounting (Nested OU)
          • Users
          • Computers
      • Marketing (Nested OU)
          • Users
          • Computers
      • IT (Nested OU)
          • Users
          • Computers

To get some AD user accounts to work with, you can also download and run a Populate-AD_Accounts.ps1 PowerShell script. This script will add sample user accounts to the Accounting, Marketing, and IT OUs.

The OUs and user accounts created from these two scripts will be used throughout this article.

Inspecting AD User Accounts with Get-ADUser

Before you can modify a user account, you should first read a user account. To read an AD user account, you’ll use the Get-ADUser cmdlet. The Get-ADUser cmdlet allows you to inspect one or more AD user accounts.

To demonstrate, use the Get-ADUser cmdlet to inspect the accountant_user1 user account created from the user-provisioning script described earlier.

Use the Identity parameter to specify the username. This parameter is required. Below you can see we’re using the Properties parameter as well. By default, not all AD user account properties are returned. The Properties parameter tells Get-ADUser to return extra properties.

The acceptable values for the Identity parameter are: Distinguished Name, GUID (objectGUID), Security Identifier (objectSid), and SAM Account Name (sAMAccountName).

In addition, we’re using the Select-Object cmdlet to limit the output to a subset of the properties retrieved from AD. As you can see below, this command only returns the Name, Department, physicalDeliveryOfficeName, and State user attributes.

PS51> Get-ADUser -Identity accountant_user1 -Properties Name,Department,physicalDeliveryOfficeName,st | Select-Object -Property Name,Department,physicalDeliveryOfficeName,State

Name             Department physicalDeliveryOfficeName State
----             ---------- -------------------------- --
accountant_user1 Accounting Miami                      FL

Changing AD User Account Properties with Set-ADUser

Now that you know what the accountant_user1 user account properties are currently set to, change them with Set-ADUser.

The most important parameter you’ll need to use with Set-ADUser is the Identity parameter. This parameter expects the same value as Get-ADUser does.

You can also use the PowerShell pipeline to pass the output of Get-ADUser to Set-ADUser, in which case you do not need to use the Identity parameter explicitly.

Changing the Office and State AD Attributes

To demonstrate changing some user account attributes, change the Office AD attribute from Miami to Atlanta and State AD attribute from FL to GA for the accountant_user1 object. You’ll see below that Set-ADUser has parameters that correlate to the AD attributes they are changing.

PS51> Set-ADUser -Identity accountant_user1 -Office 'Atlanta' -State 'GA'

By default, there is no output when running the Set-ADUser command. However, you can change this behavior by adding the Verbose parameter. The Verbose parameter displays detailed information about the operation being performed by the cmdlet.

Now run Get-ADUser with the Properties parameter again, passing its output to Select-Object.

PS51> Get-ADUser -Identity accountant_user1 -Properties Name,Department,physicalDeliveryOfficeName,State | Select-Object -Property Name,Department,physicalDeliveryOfficeName,State

Name             Department physicalDeliveryOfficeName State
----             ---------- -------------------------- --
accountant_user1 Accounting Atlanta                    GA

Voila! The accountant_user1 user object has been changed to include Atlanta and Georgia (as GA) as the Office and State AD attribute values, respectively.

Try running the following command to view the full list of parameters available and the syntax for the Set-ADUser cmdlet: Get-Help Set-ADUser.
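The pipeline approach mentioned above, as an added example that is not part of the original article: every user in the Accounting Users OU whose Office is still Miami is moved to Atlanta/GA, previewed with -WhatIf first, and then read back from AD to confirm the write actually landed. The domain DN (DC=contoso,DC=com) is an assumption; replace it with your own.

```powershell
# Added example (not from the original article): bulk Office/State update via the pipeline.
# Assumption: the domain is contoso.com and the OU structure is the one created by Create-OU-Structure.ps1.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,OU=Accounting,OU=Department,DC=contoso,DC=com'  # assumed DN
$newOffice  = 'Atlanta'
$newState   = 'GA'

# Only select accounts that still carry the old value, so re-running the script is harmless.
$targets = @(Get-ADUser -Filter "physicalDeliveryOfficeName -eq 'Miami'" `
                        -SearchBase $searchBase -SearchScope Subtree `
                        -Properties physicalDeliveryOfficeName, State)

Write-Host "Found $($targets.Count) account(s) to update."

# Dry run: -WhatIf shows what Set-ADUser would change without writing to AD.
$targets | Set-ADUser -Office $newOffice -State $newState -WhatIf

# Real run: the piped ADUser object supplies -Identity, -PassThru returns the modified
# objects, and -Verbose logs each modify operation for the change record.
$changed = @($targets | Set-ADUser -Office $newOffice -State $newState -PassThru -Verbose)

# Verify by re-reading from the directory rather than trusting the in-memory objects.
$report = foreach ($u in $changed) {
    Get-ADUser -Identity $u.SamAccountName -Properties physicalDeliveryOfficeName, State |
        Select-Object SamAccountName, physicalDeliveryOfficeName, State,
            @{ n = 'Ok'; e = { $_.physicalDeliveryOfficeName -eq $newOffice -and $_.State -eq $newState } }
}
$report | Format-Table -AutoSize

$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) account(s) did not update as expected; review the report above."
}
```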

Changing the Title AD Attribute

The Set-ADUser cmdlet has several parameters available to change the property values of AD accounts. Just as an example, in this section, you will focus on changing the Title property for a single user account.

Using the same approach as in the previous section, you can change the Title AD attribute with the Title parameter on Set-ADUser, as shown below.

PS51> Set-ADUser -Identity it_user12 -Title 'CIO'

Once the change has been made, now check to make sure that the change was successful using Get-ADUser just as we did in the previous section. Below you can see the AD attribute Title has been changed to CIO.

PS51> Get-ADUser -Identity it_user12 -Properties Name,Department,title | Select-Object -Property Name,Department,title

Name      Department title
----      ---------- -----
it_user12 IT         CIO

Using Alternate Credentials

By default, Set-ADUser runs under the context of the logged-on user. But you can change this behavior by providing an alternate credential set using the Credential parameter.

To authenticate to AD with alternate credentials, you have to create a PSCredential object using Get-Credential as seen below.

For more information on creating a PSCredential object, check out the ATA blog post entitled Using the PowerShell Get-Credential cmdlet and all things credentials.

PS51> $credential = Get-Credential

Now, pass the PSCredential object to the Credential parameter with Set-ADUser as shown below. This will pass the username and password stored in the credential set to AD to authenticate and make the required change.

PS51> Set-ADUser -Identity it_user12 -Title 'Senior Software Developer' -Credential $credential

Disabling AD User Accounts

It is best practice to disable AD accounts that are no longer in use or, in a company setting, when people leave an organization. The next task is to disable a single user account in the Marketing OU.

First, review the AD user object before you make changes to it with Get-ADUser using the Properties parameter and Select-Object cmdlet you’ve been using throughout this article. You can see an example of inspecting the market_user6 user account below.

You can see an Enabled property returned of True. When disabled, this property will return False.

PS51> Get-ADUser -Identity market_user6 -Properties Name,Department,Enabled | Select-Object -Property Name,Department,Enabled

Name         Department Enabled
----         ---------- -------
market_user6 Marketing     True

Next, disable the user object using the Set-ADUser cmdlet. Disable the AD account for the market_user6 user by using the Enabled parameter and setting its value to $false or 0. Below you can see an example of this.


PS51> Set-AdUser -Identity market_user6 -Enabled $False

Now, check that the correct changes were implemented by running the Get-ADUser command again as shown below.

PS51> Get-ADUser -Identity market_user6 -Properties Name,Department,Enabled | Select-Object -Property Name,Department,Enabled

Name         Department Enabled
----         ---------- -------
market_user6 Marketing    False

The market_user6 user is now disabled in AD!

Note: You can also leverage using the Disable-ADAccount cmdlet to disable AD accounts.
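The disable procedure above applied to a list of leavers, as an added example that is not part of the original article: each account is resolved first, disabled with Set-ADUser -Enabled $false only if it is still enabled, re-read from AD to confirm Enabled is now False, and written to an audit CSV. The account list is constructed from the article's sample set and the log path is an assumption.

```powershell
# Added example (not from the original article): disable leaver accounts and verify the result.
# Assumptions: the account names are a constructed sample list and C:\Temp is writable.
Import-Module ActiveDirectory

$leavers = @('market_user6', 'market_user7')   # constructed sample list of leavers
$logPath = 'C:\Temp\disabled-accounts.csv'     # assumed audit log location
$stamp   = Get-Date -Format 'yyyy-MM-dd HH:mm'

$results = foreach ($sam in $leavers) {
    # Resolve the account first so a typo in the list is reported instead of silently skipped.
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Properties Enabled
    if (-not $user) {
        [pscustomobject]@{ Account = $sam; Before = $null; After = $null; Status = 'NotFound'; When = $stamp }
        continue
    }

    $before = $user.Enabled
    if ($before) {
        # Same effect as: Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Enabled $false -Verbose
    }

    # Re-read from the directory rather than trusting the object we already hold.
    $after  = (Get-ADUser -Identity $user.DistinguishedName -Properties Enabled).Enabled
    $status = if ($after -eq $false) { 'Disabled' } else { 'Failed' }

    [pscustomobject]@{
        Account = $sam
        Before  = $before
        After   = $after
        Status  = $status
        When    = $stamp
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path $logPath -NoTypeInformation -Append

$needsAttention = @($results | Where-Object { $_.Status -ne 'Disabled' })
if ($needsAttention.Count -gt 0) {
    Write-Warning "$($needsAttention.Count) account(s) need attention; see $logPath"
}
```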

Summary

In this article, you learned how to inspect AD user accounts with the Get-ADUser PowerShell cmdlet and make changes to AD user objects with the Set-ADUser cmdlet.

The ability to make changes to the user objects in AD is a crucial skill needed in many organizations to remove the need for a GUI and promote automation.

Now get automating!
