Are you tired of going through the motions of making changes to an Active Directory account using the Active Directory (AD) Users and Computers (ADUC) console application? If so, why not save yourself time and automate the trivial process of updating AD objects with PowerShell using the Set-ADUser cmdlet!
A common way to modify AD accounts is to use the ADUC console installed on your machine. However, this approach takes more time on average to make AD account changes, and the task can quickly become tedious.
This article explains how to use the AD PowerShell cmdlet Set-ADUser to make changes to AD user accounts.
Prerequisites/Requirements
This article is a walk-through on learning about the Set-ADUser PowerShell cmdlet. If you'd like to follow along, ensure that you have the following prerequisites in place.
- Read and write permissions to the AD environment you're using (the account running Set-ADUser needs write access to the user objects it will modify).
- The Remote Server Administration Tools (RSAT) package installed. This gives you the required ActiveDirectory PowerShell module.
Test Environment Setup Scripts
To expedite setting up a test environment, you can also download a script called Create-OU-Structure.ps1. This script will set up the following OU structure in AD:
- Department (Root OU)
  - Accounting (Nested OU)
    - Users
    - Computers
  - Marketing (Nested OU)
    - Users
    - Computers
  - IT (Nested OU)
    - Users
    - Computers
To get some AD user accounts to work with, you can also download and run a Populate-AD_Accounts.ps1 PowerShell script. This script adds sample user accounts to the Accounting, Marketing, and IT OUs.
The OUs and user accounts created by these two scripts are used throughout this article.
Inspecting AD User Accounts with Get-ADUser
Before you can modify a user account, you should first read it. To read an AD user account, you'll use the Get-ADUser cmdlet. The Get-ADUser cmdlet allows you to inspect one or more AD user accounts.
To demonstrate, use the Get-ADUser cmdlet to inspect the accountant_user1 user account created by the user-provisioning script described earlier.
Use the Identity parameter to specify the username. This parameter is required. Below you can see we're using the Properties parameter as well. By default, not all AD user account properties are returned. The Properties parameter tells Get-ADUser to return extra properties.
The acceptable values for the Identity parameter are: Distinguished Name, GUID (objectGUID), Security Identifier (objectSid), and SAM Account Name (sAMAccountName).
In addition, we're using the Select-Object cmdlet to limit the output to the AD properties we care about. As you can see below, this command only returns the Name, Department, physicalDeliveryOfficeName, and State user attributes.
PS51> Get-ADUser -Identity accountant_user1 -Properties Name,Department,physicalDeliveryOfficeName,State | Select-Object -Property Name,Department,physicalDeliveryOfficeName,State

Name             Department physicalDeliveryOfficeName State
----             ---------- -------------------------- -----
accountant_user1 Accounting Miami                      FL
Changing AD User Account Properties with Set-ADUser
Now that you know what the accountant_user1 user account properties are currently set to, change them with Set-ADUser.
The most important parameter you'll need to use with Set-ADUser is the Identity parameter. This parameter expects the same kinds of values as Get-ADUser does.
You can also use the PowerShell pipeline to pass the output of Get-ADUser to Set-ADUser without explicitly using the Identity parameter.
Changing the Office and State AD Attributes
To demonstrate changing some user account attributes, change the Office AD attribute from Miami to Atlanta and the State AD attribute from FL to GA for the accountant_user1 object. You'll see below that Set-ADUser has parameters that correlate to the AD attributes they change.
PS51> Set-ADUser -Identity accountant_user1 -Office 'Atlanta' -State 'GA'
By default, there is no output when running the Set-ADUser command. However, you can change this behavior by adding the Verbose parameter. The Verbose parameter displays detailed information about the operation being performed by the cmdlet.
Now run Get-ADUser using the Properties parameter again, passing the output of Get-ADUser to Select-Object.
PS51> Get-ADUser -Identity accountant_user1 -Properties Name,Department,physicalDeliveryOfficeName,State | Select-Object -Property Name,Department,physicalDeliveryOfficeName,State

Name             Department physicalDeliveryOfficeName State
----             ---------- -------------------------- -----
accountant_user1 Accounting Atlanta                    GA
Voilà! The accountant_user1 user object has been changed to include Atlanta and Georgia (as GA) as the Office and State AD attribute values, respectively.
Try running the following command to view the full list of parameters available and the syntax for the Set-ADUser cmdlet: Get-Help Set-ADUser.
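The following is an added example, not code from the original article: it applies the same Office/State change to every user in the Accounting OU by piping Get-ADUser into Set-ADUser, previews the change with -WhatIf, and re-reads each object afterwards to confirm it. The OU distinguished name and the corp.example domain are assumptions; adjust them to your environment.

```powershell
# Added example: bulk-update Office and State for the Accounting OU via the pipeline.
# Assumes the OU structure from Create-OU-Structure.ps1 under a placeholder
# domain (DC=corp,DC=example) - change $searchBase to match your forest.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,OU=Accounting,OU=Department,DC=corp,DC=example'
$newOffice  = 'Atlanta'
$newState   = 'GA'

# Select only accounts still carrying the old values. -Filter is evaluated
# server-side, so only matching objects come back over the wire.
$targets = Get-ADUser -SearchBase $searchBase `
    -Filter "Office -eq 'Miami' -and State -eq 'FL'" `
    -Properties Office,State

"Found $($targets.Count) account(s) to update"

# Dry run first: -WhatIf reports each change without touching AD.
$targets | Set-ADUser -Office $newOffice -State $newState -WhatIf

# Real run: the pipeline supplies -Identity, -Verbose echoes each operation,
# and -PassThru returns the modified objects for the verification step.
$updated = $targets | Set-ADUser -Office $newOffice -State $newState -Verbose -PassThru

# Verify by re-reading each object by its ObjectGUID, another valid -Identity form.
$report = foreach ($u in $updated) {
    $fresh = Get-ADUser -Identity $u.ObjectGUID -Properties Office,State
    [pscustomobject]@{
        SamAccountName = $fresh.SamAccountName
        Office         = $fresh.Office
        State          = $fresh.State
        Ok             = ($fresh.Office -eq $newOffice -and $fresh.State -eq $newState)
    }
}
$report | Format-Table -AutoSize
```

Any row with Ok set to False points at an object the write did not reach, for example because of a permissions gap on that OU.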
Changing the Title AD Attribute
The Set-ADUser cmdlet has several parameters available to change the property values of AD accounts. As an example, in this section you will focus on changing the Title property for a single user account.
Using the same approach as the previous section, you can see below that you can change the Title AD attribute using the Title parameter on Set-ADUser.
PS51> Set-ADUser -Identity it_user12 -Title 'CIO'
Once the change has been made, check that it was successful using Get-ADUser, just as we did in the previous section. Below you can see the AD attribute Title has been changed to CIO.
PS51> Get-ADUser -Identity it_user12 -Properties Name,Department,title | Select-Object -Property Name,Department,title

Name      Department title
----      ---------- -----
it_user12 IT         CIO
Using Alternate Credentials
By default, Set-ADUser runs under the context of the logged-on user. But you can change this behavior by providing an alternate credential set using the Credential parameter.
To authenticate to AD with alternate credentials, you have to create a PSCredential object using Get-Credential as seen below.
For more information on creating a PSCredential object, check out the ATA blog post entitled Using the PowerShell Get-Credential cmdlet and all things credentials.
PS51> $credential = Get-Credential
Now, pass the PSCredential object to the Credential parameter of Set-ADUser as shown below. This passes the username and password stored in the credential set to AD to authenticate and make the required change.
PS51> Set-ADUser -Identity it_user12 -Title 'Senior Software Developer' -Credential $credential
Disabling AD User Accounts
It is best practice to disable AD accounts that are no longer in use or, in a company setting, when people leave an organization. The next task is to disable a single user account in the Marketing OU.
First, review the AD user object before you make changes to it with Get-ADUser, using the Properties parameter and the Select-Object cmdlet you've been using throughout this article. You can see an example of inspecting the market_user6 user account below.
You can see an Enabled property returned of True. When the account is disabled, this property returns False.
PS51> Get-ADUser -Identity market_user6 -Properties Name,Department,Enabled | Select-Object -Property Name,Department,Enabled

Name         Department Enabled
----         ---------- -------
market_user6 Marketing  True
Next, disable the user object using the Set-ADUser cmdlet. Disable the AD account for the market_user6 user by using the Enabled parameter and setting the value to $false or 0. Below you can see an example of this.
PS51> Set-AdUser -Identity market_user6 -Enabled $False
Now, check that the correct change was made by running the Get-ADUser command again as shown below.
PS51> Get-ADUser -Identity market_user6 -Properties Name,Department,Enabled | Select-Object -Property Name,Department,Enabled

Name         Department Enabled
----         ---------- -------
market_user6 Marketing  False
The market_user6 user is now disabled in AD!
Note: You can also use the Disable-ADAccount cmdlet to disable AD accounts.
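As an added example that is not part of the original article, the function below wraps the disable step from this section together with the alternate-credential technique from the Using Alternate Credentials section: it disables each account with Set-ADUser -Enabled $false, stamps the Description with the date and reason so the change is traceable later, supports -WhatIf, and re-reads the object to confirm Enabled is now False. The function name Disable-DepartedUser and the market_user7 account are assumptions.

```powershell
# Added example: disable departing users' accounts and confirm the result.
# Assumes sAMAccountNames from Populate-AD_Accounts.ps1 (market_user7 is hypothetical).
Import-Module ActiveDirectory

function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity,
        [string]$Reason = 'Left organization',
        [pscredential]$Credential          # optional alternate credential set
    )
    process {
        foreach ($id in $Identity) {
            # Splat -Credential only when one was supplied
            $adArgs = @{}
            if ($Credential) { $adArgs['Credential'] = $Credential }

            try {
                $user = Get-ADUser -Identity $id -Properties Enabled,Description @adArgs -ErrorAction Stop
            } catch {
                Write-Warning "$id not found or not readable: $($_.Exception.Message)"
                continue
            }
            if (-not $user.Enabled) { Write-Verbose "$id is already disabled"; continue }

            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Disable ($Reason)")) {
                $stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') - $Reason"
                Set-ADUser -Identity $user -Enabled $false -Description $stamp @adArgs

                # Re-read the object, as the article does with Get-ADUser, to confirm the change
                $after = Get-ADUser -Identity $user.ObjectGUID -Properties Enabled,Description @adArgs
                [pscustomobject]@{
                    SamAccountName = $after.SamAccountName
                    Enabled        = $after.Enabled
                    Description    = $after.Description
                }
            }
        }
    }
}

# Preview first, then apply with alternate credentials
'market_user6' | Disable-DepartedUser -Reason 'Contract ended' -WhatIf
$credential = Get-Credential
'market_user6','market_user7' | Disable-DepartedUser -Reason 'Contract ended' -Credential $credential -Verbose
```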
Summary
In this article, you learned how to inspect AD user accounts with the Get-ADUser PowerShell cmdlet and make changes to AD user objects with the Set-ADUser cmdlet.
The ability to make changes to the user objects in AD is a crucial skill needed in many organizations to remove the need for a GUI and promote automation.
Now get automating!