Are you tired of going through the motions of making changes to an Active Directory account using the Active Directory (AD) Users and Computers (ADUC) console application? If so, why not save yourself time and automate the trivial process of updating AD objects with PowerShell using the set-aduser cmdlet!
A common way to modify AD accounts is to use ADUC installed on your machine. However, this approach takes more time on average per change, and the task quickly becomes tedious.
This article will explain the details on how to use the AD PowerShell cmdlet set-aduser to make changes to AD user accounts.
This article is a walk-through on learning about the Set-ADUser PowerShell cmdlet. If you’d like to follow along, ensure that you have the following prerequisites in place.
- Read and write permissions to the AD environment you’re using.
- The Remote Server Administration Tools (RSAT) package installed. This gives you the required ActiveDirectory PowerShell module.
Test Environment Setup Scripts
To expedite setting up a test environment, you can also download a script called Create-OU-Structure.ps1. This script will set up the following OU structure in AD:
- Department (Root OU)
- Accounting (Nested OU)
- Marketing (Nested OU)
- IT (Nested OU)
To get some AD user accounts to work with, you can also download and run a Populate-AD_Accounts.ps1 PowerShell script. This script will add sample user accounts to the Accounting, Marketing, and IT OUs.
The OUs and user accounts created from these two scripts will be used throughout this article.
Inspecting AD User Accounts with Get-ADUser
Before you can modify a user account, you should first read a user account. To read an AD user account, you’ll use the Get-ADUser cmdlet. The Get-ADUser cmdlet allows you to inspect one or more AD user accounts.
To demonstrate, use the Get-ADUser cmdlet to inspect the accountant_user1 user account created from the user-provisioning script described earlier. The Identity parameter specifies the username; this parameter is required. Below you can see we’re using the Properties parameter as well. By default, not all AD user account properties are returned. The Properties parameter tells Get-ADUser to return extra properties.
The acceptable values for the Identity parameter are: Distinguished Name, GUID (objectGUID), Security Identifier (objectSid), and SAM Account Name (sAMAccountName).
In addition, we’re using the Select-Object cmdlet to limit the output of the AD properties retrieved from AD. As you can see below, this command only returns the Name, Department, Office (physicalDeliveryOfficeName), and State user attributes.
PS51> Get-ADUser -Identity accountant_user1 -Properties Name,Department,physicalDeliveryOfficeName,st | Select-Object -Property Name,Department,physicalDeliveryOfficeName,State

Name             Department physicalDeliveryOfficeName State
----             ---------- -------------------------- -----
accountant_user1 Accounting Miami                      FL
Changing AD User Account Properties with Set-ADUser
Now that you know what the accountant_user1 user account properties are currently set at, change them with Set-ADUser.
The most important parameter you’ll need to use with Set-ADUser is the Identity parameter. This parameter expects the same value as the Identity parameter of Get-ADUser.
You can also use the PowerShell pipeline to pass the output of Get-ADUser to Set-ADUser without explicitly using the Identity parameter.
Changing the Office and State AD Attributes
To demonstrate changing some user account attributes, change the Office AD attribute from Miami to Atlanta and the State AD attribute from FL to GA for the accountant_user1 object. You’ll see below that Set-ADUser has parameters that correlate to the AD attributes they are changing.
PS51> Set-ADUser -Identity accountant_user1 -Office 'Atlanta' -State 'GA'
By default, there is no output when running the Set-ADUser command. However, you can change this behavior by adding the Verbose parameter. The Verbose parameter displays detailed information about the operation being performed by the cmdlet.
To confirm the change, run Get-ADUser with the Properties parameter again, passing the output to Select-Object.
PS51> Get-ADUser -Identity accountant_user1 -Properties Name,Department,physicalDeliveryOfficeName,State | Select-Object -Property Name,Department,physicalDeliveryOfficeName,State

Name             Department physicalDeliveryOfficeName State
----             ---------- -------------------------- -----
accountant_user1 Accounting Atlanta                    GA
Voilà! The accountant_user1 user object has been changed to include Atlanta and Georgia (as GA) as the Office and State AD attribute values, respectively.
The cmdlet’s built-in help shows the full list of parameters available and the syntax for the Set-ADUser cmdlet.
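The pipeline approach mentioned above, applied to a whole OU, as an added example that is not part of the original article. It assumes the Department\Accounting OU created by Create-OU-Structure.ps1 and uses a placeholder domain DN ('DC=example,DC=com') that you must replace with your own.

```powershell
# Added example: move every Accounting user still listed in Miami/FL to Atlanta/GA,
# previewing the change with -WhatIf before writing to the directory.
Import-Module ActiveDirectory

# Placeholder DN for the Accounting OU; adjust to your domain.
$searchBase = 'OU=Accounting,OU=Department,DC=example,DC=com'

# Get-ADUser returns only a default property set, so ask for Office and State explicitly.
# The filter uses the LDAP attribute names (physicalDeliveryOfficeName, st) and runs
# server-side, so only the Miami/FL accounts are returned.
$targets = Get-ADUser -SearchBase $searchBase `
    -Filter "physicalDeliveryOfficeName -eq 'Miami' -and st -eq 'FL'" `
    -Properties Office,State

Write-Host ("Found {0} account(s) to update." -f @($targets).Count)

# Dry run: -WhatIf reports what Set-ADUser would change without modifying AD.
$targets | Set-ADUser -Office 'Atlanta' -State 'GA' -WhatIf

# Real run: the ADUser objects on the pipeline supply -Identity, so it is omitted.
# -PassThru returns each modified object; -Verbose logs every operation.
$updated = $targets | Set-ADUser -Office 'Atlanta' -State 'GA' -PassThru -Verbose

# Verify by re-reading from AD instead of trusting the objects we piped in.
$updated |
    Get-ADUser -Properties Office,State |
    Select-Object -Property SamAccountName,Office,State |
    Format-Table -AutoSize
```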
Changing the Title AD Attribute
The Set-ADUser cmdlet has several parameters available to change the property values of AD accounts. Just as an example, in this section, you will focus on changing the Title property for a single user account.
Using the same approach as the previous section, you can see below that you can change the Title AD attribute using the Title parameter on Set-ADUser.
PS51> Set-ADUser -Identity it_user12 -Title 'CIO'
Once the change has been made, check to make sure that the change was successful using Get-ADUser just as we did in the previous section. Below you can see the AD attribute Title has been changed to CIO.
PS51> Get-ADUser -Identity it_user12 -Properties Name,Department,title | Select-Object -Property Name,Department,title

Name      Department title
----      ---------- -----
it_user12 IT         CIO
Using Alternate Credentials
Set-ADUser runs under the context of the logged-on user. But you can change this behavior by providing an alternate credential set using the Credential parameter.
To authenticate to AD with alternate credentials, you have to create a PSCredential object using Get-Credential as seen below.
For more information on creating a PSCredential object, check out the ATA blog post entitled Using the PowerShell Get-Credential cmdlet and all things credentials.
PS51> $credential = Get-Credential
Now, pass the PSCredential object to the Credential parameter with Set-ADUser as shown below. This will pass the username and password stored in the credential set to AD to authenticate and make the required change.
PS51> Set-ADUser -Identity it_user12 -Title 'Senior Software Developer' -Credential $credential
Disabling AD User Accounts
It is best practice to disable AD accounts that are no longer in use or, in a company setting, when people leave an organization. The next task is to disable a single user account in the Marketing OU.
First, review the AD user object before you make changes to it with Get-ADUser using the Properties parameter and Select-Object cmdlet you’ve been using throughout this article. You can see an example of inspecting the market_user6 user account below.
You can see an Enabled property returned of True. When disabled, this property will return False.
PS51> Get-ADUser -Identity market_user6 -Properties Name,Department,Enabled | Select-Object -Property Name,Department,Enabled

Name         Department Enabled
----         ---------- -------
market_user6 Marketing  True
Next, disable the user object using the Set-ADUser cmdlet. Disable the AD account for the market_user6 user by using the Enabled parameter and setting the value to 0 (the example below uses $False, which is equivalent). Below you can see an example of this.
PS51> Set-AdUser -Identity market_user6 -Enabled $False
Now, check that the correct changes were implemented by running the Get-ADUser command again as shown below.
PS51> Get-ADUser -Identity market_user6 -Properties Name,Department,Enabled | Select-Object -Property Name,Department,Enabled

Name         Department Enabled
----         ---------- -------
market_user6 Marketing  False
The market_user6 user is now disabled in AD!
Note: You can also leverage the Disable-ADAccount cmdlet to disable AD accounts.
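The disable step and the alternate-credential pattern from the previous sections, combined into one reusable function, as an added example that is not part of the original article. It assumes the market_user6 account from Populate-AD_Accounts.ps1 exists; the function name and the reason text are the author's own choices for this illustration.

```powershell
# Added example: disable an offboarded user, record why in Description, and verify
# the result by re-reading the object from AD.
Import-Module ActiveDirectory

function Disable-OffboardedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Reason,
        [pscredential]$Credential   # optional alternate credentials, as in the article
    )

    # Splat -Credential onto each AD cmdlet only when one was supplied.
    $extra = @{}
    if ($Credential) { $extra['Credential'] = $Credential }

    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled,Description @extra
    if (-not $user.Enabled) {
        Write-Warning "$SamAccountName is already disabled; nothing to do."
        return $user
    }

    $stamp = (Get-Date).ToString('yyyy-MM-dd')
    # -Enabled $false has the same effect as Disable-ADAccount; the Description
    # keeps an audit trail of when and why the account was disabled.
    Set-ADUser -Identity $user -Enabled $false `
        -Description "Disabled $stamp - $Reason (was: $($user.Description))" @extra

    # Confirm from AD rather than trusting the in-memory object.
    $after = Get-ADUser -Identity $SamAccountName -Properties Enabled,Description @extra
    if ($after.Enabled) { throw "Failed to disable $SamAccountName" }
    return $after
}

# Usage under the logged-on user; add -Credential (Get-Credential) to run as someone else.
Disable-OffboardedUser -SamAccountName 'market_user6' -Reason 'Left company' |
    Select-Object -Property SamAccountName,Enabled,Description
```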
In this article, you learned how to inspect AD user accounts with the Get-ADUser PowerShell cmdlet and make changes to AD user objects with the Set-ADUser cmdlet.
The ability to make changes to the user objects in AD is a crucial skill needed in many organizations to remove the need for a GUI and promote automation.
Now get automating!