The Set-ADUser cmdlet in PowerShell is a handy tool. Do you need to make changes to many users in your Active Directory? Or are you seeking a more efficient way to change the properties of users? Both can be handled with this cmdlet.
We can change all of an Active Directory user’s properties using the Set-ADUser cmdlet. To do this, we can use one of the cmdlet’s dedicated parameters or the Add, Update, Replace parameter.
How to Inspect AD User Accounts with Get-ADUser?
A user account first needs to be read before it can be modified. The Get-ADUser cmdlet reads AD user accounts and can inspect one or several of them at a time.
To view the user account, use the Get-ADUser cmdlet.
To specify the username, use the Identity parameter. The command below also uses the Properties parameter: not every AD user account property is returned by default, and Properties instructs Get-ADUser to return additional ones.
Distinguished Name, GUID (objectGUID), Security Identifier (objectSid), and SAM Account Name (sAMAccountName) are all acceptable choices for the Identity parameter.
Additionally, we limit the output of the properties retrieved from AD using the Select-Object cmdlet. Only the Name, Department, physicalDeliveryOfficeName, and State user properties are returned by this command.
Get-ADUser -Identity accountant -Properties Name,Department,physicalDeliveryOfficeName,State | Select-Object -Property Name,Department,physicalDeliveryOfficeName,State
Changing AD User Account Properties with Set-ADUser Cmdlet
Now that you know what the accountant user account's properties are currently set to, change them using Set-ADUser.
The Identity parameter, which you must use with Set-ADUser, is the most crucial one. As with Get-ADUser, it accepts the same kinds of values.
Instead of specifying the Identity parameter explicitly, you can also use the PowerShell pipeline to pass the Get-ADUser result to Set-ADUser.
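The pipeline form described above, shown as an added example that is not from the original article: it previews a bulk change with -WhatIf before applying it and then re-reads the accounts to verify. The OU path and the Department filter are assumed values for illustration.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to modify the target users.
Import-Module ActiveDirectory

# Assumed values for illustration: the OU path and Department filter are hypothetical.
$searchBase = 'OU=Finance,DC=example,DC=com'
$filter     = "Department -eq 'Accounting'"

# 1. Read the accounts that would be touched, including the attributes about to change.
$targets = Get-ADUser -Filter $filter -SearchBase $searchBase -Properties Office, State
$targets | Select-Object SamAccountName, Office, State | Format-Table

# 2. Dry run: -WhatIf reports each change without writing to the directory.
$targets | Set-ADUser -Office 'Hawaii' -State 'NY' -WhatIf

# 3. Apply. -PassThru returns the modified user objects so the pipeline can continue;
#    -Verbose prints what the cmdlet is doing for each account.
$changed = $targets | Set-ADUser -Office 'Hawaii' -State 'NY' -PassThru -Verbose

# 4. Re-read from AD and list any account whose values did not take.
$changed | Get-ADUser -Properties Office, State |
    Where-Object { $_.Office -ne 'Hawaii' -or $_.State -ne 'NY' } |
    Select-Object SamAccountName, Office, State
```

An empty result from step 4 means every targeted account now carries the new values.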
Example 1: How can I change the State and Office AD attributes?
To illustrate updating several user account attributes at once, change the Office AD attribute for the accountant object from California to Hawaii and the State AD attribute from FL to NY. The Set-ADUser parameters correspond to the AD properties that are being modified.
Set-ADUser -Identity accountant -Office 'Hawaii' -State 'NY'
The Set-ADUser command does not produce any output by default. However, you can alter this behavior by including the Verbose parameter, which shows detailed information about the task the cmdlet is carrying out.
Run Get-ADUser once more with the Properties parameter, passing its results to Select-Object.
Get-ADUser -Identity accountant -Properties Name,Department,physicalDeliveryOfficeName,State | Select-Object -Property Name,Department,physicalDeliveryOfficeName,State
Example 2: Change the Title Of Active Directory User
There are a number of parameters available for the Set-ADUser cmdlet to modify AD account property values. The Title property for a single user account will be the main thing you work on.
Using the Title parameter on Set-ADUser, you can modify the Title AD attribute.
Set-ADUser -Identity it_user12 -Title 'CIO'
Once the change has been done, use Get-ADUser to confirm that it was successful, like we did in the previous step. As you can see below, CIO has replaced the Title in the AD property.
Get-ADUser -Identity it_user12 -Properties Name,Department,title | Select-Object -Property Name,Department,title
Example 3: How to Use Alternate Credentials?
By default, Set-ADUser operates in the context of the currently logged-on user. However, you can change this behavior by using the Credential parameter to supply a different set of credentials.
You must use Get-Credential to build a PSCredential object in order to authenticate to AD using different credentials.
Check out the ATA blog post Using the Windows PowerShell Get-Credential cmdlet and all things credentials for further details on building a PSCredential object.
$credential = Get-Credential
Now pass the PSCredential object to the Credential parameter of Set-ADUser. The username and password stored in the credential object are then used to authenticate to AD and make the modification.
Set-ADUser -Identity it_user12 -Title 'Software Developer' -Credential $credential
Example 4: Disabling AD User Accounts In PowerShell
Before making any changes, review the AD user object using the Get-ADUser command’s Properties parameter and the Select-Object cmdlet.
The output shows the Enabled attribute with a value of True. This property returns False if the account is disabled.
Get-ADUser -Identity user -Properties Name,Department,Enabled | Select-Object -Property Name,Department,Enabled
Use the Set-ADUser cmdlet to disable the user object. Disable the AD account for the user named user by setting the Enabled parameter to $false or 0.
Set-AdUser -Identity user -Enabled $False
Run the Get-ADUser command to ensure that the necessary modifications were made.
Get-ADUser -Identity user -Properties Name,Department,Enabled | Select-Object -Property Name,Department,Enabled
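The read, disable, verify sequence from Example 4, wrapped as an added example (not code from the original article) that also records the pre-change state so the action can be audited or reverted. The function name Disable-ADUserWithRecord and the log path are hypothetical.

```powershell
Import-Module ActiveDirectory

function Disable-ADUserWithRecord {
    # Hypothetical helper name; wraps the Get-ADUser / Set-ADUser calls shown above.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity,
        [Parameter(Mandatory)]
        [string]$LogPath      # CSV file that receives the pre-change state
    )
    process {
        $before = Get-ADUser -Identity $Identity -Properties Enabled, Description

        if (-not $before.Enabled) {
            Write-Verbose "$($before.SamAccountName) is already disabled; skipping."
            return
        }

        if ($PSCmdlet.ShouldProcess($before.DistinguishedName, 'Disable account')) {
            # Record the prior state first so the change can be reviewed or reverted.
            $before |
                Select-Object @{ n = 'Timestamp'; e = { (Get-Date).ToString('o') } },
                              SamAccountName, DistinguishedName, Enabled, Description |
                Export-Csv -Path $LogPath -Append -NoTypeInformation

            Set-ADUser -Identity $before -Enabled $false

            # Confirm against the directory rather than trusting the call.
            $after = Get-ADUser -Identity $before -Properties Enabled
            if ($after.Enabled) {
                Write-Error "$($after.SamAccountName) is still enabled."
            }
            $after | Select-Object SamAccountName, Enabled
        }
    }
}

# 'user' is the sample account name used on this page; the log path is an assumption.
Disable-ADUserWithRecord -Identity 'user' -LogPath .\disabled-accounts.csv -WhatIf
Disable-ADUserWithRecord -Identity 'user' -LogPath .\disabled-accounts.csv -Verbose
```

The first call only reports what would happen; the second performs the change and appends one row to the CSV.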