Introduction
Administrators have several options for managing the properties of Active Directory users. The Active Directory Users and Computers (ADUC) console is convenient for making a few basic changes, such as modifying a user’s description or office location.
For more functionality, however, consider using PowerShell. This article illustrates how you can address many common use cases with the PowerShell cmdlet Set-ADUser.
Set-ADUser Cmdlet
Using the Set-ADUser cmdlet, you can modify many properties of Active Directory users.
Note that in order to run PowerShell cmdlets from a Windows computer that is not a domain controller, you need to first import the Active Directory module for Windows PowerShell.
Set-ADUser Parameters
The following table describes the parameters of the Set-ADUser cmdlet that you can use to change a user’s properties.
To see the full list of parameters for the Set-ADUser cmdlet, run the following cmdlet:
Get-help Set-ADUser| Parameter | Description |
| (A) | |
| -AccountExpirationDate | Sets the account expiration date of the user object. |
| -AccountNotDelegated | Specifies whether the user’s security context is delegated to a service. |
| -Add | Adds one or more values to a property that cannot be changed using a cmdlet parameter (i.e., properties for which no parameter is available). |
| -AllowReversiblePasswordEncryption | Specifies whether the account is allowed to use reversible password encryption. |
| -AuthenticationPolicy | Specifies an authentication policy object for Active Directory Domain Services. |
| -AuthenticationPolicySilo | Sets the authentication policy silo object for Active Directory Domain Services. |
| -AuthType | Specifies the authentication method to use: Negotiate (or 0) or Basic (or 1). |
| (C) | |
| -CannotChangePassword | Specifies whether the user can change the account’s password. |
| -Certificates | Specifies the account’s DER-encoded X.509v3 certificates, such as the public-key certificates issued to this account by the Microsoft Certificate Service. |
| -ChangePasswordAtLogon | Specifies whether the user must change their password at the next login. |
| -City | Specifies the city or town of the user. |
| -Clear | Clears one or more values of an attribute that cannot be changed using a cmdlet parameter (i.e., attributes for which no parameter is available). |
| -Company | Sets the company attribute of the user account. |
| -CompoundIdentitySupported | Specifies whether a user’s account supports Kerberos service tickets, which include the user’s device’s authorization data. |
| -Confirm | Prompts you for confirmation before running the cmdlet. |
| -Country | Sets the country or region code for the user account. |
| -Credential | Specifies the user account credentials to use to run the cmdlet. Unless the cmdlet is launched from an Active Directory PowerShell provider drive, the default credentials are those of the logged-on user. |
| (D) | |
| -Department | Specifies the department of the user. |
| -Description | Specifies the description of the user account. |
| -DisplayName | Specifies the display name of the user. |
| -Division | Specifies the division of the user. |
| (E) | |
| -EmailAddress | Specifies the email address of the user. |
| -EmployeeID | Specifies the employee ID of the user. |
| -EmployeeNumber | Specifies the employee number of the user. |
| -Enabled | Specifies whether the user account is enabled or disabled. |
| (F) | |
| –Fax | Specifies the fax number of the user. |
| (G) | |
| -GivenName | Specifies the first name of the user. |
| (H) | |
| -HomeDirectory | Specifies the home directory of the user account. |
| -HomeDrive | Sets the UNC path of the home directory of the user account. |
| (I) | |
| -Identity | Specifies the user account whose properties need to be changed. A user can be identified by its: • Distinguished Name (DN) • GUID • Security Identifier (SID) • Security Account Manager (SAM) account name Alternatively, you can feed a user object through the pipeline to the Identity parameter, or set it to an object variable. For example, you can use the Get-ADUser cmdlet to retrieve a user object, which can be passed via the pipeline to the Set-ADUser cmdlet. |
| -Initials | Specifies the initials of the user. |
| -Instance | Specifies an ADUser object that identifies the Active Directory user object to be changed and the modifications to be made to that object. When this parameter is supplied, any changes made to the ADUser object are also propagated to the appropriate Active Directory object. Only the object properties that have changed are updated by the cmdlet. This parameter is mainly used when you make changes to an object’s properties with a CSV or script using variables. You call the object, make changes to the desired properties, then use Set-ADUser with the -Instance parameter for those changes to take effect. |
| (K) | |
| -KerberosEncryptionType | Specifies whether the user account is compatible with Kerberos encryption. |
| (L) | |
| -LogonWorkstations | Specifies the logon workstations of the user. |
| (M) | |
| -Manager | Specifies the manager of the user. |
| -MobilePhone | Specifies the mobile phone number of the user. |
| (O) | |
| -Office | Specifies the physical office location of the user. |
| -OfficePhone | Specifies the office phone number of the user. |
| -Organization | Specifies the organization of the user. |
| -OtherName | Specifies any other name property of the user. |
| (P) | |
| -Partition | Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. |
| -PassThru | Returns an object that represents the object you are working with. By default, this cmdlet does not generate any output. |
| -PasswordNeverExpires | Specifies whether the account password never needs to be updated. |
| -PasswordNotRequired | Specifies that the user account does not need a password. |
| -POBox | Specifies the PO box of the user. |
| -PostalCode | Specifies the postal code of the user. |
| -ProfilePath | Specifies the profile path of the user. |
| (R) | |
| -Remove | Removes one or more values of the properties that cannot be modified using a cmdlet parameter (i.e., properties for which no parameter is available). |
| -Replace | Replaces one or more values of the properties that cannot be modified using a cmdlet parameter (i.e., properties for which no parameter is available). This parameter is mostly used for more than one property value, or multiline attributes, particularly those for which there is no parameter available, but you can also use it for properties for which a specific parameter is available. |
| (S) | |
| -SamAccountName | Provides the security account manager (SAM) account name of the user on creation. |
| -ScriptPath | Specifies a path to the user’s log on script. |
| -Server | Specifies the AD DS instance to connect to. |
| -ServicePrincipalNames | Specifies the service principal name of the user. |
| -SmartcardLogonRequired | Specifies whether smart card logon is required for the user. |
| -State | Specifies the state of the user. |
| -StreetAddress | Specifies the street address of the user. |
| (T) | |
| -Title | Specifies the user’s job title. |
| -TrustedForDelegation | Specifies whether the account is trusted for Kerberos delegation. A service running under a trusted Kerberos delegation account can take on the identity of the client requesting the service. |
| (U) | |
| -UserPrincipalName | Specifies the user principal name (UPN) property of a user in the format testuser@testdomain.com. |
| (W) | |
| -WhatIf | Shows the output that would result from running the cmdlet, without actually running it. |
Verbose Command
By default, the Set-ADUser cmdlet produces no output. To get information about what the cmdlet is doing, use the /verbose switch.
Verbose is mostly used with variables and scripts, though sometimes it is also used with cmdlets.
Set-ADUser Examples
The following are examples for using the Set-ADUser cmdlet.
- Change a User’s Office and State Attributes
- Change a User’s Title
- Specify a User’s Manager
- Replace User Properties
- Modify Multiple Attributes for Multiple Users, Example 1
- Modify Multiple Attributes for Multiple Users, Example 2
- Modify Multiple Attributes for Multiple Users, Example 3
- Modify Multiple Attributes for Multiple Users Using a CSV File
- Use Alternate Credentials
- Clear an Attribute Value
- Disable AD User Accounts
- Force a Password Change at Next Logon
- Modify Attributes that Can Have Multiple Values
Change a User’s Office and State Attributes
The following cmdlet will set the values of the Office and State attributes of the AbbeyCrawford object:
Set-ADUser -Identity AbbeyCrawford -Office 'Atlanta' -State 'GA'
Here you can see that the user’s Office and State attributes have been set as specified:
Change a User’s Title
The following cmdlet will update the Title property of the AbbeyCrawford user object:
Set-ADUser -Identity AbbeyCrawford -Title 'CIO'To check that the update was successful, use the following command:
Get-ADUser -Identity AbbeyCrawford -Properties Name,Department,title | Select-Object -Property Name,Department,title
Specify a User’s Manager
The following command uses Get-ADUser to get the AD user object AbbeyCrawford, which is passed to the Set-ADUser cmdlet, which update its Manager attribute:
Get-ADUser -Identity "AbbeyCrawford" | Set-ADUser -Manager "AbbeyEckels"
You can confirm the change by using the following cmdlet:
Get-ADUser -Identity AbbeyCrawford -Properties manager | Select-Object -Property manager
Replace User Properties
To replace a property’s current value with a new value, use the Replace parameter. Use the LDAP display name to identify the object to be modified.
This command updates the title and email address of the user AbbeyCrawford:
Set-ADUser -Identity Abbey.Crawford -Replace @{title="manager";mail="AbbeyCrawford@corp.net"}
You can verify the changes using this cmdlet:
Get-ADUser -Identity AbbeyCrawford -Properties title,mail | Select-Object -Property title,mail
Modify Multiple Attributes for Multiple Users, Example 1
The following script updates several properties for a particular set of users:
- The first command fetches AD users from the Engineering OU.
- The output is piped to the second command, which replaces three attributes for all those users.
Get-ADUser -SearchBase " OU=Engineering,OU=Versacorp,DC=corp,DC=com" -filter * -Properties Department,Company,l,st | Set-ADUser -Replace @{Department=”Engineering”;Company="VersaCorp";l=”San Francisco”;St=”CA”}
You can check the results using the following script:
Get-ADUser -SearchBase "OU=Engineering,OU=Versacorp,DC=corp,DC=com" -Filter * -Properties DisplayName,Department,Company,l,st | select-object -property DisplayName,Department,Company,l,St
Modify Multiple Attributes for Multiple Users, Example 2
Similarly, the following script updates the DisplayName attribute of the users in the Engineering OU:
Get-ADUser -Filter 'Name -like "*"' -SearchBase ”OU=Engineering,OU=Versacorp,DC=corp,DC=com” -Properties DisplayName | % {Set-ADUser $_ -DisplayName ($_.GivenName + ' ' + $_.SurName)}
To inspect the output of this cmdlet, run the following script:
Get-ADUser -SearchBase "OU=Engineering,OU=Versacorp,DC=corp,DC=com" -Filter * -Properties DisplayName | select-object -property DisplayName
Modify Multiple Attributes for Multiple Users, Example 3
Suppose all users in your Boston office are being relocated to the Worcester office, so you need to update the Office attribute for all of them.
First, we create a variable with the appropriate users:
$BostonUsers = Get-ADUser -Filter "physicalDeliveryOfficeName -eq 'Boston'" -Property *To check this list of users and their offices, we can use this cmdlet:
$BostonUsers | Select-Object Name, OfficeThe next step is to update the office location of each user. We will again use a ForEach loop:
ForEach ($User in $BostonUsers){Set-ADUser -Identity $User -Office ‘Worcester’}Finally, to verify that the update was successful, we can use the Get-ADUser cmdlet to display a list of the users in the Worcester office:
Get-ADUser -Filter "physicalDeliveryOfficeName -eq 'Worcester'" -Property * | Select-Object Name,OfficeModify Multiple Attributes for Multiple Users Using a CSV File
Alternatively, you can use a CSV file to provide the list of AD users whose properties you want to modify. Let’s say you have the following CSV file:
We can create the “$Users” variable to fetch the information about the users from the CSV file:
$users = Import-csv -Path c:\hr.csvThen we can use the following script to make the desired changes; the “ForEach” loop iterates through all the user objects and updates their department and title properties:
foreach ($user in $users) {
Get-ADUser -Filter "employeeID -eq '$($user.employeeID)'" -Properties * -SearchBase " OU=Engineering,OU=Versacorp,DC=corp,DC=com" |Set-ADUser -department $($user.department) -title $($user.title)
}
Even though you can execute a script line by line in Windows PowerShell, it is recommended to use the Windows PowerShell ISE for larger scripts, as shown below:
Windows PowerShell ISE has two sections:
- Script Editor
- PowerShell Console
The following image shows how the cmdlet or script is run. There is a toolbar button for playing and stopping the script.
Use Alternate Credentials
By default, Set-ADUser runs in the context of the currently logged-on user. To specify different credentials, use the -Credential parameter.
The following command uses Get-Credential to produce a credential object:
$credential = Get-Credential
We can then pass that credential object to the Set-ADUser cmdlet using the -Credential parameter:
Set-ADUser -Identity AbbeyCrawford -Title “Senior Software Developer” -Credential $credentialClear an Attribute Value
To clear the value for an Active Directory user attribute, use the -Clear parameter. The script below uses the Get-ADUser cmdlet to retrieve users from the specified OU and passes the result to Set-ADUser, which clears the Department attribute:
Get-ADUser -filter * -SearchBase " OU=Engineering,OU=Versacorp,DC=corp,DC=com" | Set-AdUser -clear department
To check the results, use the following script:
Get-ADUser -SearchBase "OU=Engineering,OU=Versacorp,DC=corp,DC=com" -Filter * -Properties DisplayName | select-object -property DisplayName,Department
Disable AD User Accounts
Whenever a user leaves the organization, it’s vital to ensure their account is deactivated.
First, we’ll use the Get-ADUser cmdlet to check whether the departing user’s account is enabled:
Get-ADUser -Identity AbbeyCrawford -Properties Enabled | Select Enabled
The output shows that the account is active (Get-ADUser Enabled is True), so we need to disable it. We can use the following script; the first command gets the AD user’s Enabled property, and the second command disables the user account:
Get-ADUser -Identity AbbeyCrawford -Properties Enabled | Set-ADUser -Enabled $False
We can check the results by running the following cmdlet:
Get-ADUser -Identity AbbeyCrawford -Properties DisplayName,Enabled | select-object -Property DisplayName,Enabled
Force a Password Change at Next Logon
The following command will modify the value of the UserAccountControl property for all users in the specified OU, forcing them to change their password at the next login:
Get-ADUser -Filter * -SearchBase "OU=Test,DC=corp,DC=com" | Set-ADUser -ChangePasswordAtLogon $true
The following image shows the checkbox we just set:
Modify Attributes that Can Have Multiple Values
Some properties, such as ProxyAddress and OtherTelephone, can have multiple values. To modify them, use the -Add and -Remove parameters of Set-ADUser.
To remove a single value, specify the property and the value to remove from it:
Set-ADUser -Identity AbbeyCrawford -Remove @{proxyAddresses="AbbeyCrawford@hotmail.com"}
To verify the result, use the Get-ADUser cmdlet:
Get-ADUser -Identity AbbeyCrawford -Properties manager | Select-Object -Property managerNotice that AbbeyCrawford@hotmail.com has been removed from the ProxyAddresses list.
To add several values, use a comma-separated list, as shown below:
Set-ADUser -Identity AbbeyCrawford -Add @{proxyAddresses="AbbeyCrawford@corp.net","AbbeyCrawford@hotmail.com"}
To check the results, use the Get-ADUser cmdlet:
Get-ADUser -Identity AbbeyCrawford -Properties proxyaddresses | Select-Object -Property proxyaddresses
Alternatives to PowerShell for Managing AD Users
Netwrix GroupID Management Shell
Netwrix GroupID Shell is a command-line tool that makes it easy to manage objects in Active Directory and Azure-based identity stores, as well as to perform other administrative activities that you can do with PowerShell.
As you can see here, Netwrix GroupID Shell cmdlets are similar to PowerShell cmdlets:
Here is the Netwrix GroupID Shell cmdlet that is similar to Set-ADUser:
Netwrix GroupID Self-Service Portal
With Netwrix GroupID, you can quickly create web-based portals that enable helpdesk technicians and business users to perform certain tasks without help from the IT team. Users can:
- Search the directory
- Update their profiles
- Create and update directory objects and groups
When users manage their own information, data is more accurate and dependable. Administrators keep complete control over data integrity, though, because they decide what users can see and modify through the portal. Administrators can also build workflows that act as an auditing system to ensure that the correct data is entered before changes are committed to the directory.
Here are some of the user attributes that can be updated through the Self-Service portal:
