The Set-ADUser cmdlet in PowerShell is an incredibly useful tool for managing Active Directory users. With it, you can modify multiple properties and attributes of one or more AD user accounts.
In this comprehensive guide, we will cover everything you need to know to leverage the Set-ADUser cmdlet effectively.
An Overview of the Set-ADUser Cmdlet
The Set-ADUser cmdlet allows you to modify Active Directory user attributes and properties. With it, you can:
- Update user account details like name, address, phone number, etc.
- Set the manager attribute to define reporting structures
- Configure login settings like the allowed workstations
- Manage group memberships
- Enable/disable accounts
- Set permissions and rights
- And much more!
The key parameters of the Set-ADUser cmdlet include:
- -Identity: Specifies the AD user to modify. You can use the distinguished name, GUID, SID or SAMAccountName to identify the user.
- -Replace: Overwrites the existing values of each attribute named in the hash table with the values given. Keys are LDAP display names (for example otherTelephone), not PowerShell parameter names.
- -Clear: Removes every value from one or more attributes; it takes attribute names, not a hash table.
- -Add: Adds one or more values to a multivalued attribute.
- -Remove: Removes specified values from a multivalued attribute.
- -Manager: Sets the user's manager using the manager's distinguished name.
As you can see, the Set-ADUser cmdlet gives you total control to manage all aspects of AD user accounts. Next, let's look at some examples to see it in action.
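The four value operators behave differently on a multi-valued attribute, and the difference matters when a script runs more than once. The following walkthrough is an added example, not code from the original article; it assumes a test user named JohnDoe and uses otherTelephone, a multi-valued attribute that is safe to experiment with. The phone numbers are constructed sample data.

```powershell
# Added example (not from the original article): -Add, -Remove, -Replace and -Clear
# on a multi-valued attribute. Assumes a test user 'JohnDoe' in a lab domain.
$user = 'JohnDoe'

# -Add appends; anything already stored stays. Adding a value that already exists
# is an error, so a re-runnable script should read the attribute back first.
$current = (Get-ADUser -Identity $user -Properties otherTelephone).otherTelephone
$wanted  = '+1 555 000 0001', '+1 555 000 0002'              # constructed sample values
$missing = $wanted | Where-Object { $_ -notin $current }
if ($missing) {
    Set-ADUser -Identity $user -Add @{ otherTelephone = $missing }
}

# -Remove deletes only the listed value(s); the rest of the attribute is untouched.
Set-ADUser -Identity $user -Remove @{ otherTelephone = '+1 555 000 0001' }

# -Replace discards every existing value and writes exactly what you pass.
Set-ADUser -Identity $user -Replace @{ otherTelephone = '+1 555 000 0003' }

# -Clear empties the attribute. It takes attribute names, not a hash table.
Set-ADUser -Identity $user -Clear otherTelephone

# Verify the end state.
(Get-ADUser -Identity $user -Properties otherTelephone).otherTelephone   # empty after -Clear
```

All four operators can appear in one Set-ADUser call; the cmdlet applies them in the order -Remove, -Add, -Replace, -Clear, so a -Replace in the same command silently wins over an -Add on the same attribute.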
Example 1: Modifying Basic User Account Details
A common use case for Set-ADUser is to update basic details of a user account. For example:
Set-ADUser -Identity JohnDoe -DisplayName "John E. Doe" -OfficePhone "+1 555 123 4567" -MobilePhone "+1 555 987 6543" -StreetAddress "123 Main St" -City "New York" -State NY -PostalCode 10001 -Title "Senior Developer"
Here we are modifying many attributes for the user JohnDoe, including:
- Display name
- Office and mobile phone numbers
- Office address
- Job title
You can specify multiple attribute updates in a single command to modify several details at once.
Example 2: Setting a User's Manager
The manager attribute defines who a particular user reports to. Here's how to set it (the distinguished name must be quoted, otherwise PowerShell splits it at the commas into an array):
Set-ADUser -Identity JaneSmith -Manager "CN=JohnWilliams,OU=Managers,DC=corp,DC=contoso,DC=com"
We specify JaneSmith as the user and set her manager to JohnWilliams by using the distinguished name of his user account.
Setting hierarchical reporting structures is important for permissions, email distribution groups, org charts and more.
Example 3: Adding and Removing Groups
Group membership is stored on the group object, in its member attribute; the memberOf attribute you see on a user is a read-only back-link that AD computes from it. Set-ADUser -Add or -Remove with memberOf therefore fails, so use the group cmdlets instead:
Add-ADGroupMember -Identity "CN=Developers,CN=Users,DC=corp,DC=contoso,DC=com" -Members JimWilson
Remove-ADGroupMember -Identity "CN=Testers,CN=Users,DC=corp,DC=contoso,DC=com" -Members JimWilson -Confirm:$false
First, we add JimWilson to the Developers group. Then we remove him from the Testers group.
Managing group memberships allows you to grant and revoke access rights that are tied to those groups.
Example 4: Enabling and Disabling Accounts
To enable a disabled account:
Set-ADUser -Identity DisabledUser -Enabled $true
And to disable an active account:
Set-ADUser -Identity ActiveUser -Enabled $false
The Enabled parameter accepts $true or $false to enable/disable accounts as needed. This allows you to deactivate unused accounts or stop access for terminated employees while keeping the accounts intact.
Example 5: Unlocking Accounts
If a user exceeds the domain's bad-password threshold, AD locks the account. Set-ADUser has no -UnlockAccount parameter; the companion cmdlet Unlock-ADAccount does it:
Unlock-ADAccount -Identity LockedOutUser
No need to reset the password. Just unlock and the user can log in with the existing password.
Example 6: Modifying Several Users in Bulk
The Set-ADUser cmdlet really shines in its ability to modify multiple AD users in one operation.
For example, to set the postal code for all users in the Sales organizational unit (OU):
Get-ADUser -Filter * -SearchBase "OU=Sales,DC=corp,DC=contoso,DC=com" | Set-ADUser -PostalCode 98052
Here we:
- Get all users in the Sales OU
- Pipe the output to Set-ADUser
- Set the PostalCode attribute to 98052 for all users
This ability to make batch changes really simplifies managing large sets of users.
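A pipeline like the one above applies the same value to every user; bulk changes more often come from a spreadsheet with different values per row. The script below is an added example, not code from the original article. It assumes a CSV with the columns SamAccountName, Title, Department and OfficePhone; the here-string holds constructed sample rows standing in for Import-Csv -Path .\users.csv.

```powershell
# Added example (not from the original article): CSV-driven bulk update with a dry run.
# The rows below are constructed sample data; replace with Import-Csv -Path .\users.csv.
$DryRun = $true   # $true previews via -WhatIf; set to $false to apply

$rows = @'
SamAccountName,Title,Department,OfficePhone
JohnDoe,Senior Developer,Engineering,+1 555 123 4567
JaneSmith,,Sales,
'@ | ConvertFrom-Csv

$report = foreach ($row in $rows) {
    $params = @{ Identity = $row.SamAccountName }
    try {
        # Fail fast on unknown accounts instead of silently skipping them.
        $null = Get-ADUser -Identity $row.SamAccountName -ErrorAction Stop

        # Only pass columns that have a value. Passing an empty string to a
        # Set-ADUser parameter clears that attribute, which is rarely what a
        # blank spreadsheet cell is meant to do.
        foreach ($col in 'Title', 'Department', 'OfficePhone') {
            if (-not [string]::IsNullOrWhiteSpace($row.$col)) { $params[$col] = $row.$col }
        }

        if ($params.Count -gt 1) {
            Set-ADUser @params -WhatIf:$DryRun
            $status = if ($DryRun) { 'would update' } else { 'updated' }
        } else {
            $status = 'nothing to set'
        }
    } catch {
        $status = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        User    = $row.SamAccountName
        Status  = $status
        Changed = ($params.Keys | Where-Object { $_ -ne 'Identity' }) -join ','
    }
}
$report | Format-Table -AutoSize
```

Running with $DryRun = $true first and reading the report is the cheapest guard against a mis-mapped column rewriting an attribute across the whole OU.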
Example 7: Modifying Custom Active Directory Attributes
In addition to the default AD user attributes, you can also modify any custom attributes that admins have added to the schema for internal tracking purposes. Both attributes go in a single hash table; PowerShell rejects a command that supplies the same parameter twice:
Set-ADUser -Identity JohnSmith -Add @{customAttribute1="Value1"; customAttribute2="Value2"}
This adds values for two custom attributes called customAttribute1 and customAttribute2. -Add fails if a single-valued attribute already holds a value, so use -Replace with the same hash table when you want to overwrite.
Custom attributes are very useful for tailoring AD to internal business processes. And Set-ADUser gives you full access to update them.
Common Set-ADUser Scenarios
Now that you have seen some key usage examples, let's discuss some common real-world scenarios where the Set-ADUser cmdlet comes in handy.
Onboarding New Employees
When onboarding new people, use Set-ADUser to update employee details like:
- Legal name
- Contact info
- Job title and department
- Manager
- Location
Ensure all the right group memberships are set up to grant appropriate access.
Offboarding Employees
While offboarding employees:
- Re-assign active tickets/cases to other agents
- Remove access by taking departed users out of all groups
- Disable the user account
- Set another user as manager for their direct reports
Handling these details smoothly will prevent major disruptions.
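The AD side of the offboarding list above fits in one short script. This is an added example, not code from the original article. The departing user JimWilson, the replacement manager JaneSmith and the quarantine OU are placeholders to adjust; ticket reassignment lives in the service desk tool, not in AD, so it is not covered here.

```powershell
# Added example (not from the original article): AD steps of an offboarding.
# All identities and the OU below are placeholders for your environment.
$Departing  = 'JimWilson'
$NewManager = 'JaneSmith'
$DisabledOU = 'OU=Disabled Users,DC=corp,DC=contoso,DC=com'
$DryRun     = $true   # preview with -WhatIf; set to $false to apply

$user = Get-ADUser -Identity $Departing -Properties MemberOf

# 1. Re-point direct reports to the new manager while the old DN still resolves.
$reports = Get-ADUser -Filter "Manager -eq '$($user.DistinguishedName)'"
foreach ($r in $reports) {
    Set-ADUser -Identity $r -Manager $NewManager -WhatIf:$DryRun
}

# 2. Remove every group membership. memberOf does not list the primary group
#    (Domain Users), which cannot be removed anyway, so the loop needs no special case.
foreach ($groupDn in $user.MemberOf) {
    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -WhatIf:$DryRun
}

# 3. Disable rather than delete: the SID, audit trail and any mailbox links survive.
#    Record the reason and date on the object itself and drop the stale manager link.
Set-ADUser -Identity $user -Enabled $false `
    -Description "Offboarded $(Get-Date -Format yyyy-MM-dd)" `
    -Clear manager -WhatIf:$DryRun

# 4. Move the account to an OU where a restrictive GPO applies.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU -WhatIf:$DryRun
```

The order matters: reports are re-pointed and groups removed before the account is disabled and moved, so every step operates on a DN that still exists where the earlier steps expect it.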
Security
Quickly disable or unlock accounts, with the appropriate approval process in place. When needed, resetting passwords or enabling MFA can bolster security.
Access Management
Easily add user accounts to or remove them from security and distribution groups based on their roles to manage access.
Organization Changes
Seamlessly move subsets of users to new OUs, assign new managers, and set or alter permissions during re-orgs or mergers/acquisitions.
Maintenance
Perform periodic hygiene by de-provisioning stale accounts, fixing group memberships, and ensuring manager attributes are current.
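The hygiene pass above, as an added example that is not part of the original article: it finds enabled users who have not logged on within a threshold and disables them with a stamped description, then reports users whose manager attribute points at a disabled or deleted account. The threshold and search OU are placeholders.

```powershell
# Added example (not from the original article): periodic AD hygiene pass.
# Threshold and OU are placeholders for your environment.
$Inactive = New-TimeSpan -Days 90
$SearchOU = 'OU=Staff,DC=corp,DC=contoso,DC=com'
$DryRun   = $true   # preview with -WhatIf; set to $false to apply

# Search-ADAccount evaluates lastLogonTimestamp, which replicates with up to a
# 14-day lag, so keep the threshold comfortably above that.
$stale = Search-ADAccount -AccountInactive -TimeSpan $Inactive -UsersOnly -SearchBase $SearchOU |
    Where-Object { $_.Enabled }

foreach ($acct in $stale) {
    # Disable and stamp the reason so the date survives in the object itself.
    Set-ADUser -Identity $acct -Enabled $false `
        -Replace @{ description = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $($Inactive.Days) days" } `
        -WhatIf:$DryRun
}

# Manager links that point at disabled or missing accounts.
$badManagers = Get-ADUser -Filter 'Manager -like "*"' -SearchBase $SearchOU -Properties Manager |
    ForEach-Object {
        $mgr = Get-ADUser -Identity $_.Manager -ErrorAction SilentlyContinue
        if (-not $mgr -or -not $mgr.Enabled) {
            [pscustomobject]@{
                User    = $_.SamAccountName
                Manager = $_.Manager
                State   = if ($mgr) { 'disabled' } else { 'missing' }
            }
        }
    }
$badManagers | Format-Table -AutoSize
```

The manager report is left as output rather than auto-fixed: choosing the replacement manager is a business decision, and once you have it the Set-ADUser -Manager call from Example 2 applies it.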
Key Takeaways
The Set-ADUser cmdlet is a game changer for Active Directory administration. With it, you can:
- Modify any user attribute like names, titles, contact details etc.
- Manage group memberships to grant or revoke access
- Enable, disable, lock or unlock user accounts
- Update manager fields to define org structures
- Make batch changes to multiple users
- And more!
So be sure to add Set-ADUser to your PowerShell toolkit if you manage AD environments. The use cases and time savings are enormous.
Let me know if you have any other Set-ADUser tips or examples to share!