Set-ADUser

Modify an Active Directory user.

Syntax
      Set-ADUser [-Identity] ADUser  ADProperties[...]
         [-AccountExpirationDate DateTime] [-AccountNotDelegated bool]
            [-Add hashtable] [-AllowReversiblePasswordEncryption bool]
               [-AuthType {Negotiate | Basic}][-CannotChangePassword bool]
                  [-Certificates hashtable] [-ChangePasswordAtLogon bool]
                     [-Clear string[]] [-Credential PSCredential] [-Enabled bool]
                        [-Partition string] [-PasswordNeverExpires bool]
                           [-PasswordNotRequired bool] [-ProfilePath string] 
                              [-PassThru] [-Remove hashtable] [-Replace hashtable]
                                 [-SamAccountName string] [-ScriptPath string]
                                    [-Server string] [-ServicePrincipalNames hashtable]
                                       [-SmartcardLogonRequired bool]
                                          [-TrustedForDelegation bool]
                                             [-Confirm] [-WhatIf] [CommonParameters]

      Set-ADUser -Instance ADUser [-SamAccountName string]
         [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
            [-Partition string] [-PassThru] [-Server string]
               [-Confirm] [-WhatIf] [CommonParameters]

Key
   ADProperties
               [-City string] [-Company string] [-Country string]  
               [-Department string] [-Description string] [-DisplayName string] 
               [-Division string] [-EmailAddress string] [-EmployeeID string]
               [-EmployeeNumber string] [-Fax string] [-GivenName string]
               [-HomeDirectory string] [-HomeDrive string] [-HomePage string] 
               [-HomePhone string] [-Initials string] [-LogonWorkstations string] 
               [-Manager ADUser] [-MobilePhone string] [-Office string] [-OfficePhone string]
               [-Organization string] [-OtherName string]
               [-POBox string] [-PostalCode string] [-State string] [-StreetAddress string]
               [-Surname string] [-Title string] [-UserPrincipalName string]

   -AccountExpirationDate [System.DateTime]
       The expiry date for the account. (0=never expires)        
       Use PowerShell DateTime syntax
       Time is assumed to be local time unless otherwise specified.
       The default time is 12:00 (Midday) local time.
       The default date is the current date.
       Examples using GMT, UTC and local time:
        -AccountExpirationDate "Mon, 17 Apr 2011 21:22:48 GMT"
        -AccountExpirationDate "2011-04-17T14:22:48.0000000" 
        -AccountExpirationDate "04/17/2011 2:22:48 PM"
       The LDAP provider name (LDAPDisplayName) for this property is accountExpires.

   -AccountNotDelegated bool
       Security delegation. When True, the security context of the user is not
       delegated to a service even when the service account is set as trusted for
       Kerberos delegation. Sets the AccountNotDelegated property for an AD account.
       This parameter also sets the ADS_UF_NOT_DELEGATED flag of the AD User Account
       Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -Add hashtable
       Specify values to add to an object property.
       Use this parameter to add one or more values to a property that cannot be modified
       using a cmdlet parameter. To modify an object property, you must use the LDAP provider name.
       Specify multiple values to a property by specifying a comma-separated list of values
       and more than one property by separating them using a semicolon.
       The format for this parameter is 

          -Add @{Attribute1LDAPName=value1, value2, ...;
                 Attribute2LDAPName=value1, value2, ...; AttributeNLDAPName=value1, value2, ...}

        For example, to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333"
        to the Phone-Office-Other attribute (LDAP provider name: 'otherTelephone'), and add the value
        "555-222-9999" to Phone-Mobile-Other (LDAP provider name: 'otherMobile'), set the Add and Remove
        parameters as follows.

          -Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999'} -Remove @{otherTelephone='555-222-2222'}

        When you use the -Add, -Remove, -Replace and -Clear parameters together, the operations will be
        performed in the order: Remove, then Add, then Replace, then Clear.

   -AllowReversiblePasswordEncryption bool
       Whether reversible password encryption is allowed for the account.
       This parameter sets the AllowReversiblePasswordEncryption property of the account.
       This also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of
       the AD User Account Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -CannotChangePassword bool
       Whether the account password can be changed.
       Sets the 'CannotChangePassword' property of an account.
       Values for this parameter: $false or 0, $true or 1

   -Certificates X509Certificate[]
       Modifies the DER-encoded X.509v3 certificates of the account.
       These certificates include the public key certificates issued to
       this account by the Microsoft Certificate Service. 
       Sets the Certificates property of the account object.
       The LDAP provider Name for this property is "userCertificate".

       Syntax to add/remove/replace/clear:
         -Certificates @{Add=value1,value2,...}
         -Certificates @{Remove=value3,value4,...}
         -Certificates @{Replace=value1,value2,...}
         -Certificates $null

       Multiple operations may be specified in a single hashtable, with the entries separated by semicolons.
         -Certificates @{Add=value1,value2,...; Remove=value3,value4,...}

   -ChangePasswordAtLogon bool
       Whether a password must be changed during the next logon attempt.
       Values for this parameter: $false or 0, $true or 1
       This cannot be set to $true for an account that also has PasswordNeverExpires set.

   -City string
       The user's town or city.
       The LDAP provider name of the City property is "l".

   -Clear string[]
       An array of object properties that will be cleared in the directory.
       Use this parameter to clear one or more values of a property that cannot be modified
       using a cmdlet parameter. To modify an object property, you must use the LDAP provider name.
       Modify more than one property by specifying a comma-separated list.
       The format for this parameter is
          -Clear Attribute1LDAPName, Attribute2LDAPName

       For example, to clear the value for the Phone-Office-Other attribute
       ( LDAP provider name 'otherTelephone') set the Clear parameter as follows.

          -Clear otherTelephone

   -Company string
       The user's company. 
       The LDAP provider name of the Company property is "company". 

   -Country string
       The country or region code for the user's language of choice. 
       The LDAP provider name of the Country property is "c".

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Department string
       The user's department. 
       The LDAP provider name for this property is "department".

   -Description string
       A description of the object.
       The LDAP provider name for this property is "description".

   -DisplayName string
       The display name of the object.
       The LDAP provider name for this property is "displayName".

   -Division string
       The user's division.
       The LDAP provider name for this property is "division".

   -EmailAddress string
       The user's email address.
       The LDAP provider name for this property is "mail".

   -EmployeeID string
       The user's employee ID. 
       The LDAP provider name for this property is "employeeID".

   -EmployeeNumber string
       The user's employee number. 
       The LDAP provider name for this property is "employeeNumber". 

   -Enabled bool
       Is the account enabled.
       An enabled account requires a password.
       This parameter sets the Enabled property for an account object.
       Also sets the ADS_UF_ACCOUNTDISABLE flag of the AD User Account Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -Fax string
       The user's fax phone number. 
       The LDAP provider name for this property is "facsimileTelephoneNumber". 

   -GivenName string
       The user's given name. In western countries this is often the first name. In Eastern
       countries this is often the last name.
       The LDAP provider name for this property is "givenName".

   -HomeDirectory string
       Specifies a user's home directory.
       The LDAP provider name for the 'HomeDirectory' property is "homeDirectory".

   -HomeDrive string
       Specifies a drive that is associated with the UNC path defined by -HomeDirectory.
       The drive letter is specified as "DriveLetter:" where DriveLetter is a single,
       uppercase letter. 
       The LDAP provider name for this property is "homeDrive". 

   -HomePage string
       The URL of the home page of the object.
       The LDAP provider name for this property is "wWWHomePage".

   -HomePhone string
       The user's home telephone number. 
       The LDAP provider name for this property is "homePhone".

   -Identity ADUser
       Specify an AD user object by providing one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: CN=JimSmith,OU=europe,CN=users,DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-3165297888-301567370-576410423-1103
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: AnnualReports

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.
       Examples:
          -Identity "CN=JimSmith,OU=europe,CN=users,DC=corp,DC=SS64,DC=com"
          -Identity $ADUserInstance

   -Initials string
       The initials that represent part of a user's name.
       Use this value for the user's middle initial. 
       The LDAP provider name for this property is "initials".

   -Instance ADUser
       An ADUser object that identifies the AD user object that should be modified and the
       set of changes that should be made to that object.
       When this parameter is used, any modifications made to the ADUser object are also made
       to the corresponding AD object. The cmdlet only updates the object properties that have changed.  

       The ADUser object specified as the value of the -Instance parameter must be
       retrieved with Get-ADUser.
       Do not specify other parameters that set individual properties on the object.
       Example:

          # Retrieve a local instance of the object.
          $userInstance = Get-ADUser  -Identity GSHeron
          # Modify one or more properties of the object instance.
          $userInstance.EmailAddress = "gill@ss64.com"
          # Save changes
          Set-ADUser -Instance $userInstance

   -LogonWorkstations string
       The computers that the user can access.
       To specify more than one computer, create a single comma-separated list.
       Identify each computer with a Security Accounts Manager (SAM) account name or the DNS 
       host name of the computer. The SAM account name is the same as the NetBIOS name of the computer.

       Example using SAMAccountName (NetBIOS) and DNSHostName values:
          -LogonWorkstations "pc064,pc065,pc1025.corp.ss64.com"

       The LDAP provider name for this property is "userWorkStations". 

   -Manager ADUser
       The user's manager. 
       Set this by providing one of the following property values.
          Examples:
          Distinguished Name: CN=JohnDoe,OU=Europe,CN=Users,DC=corp,DC=ss64,DC=com
          GUID (objectGUID) : 599c3d2e-f72d-4d20-8a88-030d99495f20 
          Security Identifier (objectSid) : S-1-5-21-3165297888-301567370-576410423-1103
          SAM Account Name (sAMAccountName): JDoe

       The LDAP provider name of this property is "manager".

   -MobilePhone string
       The user's mobile phone number. 
       The LDAP provider name of this property is "mobile".

   -Office string
       The location of the user's office or place of business. 
       The LDAP provider name of this property is "office".

   -OfficePhone string
       The user's office telephone number. 
       The LDAP provider name of this property is "telephoneNumber".

   -Organization string
       The user's organization. 
       The LDAP provider name of this property is "o".

   -OtherName string
       A name in addition to a user's given name and surname, such as the user's middle name.
       The LDAP provider name of this property is "middleName".

   -Partition string
       The distinguished name of an AD partition.
       The distinguished name must be one of the naming contexts on the current
       directory server. The cmdlet searches this partition to find the object defined by
       the -Identity parameter. 
       The following two examples show how to specify a value for this parameter.
          -Partition "CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"
          -Partition "CN=Schema,CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"

       In many cases, a default value will be used for the Partition parameter if no value
       is specified.

   -PassThru
       Returns the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

   -PasswordNeverExpires bool
       Whether the password of an account can expire.
       This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the AD UAC attribute.
       Values for this parameter: $false or 0, $true or 1

       Note: This parameter cannot be set to $true for an account that also has ChangePasswordAtLogon set.

   -PasswordNotRequired bool
       Whether the account requires a password.
       This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the AD UAC attribute.
       Values for this parameter: $false or 0, $true or 1

   -POBox string
       The user's post office box number. 
       The LDAP provider name of this property is "postOfficeBox".

   -PostalCode string
       The user's postal code or zip code. 
       The LDAP provider name of this property is "postalCode".

   -ProfilePath string
       A path to the user's profile.
       This value can be a local absolute path or a UNC path. 
       The LDAP provider name of this property is "profilePath".

       Examples:  -ProfilePath "E:\users\profiles\GailMoss"
                  -ProfilePath "\\users\profiles\GailMoss"

   -Remove hashtable
       Remove values of an object property.
       Use this parameter to remove one or more values of a property that cannot be modified
       using a cmdlet parameter. To remove an object property, you must use the LDAP provider name.
       You can remove more than one property by specifying a semicolon-separated list.
       The format for this parameter is 
          -Remove @{Attribute1LDAPName=value[];   Attribute2LDAPName=value[]}

       For example, to add the values blue and green and remove the value pink from a property with a LDAP
       display name of FavColors, set the Add and Remove parameters as follows.
          -Add @{FavColors='Blue','Green'} -Remove @{FavColors='Pink'}

        When you use the -Add, -Remove, -Replace and -Clear parameters together, the operations will be
        performed in the order: Remove, then Add, then Replace, then Clear.

   -Replace hashtable
       Specify values for an object property that will replace the current values.
       Use this parameter to replace one or more values of a property that cannot be modified
       using a cmdlet parameter. To modify an object property, you must use the LDAP provider name.
       You can modify more than one property by specifying a semicolon-separated list.
       The format for this parameter is 
          -Replace @{Attribute1LDAPName=value[];   Attribute2LDAPName=value[]}
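The following is an added example, not code from the original page, showing the -Add, -Remove, -Replace and -Clear parameters described above used together: preview the change with -WhatIf, apply it, then read the attributes back to verify. It assumes the RSAT ActiveDirectory module and a test user 'user64' (a placeholder name); the phone numbers are the constructed values from the page's own -Add example.

```powershell
# Added example (not from the original page): edit multi-valued attributes with
# -Add, -Remove, -Replace and -Clear, preview first, then verify by reading back.
# Assumes the RSAT ActiveDirectory module and a test user 'user64' (placeholder
# name); the phone numbers are constructed values taken from the page's example.

$identity = 'user64'

function Get-PhoneAttributes {
    param([string]$Id)
    # otherTelephone/otherMobile/info are outside the default property set, so they
    # must be requested explicitly or Get-ADUser returns them empty.
    Get-ADUser -Identity $Id -Properties otherTelephone, otherMobile, info
}

$before = Get-PhoneAttributes -Id $identity

# Hashtable keys are LDAP display names; values may be a single string or a list.
$add    = @{ otherTelephone = '555-222-1111', '555-222-3333'; otherMobile = '555-222-9999' }
$remove = @{ otherTelephone = '555-222-2222' }

# Preview: -WhatIf reports the target object and makes no change.
Set-ADUser -Identity $identity -Add $add -Remove $remove -WhatIf

# Apply. The order is always Remove, Add, Replace, Clear regardless of parameter order,
# so a value listed in both -Remove and -Add ends up present.
Set-ADUser -Identity $identity -Add $add -Remove $remove

# -Replace overwrites every existing value of the attribute; -Clear empties it.
# Both take LDAP display names, and -Clear is a plain string array, not a hashtable.
Set-ADUser -Identity $identity -Replace @{ info = 'Contact numbers reviewed' } -Clear otherMobile

# Verify by reading back and diffing otherTelephone against the earlier snapshot.
$after     = Get-PhoneAttributes -Id $identity
$oldValues = @($before.otherTelephone)
$newValues = @($after.otherTelephone)
$newValues | Where-Object { $_ -notin $oldValues } | ForEach-Object { "added:   $_" }
$oldValues | Where-Object { $_ -notin $newValues } | ForEach-Object { "removed: $_" }
$after | Select-Object SamAccountName, otherMobile, info
```

Reading the object back after the write is the only reliable check: Set-ADUser without -PassThru produces no output, and even with -PassThru the returned object only carries the default property set.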

   -SamAccountName string
       The Security Account Manager (SAM) account name of the user, group, computer, or service account.
       The maximum length of the description is 256 characters.
       For compatibility with older operating systems use 20 characters or less.
       The LDAP provider name of this property is "sAMAccountName".
       If the value provided is not terminated with a '$' character, the system will add one if needed.

   -ScriptPath string
       A path to the user's log-on script.
       The default path is the NetLogon share
       The LDAP provider name of this property is "scriptPath".

       Example:
           -ScriptPath "Logon.cmd"

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified domain name,
       a NetBIOS name or a fully qualified directory server name (with or without port number).

       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

   -ServicePrincipalNames string[]
       The service principal names for the account.
       Use the following syntax to add, remove, replace or clear service principal name values:

          -ServicePrincipalNames @{Add=value1,value2,...}
          -ServicePrincipalNames @{Remove=value3,value4,...}
          -ServicePrincipalNames @{Replace=value1,value2,...}
          -ServicePrincipalNames $null

       Multiple operations may be specified in a single hashtable, with the entries separated by semicolons.
         -ServicePrincipalNames @{Add=value1,value2,...; Remove=value3,value4,...}

       Example:
         -ServicePrincipalNames @{Add="SQLservice/NewService.ss64.com:1456"; Remove="SQLservice/demo.ss64.com:1456"}

   -SmartcardLogonRequired bool
       Whether a smart card is required to logon.
       This parameter also sets the ADS_UF_SMARTCARD_REQUIRED flag of the AD User Account
       Control attribute.
       Values for this parameter: $false or 0, $true or 1

   -State string
       The user's or Organizational Unit's state or province.
       The LDAP provider name of this property is "st".

   -StreetAddress string
       The user's street address.
       The LDAP provider name of this property is "streetAddress".

   -Surname string
       The user's Surname. In western countries this is often the last name. In Eastern
       countries this is often the first name.
       The LDAP provider name of this property is "sn".

   -Title string
       The user's title.
       The LDAP provider name of this property is "title".

   -TrustedForDelegation bool
       Whether an account is trusted for Kerberos delegation.
       A service that runs under an account that is trusted for Kerberos delegation can
       assume the identity of a client requesting the service. 
       This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the AD UAC attribute.
       Values for this parameter: $false or 0, $true or 1
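The following is an added example, not code from the original page, that uses the account-control flags documented above (-AllowReversiblePasswordEncryption, -PasswordNotRequired, -TrustedForDelegation and -AccountNotDelegated) from a defender's side: find users with the weak settings, report them, clear the flags with a per-account confirmation, and mark privileged accounts as not delegatable. It assumes the RSAT ActiveDirectory module and rights to modify user objects; 'Domain Admins' is the built-in group name and everything else is read from the directory.

```powershell
# Added example (not from the original page): audit the security-relevant flags
# documented above and clear them where found. Assumes the RSAT ActiveDirectory
# module; 'Domain Admins' is the built-in group name, all other data comes from AD.

# Flags that weaken an account: reversible password storage (ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED),
# no password required (ADS_UF_PASSWD_NOTREQD) and unconstrained delegation (ADS_UF_TRUSTED_FOR_DELEGATION).
$riskyFilter = 'AllowReversiblePasswordEncryption -eq $true -or PasswordNotRequired -eq $true -or TrustedForDelegation -eq $true'
$flagNames   = 'AllowReversiblePasswordEncryption', 'PasswordNotRequired', 'TrustedForDelegation'

function Get-RiskyADUser {
    # Returns every user with at least one weak flag set, with the flags loaded.
    Get-ADUser -Filter $riskyFilter -Properties ($flagNames + 'AccountNotDelegated')
}

function Repair-RiskyADUser {
    param([Parameter(ValueFromPipeline)]$User)
    process {
        # Splat only the parameters that actually need changing.
        $changes = @{}
        foreach ($flag in $flagNames) {
            if ($User.$flag) { $changes[$flag] = $false }
        }
        if ($changes.Count -gt 0) {
            # -Confirm prompts per account, so a service account that genuinely needs
            # delegation can be skipped here and moved to constrained delegation instead.
            Set-ADUser -Identity $User @changes -Confirm
        }
    }
}

# 1. Report
$risky = Get-RiskyADUser
$risky | Select-Object SamAccountName, Enabled, AllowReversiblePasswordEncryption, PasswordNotRequired, TrustedForDelegation |
    Format-Table -AutoSize

# 2. Remediate
$risky | Repair-RiskyADUser

# 3. Mark privileged accounts 'sensitive and cannot be delegated' (ADS_UF_NOT_DELEGATED)
#    so a service trusted for delegation cannot act with their identity.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AccountNotDelegated
$admins | Where-Object { -not $_.AccountNotDelegated } | Set-ADUser -AccountNotDelegated $true

# 4. Re-read the attributes to verify rather than trusting the write.
(Get-RiskyADUser | Measure-Object).Count                        # expect 0 after remediation
$admins | Get-ADUser -Properties AccountNotDelegated | Select-Object SamAccountName, AccountNotDelegated
```

The filter string is passed to the directory, so the AD module evaluates `$true` inside the single-quoted filter itself; it is not PowerShell string interpolation. Flags that are not in the default property set have to be named in -Properties both for the report and for the final verification read.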

   -UserPrincipalName string
       Each user account has a user principal name (UPN) in the format
         user@DNS-domain-name
       A UPN is a friendly name assigned by an administrator that is shorter than the LDAP 
       distinguished name used by the system and easier to remember.
       The UPN is independent of the user object's DN, so a user object can be moved or
       renamed without affecting the user logon name. When logging on using a UPN, users
       no longer have to choose a domain from a list on the logon dialog box.

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command, without actually executing the command.

New-ADUser creates a new AD user.

Property values that are not associated with cmdlet parameters can be set by using the -OtherAttributes parameter.

You must specify the SAMAccountName parameter to create a user.

New-ADUser can also create different types of user accounts such as iNetOrgPerson accounts. To do this, set the -Type parameter.

The -Path parameter specifies the container or organizational unit (OU) for the new user. If not specified the user object will be created in the default container for user objects in the domain.

There are 3 different ways to create a user object with this cmdlet:

Method 1: Use New-ADUser, specify the required parameters, and set any additional property values by using the cmdlet parameters.

Method 2: Use a template to create the new object. Create a new user object or retrieve a copy of an existing user object and set the -Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object.

Method 3: Use Import-CSV with the New-ADUser cmdlet to create multiple AD user objects. To do this, use the Import-CSV cmdlet to create the custom objects from a CSV file that contains a list of object properties. Then pass these objects through the pipeline to New-ADUser.

Set-ADUser allows assigning a sAMAccountName containing the "@" character, but you cannot log on to a domain using such a sAMAccountName. In such cases, log on using the userPrincipalName (UPN).

Examples

Set the job title of the user with samAccountName 'user64' to 'Crane Operator'

PS C:\> Set-ADUser -Identity user64 -Title 'Crane Operator'

Set the email address of the user with samAccountName 'user64' to 'jane.doe@example.com'

PS C:\> Set-ADUser -Identity user64 -EmailAddress 'jane.doe@example.com'

Set the user with samAccountName JimSmith's property homepage to https://ss64.com/ps/ and the LogonWorkstations property to PC64,PC65:

PS C:\> Set-ADUser JimSmith -HomePage 'https://ss64.com/ps/' -LogonWorkstations 'PC64,PC65'

Set a value for the extensionAttribute1 property (which is not in the default property set) and display the results:

PS C:\> Set-ADUser ShriyaB -replace @{'extensionAttribute1' = 'demo text'} -passthru

Replace multiple LDAP properties: Set the property 'title' of the user with samAccountName 'StevieWonder' to 'musician' and the property 'mail' to stevie@StevieWonder.net:

PS C:\> Set-ADUser StevieWonder -Replace @{title='Musician';mail="stevie@StevieWonder.net"}

Set the mail property on the user object with samAccountName StevieWonder using the instance parameter:

PS C:\> $user = Get-ADUser StevieWonder -Properties mail
PS C:\> $user.mail = "stevie@StevieWonder.net"
PS C:\> Set-ADUser -instance $user

Get all the users in the directory that are located underneath the OU=Spain,OU=UserAccounts,DC=SS64,DC=com organizationalUnit. Set the DisplayName property on these user objects to the concatenation of the Surname property and the GivenName property:

PS C:\> Get-ADUser -Filter 'Name -like "*"' -SearchBase 'OU=Spain,OU=UserAccounts,DC=SS64,DC=com' -Properties DisplayName | % {Set-ADUser $_ -DisplayName ($_.Surname + ' ' + $_.GivenName)}

Now set the user logon hours to Monday through Friday from 8:00 AM to 6:00 PM and add a description:

PS C:\> [byte[]]$hours = @(0,0,0,0,255,3,0,255,3,0,255,3,0,255,3,0,255,3,0,0,0)
PS C:\> # create a hashtable to update the logon hours and a description
PS C:\> $replaceHashTable = New-Object HashTable
PS C:\> $replaceHashTable.Add("logonHours", $hours)
PS C:\> $replaceHashTable.Add("description", "Logon M-F from 8:00 AM to 6:00 PM")
PS C:\> Set-ADUser "StevieWonder" -Replace $replaceHashTable

The logon hours are stored as an array of 21 bytes: 7 sets of 3 bytes, one set per day, 1 bit per hour. For each bit, 0 means 'logon denied' and 1 means 'logon allowed'. The default is to allow logon all day: 255,255,255 (i.e. all bits = 1).
You can view the numbers set for an account with ADSIEdit.msc and that is probably the easiest way to derive the right numbers.
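Rather than deriving the 21 bytes by hand, the layout just described (7 days x 24 hours = 168 bits, Sunday first, lowest bit of each byte = earliest hour) can be built from a readable schedule and decoded back for checking. The following is an added example, not code from the original page; the functions New-LogonHoursValue and ConvertFrom-LogonHoursValue are hypothetical helpers defined here, and 'StevieWonder' is the placeholder user from the page's example. For Monday to Friday, 8:00 to 18:00, the helper produces exactly the byte array shown above. One caveat the page does not mention: the domain controller evaluates logonHours in UTC, while ADUC displays them in local time, so shift the hours if the site is not on UTC.

```powershell
# Added example (not from the original page): build the 21-byte logonHours value
# from a schedule, apply it with Set-ADUser -Replace, and decode it back to verify.
# Assumes the RSAT ActiveDirectory module; 'StevieWonder' is a placeholder user.
# The helper names are hypothetical (not part of the ActiveDirectory module).

function New-LogonHoursValue {
    param(
        [int[]]$Days,        # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,     # first allowed hour, inclusive (0-23)
        [int]$EndHour        # first denied hour after the window, exclusive (1-24)
    )
    # 7 days x 24 hours = 168 bits = 21 bytes. Bit 0 of byte 0 is Sunday 00:00-01:00;
    # within a byte the lowest bit is the earliest hour. Bits are evaluated in UTC.
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit   = $day * 24 + $hour
            $index = [int][math]::Floor($bit / 8)
            $bytes[$index] = $bytes[$index] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$bytes
}

function ConvertFrom-LogonHoursValue {
    param([byte[]]$Value)
    # Decode the attribute into one row per day listing the allowed hours.
    $dayNames = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($day = 0; $day -lt 7; $day++) {
        $allowed = @()
        for ($hour = 0; $hour -lt 24; $hour++) {
            $bit   = $day * 24 + $hour
            $index = [int][math]::Floor($bit / 8)
            if (($Value[$index] -band (1 -shl ($bit % 8))) -ne 0) { $allowed += $hour }
        }
        [pscustomobject]@{ Day = $dayNames[$day]; AllowedHours = ($allowed -join ',') }
    }
}

# Monday (1) to Friday (5), 08:00 to 18:00: matches the page's array
# 0,0,0,0,255,3,0,255,3,0,255,3,0,255,3,0,255,3,0,0,0
$hours = New-LogonHoursValue -Days 1, 2, 3, 4, 5 -StartHour 8 -EndHour 18
$hours -join ','

$replace = @{ logonHours = $hours; description = 'Logon M-F from 8:00 AM to 6:00 PM' }

# Preview, apply, then read the attribute back from the directory and decode it.
Set-ADUser -Identity 'StevieWonder' -Replace $replace -WhatIf
Set-ADUser -Identity 'StevieWonder' -Replace $replace
$stored = (Get-ADUser -Identity 'StevieWonder' -Properties logonHours).logonHours
ConvertFrom-LogonHoursValue -Value $stored | Format-Table -AutoSize
```

The decode step is the useful check: it shows at a glance whether the window landed on the intended days and hours, which is much harder to see in the raw byte list that ADSIEdit shows.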

“A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects” ~ Robert Anson Heinlein

Related PowerShell Cmdlets

New-adUser - Create a new AD user.
Remove-adUser - Remove an AD user.
IE Language codes - docs.microsoft.com.
Set-adAccountPassword - Modify the password of an AD account.


 
Copyright © 1999-2024 SS64.com
Some rights reserved