How-To Administer Active Directory Domain Services User Accounts Using Windows PowerShell

The Active Directory Module for Windows PowerShell, which is included with Windows Server 2008 R2, can be used to administer Active Directory Domain Services (AD DS) objects, including user accounts. What follows is an in-depth look at administering AD DS user accounts by using the Active Directory Module for Windows PowerShell. For an overview of the Active Directory Module for Windows PowerShell, please see Introducing the Active Directory Module for Windows PowerShell.

Overview

There are a number of tasks that can be performed on user accounts by using the cmdlets included with the Active Directory Module for Windows PowerShell, such as:

  • Retrieving user accounts
  • Creating user accounts
  • Deleting user accounts
  • Modifying user accounts
  • Disabling user accounts
  • Enabling user accounts
  • Unlocking user accounts

In fact, there are over 20 cmdlets that apply to AD DS user accounts. I will cover a number of these in the sections that follow.

Retrieving AD DS User Accounts

Get-ADUser can be used to retrieve AD DS user accounts. Get-ADUser allows you to find one or more AD DS user accounts that meet criteria you specify.

Get-ADUser allows you to specify the search criteria in multiple formats, including:

  • Distinguished name
  • GUID
  • SID
  • SAM account name
  • Name
  • LDAP filter

One of the advantages of Get-ADUser is that it automatically recognizes the format of the criteria for all but LDAP filter. In other words, you do not have to include a parameter in the command to tell it which format you are using. The table below shows the different formats that can be used to find the same AD DS user account:

Criteria             Command
Distinguished name   Get-ADUser "CN=John Policelli,OU=Toronto,DC=domain,DC=local"
GUID                 Get-ADUser bfd9d751-b6be-4c67-a716-9052c8fe7fff
SID                  Get-ADUser S-1-5-21-236992988-293544445-1879654059-1105
SAM account name     Get-ADUser JPOLICELLI
Name                 Get-ADUser "John Policelli"

The LDAP filter format is particularly useful when you need to find more than one AD DS user account. The -LDAPFilter parameter accepts any standard LDAP search filter. For example, to find all AD DS user accounts that have a given name of John, you can use the following command:

  • Get-ADUser -LDAPFilter "(GivenName=John)"

As shown in the figure below, Get-ADUser will return a default list of user account properties.

You can control which user account properties Get-ADUser returns by using the -Properties parameter. As shown in the figure below, a wildcard (-Properties *) returns all properties for the AD DS user account(s) found:

As shown in the figure below, you can also expand the list of properties you want returned for the AD DS user account(s) found using a comma-separated list of the names of the properties you want returned:

You can also specify the search base and search scope by using the -SearchBase and -SearchScope parameters, respectively.

If you want to limit your search to a particular Organizational Unit, you can use the –SearchBase parameter and specify the distinguished name of the OU. The following command sets the search base to the Toronto OU:

  • Get-ADUser -LDAPFilter "(GivenName=John)" -SearchBase "OU=Toronto,DC=domain,DC=local"

The -SearchScope parameter allows you to control the scope of the search. The scope can be set to Base, OneLevel, or SubTree. Base searches only the current path/object itself; OneLevel searches the immediate children of the path/object; SubTree searches the current path/object and all of its descendants.

Building on the above example, you can refine the command so that it only searches user accounts directly in the Toronto OU, and not in any child OUs, by setting the scope to OneLevel (Base would match only the OU object itself and so would return no user accounts):

  • Get-ADUser -LDAPFilter "(GivenName=John)" -SearchBase "OU=Toronto,DC=domain,DC=local" -SearchScope OneLevel
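As an added example that is not from the original article, the following query combines -LDAPFilter, -SearchBase, -SearchScope and -Properties to list enabled accounts in the Toronto OU whose passwords are set to never expire; the OU path is the article's sample domain, and the output file name is an assumption.

```powershell
# Added example (not the article's own code): audit query built from the
# Get-ADUser parameters described above. The OU is the article's sample value.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests individual
# userAccountControl bits:
#   2     = ACCOUNTDISABLE
#   65536 = DONT_EXPIRE_PASSWORD
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$query = @{
    LDAPFilter  = $filter
    SearchBase  = 'OU=Toronto,DC=domain,DC=local'
    SearchScope = 'Subtree'
    # These are not in the default property set, so request them explicitly
    Properties  = 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate', 'MemberOf'
}

Get-ADUser @query |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate,
                  @{ Name = 'GroupCount'; Expression = { $_.MemberOf.Count } } |
    Sort-Object PasswordLastSet |
    Export-Csv -Path '.\password-never-expires.csv' -NoTypeInformation   # assumed file name
```

Oldest passwords sort to the top, so the first rows of the CSV are the accounts to review first.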

Creating AD DS User Accounts

New-ADUser can be used to create an AD DS user account. At minimum, you must specify the SAM account name when using New-ADUser to create an AD DS user account. The command to create an AD DS user account with a SAM account name of User1 is:

  • New-ADUser User1

The above command creates the AD DS user account in the default container for user accounts, which is the Users container by default. Because no password was specified in the above command, the user account is created in a disabled state. Lastly, most attributes, such as GivenName, Surname, and UPN, will be blank when the above command is run.

As shown in the figure below, you can specify virtually any attribute when using New-ADUser to create an AD DS user account.

Here’s the actual command that was run:

  • New-ADUser -SamAccountName "JPOLICELLI" -UserPrincipalName "JPOLICELLI@domain.local" -GivenName "John" -Surname "Policelli" -DisplayName "John Policelli" -Name "John Policelli" -Enabled $true -Path "OU=Toronto,DC=domain,DC=local" -AccountPassword (Read-Host -AsSecureString "AccountPassword")

The table below breaks down the above command. The Attributes column lists the attributes that were set by the above command. The Value column lists the value that was set for each attribute. The Cmdlet Parameter column lists the actual cmdlet parameter and value that was used to set the value for each attribute.

Attribute             Value                     Cmdlet Parameter
SAM account name      JPOLICELLI                -SamAccountName "JPOLICELLI"
User Principal Name   JPOLICELLI@domain.local   -UserPrincipalName "JPOLICELLI@domain.local"
Given name            John                      -GivenName "John"
Surname               Policelli                 -Surname "Policelli"
Display name          John Policelli            -DisplayName "John Policelli"
Name                  John Policelli            -Name "John Policelli"
Account status        Enabled                   -Enabled $true
Location              Toronto OU                -Path "OU=Toronto,DC=domain,DC=local"
Account password      Prompt for password       -AccountPassword (Read-Host -AsSecureString "AccountPassword")
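The same account creation, as an added example that is not part of the original article: it refuses to proceed if the SAM account name is already taken, keeps the password off the command line, forces a password change at first logon, and reads the object back to confirm the result. The names and OU are the article's sample values.

```powershell
# Added example (not the article's own code): guarded version of the New-ADUser
# command above. Sample data is the article's; adjust for your domain.
Import-Module ActiveDirectory

$sam    = 'JPOLICELLI'
$ouPath = 'OU=Toronto,DC=domain,DC=local'

# -Filter returns nothing (rather than throwing) when there is no match,
# so this is a clean pre-flight check against a duplicate SAM account name
if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
    throw "An account with SAM account name '$sam' already exists."
}

# The password is entered interactively and never appears in the command
# line, shell history or a transcript
$password = Read-Host -AsSecureString -Prompt "Initial password for $sam"

$newUser = @{
    SamAccountName        = $sam
    UserPrincipalName     = "$sam@domain.local"
    Name                  = 'John Policelli'
    GivenName             = 'John'
    Surname               = 'Policelli'
    DisplayName           = 'John Policelli'
    Path                  = $ouPath
    AccountPassword       = $password
    Enabled               = $true
    ChangePasswordAtLogon = $true   # the initial password is single-use
}
New-ADUser @newUser

# Read the object back to confirm where it landed and how it is configured;
# PasswordExpired should be True because of ChangePasswordAtLogon
Get-ADUser -Identity $sam -Properties PasswordLastSet, PasswordExpired |
    Select-Object DistinguishedName, Enabled, PasswordExpired, PasswordLastSet
```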

Deleting AD DS User Accounts

Remove-ADUser can be used to delete AD DS user accounts. Remove-ADUser simply requires that you specify the object you want to delete. This can be specified in the following formats:

  • Distinguished name
  • GUID
  • SID
  • SAM account name

The table below shows the different formats that can be used to delete the same AD DS user account:

Criteria             Command
Distinguished name   Remove-ADUser "CN=John Policelli,OU=Toronto,DC=domain,DC=local"
GUID                 Remove-ADUser bfd9d751-b6be-4c67-a716-9052c8fe7fff
SID                  Remove-ADUser S-1-5-21-236992988-293544445-1879654059-1105
SAM account name     Remove-ADUser JPOLICELLI

As shown in the figure below, Remove-ADUser will prompt you to confirm the deletion.

Modifying AD DS User Accounts

Set-ADUser can be used to modify the properties of an AD DS user account. Set-ADUser has a predefined list of 47 properties that can be modified, including the following:

  • AccountExpirationDate
  • AccountNotDelegated
  • AllowReversiblePasswordEncryption
  • CannotChangePassword
  • Certificates
  • ChangePasswordAtLogon
  • City
  • Company
  • Country
  • Delegated
  • Department
  • Description
  • DisplayName
  • Division
  • EmailAddress
  • EmployeeID
  • EmployeeNumber
  • Enabled
  • Fax
  • GivenName
  • HomeDirectory
  • HomeDrive
  • HomePage
  • HomePhone
  • Initials
  • LogonWorkstations
  • Manager
  • MobilePhone
  • Office
  • OfficePhone
  • Organization
  • OtherName
  • PasswordNeverExpires
  • PasswordNotRequired
  • POBox
  • PostalCode
  • ProfilePath
  • SAMAccountName
  • ScriptPath
  • ServicePrincipalNames
  • SmartcardLogonRequired
  • State
  • StreetAddress
  • Surname
  • Title
  • TrustedForDelegation
  • UserPrincipalName

When using Set-ADUser, you must specify the user you want to modify the properties for. You can use the following formats to specify the user account(s) you want to modify:

  • Distinguished name
  • GUID
  • SID
  • SAM account name

You can modify one or multiple properties at the same time using Set-ADUser. For example, to modify the City for a user, you can use the following command:

  • Set-ADUser JPOLICELLI -City Toronto

To modify the City, Province, and Country for an AD DS user account, you can use the following command:

  • Set-ADUser JPOLICELLI -City Toronto -State Ontario -Country CA

Disabling AD DS User Accounts

Disable-ADAccount can be used to disable AD DS user accounts. When using Disable-ADAccount, you must specify the user you want to disable. You can use the following formats to specify the user account you want to disable:

  • Distinguished name
  • GUID
  • SID
  • SAM account name

To disable an AD DS user account that has a SAM account name of JPOLICELLI, you would run the following command:

  • Disable-ADAccount JPOLICELLI
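As an added example that is not from the original article, the following function combines Get-ADUser, Disable-ADAccount and Set-ADUser into a stale-account sweep: it disables enabled accounts that have not logged on for a given number of days and records the reason in Description. It supports -WhatIf so the change can be previewed first; the OU path and the 90-day threshold are assumptions.

```powershell
# Added example (not the article's own code). The default OU is the article's
# sample value; the inactivity threshold is an assumed policy value.
Import-Module ActiveDirectory

function Disable-StaleADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase   = 'OU=Toronto,DC=domain,DC=local',
        [int]   $InactiveDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Only enabled accounts are candidates. LastLogonDate and WhenCreated are not
    # in the default property set; note that LastLogonDate is replicated lazily
    # and can lag real activity by up to 14 days, so keep the threshold generous.
    $query = @{
        Filter      = { Enabled -eq $true }
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        Properties  = 'LastLogonDate', 'WhenCreated'
    }
    $candidates = Get-ADUser @query | Where-Object {
        # A recently created account that has never logged on is left alone
        $lastActivity = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.WhenCreated }
        $lastActivity -lt $cutoff
    }

    foreach ($user in $candidates) {
        $reason = "Disabled $(Get-Date -Format 'yyyy-MM-dd'): no logon since $($user.LastLogonDate)"
        # ShouldProcess honours -WhatIf and -Confirm for both changes together
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable account ($reason)")) {
            Disable-ADAccount -Identity $user
            Set-ADUser -Identity $user -Description $reason
        }
    }
}

# Preview the sweep first; drop -WhatIf to apply it
Disable-StaleADUser -InactiveDays 90 -WhatIf
```

The Description stamp gives whoever later runs Enable-ADAccount on the user a record of why, and when, the account was disabled.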

Enabling AD DS User Accounts

Enable-ADAccount can be used to enable AD DS user accounts. When using Enable-ADAccount, you must specify the user you want to enable. You can use the following formats to specify the user account you want to enable:

  • Distinguished name
  • GUID
  • SID
  • SAM account name

To enable an AD DS user account that has a SAM account name of JPOLICELLI, you would run the following command:

  • Enable-ADAccount JPOLICELLI

Unlocking AD DS User Accounts

Unlock-ADAccount can be used to unlock AD DS user accounts. When using Unlock-ADAccount, you must specify the user you want to unlock. You can use the following formats to specify the user account you want to unlock:

  • Distinguished name
  • GUID
  • SID
  • SAM account name

To unlock an AD DS user account that has a SAM account name of JPOLICELLI, you would run the following command:

  • Unlock-ADAccount JPOLICELLI

Wrapping Up

The Active Directory Module for Windows PowerShell provides a powerful solution for managing Active Directory Domain Services user accounts with PowerShell. This module can be used to perform virtually every task on AD DS user accounts. What’s more, the cmdlets specific to AD DS user accounts are robust and easy to learn.
