Set-AdUser – Modify Active Directory Users with PowerShell

Very often Admin has to update the Active Directory user’s properties manually. This process can be time-consuming. PowerShell Active Directory module provides Set-AdUser cmdlet to modify active directory user’s attributes.

Set-AdUser cmdlet modifies active directory user attributes. It allows us to modify commonly used user property using cmdlet parameters. Identity parameter to get specific active directory user to modify properties.

You can identify a user by GUID, Distinguished Name, SAMAccountName, Security Identifier (SID). You can use the Get-AdUser cmdlet to retrieve user objects and pass objects through the pipe (|) operator to Set-AdUser cmdlet to modify user attributes.

Prerequisites

Set-AdUser cmdlet is one of the Active Directory cmdlets. To use the set-aduser cmdlet, the system needs to have the following requirements:

• PowerShell ActiveDirectory Module to be installed
• User with administrator access or have enough access to read Active Directory information.

Tip: To know about which modules are available in the system, run the below command in PowerShell ISE

Get-Module -ListAvailable

This command returns all the modules installed and available in the system. If the Active Directory module is not available then follow the Active Directory installation steps.

Syntax

Set-AdUser cmdlet modifies an active directory user properties

Set-ADUser
   [-WhatIf]
   [-Confirm]
   [-AccountExpirationDate <DateTime>]
   [-AccountNotDelegated <Boolean>]
   [-Add <Hashtable>]
   [-AllowReversiblePasswordEncryption <Boolean>]
   [-AuthenticationPolicy <ADAuthenticationPolicy>]
   [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>]
   [-AuthType <ADAuthType>]
   [-CannotChangePassword <Boolean>]
   [-Certificates <Hashtable>]
   [-ChangePasswordAtLogon <Boolean>]
   [-City <String>]
   [-Clear <String[]>]
   [-Company <String>]
   [-CompoundIdentitySupported <Boolean>]
   [-Country <String>]
   [-Credential <PSCredential>]
   [-Department <String>]
   [-Description <String>]
   [-DisplayName <String>]
   [-Division <String>]
   [-EmailAddress <String>]
   [-EmployeeID <String>]
   [-EmployeeNumber <String>]
   [-Enabled <Boolean>]
   [-Fax <String>]
   [-GivenName <String>]
   [-HomeDirectory <String>]
   [-HomeDrive <String>]
   [-HomePage <String>]
   [-HomePhone <String>]
   [-Identity] <ADUser>
   [-Initials <String>]
   [-KerberosEncryptionType <ADKerberosEncryptionType>]
   [-LogonWorkstations <String>]
   [-Manager <ADUser>]
   [-MobilePhone <String>]
   [-Office <String>]
   [-OfficePhone <String>]
   [-Organization <String>]
   [-OtherName <String>]
   [-Partition <String>]
   [-PassThru]
   [-PasswordNeverExpires <Boolean>]
   [-PasswordNotRequired <Boolean>]
   [-POBox <String>]
   [-PostalCode <String>]
   [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]
   [-ProfilePath <String>]
   [-Remove <Hashtable>]
   [-Replace <Hashtable>]
   [-SamAccountName <String>]
   [-ScriptPath <String>]
   [-Server <String>]
   [-ServicePrincipalNames <Hashtable>]
   [-SmartcardLogonRequired <Boolean>]
   [-State <String>]
   [-StreetAddress <String>]
   [-Surname <String>]
   [-Title <String>]
   [-TrustedForDelegation <Boolean>]
   [-UserPrincipalName <String>]
   [<CommonParameters>]

Set-ADUser Examples

Let’s see below Set-AdUser examples to set aduser attributes, email address, set-aduser manager, and so on.

Using Set-Aduser to set aduser email address

if you want to set active directory user email address, use PowerShell Set-AdUser cmdlet to update the EmailAddress attribute of aduser.

Set-ADUser -Identity smith -EmailAddress '[email protected]'

In the above example, Set-ADUser command updates user “smith” email address in the active directory account.

It uses Set-ADUser -Identity parameter to identify user based on a distinguished name.

Cool Tip: Get email address using Get-ADUser in PowerShell!

Set active directory user job title and department

Set-ADUser -Identity "smith" -Department "Asia_Sales" -Title "Manager"

In the above example, Set-ADUser command sets job, title, and department properties to the user object with SAM account name smith.

Set active directory user HomePage property

Set-ADUser smith -HomePage 'https://shellgeek.com/powershell/' -LogonWorkstations 'it-20-dekstop,it-20-laptop'

In the above example, Set-ADUser command update SAM account smith user HomePage property to https://shellgeek.com/powershell/ and LogonWorkstations property to it-20-dekstop and it-20-laptop

Get AD User and set-aduser manager property

Let’s consider an example to set aduser Smith manager. Set-AdUser has a manager attribute that is used to set active directory user manager.

Get-ADUser -Identity "Smith" | Set-ADUser -Manager "JohnKelly"

In the above example, it get active directory user Smith using PowerShell Get-ADUser and pass through user object to PowerShell Set-ADUser cmdlet to update Manager property. You can get ad user using userprincipalname or upn.

PowerShell Set-AdUser attributes for multiple users

 Get-ADUser -Filter 'Name -like "*"' -SearchBase 'OU=Sales,OU=UserAccounts,DC=shellgeek,DC=COM' -Properties DisplayName | % {Set-ADUser $_ -DisplayName ($_.Surname + ' ' + $_.GivenName)}

In the above example, Get-ADUser cmdlet gets a list of all users that are located in OU=Sales,OU=UserAccounts,DC=shellgeek,DC=COM organization unit.

PowerShell Set-ADUser cmdlet update DisplayName property on user objects to the concatenation of Surname property and GivenName property.

PowerShell Set Ad users attributes from csv

Let’s consider an example, to update AD user multiple attributes like ad user title and department from CSV file, run below command

Import-Module ActiveDirectory  

$users = Import-csv -Path c:\powershell\ad_users.csv

foreach ($user in $users) {

Get-ADUser -Filter "employeeID -eq '$($user.employeeID)'" -Properties * -SearchBase "OU=Asia_Sales,dc=shellgeek,dc=com" |Set-ADUser -department $($user.department) -title $($user.title) 
}

In the above example, ad_users.csv file contains employeeID, title, and department. User Import-CSV to read CSV file and store file data in $users variable.

Iterate over $user to get user from active directory in specific OU using Get-AdUser cmdlet. Use retrieved employee user object and pass-through pipeline (|) to Set-AdUser cmdlet to update department and title.

Cool Tip: Learn how to get ad user attributes from csv using Get-ADUser cmdlet

Set-ADUser Replace to set properties

PowerShell Set-ADUser replace the specific values for an object property with current values. Use LDAP display name to modify object property. You can use Set-ADUser replace to update multiple attributes values.

Let’s consider a case to update title and email address of an employee, using set-ADuser replace, we can do it as below

Set-ADUser -Identity Smith -Replace @{title="manager";mail="[email protected]"}

This command updates Smith user title as manager and email address to [email protected]

Set-AdUser Company name

If you want to set aduser company name for active directory users in specific OU, run below command

Get-ADUser -SearchBase "OU=SALES,DC=SHELLPRO,DC=LOCAL" -filter * |  Set-ADUser  -Replace @{company="SHELLGEEK"}

Above PowerShell script, Get-AdUser SearchBase parameter get active directory users in specified OU and output to second command.

The second command uses Set-ADUser to update company name with the provided value.

Cool Tip: Learn how to get ad user using userprincipalname or upn in PowerShell!

PowerShell Set-AdUser Replace Multiple Attributes

If you want to update multiple attributes for active directory user like update department, company name , run below command

 Get-ADUser -SearchBase "OU=SALES,DC=SHELLPRO,DC=LOCAL" -filter * -Properties Department,Company | Set-ADUser  -Replace @{Department=101;Company="ShellGeek"}

In the above PowerShell script to replace multiple attributes for ad user, the first command gets aduser from specified OU and passes the output to the second command.

The second command uses Set-ADUser to replace multiple attributes like Department and Company name.

Run script to get aduser for specified OU to check the output of Set-ADUser replace multiple attributes command as below

Set-AdUser Clear Attribute Value

If you want to clear attribute value for ad user account, use AdUser -Clear parameter to clear attribute value.

For example, consider an example to clear department value, run below command

Get-ADUser -filter * -SearchBase "OU=SALES,DC=SHELLPRO,DC=LOCAL" | Set-AdUser -clear department

In the above PowerShell script, Get-Aduser cmdlet get user from specified OU and pass the output to the second command.

The second command uses Set-ADUser to clear attribute values.

The output of above command after we run get ad user command as below

The above image display set-aduser clear attribute value of department for users from specified OU.

Cool Tip: Learn how to query active directory users info!

Set-AdUser Disable Account

As an administrator, we need to keep a check on active user accounts and accounts which are no longer in use. When an employee leaves an organization, we need to disabled active directory user.

Let’s take an example to use set-aduser disable account scenario for employee Don who leaves an organization.

First, we will use the Get-AdUser cmdlet to get ad user account status enabled or disabled.

If Get-AdUser Enabled attribute has True value, it means the account is active, False value means the account is disabled.

 Get-ADUser -Identity Don -Properties Enabled | Select Enabled

Output of above command about ad user enabled status as below

PS C:\Windows\system32> Get-ADUser -Identity Don -Properties Enabled | Select Enabled

Enabled
-------
   True

Now, after the user leave and organization, we need to update his active directory status to disabled. Using the Set-AdUser cmdlet we will disabled account as below

Get-ADUser -Identity Don -Properties Enabled | Set-ADUser -Enabled $False

In the above PowerShell script, the first command get aduser enabled status for user object and passes output to the second command.

The second command uses Set-ADUser to disabled user account using Enable = False.

The output of above PowerShell Set-ADUser Disabled account command, after we check user status as below

Do you know: How to use cat command in Windows using PowerShell !

Powershell Set-AdUser FAQ

Conclusion

In this article, we go through one of the powerful PowerShell Set-ADUser to update active directory user attributes with different examples.

Get-ADUser to get one or more specific user objects and use objects for updating multiple attributes using PowerShell Set-AdUser cmdlet.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.