The Set-ADObject cmdlet in Active Directory modifies the properties of an Active Directory object. You can modify commonly used property values using Set-ADObject cmdlet parameters like Add, Replace, Remove, and Clear parameters.
You can use the Identity parameter to specify which Active Directory object to retrieve for modification. You can identify an object by its distinguished name or GUID.
Another way to get an Active Directory object is to use the Get-ADObject cmdlet to retrieve an AD object and pass the object through the pipeline to the Set-ADObject cmdlet.
In this article, I will explain how to use Set-ADObject to modify properties of an active directory object like sets descriptions for the site, and protect objects from accidental deletion.
Set-ADObject Syntax
Set-ADObject cmdlet modifies active directory object properties.
Syntax:
Set-ADObject [-WhatIf] [-Confirm] [-Add <Hashtable>] [-AuthType <ADAuthType>] [-Clear <String[]>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>] [-Identity] <ADObject> [-Partition <String>] [-PassThru] [-ProtectedFromAccidentalDeletion <Boolean>] [-Remove <Hashtable>] [-Replace <Hashtable>] [-Server <String>] [<CommonParameters>]
Parameters:
-AuthType: It specifies the authentication method to use. The acceptable values for this parameter are Basic or Negotiate. The default authentication method is Negotiate.
-Credential: It specifies the user account credentials to perform the task. By default, it uses currently logged-on user credentials. You can use the Get-Credential cmdlet to get user credentials.
-Identity: It specifies an Active Directory object using the distinguished name, GUID. You can also use Get-ADObject to get adobject and pass the object through the pipeline to Set-ADObject.
Set-ADObject Identity parameter accepts either DistinguishedName or GUID. It doesn’t accept SAMAccountName.
-Description: It Specifies the description of the object. This parameter sets the value of the Description property for the object.
-DisplayName: It Specifies the display name of the object. This parameter sets the value of the DisplayName property for the object.
-Add: It Specifies values to add to an ad object property.
–Clear: It specifies an array of object properties that are cleared in the directory. Use this parameter to clear one or more values of properties that cannot be modified using a cmdlet parameter.
-Remove: It specifies to remove one or more values of property that cannot be modified using a cmdlet.
-Replace: Use this parameter to replace one or more values of property that cannot be modified using a cmdlet parameter.
Let’s understand the Set-ADObject cmdlet to modify active directory object properties using examples.
Set-ADObject Description for Site
You can set the Description property for the active directory object Site using the below command.
Get-ADObject -Identity "CN=Houston,CN=Sites,CN=Configuration,DC=SHELLPRO,DC=LOCAL" | Set-ADObject -Description "Houston Site"
In the above PowerShell script, the Get-ADObject cmdlet gets the active directory object by its distinguishedname and passes the output to the Set-ADObject cmdlet.
The Set-ADObject uses the Description parameter to set the Description property for the site.
The output of the above command is below.
Cool Tip: How to use the get-adprincipalgroupmembership in Active Directory!
Use Set-ADObject to Protect from Accidental Delete
The Set-ADObject cmdlet in PowerShell has ProtectedFromAccidentalDeletion the property that accepts either $True or $False value to prevent active directory objects from accidental deletion.
Use the below command to protect organizational unit instances from accidental deletion.
Set-ADObject -Identity "OU=FINANCE,DC=SHELLPRO,DC=LOCAL" -ProtectedFromAccidentalDeletion $True
How to Use Set ADObject to Modify Displayname
You can use the Set-ADObject cmdlet to modify the DisplayName property for the active directory group.
Get-ADObject -Identity "CN=SALESLeader,OU=SALES,DC=SHELLPRO,DC=LOCAL" | Set-ADObject -DisplayName "Sales Leader"
In the above Set-ADObject example script,
Get-ADObject cmdlets get active directory group and pass output object to Set-ADObject cmdlet.
Set-ADObject uses the DisplayName parameter to modify the AD group display name property.
Using Set-ADObject Replace Parameter
The set-ADObject cmdlet Replace and Remove parameters are used to modify commonly used property values of an active directory object.
Set-ADObject -Identity "CN=Aron Seth,OU=HR,DC=SHELLPRO,DC=LOCAL" -Remove @{url="www.example.com"} -Replace @{description="HR Manager"}
Set-ADObject uses the Identity parameter to modify active directory user attribute values like URL and description.
Set-ADObject uses the Remove parameter to remove the URL attribute.
Set-ADObject Replace parameter replace existing aduser description property with specified Description value.
Cool Tip: How to use the search-adaccount cmdlet in PowerShell!
Conclusion
I hope the above article on how to use Set-ADObject to modify the property value of an active directory is helpful to you.
Use the Get-ADObject cmdlet to get an active directory object and pass the ad object pipeline to the Set-ADObject cmdlet.
The Set-ADObject cmdlet does not work with a read-only domain controller and active directory snapshot.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.