The Set-ADUser cmdlet modifies the properties of an Active Directory user.
You can modify commonly used property values by using the cmdlet parameters.
You can set property values that are not associated with cmdlet parameters by using the Add, Remove, Replace, and Clear parameters.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Powershell queries.
In this context, we shall look into how to use the Set-ADUser cmdlet to modify user properties in AD.
The Set-ADUser cmdlet is part of the Active Directory module for Windows PowerShell.
The Set-ADUser cmdlet has about 50 options related to AD attributes (City, Company, Department, Description, EmailAddress, MobilePhone, Organization, UserPrincipalName, etc.). We can display the list of available attributes using the following command:
Get-Help Set-ADUser -Parameter *|ft
The name of a user we want to change AD attributes for is specified in the mandatory Identity option (we can specify it as an sAMAccountName, SID, Distinguished Name or objectGUID).
For example, let us get the value of the Title attribute of a user using the Get-ADUser cmdlet:
Get-ADUser -Identity C.IbmiMedia -Properties title|select-object name,title
Then change its job title in AD:
Set-ADUser C.IbmiMedia -Title "Junior Engineer"
We can change the values of multiple attributes at once.
For example, let us set a new email address and a list of computers a user is allowed to log on to:
Set-ADUser C.IbmiMedia -EmailAddress C.IbmiMedia@ibmimedia.com -LogonWorkstations 'munx32f2r13,munx32f2r15'
The following command will disable a user account in the domain:
Set-ADUser C.IbmiMedia -Enabled $False
We can change a user photo in AD:
Set-ADUser C.IbmiMedia -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\scripts\ad\c.IbmiMedia.jpg" -Encoding byte))}
We can edit values of other user attributes (including extensionAttribute and custom attributes) in AD using these Set-ADUser options:
i. Add - adds an attribute value
ii. Replace - replaces an attribute value
iii. Clear - clears an attribute value
iv. Remove - removes one of the attribute values
For example, to change a user phone number, we may use this command:
Set-ADUser C.Ibmimedia -MobilePhone $NewNumber
Or
Set-ADUser C.Ibmimedia -Replace @{mobile = $Number}   # -Replace takes the LDAP attribute name (mobile), not the parameter name MobilePhone
To add a new value to the extensionAttribute5:
Set-ADUser C.Ibmimedia -Add @{extensionAttribute5 = "Test1"}
To clear an attribute value:
Set-ADUser C.Ibmimedia -Clear "extensionAttribute5"
We can change values of multiple attributes at a time:
Set-ADUser C.Ibmimedia -Replace @{title="Senior Engineer";company="XYZ"}
Also, using these options, we can change multi-valued attributes. For example, let us add multiple ProxyAddresses (email aliases) to a user:
Set-ADUser C.Ibmimedia -Add @{ProxyAddresses = "smtp:C.Ibmimedia@ibmimedia.com,SMTP:chris.Ibmimedia@ibmimedia.com" -split ","}   # no spaces or empty elements between the commas; uppercase SMTP: marks the primary address
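As an added example (not code from the original post), the same ProxyAddresses update written defensively: it skips blank or malformed values, does not re-add an address the user already has, and refuses to introduce a second primary (uppercase "SMTP:") address. The identity and addresses are constructed placeholders; the Active Directory module is assumed to be available.

```powershell
# Added example: add ProxyAddresses aliases without duplicates and without
# introducing a second primary (uppercase "SMTP:") address.
# The identity and addresses below are constructed placeholders.
Import-Module ActiveDirectory

function Add-ProxyAddressSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $Address
    )
    $user    = Get-ADUser -Identity $Identity -Properties proxyAddresses
    $current = @($user.proxyAddresses)

    # Uppercase "SMTP:" marks the one primary address; lowercase "smtp:" marks an alias.
    $primary = $current | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1

    $toAdd = foreach ($a in $Address) {
        $a = $a.Trim()
        if (-not $a) { continue }                       # blank element, e.g. from a stray comma
        if ($a -notmatch '^smtp:[^@\s]+@[^@\s]+$') {    # -match is case-insensitive
            Write-Warning "Skipping malformed value '$a'"; continue
        }
        if ($current -contains $a) {                    # -contains is case-insensitive
            Write-Verbose "Already present: $a"; continue
        }
        if ($a -clike 'SMTP:*') {
            if ($primary) { Write-Warning "Skipping '$a': primary already set to $primary"; continue }
            $primary = $a                               # first primary in this batch wins
        }
        $a
    }

    if (-not $toAdd) { Write-Verbose "Nothing to add for $Identity"; return }
    if ($PSCmdlet.ShouldProcess($Identity, "Add proxyAddresses: $($toAdd -join ', ')")) {
        Set-ADUser -Identity $user -Add @{proxyAddresses = [string[]]$toAdd}
    }
}

# Constructed call: -WhatIf previews the change, -Verbose shows what was skipped.
$new = 'smtp:C.Ibmimedia@ibmimedia.com,SMTP:chris.Ibmimedia@ibmimedia.com' -split ','
Add-ProxyAddressSafely -Identity 'C.Ibmimedia' -Address $new -WhatIf -Verbose
```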
We can change the attributes of multiple users at once. For example, the following command will change the value of the UserAccountControl attribute and force all users from the specified OU to change their passwords at the next logon:
Get-ADUser -Filter * -SearchBase "OU=Users,OU=DE,DC=ibmimedia,DC=loc" | Set-ADUser -ChangePasswordAtLogon $true
We can bulk update the AD user attributes with the values from a CSV file.
For example, we have a CSV file with the list of accounts, titles and phone numbers (the file format is: SamAccountName, Title, MobilePhone).
To update user attributes using the values from the CSV file, run the following PowerShell command:
Import-Csv "C:\scripts\ad\update_ad_users.csv" | foreach {Set-ADUser -Identity $_.SamAccountName -Title $_.Title -MobilePhone $_.MobilePhone}
Let us try to add information about a computer a user has logged on to the user properties in Active Directory.
To do it, it is enough to add the following PowerShell script to the logon GPO scripts to be run when a user logs on to the computer (User Configuration -> Policies -> Windows Settings -> Scripts -> Logon):
Set-ADUser -Identity $env:UserName -Description $env:ComputerName
The script assumes that the PowerShell module for Active Directory is installed on the users' computers.
If we do not want to install RSAT on all computers, we can use the AD PowerShell module without installation by copying its files to all computers using GPO or a logon script.
This will allow us to find the name of the computer that the user logged on to.
In this example, we save the name of the current computer to the standard Description attribute.
We can use another attribute, say one of ExtensionAttributes.
While trying to update user properties using Set-ADUser, we received the following error:
Set-ADUser : replace
At C:\ADUpdate.ps1:30 char:1
+ Set-ADUser -Identity $_.name -Department $_.department -title $_.titl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (BobUser:ADUser) [Set-ADUser], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.SetADUser
We can use the Set-ADUser command as given below:
Set-ADUser -Identity $_.name -Department $_.department -title $_.title -Office $_.office -StreetAddress $_.streetAddress -State $_.state -PostalCode $_.postalCode -MobilePhone $_.mobile -OfficePhone $_.telephoneNumber -City $_.city
The error occurs because the command used is incorrect.
So, use the command below instead:
Set-ADUser -Identity $_.name -Department $department -title $title -Office $office -StreetAddress $streetAddress -State $state -PostalCode $postalCode -MobilePhone $mobile -OfficePhone $telephoneNumber -City $city
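As an added example (not code from the original post), a version of the CSV bulk update above that builds the Set-ADUser parameter set per row: blank cells are skipped rather than passed as values (an empty string is not accepted as a replacement value, and clearing an attribute needs -Clear), accounts missing from AD are reported instead of aborting the run, and -WhatIf gives a dry run. The file path and column names are assumptions.

```powershell
# Added example: bulk update AD users from a CSV while skipping blank cells and
# supporting -WhatIf. Path and columns (SamAccountName, Title, MobilePhone) are assumed.
Import-Module ActiveDirectory

function Update-ADUsersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # CSV column name -> Set-ADUser parameter name
        [hashtable] $ColumnMap = @{ Title = 'Title'; MobilePhone = 'MobilePhone' }
    )
    foreach ($row in Import-Csv -Path $Path) {
        $sam = $row.SamAccountName
        if ([string]::IsNullOrWhiteSpace($sam)) { Write-Warning 'Row without SamAccountName skipped'; continue }

        $params = @{}
        foreach ($col in $ColumnMap.Keys) {
            $value = $row.$col
            # An empty cell must not become a parameter value; use -Clear to empty an attribute.
            if (-not [string]::IsNullOrWhiteSpace($value)) { $params[$ColumnMap[$col]] = $value.Trim() }
        }
        if ($params.Count -eq 0) { Write-Verbose "${sam}: nothing to update"; continue }

        try   { $user = Get-ADUser -Identity $sam -ErrorAction Stop }
        catch { Write-Warning "${sam} not found in AD, skipped"; continue }

        $desc = ($params.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        if ($PSCmdlet.ShouldProcess($sam, "Set $desc")) {
            try   { Set-ADUser -Identity $user @params }
            catch { Write-Error "Failed to update ${sam}: $($_.Exception.Message)" }
        }
    }
}

# Constructed call: preview with -WhatIf first, then run without it.
Update-ADUsersFromCsv -Path 'C:\scripts\ad\update_ad_users.csv' -WhatIf -Verbose
```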
This article covers how to use Set-ADUser to modify Active Directory users with PowerShell.
Basically, the Set-ADUser cmdlet is part of the Active Directory module for Windows PowerShell.
The Identity parameter specifies the Active Directory user to modify.
You can identify a user by its distinguished name, GUID, security identifier (SID), or Security Account Manager (SAM) account name.
You can also set the Identity parameter to an object variable such as $<localUserObject>, or you can pass an object through the pipeline to the Identity parameter.