Windows OS Hub

March 12, 2024

Set-ADUser: How to Change User Properties in Active Directory with PowerShell

The Set-ADUser cmdlet allows you to modify user properties (attributes) in Active Directory using PowerShell. Traditionally, the graphical MMC snap-in dsa.msc (Active Directory Users and Computers, ADUC) is used to edit the properties of AD users. The ADUC snap-in can be used to change user properties or advanced attributes in the Attribute Editor tab. However, you cannot bulk modify user attributes via the ADUC console (it is partially possible to do it using AD saved queries). In this article, we’ll look at some examples of using the Set-ADUser cmdlet to change user properties in AD.

Contents:
  • Modifying User Properties in Active Directory with PowerShell
  • How to Bulk Modify Active Directory Users Attributes?
  • How to Show User’s Logged on Computer Name in ADUC?

The Set-ADUser cmdlet is part of the Active Directory module for Windows PowerShell and the module must be installed on your computer. On Windows Server, the RSAT-AD-PowerShell module is installed from the Windows features, and on Windows 10 you have to install it from RSAT:

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

Modifying User Properties in Active Directory with PowerShell

The Set-ADUser cmdlet has about 50 options related to AD attributes (City, Company, Department, Description, EmailAddress, MobilePhone, Organization, UserPrincipalName, etc.). You can display the list of available attributes using the following command:

Get-Help Set-ADUser -Parameter *|ft


The name of a user you want to change AD attributes for is specified in the mandatory Identity option (you can specify it as an sAMAccountName, SID, Distinguished Name or objectGUID).

For example, let’s get the value of the Title attribute of a user using the Get-ADUser cmdlet:

Get-ADUser -Identity M.Becker -Properties title|select-object name,title

Then change the user's job title in AD:

Set-ADUser M.Becker -Title "Junior DevOps Engineer"


You can change the values of multiple attributes at once. For example, let’s set a new email address and a list of computers a user is allowed to log on to:

Set-ADUser M.Becker -EmailAddress [email protected] -LogonWorkstations 'munx32f2r13,munx32f2r15'

The following command will disable a user account in the domain:

Set-ADUser M.Becker -Enabled $False

You can change a user photo in AD:

Set-ADUser M.Becker -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\scripts\ad\m.becker.jpg" -Encoding byte))}

You can edit values of other user attributes (including extensionAttribute and custom attributes) in AD using these Set-ADUser options:

  • Add – adds an attribute value
  • Replace – replaces an attribute value
  • Clear – clears an attribute value
  • Remove – removes one of the attribute values

For example, to change a user phone number, you may use this command:

Set-ADUser M.Becker -MobilePhone $NewNumber

Or:

Set-ADUser M.Becker -Replace @{mobile = $Number}   # -Replace takes LDAP attribute names; the MobilePhone value is stored in 'mobile'

To add a new value to the extensionAttribute5:

Set-ADUser M.Becker -Add @{extensionAttribute5 = "Test1"}

To clear an attribute value:

Set-ADUser M.Becker -Clear "extensionAttribute5"

You can change values of multiple attributes at a time:

Set-ADUser M.Becker -Replace @{title="Senior DevOps";company="XYZ"}

Also, using these options, you can change multi-valued attributes. For example, let’s add multiple ProxyAddresses (email aliases) to a user:

Set-ADUser M.Becker -Add @{ProxyAddresses="smtp:[email protected],SMTP:[email protected]" -split ","}

How to Bulk Modify Active Directory Users Attributes?

You can change the attributes of multiple users at once. For example, the following command will change the value of UserAccountControl attribute and force all users from the specified OU to change their passwords at the next logon:

Get-ADUser -Filter * -SearchBase "OU=Users,OU=DE,DC=woshub,DC=loc" | Set-ADUser -ChangePasswordAtLogon $true

You can bulk update the AD user attributes with the values from a CSV file. For example, you have a CSV file with the list of accounts, titles and phone numbers (the file format is: SamAccountName, Title, MobilePhone).


To update user attributes using the values from the CSV file, run the following PowerShell command:

Import-Csv "C:\scripts\ad\update_ad_users.csv" | foreach {Set-ADUser -Identity $_.SamAccountName -Title $_.Title -MobilePhone $_.MobilePhone}

You can delegate privileges to update user attributes in AD to an HR employee and even teach them how to work with such CSV/Excel files from PowerShell.
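A more defensive version of the CSV import, as an added example that is not part of the original article: it checks the CSV columns, accepts only plain characters in SamAccountName before the value is placed in the filter string, touches only accounts under one OU, supports -WhatIf, and logs old and new values. The script parameters and the log file path are assumptions; the CSV path and OU are the ones used in this article.

```powershell
# Added example (not from the original article); parameter names and $LogPath are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath    = 'C:\scripts\ad\update_ad_users.csv',
    [string]$SearchBase = 'OU=Users,OU=DE,DC=woshub,DC=loc',
    [string]$LogPath    = 'C:\scripts\ad\update_ad_users_log.csv'
)
Import-Module ActiveDirectory -ErrorAction Stop

$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "No rows in $CsvPath" }

# Refuse files whose columns differ from the agreed format
$expected = 'SamAccountName', 'Title', 'MobilePhone'
$actual   = @($rows[0].PSObject.Properties.Name)
if (Compare-Object $expected $actual) { throw "Unexpected CSV columns: $($actual -join ', ')" }

$log = foreach ($row in $rows) {
    $sam = "$($row.SamAccountName)".Trim()
    # The name is placed inside a filter string, so accept plain account-name characters only
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Skipped invalid SamAccountName '$sam'"; continue
    }
    # Look the account up under the delegated OU only; accounts elsewhere are never touched
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -SearchBase $SearchBase -Properties Title, MobilePhone
    if (-not $user) { Write-Warning "Skipped '$sam': not found under $SearchBase"; continue }

    # Update only the cells that carry a value; an empty cell leaves the attribute unchanged
    $changes = @{}
    $title  = "$($row.Title)".Trim()
    $mobile = "$($row.MobilePhone)".Trim()
    if ($title)  { $changes.Title       = $title }
    if ($mobile) { $changes.MobilePhone = $mobile }
    if ($changes.Count -eq 0) { continue }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Set Title/MobilePhone')) {
        Set-ADUser -Identity $user @changes -ErrorAction Stop
        [pscustomobject]@{
            Time      = (Get-Date -Format s); SamAccountName = $sam
            OldTitle  = $user.Title;          NewTitle       = $title
            OldMobile = $user.MobilePhone;    NewMobile      = $mobile
        }
    }
}
if ($log) { $log | Export-Csv -Path $LogPath -Append -NoTypeInformation }
```

Run the script with -WhatIf first to see which accounts would be changed without writing anything to AD.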

How to Show User’s Logged on Computer Name in ADUC?

In one of the previous articles we showed how to add user information to computer properties in AD using the Set-ADComputer cmdlet. Now let’s consider another approach and save the name of the computer a user is logged on to in the user’s properties in Active Directory.

To do it, it is enough to add the following PowerShell script to the logon GPO scripts to be run when a user logs on to the computer (User Configuration -> Policies -> Windows Settings -> Scripts -> Logon):

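Set-ADUser -Identity $env:UserName -Description $env:computername

The script assumes that the PowerShell module for Active Directory is installed on users’ computers. If you don’t want to install RSAT on all computers, you can use the AD PowerShell module without installation by copying its files to all computers using GPO or a logon script. A logon script runs in the security context of the user who is logging on, so each user needs write permission on the Description attribute of their own account for the command to succeed.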

This will allow you to quickly find the name of the computer the user is logged on to.

In this example, we save the name of the current computer to the standard Description attribute. You can use another attribute, say one of ExtensionAttributes.