Active Directory User Management using Windows PowerShell

By Umendra Singh, 03.05.2014, General

There is no iota of doubt that Windows PowerShell gives more control than the traditional Windows tools to manage the Active Directory. This fact inspires the Administrators to stick with command line tool instead of using the Active Directory Users and Computers. Let us have a look at AD user management through Windows PowerShell. Here, we’ll learn how to create and remove the users using the PowerShell CMDlets.

Creating a Single User – Following is the New-ADUser CMDlet for creating a user through PowerShell.

New-ADUser -Name "username" -SamAccountName "username" -DisplayName "username" -GivenName "Username" -Surname "surname" -AccountPassword (Read-Host -AsSecureString "Message") -Enabled $true -Path 'CN=Users,DC=Doc,DC=Com' -CannotChangePassword $false -ChangePasswordAtLogon $true -PasswordNeverExpires $false -EmailAddress "email" -EmployeeID "ID" -Department "string"

Following is a description of some of the parameters provided in the above CMDlet.

  • SamAccountName – specifies the SAM account name of the user. The New-ADUser command should include this parameter when creating a user. You can pass a string value in it.
  • DisplayName – specifies the name to be displayed.
  • Surname – specifies the surname of the user.
  • AccountPassword – specifies the account password for the user. The password has to be entered as a secure string after the command is executed, so the parameter is usually given in the following form: -AccountPassword (Read-Host -AsSecureString "Message")
  • Enabled – specifies whether the new user will be enabled or disabled. If you do not provide a password, the user will be disabled by default. You can provide $true for true and $false for false.
  • Path – specifies the path in Active Directory where the new user will be created. Its value should be passed between single quotes, such as -Path 'CN=Users,DC=Domain,DC=Com'
  • CannotChangePassword – specifies whether the user can change the password or not. The two acceptable values are $true and $false.
  • ChangePasswordAtLogon – specifies whether the new user has to change the password at first logon or not. The two acceptable values are $true and $false.
  • PasswordNeverExpires – specifies whether the password will never expire. The two acceptable values are $true and $false.
  • EmailAddress – specifies the email address of the new user.
  • Department – specifies the department of the new user.
  • EmployeeID – specifies the employee ID of the new user.

After executing the command, PowerShell will ask for the password.

Press Enter and the user will be created.
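The single-user creation above, written as a complete script. This is an added example, not code from the original article: it assumes the ActiveDirectory module (RSAT) is installed, that the session runs as an account permitted to create users, and that the OU path, names and attribute values are placeholders to be replaced. New-ADUser requires -Name (the common name), so it is included; the parameters are splatted from a hashtable so the call can be reviewed line by line, and the result is verified with Get-ADUser instead of being assumed.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed and the OU below exists; all names are placeholders.
Import-Module ActiveDirectory

# Collect the initial password interactively as a SecureString so that it never
# appears in plain text in the script, the command history or a transcript log.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for the new user'

# Splatting keeps a long New-ADUser call readable and easy to review.
$newUser = @{
    Name                  = 'Test User7'                 # mandatory; becomes the CN
    SamAccountName        = 'TestUser7'
    UserPrincipalName     = 'TestUser7@doc.com'          # placeholder UPN suffix
    DisplayName           = 'Test User7'
    GivenName             = 'Test'
    Surname               = 'User7'
    EmailAddress          = 'testuser7@doc.com'          # placeholder
    EmployeeID            = 'E0007'                      # placeholder
    Department            = 'IT'
    Path                  = 'OU=Staff,DC=doc,DC=com'     # placeholder OU (the article uses CN=Users)
    AccountPassword       = $initialPassword
    Enabled               = $true
    ChangePasswordAtLogon = $true    # the user must replace the initial password at first logon
    PasswordNeverExpires  = $false   # keep the account under the domain password policy
    CannotChangePassword  = $false
}

# Dry run first: -WhatIf reports what would be created without touching the directory.
New-ADUser @newUser -WhatIf

# Create the user for real.
New-ADUser @newUser

# Verify the result and the security-relevant flags rather than assuming success.
Get-ADUser -Identity $newUser.SamAccountName -Properties Enabled, PasswordExpired, PasswordNeverExpires, Department |
    Select-Object SamAccountName, DistinguishedName, Enabled, PasswordExpired, PasswordNeverExpires, Department
```

ChangePasswordAtLogon and PasswordNeverExpires are mutually exclusive in practice: an account that never expires its password will not be forced to change it, so the example keeps PasswordNeverExpires at $false and checks PasswordExpired afterwards to confirm the first-logon change is actually pending.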

Creating Bulk Users – A CSV file has to be created before bulk users can be created through PowerShell with the Import-CSV CMDlet. Following is a screenshot of the required CSV file.

Now, execute the following command.

Import-CSV d:\Share\testing.csv | New-ADUser

In fact, Import-CSV provides pipeline input to the New-ADUser CMDlet, which in turn processes the values of the CSV file to create the new users. Executing this command will load the Active Directory module first.

After completing the action, you’ll return to the same prompt.

Check the Active Directory for the newly created users.
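The bulk import above relies on the CSV column headers matching New-ADUser parameter names, and because a CSV column is a plain string rather than a SecureString, the bare Import-CSV | New-ADUser pipeline creates the accounts without a password and therefore disabled. The following is an added example, not the article's code, that handles both points: it writes a constructed sample CSV (the rows, OU and domain are invented placeholders), validates the headers, skips accounts that already exist, and creates each user enabled with a randomly generated one-time password that must be changed at first logon. It assumes the ActiveDirectory module is available and the OU in the Path column exists.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is available and the OU in the Path column exists. All rows are
# constructed sample data; passwords are deliberately not stored in the file.
Import-Module ActiveDirectory

# Constructed sample CSV. Column headers match New-ADUser parameter names so that
# Import-Csv | New-ADUser could bind them by property name.
$csvPath = Join-Path $env:TEMP 'new-users-sample.csv'
@'
Name,SamAccountName,GivenName,Surname,Department,Path
Alice Example,aexample,Alice,Example,Finance,"OU=Staff,DC=doc,DC=com"
Bob Sample,bsample,Bob,Sample,IT,"OU=Staff,DC=doc,DC=com"
'@ | Set-Content -Path $csvPath -Encoding UTF8

function New-RandomInitialPassword {
    # 64-symbol alphabet so that (byte % 64) is unbiased; 20 symbols gives about 120 bits.
    param([int]$Length = 20)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Refuse to run on a file with the wrong layout instead of creating half-filled accounts.
$required = 'Name', 'SamAccountName', 'GivenName', 'Surname', 'Path'
$rows     = Import-Csv -Path $csvPath
$headers  = ($rows | Select-Object -First 1).PSObject.Properties.Name
$missing  = $required | Where-Object { $_ -notin $headers }
if ($missing) { throw "CSV is missing required column(s): $($missing -join ', ')" }

$results = foreach ($row in $rows) {
    # Pass the value through a variable in the filter script block rather than
    # interpolating it into a filter string, so CSV content cannot alter the query.
    $sam = $row.SamAccountName
    if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
        [pscustomobject]@{ SamAccountName = $sam; Status = 'AlreadyExists'; InitialPassword = $null }
        continue
    }

    $plain  = New-RandomInitialPassword
    $params = @{
        Name                  = $row.Name
        SamAccountName        = $sam
        GivenName             = $row.GivenName
        Surname               = $row.Surname
        Department            = $row.Department
        Path                  = $row.Path
        AccountPassword       = (ConvertTo-SecureString -String $plain -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true    # one-time password is replaced at first logon
    }
    New-ADUser @params

    # The one-time password is returned for hand-over through a secure channel;
    # it should not be written to a shared log or left in the CSV.
    [pscustomobject]@{ SamAccountName = $sam; Status = 'Created'; InitialPassword = $plain }
}

$results | Format-Table -AutoSize
```

Running the loop with New-ADUser @params -WhatIf first is a cheap way to catch a wrong OU or a malformed row before any account is created; the -WhatIf switch is omitted above only so the verification step in the article (checking the directory for the new users) has something to find.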

Modifying Users – Use the following Set-ADUser CMDlet to modify the user.

Set-ADUser -Identity "CN=TestUser7,CN=Users,DC=www,DC=DOC,DC=com" -SamAccountName "TestUser7" -LogonWorkstations "Test"

Some of the available parameters for this CMDlet are listed herein below.

  • ChangePasswordAtLogon – specifies whether the user has to change the password at the next logon or not.
  • Identity – specifies the location of the user in Active Directory. Its value can be in the following format: -Identity "CN=Username,CN=Users,DC=www,DC=doc,DC=com"
  • PasswordNeverExpires – specifies whether the account password will never expire.
  • PasswordNotRequired – specifies whether a password is required or not.
  • SamAccountName – specifies the SAM account name of the user.
  • LogonWorkstations – specifies the workstations on which the user can log on. Its values have to be provided in the following format: -LogonWorkstations "workstation1,workstation2.www.domain.com"

Reset Password – You can reset the password of a user with Set-ADAccountPassword CMDlet.

Some of the acceptable parameters for this CMDlet are listed herein below.

  • Identity – specifies the location of the user in Active Directory. Its value can be in the following format: -Identity "CN=Username,CN=Users,DC=www,DC=doc,DC=com"
  • OldPassword – specifies the old password.
  • NewPassword – specifies the new password.

Both OldPassword and NewPassword have to be provided as secure strings; therefore, their values should be in the following format.

-NewPassword (Read-Host -AsSecureString "Message")
-OldPassword (Read-Host -AsSecureString "Message")

After executing the command, PowerShell will ask for the new password. Enter the new password and hit Enter key to apply the change.

Removing a User Account – You can remove a user account using the Remove-ADUser CMDlet.

Remove-ADUser -Identity "CN=Username,CN=Users,DC=doc,DC=com"

Pressing the Enter key will ask for confirmation to delete the user.

Press Y to confirm the action.
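The modify, reset-password and remove steps above, as one added example that is not from the original article. It assumes the ActiveDirectory module and a user TestUser7 created earlier; the workstation names are placeholders. Two points the article's commands do not show: -Identity also accepts a sAMAccountName (or objectGUID or SID), so the full distinguished name does not have to be typed by hand, and Set-ADAccountPassword has a -Reset switch for an administrative reset, whereas the -OldPassword/-NewPassword form is the self-service change that needs the current password.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and an existing user TestUser7; workstation names are placeholders.
Import-Module ActiveDirectory

# Resolve the user once by sAMAccountName; the object carries the DN the
# article's commands spell out by hand.
$user = Get-ADUser -Identity 'TestUser7' -Properties LogonWorkstations, PasswordNeverExpires
$user.DistinguishedName

# Modify: restrict interactive logon to a comma-separated list of workstations.
Set-ADUser -Identity $user -LogonWorkstations 'WS-FIN-01,WS-FIN-02'

# Administrative reset: -Reset sets a new password without knowing the old one.
$newPassword = Read-Host -AsSecureString -Prompt 'New password for TestUser7'
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

# A reset stamps pwdLastSet with the current time and clears any pending
# "must change" flag, so set ChangePasswordAtLogon after the reset, not before.
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Self-service change (the article's OldPassword/NewPassword form), for comparison:
# Set-ADAccountPassword -Identity $user -OldPassword $old -NewPassword $new

# Confirm the changes rather than assuming them.
Get-ADUser -Identity $user -Properties PasswordLastSet, PasswordExpired, LogonWorkstations |
    Select-Object SamAccountName, PasswordLastSet, PasswordExpired, LogonWorkstations

# Removal: preview first; the real run prompts for confirmation by default,
# which is the Y/N prompt the article describes.
Remove-ADUser -Identity $user -WhatIf
Remove-ADUser -Identity $user
```

Deleting an account destroys its SID and group memberships, so many teams disable first (Disable-ADAccount -Identity $user) and remove only after a retention period; the example keeps the article's direct removal but leaves the confirmation prompt in place instead of suppressing it with -Confirm:$false.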

We’ve discussed only a few commands herein above to manage the users in an Active Directory environment. However, remembering the complete path or identity of a user is very complex in a large organization. In addition, the complete management of users, groups, and computers requires other CMDlets along with some complex scripts.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.