Manage AD Users Account with PowerShell


Tutorial on how to manage AD user accounts with PowerShell (ActiveDirectory module)

Force User’s Password to Expire

Set the user’s pwdLastSet attribute to 0, which forces a password change at the next logon

Set-ADUser -Identity UAT1 -Replace @{pwdlastset="0"}

Lock User’s Account

Lock an AD user’s account by performing several logons with a wrong password (the account locks once the domain lockout threshold is reached)

$LockoutThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

$Password = ConvertTo-SecureString 'WrongPassword' -AsPlainText -Force
$User = "uat1"

# One attempt more than the threshold, so the bad-password counter definitely reaches it
for ($i = 0; $i -le $LockoutThreshold; $i++) {
    Invoke-Command -ComputerName AVENTIS-AD01 { Get-Process } `
        -Credential (New-Object System.Management.Automation.PSCredential ($User, $Password)) `
        -ErrorAction SilentlyContinue
}

#Verify User's Account is locked after X number of attempts
Get-ADUser -Identity uat1 -Properties SamAccountName, UserPrincipalName, LockedOut

#Unlock User Account after testing 
Unlock-ADAccount -Identity uat1

List Users’ Last Logon Date

List users’ last logon date from a given Organizational Unit (OU)

lastLogonTimestamp is replicated between Domain Controllers, but it is only rewritten when the stored value is more than 2 weeks old. A logon 2 days after the last update will NOT change it. The attribute is meant for locating stale accounts, not for precise logon tracking.

$OU = "OU=UAT,DC=THPROP,DC=local"
# Request only the attributes needed instead of -Properties *
Get-ADUser -Filter * -SearchBase $OU -Properties lastLogonTimestamp, PasswordNeverExpires | Select SamAccountName, DisplayName, 
@{n = "LastLogonDate"; e = { ([datetime]::FromFileTime($_.lastLogonTimestamp)).ToString("dd-MM-yyyy HH:mm") }}, PasswordNeverExpires

lastLogon is the only accurate attribute in Active Directory for when a user last logged on. The problem is that it is not replicated: each DC stores only the logons it authenticated itself, so every DC has to be queried.

Search User’s LastLogon in All Domain Controllers

$OU = "OU=UAT,DC=THPROP,DC=local"
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    # Sort on the raw lastLogon (Int64 file time) before formatting; sorting the
    # "dd-MM-yyyy HH:mm" string would order lexically, not chronologically
    Get-ADUser -Filter * -Server $DC.HostName -SearchBase $OU -Properties lastLogon |
        Sort-Object lastLogon -Descending |
        Select SamAccountName, DisplayName, 
        @{n = "LastLogonDate"; e = { ([datetime]::FromFileTime($_.lastLogon)).ToString("dd-MM-yyyy HH:mm") }}, @{n = "DC Name"; e = { $DC.HostName }}
}
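The listing above prints one row per user per DC. As an added example (not part of the original page), the function below goes one step further: it keeps only the newest lastLogon seen across all DCs for each user, falls back to the replicated lastLogonTimestamp when no DC has a lastLogon, and flags accounts that have not logged on within a threshold, which is what a stale-account review actually needs. The OU path is the one used on this page; the 90-day threshold and the function name are assumptions.

```powershell
# Added example: true last logon per user across all DCs, with stale-account flag.
# Assumes the ActiveDirectory module; $SearchBase reuses the OU from this page.
function Get-StaleAdUser {
    param(
        [string]$SearchBase = "OU=UAT,DC=THPROP,DC=local",  # OU from the page
        [int]$StaleDays = 90                                 # assumption: review threshold
    )

    $cutoff  = (Get-Date).AddDays(-$StaleDays)
    $results = @{}

    foreach ($DC in (Get-ADDomainController -Filter *)) {
        # lastLogon is not replicated, so every DC must be asked
        $users = Get-ADUser -Filter * -Server $DC.HostName -SearchBase $SearchBase `
                 -Properties lastLogon, lastLogonTimestamp -ErrorAction SilentlyContinue
        foreach ($u in $users) {
            $ts = [long]($u.lastLogon)   # $null becomes 0 = never on this DC
            # keep the newest lastLogon observed for this account
            if (-not $results.ContainsKey($u.SamAccountName) -or $ts -gt $results[$u.SamAccountName].Raw) {
                $results[$u.SamAccountName] = [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Raw            = $ts
                    Fallback       = [long]($u.lastLogonTimestamp)  # replicated, up to 2 weeks stale
                    SourceDC       = $DC.HostName
                }
            }
        }
    }

    foreach ($r in $results.Values) {
        # use the replicated timestamp only when no DC recorded a lastLogon at all
        $best = if ($r.Raw -gt 0) { $r.Raw } else { $r.Fallback }
        $last = if ($best -gt 0) { [datetime]::FromFileTime($best) } else { $null }
        [pscustomobject]@{
            SamAccountName = $r.SamAccountName
            LastLogon      = if ($last) { $last.ToString("dd-MM-yyyy HH:mm") } else { "never" }
            SourceDC       = $r.SourceDC
            Stale          = ($null -eq $last) -or ($last -lt $cutoff)
        }
    }
}

# Usage: show only the accounts that have not logged on in the last 90 days
Get-StaleAdUser -StaleDays 90 | Where-Object Stale | Format-Table -AutoSize
```

Accounts reported as "never" have no lastLogon on any reachable DC and no lastLogonTimestamp; review those first, as they are typically unused service or test accounts.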

List User’s Password Expiry Date

List a user’s password expiry date in human-readable format. Users with Password Never Expires enabled will not show any value.

$User = "Group2"
Get-ADUser -Identity $User -Properties msDS-UserPasswordExpiryTimeComputed | Select Name, @{Name = "ExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}


Name    ExpiryDate
----    ----------
group2  8/15/2017 9:58:08 AM

Delete AD User

Remove an AD user with the following PowerShell

Remove-ADUser test2 -Confirm:$false

Users who connect their mobile devices to Microsoft Exchange Server have child objects under their user object, so Remove-ADUser fails with the error shown below; remove such users recursively with Remove-ADObject instead

Remove-ADobject (Get-ADUser test2).distinguishedname -Recursive -Confirm:$false

Remove-ADObject : The directory service can perform the requested operation only on a leaf object

Restore Deleted AD User

List all the deleted users (requires the AD Recycle Bin to be enabled for a later restore)

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties whenChanged | Select Name, whenChanged, ObjectClass | ? ObjectClass -eq "user"

Name      whenChanged            ObjectClass
----      -----------            -----------
test2...  26/10/2020 4:59:39 PM  user

Restore the deleted AD user object (test2). Refer to the Restore-ADObject documentation for more detail

Get-ADObject -Filter 'samaccountname -eq "test2"' -IncludeDeletedObjects | Restore-ADObject -NewName "TEST2"

You have to fill in the user’s information, such as FirstName, LastName and DisplayName, manually, and finally reset the password and enable the restored AD user account
