Have a Question?
< All Topics

Manage AD Users Account with PowerShell

Tutorial on how to manage AD Users Account with PowerShell

Force User’s Password to be expired

Set the User’s Attribute called pwdlastset to 0

Set-ADUser -Identity UAT1 -Replace @{pwdlastset="0"}

Lock Users Account

Lock AD User’s Account by performing several login with wrong password

$LockoutThreshold = Get-ADDefaultDomainPasswordPolicy | Select LockoutThreshold

$Password = ConvertTo-SecureString 'WrongPassword' -AsPlainText -Force
$User = "uat1"

for ($i = 0; $i -le $LockoutThreshold.LockoutThreshold; $i++) {

    Invoke-Command -ComputerName AVENTIS-AD01 {Get-Process
    } -Credential (New-Object System.Management.Automation.PSCredential ($user, $Password)) -ErrorAction SilentlyContinue

#Verify User's Account is locked after X number of attempts
Get-ADUser -Identity uat1 -Properties SamAccountName, UserPrincipalName, LockedOut

#Unlock User Account after testing 
Unlock-ADAccount -Identity uat1

List Users’s Last Logon Date

List users’ last logon date from identified Organization Unit (OU)

LastLogonTimeStamp is a field that is replicated but is only updated when the LAST time it was updated is over 2 weeks ago. So if you log in 2 days later it WILL NOT update. This field was meant to be used to locate stale accounts.

Get-ADUser -Filter * -SearchBase $OU -Properties * | Select SamAccountName, DisplayName, 
@{n = "LastLogonDate"; e = { ([datetime]::FromFileTime($_.lastLogonTimestamp)).toString("dd-MM-yyyy HH:mm")}}, PasswordNeverExpires

LastLogon is the only accurate field in Active Directory for when a user logs in. The problem is it is not replicated and is only stored on the DC that the user registered with.

Seach User’s LastLogon in all Domain Controllers

$DCs = Get-ADDomainController -Filter * 
foreach ($DC in $DCs) {

    $OU = "OU=UAT,DC=THPROP,DC=local"
    Get-ADUser -Filter * -Server $DC.HostName -SearchBase $OU -Properties * | Select SamAccountName, DisplayName, 
    @{n = "LastLogonDate"; e = { ([datetime]::FromFileTime($_.lastLogon)).toString("dd-MM-yyyy HH:mm")}}, @{n = "DC Name"; e = {$DC.HostName}} | Sort-Object LastLogonDate -Descending

List User’s Password Expired Date

List user’s password expired date in human readable format. Users with Password Never Expired Enabled will not have any value.

$User = "Group2"
Get-ADUser -Identity group2 -Properties msDS-UserPasswordExpiryTimeComputed | Select Name, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}


Name                                                                                                       ExpiryDate                                                                                                
----                                                                                                       ----------                                                                                                
group2                                                                                                     8/15/2017 9:58:08 AM   

Delete AD User

Remove AD User with the following PowerShell

Remove-ADUser test2 -Confirm:$false

Remove AD Users who are connecting thier mobile devices to Microsoft Exchange Server or you will get the error message as below

Remove-ADobject (Get-ADUser test2).distinguishedname -Recursive -Confirm:$false

Remove-ADObject : The directory service can perform the requested operation only on a leaf object

Restore Deleted AD User

List all the deleted users

Get-ADObject -Filter ‘isDeleted -eq $true‘ -IncludeDeletedObjects -Properties * | Select Name, whenchanged,ObjectClass | ? ObjectClass -eq "user"

Name                                                     whenchanged                                              ObjectClass                                            
----                                                     -----------                                              -----------                                                                            
test2...                                                 26/10/2020 4:59:39 PM                                    user                                                  

Restore Deleted AD User’s Object (test2) – Refer to Restore-ADObject for more detail

Get-ADObject -Filter 'samaccountname -eq "test2"' -IncludeDeletedObjects | Restore-ADObject -NewName "TEST2"

You have to fill up the user’s information, like FirstName, LastName, DisplayName manually, and finally reset the password to enable the deleted AD User account

Table of Contents
Scroll to Top