Manage AD User Accounts with PowerShell
Tutorial on how to manage AD user accounts with PowerShell (ActiveDirectory module)
Force User's Password to Expire
Set the user's pwdLastSet attribute to 0. The user is then required to change the password at the next logon; this is the same effect as Set-ADUser -ChangePasswordAtLogon $true. pwdLastSet only accepts 0 or -1 as a written value (-1 resets it to the current time).
Set-ADUser -Identity UAT1 -Replace @{pwdlastset="0"}
Lock User's Account
Lock an AD user's account by performing repeated logons with a wrong password. The loop runs one more time than the domain's LockoutThreshold; with a threshold of 0, lockout is disabled and the account never locks. A fine-grained password policy applied to the user overrides the default domain policy, so check Get-ADUserResultantPasswordPolicy if the account does not lock as expected.
# Lockout threshold from the default domain policy (0 = lockout disabled)
$LockoutThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
$Password = ConvertTo-SecureString 'WrongPassword' -AsPlainText -Force
$User = "uat1"
$Credential = New-Object System.Management.Automation.PSCredential ($User, $Password)
# One failed logon more than the threshold; each failed authentication increments badPwdCount
for ($i = 0; $i -le $LockoutThreshold; $i++) {
    Invoke-Command -ComputerName AVENTIS-AD01 -ScriptBlock { Get-Process } -Credential $Credential -ErrorAction SilentlyContinue
}
#Verify User's Account is locked after X number of attempts
Get-ADUser -Identity uat1 -Properties SamAccountName, UserPrincipalName, LockedOut
#Unlock User Account after testing
Unlock-ADAccount -Identity uat1
List Users' Last Logon Date
List users' last logon date from an identified Organizational Unit (OU)
lastLogonTimestamp is replicated between domain controllers, but it is only written when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random offset of up to 5 days). A logon two days after the last update therefore does not change it. The attribute exists to find stale accounts, not to audit individual logons. The AD module also exposes the same value already converted as the LastLogonDate property.
$OU = "OU=O365,DC=LAB,DC=AVENTISLAB,DC=COM"
Get-ADUser -Filter * -SearchBase $OU -Properties lastLogonTimestamp, PasswordNeverExpires |
    Select-Object SamAccountName, DisplayName,
        @{n = "LastLogonDate"; e = { if ($_.lastLogonTimestamp) { ([datetime]::FromFileTime($_.lastLogonTimestamp)).ToString("dd-MM-yyyy HH:mm") } else { "Never" } }},
        PasswordNeverExpires
lastLogon is the only attribute that records every logon accurately, but it is not replicated: each domain controller stores only the logons it authenticated itself, so the value has to be read from every DC and the newest one taken.
Search User's LastLogon on all Domain Controllers
The calculated property below returns a [datetime] rather than a formatted string, so Sort-Object orders the rows chronologically instead of alphabetically.
$OU = "OU=UAT,DC=THPROP,DC=local"
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Get-ADUser -Filter * -Server $DC.HostName -SearchBase $OU -Properties lastLogon |
        Select-Object SamAccountName, DisplayName,
            @{n = "LastLogonDate"; e = { if ($_.lastLogon) { [datetime]::FromFileTime($_.lastLogon) } }},
            @{n = "DC Name"; e = { $DC.HostName }} |
        Sort-Object LastLogonDate -Descending
}
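The following is an added example, not code from the original page. It queries every domain controller for the DC-local attributes of one user and summarises them. Because lastLogon, badPwdCount, badPasswordTime and lockoutTime are not replicated, this per-DC view is what you need both to confirm where the failed logons from the lockout test above were recorded and to find the true last logon. The account name "uat1" is an assumption.

```powershell
# Added example (not from the original page). Queries every domain controller for the
# DC-local logon attributes of one user and summarises them. "uat1" is an assumed name.
function Get-ADUserLogonState {
    param([Parameter(Mandatory)][string]$Identity)

    # Other DCs forward failed passwords to the PDC emulator, so its badPwdCount is authoritative
    $pdc = (Get-ADDomain).PDCEmulator

    $perDC = foreach ($DC in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $DC.HostName -ErrorAction Stop `
                    -Properties lastLogon, badPwdCount, badPasswordTime, LockedOut
        } catch {
            Write-Warning "Could not query $($DC.HostName): $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            DC              = $DC.HostName
            IsPDC           = ($DC.HostName -eq $pdc)
            LastLogon       = if ($u.lastLogon)       { [datetime]::FromFileTime($u.lastLogon) }
            BadPwdCount     = [int]$u.badPwdCount
            BadPasswordTime = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) }
            LockedOut       = [bool]$u.LockedOut
        }
    }

    # The newest lastLogon across all DCs is the real last logon
    $newest = $perDC | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1

    [pscustomobject]@{
        Identity       = $Identity
        LastLogon      = $newest.LastLogon
        LastLogonDC    = $newest.DC
        MaxBadPwdCount = ($perDC | Measure-Object BadPwdCount -Maximum).Maximum
        LockedOutOn    = @($perDC | Where-Object LockedOut | ForEach-Object DC)
        PerDC          = $perDC
    }
}

$state = Get-ADUserLogonState -Identity "uat1"
$state | Format-List Identity, LastLogon, LastLogonDC, MaxBadPwdCount, LockedOutOn
$state.PerDC | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

Run it right after the lockout loop: the DC that the failed Invoke-Command calls hit shows the incremented badPwdCount, and the PDC emulator shows it as well because failures are chained to it. A DC that cannot be reached is reported with a warning and skipped rather than aborting the whole query.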
List User's Password Expiry Date
List a user's password expiry date in human-readable format. msDS-UserPasswordExpiryTimeComputed is a constructed attribute calculated by the DC from pwdLastSet and the effective password policy. For users with "Password never expires" enabled the attribute returns the sentinel value 0x7FFFFFFFFFFFFFFF, which [datetime]::FromFileTime cannot convert, so the ExpiryDate column is left blank for them.
$User = "group2"
Get-ADUser -Identity $User -Properties msDS-UserPasswordExpiryTimeComputed |
    Select-Object Name, @{Name = "ExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}
Output
Name ExpiryDate
---- ----------
group2 8/15/2017 9:58:08 AM
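The following is an added example, not code from the original page. It extends the single-user query above into a report for every enabled user in an OU and handles the two sentinel values of msDS-UserPasswordExpiryTimeComputed explicitly: Int64.MaxValue (password never expires) and 0 (pwdLastSet is 0, i.e. the user must change the password at next logon, as set in the first section). The OU distinguished name and the 14-day warning window are assumptions.

```powershell
# Added example (not from the original page): password-expiry report for an OU.
# The OU DN used at the bottom is an assumed value; replace it with your own.
function Get-ADPasswordExpiryReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$WarnWithinDays = 14
    )

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties msDS-UserPasswordExpiryTimeComputed, pwdLastSet |
    ForEach-Object {
        $raw = $_."msDS-UserPasswordExpiryTimeComputed"
        if ($raw -eq [long]::MaxValue) {
            # DONT_EXPIRE_PASSWD is set on the account
            $expiry = $null; $state = "NeverExpires"
        } elseif (-not $raw) {
            # pwdLastSet is 0: password must be changed at next logon
            $expiry = $null; $state = "MustChangeAtNextLogon"
        } else {
            $expiry = [datetime]::FromFileTime($raw)
            $state = if ($expiry -lt (Get-Date)) { "Expired" }
                     elseif ($expiry -lt (Get-Date).AddDays($WarnWithinDays)) { "ExpiringSoon" }
                     else { "OK" }
        }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = if ($_.pwdLastSet) { [datetime]::FromFileTime($_.pwdLastSet) }
            ExpiryDate      = $expiry
            DaysLeft        = if ($expiry) { [math]::Floor(($expiry - (Get-Date)).TotalDays) }
            State           = $state
        }
    }
}

Get-ADPasswordExpiryReport -SearchBase "OU=O365,DC=LAB,DC=AVENTISLAB,DC=COM" |
    Sort-Object State, DaysLeft | Format-Table -AutoSize
```

Because the DC computes the attribute from the policy that actually applies to each user, the report is correct for accounts covered by a fine-grained password policy as well as for the default domain policy.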
Delete AD User
Remove AD User with the following PowerShell
Remove-ADUser test2 -Confirm:$false
Users who have synchronised a mobile device with Microsoft Exchange (ActiveSync) have child objects stored beneath their user object, so the user object is no longer a leaf and deleting it on its own fails with the error below:
Remove-ADObject : The directory service can perform the requested operation only on a leaf object
Delete such a user together with its child objects instead:
Remove-ADObject (Get-ADUser test2).DistinguishedName -Recursive -Confirm:$false
Restore Deleted AD User
List all the deleted users (the Where-Object on ObjectClass filters out deleted computer objects, which also carry the user class)
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Name, whenChanged, ObjectClass | Select-Object Name, whenChanged, ObjectClass | Where-Object ObjectClass -eq "user"
Name whenchanged ObjectClass
---- ----------- -----------
test2... 26/10/2020 4:59:39 PM user
Restore Deleted AD User’s Object (test2) – Refer to Restore-ADObject for more detail
Get-ADObject -Filter 'samaccountname -eq "test2"' -IncludeDeletedObjects | Restore-ADObject -NewName "TEST2"
Restore-ADObject puts the object back under its LastKnownParent; if that OU was deleted as well, pass -TargetPath with the DN of an existing OU. The manual work that follows depends on whether the AD Recycle Bin is enabled. Without it, a deleted user survives only as a tombstone and most attributes (GivenName, Surname, DisplayName, group membership, password) are stripped at deletion, so after restoring you have to fill in the user's information manually and reset the password to enable the account. With the Recycle Bin feature enabled (Enable-ADOptionalFeature), those attributes are preserved and the restored account is complete. In both cases the object can only be restored within the deleted-object lifetime (180 days by default).
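The following is an added example, not code from the original page. It wraps the delete and restore steps of this section into two functions that handle the cases described above: a user with child objects (Exchange ActiveSync device records) is removed recursively instead of failing with the leaf-object error, and a deleted user is restored to its original OU if that OU still exists, or to a fallback OU otherwise. It also checks whether the AD Recycle Bin is enabled and warns when the identity attributes will have to be re-entered. The account "test2", the fallback OU and the attribute values at the end are assumptions.

```powershell
# Added example (not from the original page). "test2" and the fallback OU are assumed names.
function Remove-ADUserSafely {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity
    # Child objects under the user (e.g. ActiveSync device records) make it a non-leaf object
    $children = @(Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel -Filter *)
    if ($children.Count -gt 0) {
        Write-Warning ("{0} has {1} child object(s); deleting recursively" -f $Identity, $children.Count)
        Remove-ADObject -Identity $user.DistinguishedName -Recursive -Confirm:$false
    } else {
        Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false
    }
}

function Restore-ADUserSafely {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$FallbackOU   # used only if the original parent OU no longer exists
    )

    # Find the tombstone/recycled object; the ObjectClass test excludes deleted computers
    $deleted = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName' -and isDeleted -eq `$true" `
                   -IncludeDeletedObjects -Properties LastKnownParent, ObjectClass |
               Where-Object ObjectClass -eq "user" | Select-Object -First 1
    if (-not $deleted) { throw "No deleted user with sAMAccountName '$SamAccountName' found" }

    # Restore to the original OU if it still exists, otherwise to the fallback OU
    $parentExists = try { $null -ne (Get-ADObject -Identity $deleted.LastKnownParent -ErrorAction Stop) } catch { $false }
    if ($parentExists) {
        $restored = Restore-ADObject -Identity $deleted.ObjectGUID -NewName $SamAccountName -PassThru
    } elseif ($FallbackOU) {
        $restored = Restore-ADObject -Identity $deleted.ObjectGUID -NewName $SamAccountName -TargetPath $FallbackOU -PassThru
    } else {
        throw "Original OU '$($deleted.LastKnownParent)' no longer exists; supply -FallbackOU"
    }

    # Without the Recycle Bin only a tombstone was kept, so identity attributes are gone
    $recycleBin = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    if (-not $recycleBin.EnabledScopes) {
        Write-Warning "AD Recycle Bin is not enabled: GivenName, Surname, DisplayName, group membership and password were stripped at deletion and must be re-entered."
    }
    Get-ADUser -Identity $restored.ObjectGUID -Properties GivenName, Surname, DisplayName, MemberOf, Enabled
}

Remove-ADUserSafely -Identity "test2"
Restore-ADUserSafely -SamAccountName "test2" -FallbackOU "OU=Restored,DC=LAB,DC=AVENTISLAB,DC=COM"

# Without the Recycle Bin, finish the restore by hand (assumed attribute values)
Set-ADUser -Identity "test2" -GivenName "Test" -Surname "Two" -DisplayName "Test Two"
Set-ADAccountPassword -Identity "test2" -Reset -NewPassword (Read-Host -AsSecureString "New password for test2")
Enable-ADAccount -Identity "test2"
```

Restoring by ObjectGUID rather than by name avoids ambiguity when several deleted objects share a sAMAccountName (for example a user that was deleted and recreated more than once); Select-Object -First 1 picks the first match, so check whenChanged on the listing above if you need a specific one.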