Use PowerShell to Modify Existing User Accounts in Active Directory

Doctor Scripto

Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell to modify existing user accounts in Active Directory.

Microsoft Scripting Guy, Ed Wilson, is here. The other day, I recorded a TechNet Radio podcast with Blain Barton and Matt Hester named “The 10 non-scary things about Windows PowerShell 3.0.” It should be released today, and it will be available through my Learn Windows PowerShell page at the Script Center. All of the TechNet Radio podcasts are linked at the bottom of the page. I have been doing a monthly series with Blain for more than a year, so there are quite a few posts in the series.

Note   This is the second in a series of posts about creating a test Active Directory environment. In yesterday’s blog post, I wrote a script to create a test organizational unit with 100 test user accounts. You should refer to that post prior to reading today’s post.

Adding user information in Active Directory

To add information to a user account in Active Directory, use the Set-ADUser cmdlet in the Active Directory module.

Note   For more information about the Active Directory module, see this Hey, Scripting Guy! Blog post.

A quick look at the Help for the Set-ADUser cmdlet reveals that the most common attributes are available directly as parameters of the cmdlet, as shown here.

PS C:\> help Set-ADUser | select -expand syntax

Set-ADUser [-Identity] <ADUser> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>]
[-Add <Hashtable>] [-AllowReversiblePasswordEncryption <Boolean>] [-AuthType <ADAuthType>]
[-CannotChangePassword <Boolean>] [-Certificates <Hashtable>] [-ChangePasswordAtLogon <Boolean>]
[-City <String>] [-Clear <String[]>] [-Company <String>] [-CompoundIdentitySupported <Boolean>]
[-Country <String>] [-Credential <PSCredential>] [-Department <String>] [-Description <String>]
[-DisplayName <String>] [-Division <String>] [-EmailAddress <String>] [-EmployeeID <String>]
[-EmployeeNumber <String>] [-Enabled <Boolean>] [-Fax <String>] [-GivenName <String>]
[-HomeDirectory <String>] [-HomeDrive <String>] [-HomePage <String>] [-HomePhone <String>]
[-Initials <String>] [-KerberosEncryptionType <ADKerberosEncryptionType>] [-LogonWorkstations <String>]
[-Manager <ADUser>] [-MobilePhone <String>] [-Office <String>] [-OfficePhone <String>]
[-Organization <String>] [-OtherName <String>] [-Partition <String>] [-PassThru [<SwitchParameter>]]
[-PasswordNeverExpires <Boolean>] [-PasswordNotRequired <Boolean>] [-POBox <String>] [-PostalCode <String>]
[-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>] [-ProfilePath <String>] [-Remove <Hashtable>]
[-Replace <Hashtable>] [-SamAccountName <String>] [-ScriptPath <String>] [-Server <String>]
[-ServicePrincipalNames <Hashtable>] [-SmartcardLogonRequired <Boolean>] [-State <String>]
[-StreetAddress <String>] [-Surname <String>] [-Title <String>] [-TrustedForDelegation <Boolean>]
[-UserPrincipalName <String>] [-Confirm [<SwitchParameter>]] [-WhatIf [<SwitchParameter>]]
[<CommonParameters>]

Set-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-PassThru [<SwitchParameter>]]
[-SamAccountName <String>] [-Server <String>] -Instance <ADUser> [-Confirm [<SwitchParameter>]]
[-WhatIf [<SwitchParameter>]] [<CommonParameters>]

One thing to keep in mind is that the parameter names do not line up with the LDAP attribute names that appear in ADSI Edit. This can be a bit confusing when trying to update an older script that used ADSI: EmailAddress is mail in ADSI, and HomePage is wWWHomePage in ADSI. For an attribute that has no dedicated parameter, the Add, Replace, Remove, and Clear parameters take the LDAP attribute name instead. Note also that the same parameter list includes account-security settings such as PasswordNotRequired, AllowReversiblePasswordEncryption, TrustedForDelegation, and AccountNotDelegated; a script that runs Set-ADUser against every object returned by a wildcard filter changes every matching account, so run it with WhatIf first and keep the SearchBase tight.
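To make the parameter-name versus LDAP-name mapping concrete, here is an added example (not code from the original post) that writes the same two attributes both ways and then reads them back by their LDAP names. The user name testuser1 and the domain iammred.net are assumed to exist in the test OU from the previous post; otherMailbox is used only as a convenient multi-valued attribute.

```powershell
# Added example, not from the original post. Assumes a test user 'testuser1'
# in the iammred.net domain (from the previous post's test OU).
Import-Module ActiveDirectory

$user = 'testuser1'

# Friendly parameters: the cmdlet maps EmailAddress -> mail and HomePage -> wWWHomePage.
Set-ADUser -Identity $user -EmailAddress 'testuser1@iammred.net' `
    -HomePage 'http://www.iammred.net/testuser1'

# The same change with the LDAP attribute names that ADSI Edit shows. -Replace is the
# escape hatch for any attribute the cmdlet does not expose as a parameter; the
# hashtable keys are LDAP display names, not parameter names.
Set-ADUser -Identity $user -Replace @{
    mail        = 'testuser1@iammred.net'
    wWWHomePage = 'http://www.iammred.net/testuser1'
}

# Multi-valued attributes are edited with -Add / -Remove; -Clear empties an attribute.
Set-ADUser -Identity $user -Add    @{ otherMailbox = 'testuser1-alt@iammred.net' }
Set-ADUser -Identity $user -Remove @{ otherMailbox = 'testuser1-alt@iammred.net' }
Set-ADUser -Identity $user -Clear wWWHomePage

# Confirm what was actually written. Get-ADUser returns only a default property set,
# so the extra attributes must be requested explicitly; both the LDAP name and the
# friendly name can be asked for, and they show the same stored value.
Get-ADUser -Identity $user -Properties mail, EmailAddress, wWWHomePage, HomePage |
    Select-Object SamAccountName, mail, EmailAddress, wWWHomePage, HomePage
```

The read-back is the step worth keeping in any migration of an ADSI script: it shows, by LDAP name, that the friendly parameter landed on the attribute you expected, and after the -Clear the wWWHomePage and HomePage columns are both empty.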

The first thing I do is import the Active Directory module. Strictly speaking, I do not have to do this, because Windows PowerShell 3.0 imports a module automatically the first time I use one of its cmdlets (or tab expansion on one of its names). However, importing it explicitly is faster, and it also keeps the script working on Windows PowerShell 2.0, which has no module auto-loading.

Note   Be careful when using the Windows 8 RSAT tools and the Active Directory module from Windows Server 2012 in a mixed environment: the updated Active Directory module adds many cmdlets that do not exist in the older version of the module, so a script that uses them fails on a computer that has only the older version. When in doubt, add #Requires -Version 3.0 at the top of the script so it refuses to run on an older Windows PowerShell; #Requires -Modules ActiveDirectory (also Windows PowerShell 3.0 or later) additionally refuses to run when the module itself is missing.

After I import the Active Directory module, I create a variable to store the old company name (the one I will change in Friday’s blog post). I debated about doing this, but, in the end, because I am using the company name in three different places, I decided it would save some time and not add too much complexity to the script. The two lines of code that create the variable and import the module are shown here.

Import-Module ActiveDirectory

$c = "oldcompany"

Now, I need to retrieve all the users in the test organizational unit (OU). To do this, I use the Get-ADUser cmdlet. I specify the distinguished name of the OU as the value for the SearchBase parameter and a wildcard (*) for the Filter parameter, which returns every user in the OU and, because the default SearchScope is Subtree, in any OUs nested beneath it. This command is shown here.

Get-ADUser -SearchBase 'ou=testou,dc=iammred,dc=net' -Filter *

Then, I use the ForEach-Object cmdlet so that I can build an email address and a home page from each user's own properties. If I did not need to access individual properties of the user object as it crosses the pipeline, I could have piped the user objects directly to the Set-ADUser cmdlet, which accepts the piped ADUser as its Identity. For example, if I wanted to set only the company name, I could have used the command shown here.

Get-ADUser -SearchBase 'ou=testou,dc=iammred,dc=net' -Filter * |

Set-ADUser -Company "mycompany"

But, instead, I am using the user's Name property, together with the company name in $c (plus a .com suffix, which gives the mail domain for the test company), to create the email address and web page values. Here is the ForEach portion of the script.

ForEach-Object {
    # local part of the address is the user's Name; the domain is built from $c
    Set-ADUser -Identity $_ -EmailAddress ("{0}@{1}" -f $_.Name, "$c.com") `
    -Company $c -HomePage ("{0}/{1}" -f "http://www.$c.com", $_.Name) }

Note   I use parameter substitution here (the -f format operator) to replace the {0} and {1} tokens in the string with the values that follow. I discuss this technique in the Hey, Scripting Guy! Blog post, where I also contrast it with string concatenation. When you get the hang of this technique, you may find it easier to use and to read than direct concatenation and subexpressions.

The complete script is shown here.

Import-Module ActiveDirectory

$c = "oldcompany"

Get-ADUser -SearchBase 'ou=testou,dc=iammred,dc=net' -Filter * |
   ForEach-Object {
    # local part of the address is the user's Name; the domain is built from $c
    Set-ADUser -Identity $_ -EmailAddress ("{0}@{1}" -f $_.Name, "$c.com") `
    -Company $c -HomePage ("{0}/{1}" -f "http://www.$c.com", $_.Name) }
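The script above writes to every user the wildcard filter returns, in one pass, with no confirmation and no check afterwards. The following is an added example (my hardening of the same bulk update, not the post's own script) that scopes the query explicitly, runs the change first as a WhatIf dry run, pins every call to one domain controller, and then reads the attributes back from that same controller to verify the result. The OU, the iammred.net domain, and the .com mail suffix are assumptions carried over from the test environment; Set-TestUserContact is a helper name I chose for the example.

```powershell
# Added example (not the original post's script): the same bulk update, hardened.
# Assumes the test OU and iammred.net domain from the series, and that the
# company's mail domain is "<company>.com".
#Requires -Version 3.0
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$c  = 'oldcompany'
$ou = 'ou=testou,dc=iammred,dc=net'

# Pin every read and write to one writable DC so the verification pass below
# cannot be fooled by replication lag between controllers.
$dc = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1

# Scope the query explicitly: OneLevel keeps users in nested OUs out of the
# change, and the filter leaves disabled accounts untouched.
$filter = 'Enabled -eq $true'
$users  = Get-ADUser -Server $dc -SearchBase $ou -SearchScope OneLevel -Filter $filter

function Set-TestUserContact {
    # SupportsShouldProcess lets the caller pass -WhatIf; Set-ADUser inside the
    # function inherits $WhatIfPreference and reports instead of writing.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADUser] $User,
        [Parameter(Mandatory)] [string] $Company,
        [Parameter(Mandatory)] [string] $Server
    )
    $splat = @{
        Identity     = $User
        Server       = $Server
        Company      = $Company
        EmailAddress = '{0}@{1}.com' -f $User.Name, $Company
        HomePage     = 'http://www.{0}.com/{1}' -f $Company, $User.Name
    }
    Set-ADUser @splat
}

# Pass 1: dry run. One "What if:" line per account, nothing written.
$users | ForEach-Object { Set-TestUserContact -User $_ -Company $c -Server $dc -WhatIf }

# Pass 2: apply for real.
$users | ForEach-Object { Set-TestUserContact -User $_ -Company $c -Server $dc }

# Pass 3: verify by LDAP attribute name against the same DC, and list any miss.
$bad = Get-ADUser -Server $dc -SearchBase $ou -SearchScope OneLevel -Filter $filter `
           -Properties company, mail, wWWHomePage |
       Where-Object {
           $_.company -ne $c -or
           $_.mail    -ne ('{0}@{1}.com' -f $_.Name, $c) -or
           $_.wWWHomePage -ne ('http://www.{0}.com/{1}' -f $c, $_.Name)
       }

if ($bad) { $bad | Select-Object Name, company, mail, wWWHomePage | Format-Table -AutoSize }
else      { "All $(@($users).Count) accounts in $ou updated and verified on $dc." }
```

The dry run is where a wrong SearchBase or an over-broad filter shows up as a wall of "What if" lines instead of a wall of changed accounts; the verification pass catches the opposite failure, a write that silently did not land, which the fire-and-forget pipeline in the original script would never report.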

Active Directory week will continue tomorrow when I will talk about standardizing titles in Active Directory by using Windows PowerShell.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy
