How to Manage User Accounts in Active Directory

Users are among the most common objects in AD. They are used for authentication and authorization on workstations and in the many services that integrate with AD, so user management is the main routine for sysadmins and helpdesk staff. This guide shows how to manage user objects in several ways: the graphical consoles, the ds*.exe command-line tools, and the ActiveDirectory PowerShell module. To use them you need the RSAT tools installed, or you can work directly on a domain controller. You must be signed in as a Domain Admin, as a member of Account Operators, or as an account that has been delegated the right to create objects in the target OU. Prefer the delegated account for day-to-day work: helpdesk staff should not need Domain Admin rights to create or unlock users, and a delegated account limits the damage if its credentials are phished.

Contents

  • Creating User Accounts
  • Deleting User Accounts
  • Moving User Accounts
  • Renaming User Accounts
  • Enabling User Accounts
  • Disabling User Accounts
  • Setting Expiration Period for an Account
  • Finding Locked-out Accounts
  • Unlocking User Accounts
  • Modifying Several Users in Bulk

Creating a User Account

There are many ways to create a user account in AD; let's consider several of them.

Creating User Account Using Active Directory Users and Computers (ADUC)

Run ADUC (dsa.msc).

Go to the OU where the new user should be located. In the toolbar, click the “New User” icon, or right-click on white space in the main window and then click “New -> User”. Another way is to right-click the target OU and select “New -> User”.

Creating New User

The “New Object - User” window appears; specify the parameters for your user:

• Full name, by either typing the full name into Full Name field or typing it in the First and Last name fields.

• User logon name. The “User logon name” field sets the userPrincipalName attribute (name@office.local), and the “User logon name (pre-Windows 2000)” field sets sAMAccountName, which is limited to 20 characters. ADUC pre-fills the second from the first, but the two can diverge, so check both: a user can log on with either form.

User Account Details

Click Next, type a strong password, retype it in the next field and tick the options you need. For a regular user, tick “User must change password at next logon” so that the initial password set by the helpdesk is replaced at first logon rather than staying in circulation. Do not reuse the same initial password across new accounts: anyone who learns it can log on as any user who has not yet signed in.

User Password Settings

Click Next and then Finish. The new user has been created.

Creating User Account Using Command Prompt

To do the same thing in cmd, use the dsadd.exe utility. The following command creates a user in the “Users” container and sets an initial password for it. Note that a password typed on the command line ends up in the console history and can be read from the process command line while dsadd runs; pass -pwd * instead to be prompted for it interactively:

dsadd.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -upn GSoul@office.local -fn "Gordon" -ln "Soul" -display "Gordon Soul" -pwd "P@&&W0rd"

Creating User Account Using Windows PowerShell

Run the following PowerShell code with administrator privileges. As written, without -AccountPassword and -Enabled $true, New-ADUser creates the account disabled and without a password. That is a safe default if you intend to set the password in a separate step, but the user cannot log on until both are set:

Import-Module ActiveDirectory
New-ADUser -Name FRobinson -Path "CN=Users,DC=office,DC=local" -GivenName "Frank" -Surname "Robinson" -sAMAccountName FRobinson
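The following is an added example, not code from the original article, showing the full form a practitioner would normally use: the password is read as a SecureString rather than typed into the script, the UPN is set alongside sAMAccountName, the account is enabled, and the result is read back to confirm what was actually written. The user Frank Robinson, the OU “Employees” and the domain office.local are assumed for illustration.

```powershell
# Added example: create a usable user in one step and verify the result.
# Assumptions: domain office.local, an OU named Employees, a new user FRobinson.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$sam    = 'FRobinson'
$path   = "OU=Employees,$($domain.DistinguishedName)"

# Read-Host -AsSecureString keeps the initial password out of the console
# transcript, the command history and the process command line.
$password = Read-Host -Prompt "Initial password for $sam" -AsSecureString

New-ADUser -Name 'Frank Robinson' `
           -SamAccountName $sam `
           -UserPrincipalName "$sam@$($domain.DNSRoot)" `
           -GivenName 'Frank' -Surname 'Robinson' -DisplayName 'Frank Robinson' `
           -Path $path `
           -AccountPassword $password `
           -ChangePasswordAtLogon $true `
           -Enabled $true

# Read the object back. If the password did not meet the domain policy, the
# object still exists but stays disabled, and this is where you notice it.
Get-ADUser -Identity $sam -Properties PasswordLastSet, whenCreated |
    Select-Object Name, SamAccountName, UserPrincipalName, Enabled,
                  DistinguishedName, PasswordLastSet, whenCreated
```

The verification step is deliberate: New-ADUser reports an error when the password is rejected, but the half-created, disabled object is easy to miss in a script that processes a list of new hires.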

How to Delete a User Account

Let's delete a user from the AD environment with one of these methods. Note that with the AD Recycle Bin enabled, deletion does not remove the object outright: it is marked isDeleted, its name gets a \0ADEL:<GUID> suffix and it is moved to the Deleted Objects container, from which it can be restored with all attributes and group memberships for the deleted object lifetime (180 days by default). Without the Recycle Bin, only a tombstone with most attributes stripped remains, and a full restore is not possible.

Deleting User Account in Active Directory Users and Computers (ADUC)

Let's delete a user; to do that, open Active Directory Users and Computers (dsa.msc).

Go to the OU or container where the user you need to delete resides. Click the Action menu, or right-click the OU, and select Find….

Find a User

Type the first or last name of the user you want to delete into the Name field and click “Find Now”. In the results, select the object you need to delete, right-click it, click Delete and confirm. If the object is protected from accidental deletion (the “Protect object from accidental deletion” box on the Object tab, visible with Advanced Features enabled), the delete is refused until you clear that flag.

Deleting a User

Deleting User Account Using Command Prompt

The following command deletes the user “GSoul” from the office.local domain. Unlike dsadd and dsmod, dsrm takes the object's DN directly, with no “user” object type, and asks for confirmation unless you add -noprompt:

dsrm.exe "CN=GSoul,CN=Users,DC=office,DC=local"

Deleting User Account Using PowerShell

Execute the following PowerShell code to delete the user GSoul from AD. Remove-ADUser prompts for confirmation; add -Confirm:$false only in scripts that have already validated the target:

Import-Module ActiveDirectory
Remove-ADUser -Identity "CN=GSoul,CN=Users,DC=office,DC=local"
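The following is an added example, not part of the original article, that puts the Recycle Bin note above into practice: it checks whether the Recycle Bin is enabled, records the group memberships in case they have to be recreated by hand, deletes the user, and shows how to locate and restore the deleted object. The user GSoul in office.local is assumed; the output path under $env:TEMP is arbitrary.

```powershell
# Added example: delete a user in a way that can be undone.
# Assumptions: user GSoul in CN=Users of office.local; Recycle Bin may or may not be on.
Import-Module ActiveDirectory

$dn = "CN=GSoul,CN=Users,DC=office,DC=local"

# If EnabledScopes is empty the Recycle Bin is off: a delete then leaves only a
# tombstone with most attributes and all group memberships stripped.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Write-Warning "AD Recycle Bin is not enabled; this deletion cannot be fully reversed."
}

# Capture the object before deleting it. The DN changes on deletion, so the
# objectGUID is the stable handle; memberOf is saved in case the account has to
# be rebuilt manually on a forest without the Recycle Bin.
$user = Get-ADUser -Identity $dn -Properties MemberOf
$guid = $user.ObjectGUID
$user.MemberOf | Out-File -FilePath "$env:TEMP\$($user.SamAccountName)-groups.txt"

# The delete itself. This fails if ProtectedFromAccidentalDeletion is set,
# which is the intended behaviour for admin and service accounts.
Remove-ADUser -Identity $dn -Confirm:$false

# Show the deleted object: its name now carries the \0ADEL:<GUID> suffix and
# lastKnownParent records where it lived.
Get-ADObject -Filter 'ObjectGUID -eq $guid' -IncludeDeletedObjects -Properties lastKnownParent |
    Select-Object Name, Deleted, lastKnownParent

# If the deletion was a mistake and the Recycle Bin is enabled, this puts the
# object back in its original container with its attributes and memberships:
# Restore-ADObject -Identity $guid
```

Deleting by objectGUID rather than by name also avoids the classic mistake of removing a different user who happens to share a common name in another OU.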

Moving User Accounts

Moving a User Account via Active Directory Users and Computers (ADUC)

In ADUC (dsa.msc) go to the OU or container that holds the user account. Right-click it and select Find…. In the Name field, type the name of the user account and click Find Now. From the search results, select the user object.

Right-click on the user account. Select Move… from the menu.

The Move window appears:

Moving a User Account

In the Move window, navigate to the OU or container where you want to move the user object to, select it and click OK.

Moving a User Account via Command Prompt

In order to move user object(GSoul in our case) to “Employees” OU run dsmove.exe in cmd with the following parameters:

dsmove.exe "CN=GSoul,CN=Users,DC=office,DC=local" -newparent "OU=Employees,DC=office,DC=local"

Moving a User Account via Windows PowerShell

Use the following PowerShell code to move a user account (GSoul in our example) to the “Employees” OU. Both dsmove and Move-ADObject fail with an access-denied error if the object is protected from accidental deletion; clear the flag, move the object, then set it again. The move changes the object's DN, so any script or ACL that refers to the old DN must be updated, while the objectGUID and SID stay the same. Moving a user into a different OU also changes which Group Policy objects apply to it, which is often the real reason for the move and is worth checking afterwards with gpresult.

Import-Module ActiveDirectory
Move-ADObject -Identity:"CN=GSoul,CN=Users,DC=office,DC=local" -TargetPath:"OU=Employees,DC=office,DC=local"

How to Rename a User Account in Active Directory

In order to rename a user account, follow these several instructions.

Renaming a User Account via Active Directory Users and Computers

In Active Directory Users and Computers (dsa.msc) in the View menu, enable Advanced Features.

Navigate to the OU or container where the user object resides. Right-click it and select Find…. In the Name field, type the name of the user and press “Find Now”. From the search results, right-click the user account and select Rename. Type the new name and press Enter.

Renaming a User Account

In the Rename User window that follows, ADUC also offers to update the first, last and display names, the user logon name (UPN) and the pre-Windows 2000 logon name (sAMAccountName). Enter the new values and click OK. This matters because the command-line methods below rename only the object itself (its CN) and leave the logon names unchanged.

Renaming a User Account via Command Prompt

Use dsmove.exe with the following parameters to rename a user object. This changes the CN only; sAMAccountName and userPrincipalName keep their old values unless you also update them (dsmod user … -upn for the UPN; the pre-Windows 2000 name needs ADUC or Set-ADUser -SamAccountName in PowerShell):

dsmove.exe "CN=GSoul,CN=Users,DC=office,DC=local" -NewName "Gordon Gates"

Renaming a User Account via PowerShell

To rename a user in AD, enter this code into Windows PowerShell. Like dsmove, Rename-ADObject changes only the CN:

Import-Module ActiveDirectory
Rename-ADObject -Identity "CN=GSoul,CN=Users,DC=office,DC=local" -NewName "Gordon Gates"
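As an added example (not the article's own code), here is the complete rename that the ADUC dialog performs and the one-line commands above do not: the object is renamed, then the logon identifiers and display attributes are brought into line, and the result is verified. GSoul becoming Gordon Gates with the new logon name GGates in office.local is assumed.

```powershell
# Added example: full rename of a user, not just its CN.
# Assumptions: existing user GSoul in office.local; new identity Gordon Gates / GGates.
Import-Module ActiveDirectory

$oldDn  = "CN=GSoul,CN=Users,DC=office,DC=local"
$domain = (Get-ADDomain).DNSRoot
$newSam = 'GGates'

# 1. Rename the object. This changes the CN and therefore the DN; nothing else.
Rename-ADObject -Identity $oldDn -NewName 'Gordon Gates'

# 2. Look the user up again by the old sAMAccountName (the DN is no longer
#    valid) and continue with the objectGUID, which never changes.
$user = Get-ADUser -Filter 'SamAccountName -eq "GSoul"'

# 3. Update the logon names and display attributes to match the new name.
Set-ADUser -Identity $user.ObjectGUID `
           -SamAccountName $newSam `
           -UserPrincipalName "$newSam@$domain" `
           -DisplayName 'Gordon Gates' -GivenName 'Gordon' -Surname 'Gates'

# 4. Verify that CN, sAMAccountName and UPN now agree.
Get-ADUser -Identity $newSam |
    Select-Object Name, SamAccountName, UserPrincipalName, DistinguishedName
```

Changing sAMAccountName is the step with side effects: scheduled tasks, service logons, scripts and application allow-lists that reference the old name stop working, and the user should sign out and back in so that new Kerberos tickets are issued under the new name. Check for those references before running step 3.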

How to Enable and Disable a User Account in Active Directory

If you want to stop a user from logging in, for example while an employee is on leave, you can disable the account, and when it is needed again, for example when the employee returns from maternity leave, you can enable it. Disabling is preferable to deleting for any account that may come back: the SID, group memberships and profile are kept. Here is how to do that in several ways.

Enabling and Disabling a User Account Using Active Directory Users and Computers

To enable or disable a user in ADUC, follow these steps:

In ADUC (dsa.msc), go to the OU or container that holds the account. Right-click it and select Find…. In the Name field, type the name of the user account and click Find Now. From the search results, right-click the user object and select Enable Account or Disable Account as needed, then click OK.

Disabling a User Account

Enabling/Disabling a User Account Using cmd.exe

These tasks are for dsmod.exe. The object type (user) is required on the command line; use it with the following settings to enable an account:

dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -disabled no

And this will disable it:

dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -disabled yes

Enabling and Disabling a User Account Using Windows PowerShell

Here is the PowerShell code to enable a user account:

Import-Module ActiveDirectory
Enable-ADAccount -Identity "CN=GRobinson,CN=Users,DC=office,DC=local"

And this one is for disabling a user account:

Import-Module ActiveDirectory
Disable-ADAccount -Identity "CN=GRobinson,CN=Users,DC=office,DC=local"

How to Set Account Expiration Period to a User Account

User accounts can be set to automatically expire after certain period of time.

Setting Account Expiration Period in ADUC

To set account expiration in ADUC, follow these simple steps:

In ADUC (dsa.msc) go to the OU or container that holds the user account. Right-click it and select Find…. In the Name field, type the name of the user account and click Find Now. From the search results, right-click the user object and select Properties. On the Account tab, at the bottom, change “Account expires:” from Never to “End of:” and pick the date. Click OK to save the changes. “End of” a date means the account expires at the end of that day; the command-line tools below set an exact moment instead.

Setting User Account Expiration Period

Setting Account Expiration Period Using cmd.exe

Use dsmod.exe to set the number of days from now until the account expires. The value is a count of days, not a date: 90 here means the account expires 90 days from today, and the word never removes the expiry again:

dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -acctexpires 90

Setting Account Expiration Period Using Windows PowerShell

To set an expiration date for a user in the Employees OU, execute the following PowerShell script. -DateTime takes a DateTime value, and a string such as "11/11/2021" is parsed according to the culture of your session (month/day in en-US, day/month in most others), so in scripts build the value with Get-Date or write it in ISO form (2021-11-11 12:00:00). Clear-ADAccountExpiration removes the expiry again:

Import-Module ActiveDirectory
Set-ADAccountExpiration -Identity "CN=GSoul,OU=Employees,DC=office,DC=local" -DateTime "11/11/2021 12:00:00"
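The following added example (not from the original article) combines the enable/disable and expiration sections into the small offboarding routine a practitioner actually runs when someone leaves: disable the account, reset its password to a random value nobody knows, set an expiry as a backstop, record what was done in the description, and show how to reverse it. The user GSoul in office.local is assumed; the 90-day expiry and the description format are arbitrary choices.

```powershell
# Added example: disable, reset, expire and annotate an account, with the undo.
# Assumptions: user GSoul exists in office.local; 90-day expiry is a local choice.
Import-Module ActiveDirectory

$sam   = 'GSoul'
$today = Get-Date
$user  = Get-ADUser -Identity $sam -Properties Description, AccountExpirationDate

# 1. Disable. This blocks new logons immediately, but Kerberos tickets already
#    issued stay valid until they expire (10 hours for a TGT by default), so
#    for a hostile departure also reset the password and sign the user out.
Disable-ADAccount -Identity $user

# 2. Reset the password to a random value so that cached or shared credentials
#    for this account stop working if it is ever re-enabled by mistake.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$randomPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $randomPw

# 3. Expiry as a backstop. Building the DateTime with Get-Date avoids the
#    locale ambiguity of a string such as "11/11/2021".
Set-ADAccountExpiration -Identity $user -DateTime $today.AddDays(90)

# 4. Leave an audit trail in an attribute reviewers actually look at.
$note = "Disabled {0:yyyy-MM-dd} by {1}; previous description: {2}" -f $today, $env:USERNAME, $user.Description
Set-ADUser -Identity $user -Description $note

# 5. Read back the state.
Get-ADUser -Identity $sam -Properties AccountExpirationDate, Description, PasswordLastSet |
    Select-Object Name, Enabled, AccountExpirationDate, PasswordLastSet, Description

# Undo, for a user returning from leave: re-enable, clear the expiry and set a
# fresh initial password that must be changed at first logon.
# Enable-ADAccount -Identity $sam
# Clear-ADAccountExpiration -Identity $sam
# Set-ADAccountPassword -Identity $sam -Reset -NewPassword (Read-Host -AsSecureString)
# Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
```

Disabling alone is enough for a planned leave; the password reset and expiry matter when the account has been used for anything beyond interactive logon, because a disabled account whose old password is still known becomes live again the moment someone ticks Enable.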

How to Find Locked-out User Accounts

User accounts may get locked out for many reasons, and to troubleshoot the cause you first need the list of locked-out accounts. There are several ways to get it.

Finding Locked User Accounts with the Active Directory Administrative Center

Run Active Directory Administrative Center (dsac.exe). Select the OU or container where you want to search for locked out users. Expand the top bar by clicking on an arrow button in the right top corner.

Click on Add criteria and select the “Users with enabled but locked accounts” criteria. Click Add and the locked-out accounts will be displayed.

Finding Locked Out Accounts

Finding Locked User Accounts with Windows PowerShell

To find locked-out accounts in AD, use the following PowerShell script:

Import-Module ActiveDirectory
Search-ADAccount -LockedOut -UsersOnly | Format-Table Name,LockedOut -AutoSize

How to Unlock a User Account

Account lockout is one of the most frequent tickets a sysadmin sees, and sometimes the cause is hard to find and needs deeper investigation. That is no reason to disable the lockout policy: it is what limits online password guessing against your accounts. Bear in mind, though, that the same policy lets an attacker lock users out deliberately, so choose a threshold and lockout duration that stop guessing without turning every mistyped password into a ticket. In this guide we focus on simple techniques to unlock users.

Unlocking User Accounts via Active Directory Administrative Center

To unlock a user object, open the Active Directory Administrative Center (dsac.exe), navigate to the OU or container where users exist in. Right-click the object you want to unlock and select Properties.

In the User window click the Unlock account and then OK.

To unlock all locked-out accounts in a certain OU or container, select that OU or container. Expand the top bar by clicking the arrow button in the top right corner. Click Add criteria and select the “Users with enabled but locked accounts” criterion. Click Add and the locked-out accounts are displayed. Select all of them, open Properties and click Unlock account.

Unlocking User Accounts via Windows PowerShell

To unlock a user account, you need to run the following PowerShell code:

Import-Module ActiveDirectory
Unlock-ADAccount -Identity "CN=GSoul,CN=Users,DC=office,DC=local"

To unlock all locked accounts at once, pipe Search-ADAccount into Unlock-ADAccount. Use this deliberately: a burst of lockouts across many users is the usual sign of a password-spray attack, and unlocking them all without checking the source (event 4740 on the PDC emulator) simply hands the attacker more attempts:

Import-Module ActiveDirectory
Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount
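The following added example, which is not from the original article, covers both the “find” and the “unlock” sections above: it lists the locked-out users and then reads the lockout events (ID 4740) from the PDC emulator, which records every lockout in the domain, so that the machine sending the bad passwords is known before anyone is unlocked. It assumes you can read the Security log on the PDC emulator (membership in Event Log Readers or equivalent); the 24-hour window is an arbitrary choice.

```powershell
# Added example: locate lockouts and their source before unlocking.
# Assumptions: rights to read the Security log on the PDC emulator; 24 h window.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator

# 1. Who is currently locked out?
$locked = Search-ADAccount -LockedOut -UsersOnly
$locked | Select-Object Name, SamAccountName, LastLogonDate, LockedOut | Format-Table -AutoSize

# 2. Pull the lockout events. 4740 is always logged on the PDC emulator, so one
#    query covers the whole domain. Get-WinEvent throws when nothing matches,
#    hence -ErrorAction SilentlyContinue.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
              -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since }

# Properties[0] is the locked account, Properties[1] the "Caller Computer Name",
# i.e. the host that submitted the failing credentials. A user's own laptop or a
# server with a stale stored credential is benign; an unfamiliar host is not.
$report = foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $e.Properties[0].Value
        Source = $e.Properties[1].Value
    }
}
$report | Sort-Object Time -Descending | Format-Table -AutoSize

# Many users locked from one source in a short time is the spray signature.
$report | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 3. Unlock a single reviewed account...
# Unlock-ADAccount -Identity GSoul
# ...and only use the bulk form after the sources above have been checked:
# Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount
```

If the caller computer is a domain controller or a server rather than the user's workstation, the bad credential is usually a stored password in a scheduled task, service, mapped drive or mobile device, and the fix is on that machine, not in AD.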

How to Modify Several Users in Bulk

Sometimes one attribute has to be changed on many objects at once. Modifying multiple objects is a slightly different task from editing a single user, and there are several ways to do it.

Modify Several Users at Once Using ADUC

ADUC is adequate when simple filters are enough to group users. It has a selection mechanism: you can select several different users with the Ctrl key held, a range with the Shift key held, or all users in an OU or container with Ctrl + A.

So, you need to change some settings on multiple user accounts; let's do that in ADUC:

In ADUC (dsa.msc) locate the OU that holds them. Select the user objects with the Shift key held, right-click the selection and select Properties.

Change the given attributes according to your needs and click OK.

Modifying Multiple Users via ADUC

Modify Several Users at Once Using Active Directory Administrative Center

The ADAC differs from ADUC by providing additional filters.

Run ADAC and select the OU to use as the base scope for the filter.

Expand the top bar by clicking on little arrow button at top right corner. Click the Add criteria button:

Filtering Search in ADAC

Add the criteria you want to use such as “Users with expired passwords” or you can create a filter by one of the attributes. Select the filter and click Add to load it. You can use matches such as starts with, equals, does not equal, is empty, and is not empty.

After you receive the list of objects based on your filter press Ctrl+A to select all of them and click Properties.

Modifying Multiple Users via ADAC

Change attributes that you want to modify and click OK.

Modify Several Users at Once Using Windows PowerShell

PowerShell offers the most flexible filtering, and it is the best choice when the same change has to be applied to many user objects or repeated regularly. Run the command with -WhatIf first and review the list of objects the filter returns before committing the change.

In our example we filter all accounts whose name starts with “admin” and set “Protect object from accidental deletion” on each of them:

Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(sAMAccountName=admin*)" | Set-ADObject -ProtectedFromAccidentalDeletion $true
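The following added example (not the article's own code) shows the bulk pattern with a filter that uses the bitwise LDAP matching rule on userAccountControl, a dry run with -WhatIf, and an exclusion for accounts that should not be touched. It finds enabled users in an OU whose password is set never to expire and clears that flag. The OU “Employees” in office.local and the svc- naming prefix for service accounts are assumptions.

```powershell
# Added example: bulk change with a reviewed list and a dry run.
# Assumptions: OU Employees in office.local; service accounts named svc-*.
Import-Module ActiveDirectory

$ou = "OU=Employees,DC=office,DC=local"

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
# userAccountControl bit 2     = ACCOUNTDISABLE (excluded with !)
# userAccountControl bit 65536 = DONT_EXPIRE_PASSWORD (required)
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$targets = Get-ADUser -LDAPFilter $filter -SearchBase $ou `
               -Properties PasswordNeverExpires, PasswordLastSet

# Review what the filter matched before changing anything.
$targets | Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet |
    Format-Table -AutoSize

# Service accounts that really need a non-expiring password are handled
# separately (ideally as group managed service accounts), not fixed blindly.
$toFix = $targets | Where-Object { $_.SamAccountName -notlike 'svc-*' }

# Dry run: -WhatIf prints each change that would be made and writes nothing.
$toFix | Set-ADUser -PasswordNeverExpires $false -WhatIf

# Real run, to be executed only after the list above has been reviewed:
# $toFix | Set-ADUser -PasswordNeverExpires $false
```

The same shape (filter, review, -WhatIf, commit) applies to any bulk change; the attribute-specific part is only the LDAP filter and the Set-ADUser parameter.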

Credits

How to Manage User Accounts in Active Directory. Part 1: Creating and Deleting User Accounts – Serverspace.us

How to Manage User Accounts in Active Directory. Part 2: Moving and Renaming User Accounts – Serverspace.us

How to Manage User Accounts in Active Directory. Part 3: Enabling, Disabling and Setting Expiration Period for Accounts – Serverspace.us

How to Manage User Accounts in Active Directory. Part 4: Finding Locked-out Accounts and Unlocking them. – Serverspace.us

How to Manage User Accounts in Active Directory. Part 5: Modifying Several Users in Bulk – Serverspace.us
