How to Manage User Accounts in Active Directory

Users are among the most common objects in AD. They are used for authentication and authorization on workstations and in many services that are integrated with AD. User management is a core routine for sysadmins and helpdesk specialists, and this guide shows several ways to manage user objects. To manage users you need to install the RSAT tools or work from your DC. You must be signed in as a domain admin, as a member of Account Operators, or as a user with delegated rights to create objects in the target OU.

Contents

  • Creating User Accounts
  • Deleting User Accounts
  • Moving User Accounts
  • Renaming User Accounts
  • Enabling User Accounts
  • Disabling User Accounts
  • Setting Expiration Period for an Account
  • Finding Locked-out Accounts
  • Unlocking User Accounts
  • Modifying Several Users in Bulk

Creating a User Account

There are many ways to create a user account in AD; let's consider several of them.

Creating User Account Using Active Directory Users and Computers (ADUC)

Run ADUC (dsa.msc).

Go to the OU where new users should be located. In the taskbar, click the “New User” icon, or right-click on a white space in the main window and then click “New -> User”. Another way is to right-click the needed Org Unit and select “New -> User”.

Creating New User

The “New Object — User” window appears. Specify the parameters for your user:

• Full name, by either typing the full name into Full Name field or typing it in the First and Last name fields.

• User logon name, this field creates the userPrincipalName and the sAMAccountName attributes.

User Account Details

Click Next, specify a strong password, retype it in the next field, and check the needed parameters. For a regular user you should usually check “User must change password at next logon”.

User Password Settings

Click Next and then Finish. Congratulations, the new user was successfully created!

Creating User Account Using Command Prompt

To do the same thing in cmd, use the dsadd.exe utility. The following parameters create a user in the “Users” container in AD and set a default password for it:

dsadd.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -upn GSoul@office.local -fn "Gordon" -ln "Soul" -display "Gordon Soul" -pwd "P@&&W0rd"

Creating User Account Using Windows PowerShell

Run the following PowerShell code under Administrator privileges:

Import-Module ActiveDirectory
New-ADUser -Name FRobinson -Path "CN=Users,DC=office,DC=local" -GivenName "Frank" -Surname "Robinson" -sAMAccountName FRobinson
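
The New-ADUser call above supplies no password, and New-ADUser leaves an account disabled until a valid password is set. The following is an added example, not part of the original article, that creates the same user enabled with a prompted initial password and then checks the result; the UPN suffix is an assumption that follows the dsadd example.

```powershell
Import-Module ActiveDirectory

# Prompt for the initial password so it never appears in the script
# or in the PowerShell command history.
$initialPwd = Read-Host "Initial password for FRobinson" -AsSecureString

# Splatting keeps the long parameter list readable.
$newUser = @{
    Name                  = 'FRobinson'
    SamAccountName        = 'FRobinson'
    UserPrincipalName     = 'FRobinson@office.local'   # assumed UPN suffix
    GivenName             = 'Frank'
    Surname               = 'Robinson'
    DisplayName           = 'Frank Robinson'
    Path                  = 'CN=Users,DC=office,DC=local'
    AccountPassword       = $initialPwd
    Enabled               = $true
    ChangePasswordAtLogon = $true    # the initial password is single-use
}

try {
    New-ADUser @newUser -ErrorAction Stop
}
catch {
    # If the password fails domain policy, the object may still have been
    # created, disabled and without a password. Report and stop here.
    Write-Warning "New-ADUser failed: $($_.Exception.Message)"
    return
}

# Confirm the resulting state rather than assuming it. PasswordLastSet is
# empty here because the user must change the password at next logon.
Get-ADUser -Identity 'FRobinson' -Properties PasswordLastSet, PasswordNotRequired |
    Select-Object SamAccountName, Enabled, PasswordNotRequired, PasswordLastSet
```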

How to Delete a User Account

Let's delete a user from the AD environment using one of these easy methods. Note that with the AD Recycle Bin enabled this action does not completely delete the user account; it changes its token attributes and moves it to deleted objects.

Deleting User Account in Active Directory Users and Computers (ADUC)

To delete one user, open Active Directory Users and Computers (dsa.msc).

Go to the OU or container where the user that you need to delete resides. Click on the Action menu or right-click the OU and select Find.

Find a User

Type the name or last name of the user you want to delete into the name field and click “Find Now”. The results will be displayed; select the object you need to delete, right-click it, click Delete and confirm your decision.

Deleting a User

Deleting User Account Using Command Prompt

The following cmd string will delete a user “GSoul” from office.local domain:

dsrm.exe "CN=GSoul,CN=Users,DC=office,DC=local"

Deleting User Account Using PowerShell

Execute the following PowerShell code to delete a user GSoul from AD:

Import-Module ActiveDirectory
Remove-ADUser -Identity "CN=GSoul,CN=Users,DC=office,DC=local"

Moving User Accounts

Moving a User Account via Active Directory Users and Computers (ADUC)

In ADUC (dsa.msc) go to the OU or container with the needed user account. Right-click it and select Find…. In the Name field, type the name of the user account and then click Find Now… From the list of Search results, select the needed user object.

Right-click on the user account. Select Move… from the menu.

The Move window appears:

Moving a User Account

In the Move window, navigate to the OU or container where you want to move the user object to, select it and click OK.

Moving a User Account via Command Prompt

To move a user object (GSoul in our case) to the “Employees” OU, run dsmove.exe in cmd with the following parameters:

dsmove.exe "CN=GSoul,CN=Users,DC=office,DC=local" -newparent "OU=Employees,DC=office,DC=local"

Moving a User Account via Windows PowerShell

Use the following PowerShell code to move a user account (GSoul in our example) to the “Employees” OU.

Import-Module ActiveDirectory
Move-ADObject -Identity:"CN=GSoul,CN=Users,DC=office,DC=local" -TargetPath:"OU=Employees,DC=office,DC=local"

How to Rename a User Account in Active Directory

To rename a user account, follow these instructions.

Renaming a User Account via Active Directory Users and Computers

In Active Directory Users and Computers (dsa.msc) in the View menu, enable Advanced Features.

Navigate to the OU or container where the needed user object resides. Right-click it and select Find…. In the Name field, type the name of the user and press “Find Now”. From the search results, right-click the needed user account and select Rename. Type the new name and press Enter.

Renaming a User Account

In the Rename User window, enter new data for other attributes and click OK.

Renaming a User Account via Command Prompt

Use dsmove.exe with the following parameters in order to rename a user:

dsmove.exe "CN=GSoul,CN=Users,DC=office,DC=local" -NewName "Gordon Gates"

Renaming a User Account via PowerShell

In order to rename a user in AD enter this code into Windows PowerShell:

Import-Module ActiveDirectory
Rename-ADObject -Identity "CN=GSoul,CN=Users,DC=office,DC=local" -NewName "Gordon Gates"

How to Enable and Disable a User Account in Active Directory

If you want to stop a user from logging in to their workstation, you can disable the account. If the account is needed again for some reason, for example when an employee returns from maternity leave, you can enable it again. Here is how to do that in multiple ways.

Enabling and Disabling a User Account Using Active Directory Users and Computers

To enable/disable a user in ADUC, follow these steps:

In ADUC (dsa.msc), determine the OU or container storing the needed accounts. Right-click it and select Find…. In the Name field, type the name of the user account and then click Find Now… From the list of Search results, select the needed user object, right-click it, select Enable account or Disable account depending on what you need, and click OK.

Disabling a User Account

Enabling/Disabling a User Account Using cmd.exe

These tasks are handled by dsmod.exe. Use it with the following settings to enable an account:

dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -disabled no

And this will disable it:

dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -disabled yes

Enabling and Disabling a User Account Using Windows PowerShell

Here is the PowerShell code to enable a user account:

Import-Module ActiveDirectory
Enable-ADAccount -Identity "CN=GRobinson,CN=Users,DC=office,DC=local"

And this one is for disabling a user account:

Import-Module ActiveDirectory
Disable-ADAccount -Identity "CN=GRobinson,CN=Users,DC=office,DC=local"

How to Set Account Expiration Period to a User Account

User accounts can be set to expire automatically after a certain period of time.

Setting Account Expiration Period in ADUC

To set account expiration in ADUC, follow these simple steps:

In ADUC (dsa.msc) go to the OU or container with the needed user account. Right-click it and select Find…. In the Name field, type the name of the user account and then click Find Now… From the list of Search results, select the needed user object. Right-click it and select Properties. Select the Account tab and, at the bottom of this tab, change the Never option for “Account expires:” to End of:, then select the needed date. Click OK to save the changes.

Setting User Account Expiration Period

Setting Account Expiration Period Using cmd.exe

Use dsmod.exe to set the number of days before an account expires:

dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -acctexpires 90

Setting Account Expiration Period Using Windows PowerShell

To set the expiration date for a user in the Employees OU, execute the following PowerShell script:

Import-Module ActiveDirectory
Set-ADAccountExpiration -Identity "CN=GSoul,OU=Employees,DC=office,DC=local" -DateTime "11/11/2021 12:00:00"

How to Find Locked-out User Accounts

User accounts may get locked out for some reason, and you will need to troubleshoot the cause of the lockout, but first of all you need to get a list of them. There are several ways to get this list.

Finding Locked User Accounts with the Active Directory Administrative Center

Run Active Directory Administrative Center (dsac.exe). Select the OU or container where you want to search for locked-out users. Expand the top bar by clicking the arrow button in the top right corner.

Click on Add criteria and select the “Users with enabled but locked accounts” criteria. Click Add and the locked-out accounts will be displayed.

Finding Locked Out Accounts

Finding Locked User Accounts with Windows PowerShell

To find locked-out accounts in AD, use the following PowerShell script:

Import-Module ActiveDirectory
Search-ADAccount -LockedOut -UsersOnly | Format-Table Name,LockedOut -AutoSize

How to Unlock a User Account

Account lockout is one of the most frequent cases sysadmins deal with in an organization. Sometimes its cause is hard to find and requires deep investigation. Disabling the account lockout policy is not the answer, though, because it helps to protect your user accounts from brute force attacks. In this guide we will focus on easy techniques to unlock users.

Unlocking User Accounts via Active Directory Administrative Center

To unlock a user object, open the Active Directory Administrative Center (dsac.exe) and navigate to the OU or container where the users reside. Right-click the object you want to unlock and select Properties.

In the User window click Unlock account and then OK.

To unlock all locked-out accounts in a certain OU or container, select the OU or container where you want to search for locked-out users. Expand the top bar by clicking the arrow button in the top right corner. Click on Add criteria and select the “Users with enabled but locked accounts” criteria. Click Add and the locked-out accounts will be displayed. Select all accounts, go to Properties and click on Unlock account.

Unlocking User Accounts via Windows PowerShell

To unlock a user account, you need to run the following PowerShell code:

Import-Module ActiveDirectory
Unlock-ADAccount -Identity "CN=GSoul,CN=Users,DC=office,DC=local"

And in order to unlock all locked accounts use Search-ADAccount cmdlet:

Import-Module ActiveDirectory
Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount
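
Because the lockout policy is there to blunt brute force attempts, it is worth looking at what is locked before unlocking everything. The following added example (not from the original article) lists lockout details and only proceeds to a dry-run unlock when the number of recent lockouts is small; the 30-minute window and the limit of 5 are assumed values.

```powershell
Import-Module ActiveDirectory

# Assumed thresholds for illustration; tune them to your environment.
$WindowMinutes = 30   # how far back counts as "recent"
$MaxRecent     = 5    # more recent lockouts than this needs a closer look

# Pull lockout details for every locked-out user.
# BadLogonCount and LastBadPasswordAttempt are not replicated, so the
# values shown are those held by the DC that answers this query.
$locked = @(Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt)

$locked | Sort-Object AccountLockoutTime |
    Format-Table SamAccountName, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt -AutoSize

$cutoff = (Get-Date).AddMinutes(-$WindowMinutes)
$recent = @($locked | Where-Object { $_.AccountLockoutTime -gt $cutoff })

if ($recent.Count -gt $MaxRecent) {
    # Many accounts locking in a short window points at password guessing
    # across accounts, not at a few forgotten passwords. Investigate first.
    Write-Warning ("{0} accounts locked in the last {1} minutes; investigate before unlocking." -f $recent.Count, $WindowMinutes)
}
else {
    # -WhatIf only prints what would be unlocked; remove it to apply.
    $locked | Unlock-ADAccount -WhatIf
}
```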

How to Modify Several Users in Bulk

Sometimes there is a need to modify one attribute for multiple objects. Modifying multiple objects at once is a slightly different task from editing a single user, and there are several ways to achieve it.

Modify Several Users at Once Using ADUC

ADUC is great when you need simple filters to group users by certain criteria. It has a selection mechanism: for example, you can select multiple different users with the Ctrl button pressed or a chunk with the Shift button pressed. You can also easily select all users in an OU or container by pressing Ctrl + A.

So, you need to change some settings in multiple user accounts; let’s do that with AD:

In ADUC (dsa.msc) locate the OU that fits your needs. Select the user objects while holding the Shift button. Right-click the selected objects and select Properties.

Change the given attributes according to your needs and click OK.

Modifying Multiple Users via ADUC

Modify Several Users at Once Using Active Directory Administrative Center

The ADAC differs from ADUC by providing additional filters.

Run ADAC and select the OU to use as the base scope for the filter.

Expand the top bar by clicking the little arrow button in the top right corner. Click the Add criteria button:

Filtering Search in ADAC

Add the criteria you want to use, such as “Users with expired passwords”, or create a filter on one of the attributes. Select the filter and click Add to load it. You can use matches such as starts with, equals, does not equal, is empty, and is not empty.

After you receive the list of objects based on your filter, press Ctrl+A to select all of them and click Properties.

Modifying Multiple Users via ADAC

Change attributes that you want to modify and click OK.

Modify Several Users at Once Using Windows PowerShell

Filter customization in PowerShell is more advanced, and PowerShell is the best choice when you need to modify multiple user objects repeatedly.

In our example we will filter all accounts with name starting with “admin” and enable “Prevent from accidental deletion” for all these accounts:

Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(sAMAccountName=admin*)" | Set-ADObject -ProtectedFromAccidentalDeletion $true

Credits

How to Manage User Accounts in Active Directory. Part 1: Creating and Deleting User Accounts – Serverspace.us

How to Manage User Accounts in Active Directory. Part 2: Moving and Renaming User Accounts – Serverspace.us

How to Manage User Accounts in Active Directory. Part 3: Enabling, Disabling and Setting Expiration Period for Accounts – Serverspace.us

How to Manage User Accounts in Active Directory. Part 4: Finding Locked-out Accounts and Unlocking them. – Serverspace.us

How to Manage User Accounts in Active Directory. Part 5: Modifying Several Users in Bulk – Serverspace.us

How to Change User Password in AD via PowerShell

In this article we will see how to change (reset) the password of one or more Active Directory users from the PowerShell command line using the Set-ADAccountPassword cmdlet.

Most system administrators reset user passwords in AD using the dsa.msc (Active Directory Users & Computers – ADUC) snap-in. They simply find the user account in AD, right-click on it and select Reset password.

Reset password in AD

But it is not possible to use the ADUC console when you need to reset the password for multiple users at once. In this case, you can change AD passwords from the PowerShell command line.

Import Active Directory Module

To reset a user password in AD, the Set-ADAccountPassword cmdlet is used, which is included in the Active Directory module for Windows PowerShell. In Windows desktop versions it is included in RSAT, and in server editions it is installed as a separate component of AD DS Snap-Ins and Command-Line Tools. Before using the module, you must import it into a PowerShell session:

Import-module ActiveDirectory

Check for Password Reset Rights

To reset a password, your account must have the appropriate rights. Naturally, normal AD users by default cannot reset other accounts’ passwords. For this feature to be available, the user (or user group) must be delegated the right to reset passwords on the AD container, or be added to the domain Account Operators group.

To verify that your account has the right to reset a particular user’s password, open its properties, go to the Security -> Advanced -> Effective Access tab, specify your account name and make sure that you have Reset Password permission.

Effective access tab

Reset Password for a Single User Account

To reset the password for a user with the logon name testuser and set a new password for it, run the command:

# Single quotes stop PowerShell from expanding $$ inside the password
Set-ADAccountPassword testuser -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'newP@$$w0rD' -Force -Verbose) -PassThru

By default, the cmdlet returns the object and displays nothing in the console. To display information about the user object in AD we are using the -PassThru option.

As username you can specify SamAccountName (our case), objectGUID, SID of the user, or his DN (Distinguished Name, e.g. CN=TestUser,OU=Users,DC=testdomain,DC=com).

If you do not specify the -Reset parameter when changing the user password, you must specify the old password first and only then a new one.

Note. If the following error occurs when resetting the password using the Set-ADAccountPassword command:

Set-ADAccountPassword : The password does not meet the length, complexity, or history requirement of the domain.

This means that complexity, length or history requirements are defined in the domain password policy or a granular password policy, and the entered password doesn't meet them.

If you have PowerShell command history enabled and you do not want passwords to be visible in the PoSh console, the password must be converted to a secure string:

$NewPwd=Read-Host "Enter new user password" -AsSecureString

Now let’s reset the password:

Set-ADAccountPassword testuser -Reset -NewPassword $NewPwd -PassThru

Additional Commands after Resetting User Account Password

After resetting a password, you can also unlock the user account if it is locked, using the following command:

Unlock-ADAccount -Identity testuser

To force the user to change the password to a new one the next time they log in to the domain, run the command:

Set-ADUser -Identity testuser -ChangePasswordAtLogon $true

You can combine the password reset and the password change requirement in a single line:

Set-ADAccountPassword testuser -NewPassword $NewPwd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True

Verify the Password Change

Using the Get-ADUser command, you can verify that the password has been reset successfully by displaying the last time the account was changed:

Get-ADUser testuser -Properties * | select name, pass*

When the password is reset, EventID 4724 is logged on the domain controller (DC) in the Security event log. This event helps to determine who reset the password.
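
To show how the 4724 events can be used, here is an added example (not from the original article) that reads them from the Security log and reports who reset whose password. It assumes an elevated session with rights to read the Security log on each DC; the 24-hour window is an arbitrary choice, and SubjectUserName and TargetUserName are the event's own data fields.

```powershell
Import-Module ActiveDirectory

function Get-PasswordResetEvent {
    param(
        [datetime]$After = (Get-Date).AddHours(-24),   # assumed look-back window
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = $After }

    # SilentlyContinue suppresses the error raised when no events match.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the event data fields by name from the XML form.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ResetBy     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Target      = '{0}\{1}' -f $data['TargetDomainName'],  $data['TargetUserName']
                DC          = $_.MachineName
            }
        }
}

# The event is written on the DC that processed the reset, so ask every DC.
$resets = Get-ADDomainController -Filter * |
    ForEach-Object { Get-PasswordResetEvent -ComputerName $_.HostName }

# Full timeline, newest first.
$resets | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Resets per actor: a bulk reset shows up as one account with many targets,
# which should match a known change or be investigated.
$resets | Group-Object ResetBy | Sort-Object Count -Descending | Select-Object Count, Name
```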

Change the Password of Several Users in AD at Once

We’ve shown you how to reset a single user’s password in AD using PowerShell. Let's consider another scenario where you need to change the passwords of multiple users at the same time.

The simplest scenario is when you need to reset the passwords of all users with certain account properties. For example, you need to reset the passwords of all employees from the marketing department to a default password and force them to change their passwords the next time they log on:

# $NewPwd is the secure string read earlier with Read-Host -AsSecureString
Get-ADUser -Filter "department -eq 'Marketing' -AND enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $NewPwd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True

Now let’s consider another case. Let’s say you have a CSV / Excel file that contains a list of users who need to reset passwords with a unique password for each user. The format of the file testusers.csv:

SamAccountName;NewPwd
testuser1;u9anklenX7Uf57d
testuser2;ucBclay4wcZKqQ
testuser3;vbullDJNxaG%y

With the following PowerShell script, you can reset the password for each account from the file:

Import-Csv testusers.csv -Delimiter ";" | ForEach-Object {
    # Column names must match the CSV header: SamAccountName;NewPwd
    $NewPwd = ConvertTo-SecureString -AsPlainText $_.NewPwd -Force
    Set-ADAccountPassword -Identity $_.SamAccountName -NewPassword $NewPwd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}

After this code is executed, a new unique password will be set for each user from the file.
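
A bulk run like this fails quietly for individual rows (unknown account, password rejected by policy), and the CSV holds the passwords in clear text. The following added example, not from the original article, reads the same testusers.csv layout, validates the header, reports a status per row, and, unlike the script above, requires a password change at next logon.

```powershell
Import-Module ActiveDirectory

# Assumes the SamAccountName;NewPwd layout shown above.
$rows = @(Import-Csv -Path .\testusers.csv -Delimiter ';')

# Fail early if the header does not match what the loop reads; a wrong
# column name would otherwise hand $null to ConvertTo-SecureString.
$missing = 'SamAccountName', 'NewPwd' |
    Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

$results = foreach ($row in $rows) {
    try {
        $secure = ConvertTo-SecureString -String $row.NewPwd -AsPlainText -Force
        Set-ADAccountPassword -Identity $row.SamAccountName -NewPassword $secure -Reset -ErrorAction Stop

        # Whoever built the CSV knows these passwords, so make each single-use.
        Set-ADUser -Identity $row.SamAccountName -ChangePasswordAtLogon $true -ErrorAction Stop
        $status = 'Reset'
    }
    catch {
        # Typical causes: account not found, or the password does not meet
        # the length, complexity, or history requirement of the domain.
        $status = "Failed: $($_.Exception.Message)"
    }

    # Never echo the password itself into the report.
    [pscustomobject]@{ SamAccountName = $row.SamAccountName; Status = $status }
}

$results | Format-Table -AutoSize -Wrap
```

Once every row reports Reset, the CSV has no further use and should not be left on disk or in a file share.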