Active Directory Recycle Bin is a feature that lets administrators restore deleted objects.
Finding Domain Naming Master Server
We recommend enabling the Recycle Bin feature on the DC that holds the Domain Naming Master role. To find out which domain controller holds this role, run netdom.exe with the following parameters in cmd:
netdom.exe query fsmo
Alternatively, this can be done in an elevated PowerShell console:
Import-Module ActiveDirectory
Get-ADForest | Format-List DomainNamingMaster
How to Enable Recycle Bin in AD Administrative Center
To do this, you need a domain admin account. Start AD Administrative Center (Start -> Run -> dsac.exe).
Click your domain name and, in the “Tasks” pane, click “Enable Recycle Bin…”.
Alternatively, right-click your domain in the overview and click “Enable Recycle Bin…”.
A confirmation window appears, warning that the Recycle Bin can be enabled only once and cannot be disabled afterwards. Click OK.
After enabling the Recycle Bin, click OK in the warning that appears, then refresh the ADAC window by clicking the refresh button in the top right corner of the window:
A new container named “Deleted Objects” appears next to the “Computers” container.
How to Enable Recycle Bin in PowerShell Console
Recycle Bin can also be enabled from the PowerShell console. Run PowerShell.exe with elevated permissions and type in the following code:
Replace office, local and office.local with your own domain parameters. The system asks for confirmation; type “y” to continue, and the “Deleted Objects” container appears.
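The PowerShell command this section refers to is not reproduced on this page. As an added example (not the article's own code), the following enables the feature with the ActiveDirectory module's Enable-ADOptionalFeature cmdlet, first checking whether it has already been enabled, and runs the change against the Domain Naming Master found earlier. office.local is the page's placeholder forest name; substitute your own.

```powershell
Import-Module ActiveDirectory

function Enable-ADRecycleBinFeature {
    param(
        # Forest root name; office.local is the page's placeholder, replace it with yours
        [string]$ForestName = 'office.local'
    )
    $forest  = Get-ADForest -Identity $ForestName
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.DomainNamingMaster

    # Enabling is one-way, so check whether it has already been done before prompting
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin is already enabled in forest $($forest.Name)."
        return $feature
    }

    # Run the change against the Domain Naming Master, as the article recommends.
    # The cmdlet asks for confirmation; answer "y" to continue.
    Enable-ADOptionalFeature -Identity $feature `
        -Scope ForestOrConfigurationSet `
        -Target $forest.Name `
        -Server $forest.DomainNamingMaster

    # Re-read the feature so the caller can confirm the forest scope is now listed
    Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.DomainNamingMaster
}

Enable-ADRecycleBinFeature -ForestName 'office.local' | Select-Object Name, EnabledScopes
```

After the call, EnabledScopes should contain the Partitions container of your forest's configuration partition; an empty list means the change did not take effect.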
From now on, when an AD object is deleted its “isDeleted” attribute is set to “true” while its “isRecycled” attribute is left untouched. In this state the deleted object is moved to “Deleted Objects”, from where you can easily restore it by right-clicking it and selecting Restore.
After 60 days the deleted object lifetime expires and the “isRecycled” attribute changes to “true”; at that point the object is deleted permanently.
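To see the two attributes just described on real objects, and to restore from PowerShell rather than the ADAC context menu, here is an added example (not from the original article). It reads the lifetime values that control when isRecycled flips, lists deleted users whose name starts with a prefix, and restores those that are deleted but not yet recycled. GSoul is the page's example account; the helper function names are constructed.

```powershell
Import-Module ActiveDirectory

# Shows how long deleted objects stay restorable in this forest.
function Get-ADDeletedObjectLifetime {
    $rootDse  = Get-ADRootDSE
    $dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $cfg = Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    [pscustomobject]@{
        # When msDS-DeletedObjectLifetime is not set, the tombstoneLifetime value applies
        DeletedObjectLifetimeDays = $cfg.'msDS-DeletedObjectLifetime'
        TombstoneLifetimeDays     = $cfg.tombstoneLifetime
    }
}

# Lists deleted (and possibly already recycled) user objects whose name starts with a prefix.
# Deleted objects are renamed to "<name>\0ADEL:<guid>", so a prefix match still finds them.
function Get-ADDeletedUser {
    param([string]$NamePrefix = 'GSoul')
    Get-ADObject -Filter "isDeleted -eq `$true -and objectClass -eq 'user' -and name -like '$NamePrefix*'" `
        -IncludeDeletedObjects `
        -Properties isDeleted, isRecycled, lastKnownParent, whenChanged
}

# Restores every matching object that is still only deleted; recycled ones cannot be restored.
function Restore-ADDeletedUser {
    param([string]$NamePrefix = 'GSoul')
    Get-ADDeletedUser -NamePrefix $NamePrefix |
        Where-Object { $_.isDeleted -and -not $_.isRecycled } |
        Restore-ADObject -PassThru
}

Get-ADDeletedObjectLifetime
Get-ADDeletedUser -NamePrefix 'GSoul' | Format-Table Name, isDeleted, isRecycled, lastKnownParent, whenChanged
Restore-ADDeletedUser -NamePrefix 'GSoul'
```

Restore-ADObject puts the object back under its lastKnownParent; if that OU was deleted as well, restore the parent first or pass -TargetPath to choose a new location.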
Users are one of the most common object types in AD. They are used for authentication and authorization on workstations and in many services integrated with AD. User management is a routine task for sysadmins and helpdesk specialists, and this guide shows how to manage such objects in several ways. To manage users you need the RSAT tools installed, or you can manage them from your DC. You must be signed in as a domain admin, as a member of Account Operators, or with delegated rights to create objects in the target OU.
Contents
Creating User Accounts
Deleting User Accounts
Moving User Accounts
Renaming User Accounts
Enabling User Accounts
Disabling User Accounts
Setting Expiration Period for an Account
Finding Locked-out Accounts
Unlocking User Accounts
Modifying Several Users in Bulk
Creating a User Account
There are many ways to create a user account in AD; let's consider several of them.
Creating User Account Using Active Directory Users and Computers(ADUC)
Run ADUC (dsa.msc).
Go to the OU where the new user should be located. In the toolbar, click the “New User” icon, or right-click an empty space in the main window and click “New -> User”. Another way is to right-click the required OU and select “New -> User”.
Creating New User
The “New Object - User” dialog appears; specify the parameters for your user:
• Full name, either by typing it into the Full Name field or by filling in the First name and Last name fields.
• User logon name; this field populates the userPrincipalName and sAMAccountName attributes.
User Account Details
Click Next, specify a strong password, retype it in the next field and check the needed options; for a regular user you should usually check “User must change password at next logon”.
User Password Settings
Click Next and then Finish. The new user has been created.
Creating User Account Using Command Prompt
To do the same in cmd, use the dsadd.exe utility. The following parameters create a user in the “Users” container in AD and set a default password for it:
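The dsadd.exe command itself is missing from this page. As an added example (not the article's own code), the following does the same job with the ActiveDirectory module's New-ADUser cmdlet: it creates the account in the Users container with an initial password that must be changed at first logon. GSoul and office.local are the page's placeholders; the given name, surname and the New-DomainUser function name are constructed.

```powershell
Import-Module ActiveDirectory

# Creates a user in the Users container with an initial password that must be
# changed at first logon. The given name and surname are constructed placeholders.
function New-DomainUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][securestring]$InitialPassword,
        [string]$Domain = 'office.local',
        [string]$Path   = 'CN=Users,DC=office,DC=local'
    )
    # New-ADUser would fail on a duplicate logon name anyway; checking first gives a clearer message
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        throw "A user with sAMAccountName '$SamAccountName' already exists."
    }

    New-ADUser -Name "$GivenName $Surname" `
        -GivenName $GivenName -Surname $Surname `
        -DisplayName "$GivenName $Surname" `
        -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$Domain" `
        -Path $Path `
        -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true `
        -Enabled $true `
        -PassThru
}

# The password is read interactively so it never appears in the script or in command history
$initial = Read-Host 'Initial password for the new user' -AsSecureString
New-DomainUser -SamAccountName 'GSoul' -GivenName 'Gaspar' -Surname 'Soul' -InitialPassword $initial |
    Select-Object DistinguishedName, SamAccountName, UserPrincipalName, Enabled
```

Without -AccountPassword the account would be created disabled, because an enabled account cannot exist with an empty password under the default domain policy.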
Let's delete a user from the AD environment using one of the following methods. Note that with AD Recycle Bin enabled this action does not completely delete the user account: it sets the object's deletion attributes and moves it to the Deleted Objects container.
Deleting User Account in Active Directory Users and Computers(ADUC)
Let's delete one user. To do that, open Active Directory Users and Computers (dsa.msc).
Go to the OU or container where the user you need to delete resides. Open the Action menu, or right-click the OU, and select Find.
Find a User
Type the first or last name of the user you want to delete into the Name field and click “Find Now”. From the results, select the object you need to delete, right-click it, click Delete and confirm your decision.
Deleting a User
Deleting User Account Using Command Prompt
The following cmd command deletes the user “GSoul” from the office.local domain:
dsrm.exe user "CN=GSoul,CN=Users,DC=office,DC=local"
Deleting User Account Using PowerShell
Execute the following PowerShell code to delete the user GSoul from AD:
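The PowerShell code referred to here is not on the page. As an added example (not the article's own code), the following deletes a user with Remove-ADUser, handles the common failure where the object is flagged “Protect from accidental deletion”, and then looks the same object up by GUID in the Deleted Objects container to confirm that, with the Recycle Bin enabled, it was moved rather than destroyed. GSoul is the page's example account; the Remove-DomainUser function name is constructed.

```powershell
Import-Module ActiveDirectory

# Deletes a user and shows where it went. With the Recycle Bin enabled the object is
# not destroyed; it is moved to the Deleted Objects container with isDeleted set.
function Remove-DomainUser {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties ProtectedFromAccidentalDeletion

    # Objects flagged "Protect from accidental deletion" carry a Deny Delete ACE;
    # Remove-ADUser fails on them until the flag is cleared.
    if ($user.ProtectedFromAccidentalDeletion) {
        Write-Warning "$($user.SamAccountName) is protected from accidental deletion; clearing the flag first."
        Set-ADObject -Identity $user.DistinguishedName -ProtectedFromAccidentalDeletion $false
    }

    # Like dsrm.exe, this prompts for confirmation; add -Confirm:$false for unattended use
    Remove-ADUser -Identity $user.DistinguishedName

    # The GUID survives deletion, so it is the reliable way to find the object afterwards
    Get-ADObject -Identity $user.ObjectGUID -IncludeDeletedObjects `
        -Properties isDeleted, isRecycled, lastKnownParent |
        Select-Object Name, DistinguishedName, isDeleted, isRecycled, lastKnownParent
}

Remove-DomainUser -Identity 'GSoul'
```

The final line of output should show isDeleted = True, isRecycled empty, and lastKnownParent pointing at the container the user was deleted from, which is exactly what Restore-ADObject needs to put it back.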
Moving a User Account via Active Directory Users and Computers(ADUC)
In ADUC (dsa.msc), go to the OU or container that holds the user account. Right-click it and select Find…. In the Name field, type the name of the user account and click Find Now. From the list of search results, select the required user object.
Right-click the user account and select Move… from the menu.
The Move window appears:
Moving a User Account
In the Move window, navigate to the OU or container where you want to move the user object to, select it and click OK.
Moving a User Account via Command Prompt
To move the user object (GSoul in our case) to the “Employees” OU, run dsmove.exe in cmd with the following parameters:
To rename a user account, follow these instructions.
Renaming a User Account via Active Directory Users and Computers
In Active Directory Users and Computers (dsa.msc), enable Advanced Features in the View menu.
Navigate to the OU or container where the user object resides. Right-click it and select Find…. In the Name field, type the name of the user and press “Find Now”. In the search results, right-click the user account and select Rename. Type the new name and press Enter.
Renaming a User Account
In the Rename User window, enter new values for the other name attributes and click OK.
Renaming a User Account via Command Prompt
Use dsmove.exe with the following parameters to rename a user:
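Both dsmove.exe commands (moving the user into the Employees OU above, and renaming it here) are missing from the page. As one added example covering both sections (not the article's own code), the following uses the PowerShell counterparts Move-ADObject and Rename-ADObject and shows what each one does and does not change. GSoul, the Employees OU and office.local are the page's placeholders; the new name and the function name are constructed.

```powershell
Import-Module ActiveDirectory

# Moves a user into a target OU and then renames the object, the PowerShell
# counterparts of "dsmove -newparent" and "dsmove -newname".
function Move-AndRenameDomainUser {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$TargetPath = 'OU=Employees,DC=office,DC=local',
        [string]$NewName
    )
    $user = Get-ADUser -Identity $Identity

    # Moving only changes the object's location; its ObjectGUID stays the same
    $moved = Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetPath -PassThru

    if ($NewName) {
        # Rename changes the RDN (the CN= part) only; sAMAccountName and UPN are untouched
        Rename-ADObject -Identity $moved.DistinguishedName -NewName $NewName
        # The Rename User dialog also updates the display name, so keep it in sync
        Set-ADUser -Identity $user.ObjectGUID -DisplayName $NewName
    }

    # Resolve by GUID, since the DN is no longer what we started with
    Get-ADUser -Identity $user.ObjectGUID -Properties DisplayName |
        Select-Object DistinguishedName, Name, DisplayName, SamAccountName, UserPrincipalName
}

Move-AndRenameDomainUser -Identity 'GSoul' -TargetPath 'OU=Employees,DC=office,DC=local' -NewName 'Gaspar Soul'
```

If the user is protected from accidental deletion, Move-ADObject is refused as well (a move is a delete-and-add from the directory's point of view); clear the flag with Set-ADObject -ProtectedFromAccidentalDeletion $false first and restore it after the move.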
How to Enable and Disable a User Account in Active Directory
If you want to stop a user from logging on to their workstation, you can disable the account; when it is needed again, for example because an employee has returned from maternity leave, you can enable it again. Here is how to do that in several ways.
Enabling and Disabling a User Account Using Active Directory Users and Computers
To enable/disable a user in ADUC, follow these steps:
In ADUC (dsa.msc), locate the OU or container that stores the account. Right-click it and select Find…. In the Name field, type the name of the user account and click Find Now. From the list of search results, select the user object, right-click it, select Enable account or Disable account as needed, and click OK.
Disabling a User Account
Enabling/Disabling a User Account Using cmd.exe
These tasks are handled by dsmod.exe; use it with the following parameters to enable an account:
dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -disabled no
And this will disable it:
dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -disabled yes
Enabling and Disabling a User Account Using Windows PowerShell
Here is the PowerShell code to enable a user account:
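The PowerShell code is not reproduced on the page. As an added example (not the article's own code), the following wraps Enable-ADAccount and Disable-ADAccount in one function that returns the resulting state, including the raw ACCOUNTDISABLE bit (0x2) of userAccountControl that the Enabled property is derived from. GSoul is the page's example account; the function name is constructed.

```powershell
Import-Module ActiveDirectory

# Enables or disables an account and returns the resulting state. The Enabled
# property shown by Get-ADUser is just the inverse of bit 0x2 in userAccountControl.
function Set-DomainAccountState {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][bool]$Enabled
    )
    if ($Enabled) { Enable-ADAccount  -Identity $Identity }
    else          { Disable-ADAccount -Identity $Identity }

    $u = Get-ADUser -Identity $Identity -Properties userAccountControl, whenChanged
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        AccountDisableBit = ($u.userAccountControl -band 0x2) -ne 0
        WhenChanged       = $u.whenChanged
    }
}

Set-DomainAccountState -Identity 'GSoul' -Enabled $false   # disable, as for an employee on leave
Set-DomainAccountState -Identity 'GSoul' -Enabled $true    # enable again on return
```

Disabling does not end sessions that are already established; existing Kerberos tickets stay valid until they expire, so for an urgent case also reset the password or revoke sessions on the relevant systems.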
How to Set Account Expiration Period to a User Account
User accounts can be set to expire automatically after a certain period of time.
Setting Account Expiration Period in ADUC
To set account expiration in ADUC, follow these simple steps:
In ADUC (dsa.msc), go to the OU or container that holds the user account. Right-click it and select Find…. In the Name field, type the name of the user account and click Find Now. From the list of search results, select the user object, right-click it and select Properties. On the Account tab, at the bottom, change the “Account expires:” option from Never to End of: and select the required date. Click OK to save the changes.
Setting User Account Expiration Period
Setting Account Expiration Period Using cmd.exe
Use dsmod.exe to set the number of days until an account expires:
dsmod.exe user "CN=GSoul,CN=Users,DC=office,DC=local" -acctexpires 90
Setting Account Expiration Period Using Windows PowerShell
To set an expiration date for the user accounts in the Employees OU, execute the following PowerShell script:
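The script itself is not on the page. As an added example (not the article's own code), the following sets an expiry date on every user in an OU with Set-ADAccountExpiration, mirroring the 90-day value used with dsmod above, and then reads AccountExpirationDate back to verify. The Employees OU and office.local are the page's placeholders; the function name is constructed.

```powershell
Import-Module ActiveDirectory

# Sets an expiry on every user in an OU. ADUC's "End of: <date>" stores the start of
# the following day, so the date is normalised the same way here to match the GUI.
function Set-OUAccountExpiration {
    param(
        [string]$SearchBase = 'OU=Employees,DC=office,DC=local',
        [int]$DaysFromNow = 90
    )
    $endOfDay = (Get-Date).Date.AddDays($DaysFromNow + 1)

    $users = Get-ADUser -Filter * -SearchBase $SearchBase
    $users | Set-ADAccountExpiration -DateTime $endOfDay

    # Read the attribute back rather than trusting the call succeeded silently
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties AccountExpirationDate |
        Select-Object SamAccountName, AccountExpirationDate
}

Set-OUAccountExpiration -SearchBase 'OU=Employees,DC=office,DC=local' -DaysFromNow 90

# To put a single account back to "Never":
# Clear-ADAccountExpiration -Identity 'GSoul'
```

Run it with -DaysFromNow 0 on a test OU first if you want to see the "End of" normalisation: the stored date will be the start of tomorrow, which ADUC displays as "End of" today.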
User accounts may get locked out for various reasons. To troubleshoot the cause of a lockout you first need the list of locked-out accounts, and there are several ways to get it.
Finding Locked User Accounts with the Active Directory Administrative Center
Run Active Directory Administrative Center (dsac.exe). Select the OU or container where you want to search for locked-out users. Expand the top bar by clicking the arrow button in the top right corner.
Click Add criteria, select the “Users with enabled but locked accounts” criterion and click Add; the locked-out accounts are displayed.
Finding Locked Out Accounts
Finding Locked User Accounts with Windows PowerShell
To find locked-out accounts in AD, use the following PowerShell script:
Account lockout is one of the most frequent cases sysadmins deal with in an organization. Sometimes the cause is hard to find and requires a deep investigation, but that is no reason to disable the account lockout policy, because it helps protect your user accounts from brute-force attacks. In this guide we focus on easy techniques for unlocking users.
Unlocking User Accounts via Active Directory Administrative Center
To unlock a user object, open the Active Directory Administrative Center (dsac.exe) and navigate to the OU or container where the user resides. Right-click the object you want to unlock and select Properties.
In the user window, click Unlock account and then OK.
To unlock all locked-out accounts in a certain OU or container, select that OU or container. Expand the top bar by clicking the arrow button in the top right corner. Click Add criteria, select the “Users with enabled but locked accounts” criterion and click Add; the locked-out accounts are displayed. Select all accounts, go to Properties and click Unlock account.
Unlocking User Accounts via Windows PowerShell
To unlock a user account, run the following PowerShell code:
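Neither the “find locked-out accounts” script nor the unlock command is reproduced on this page. As one added example serving both sections (not the article's own code), the following lists locked-out users with Search-ADAccount, adds the lockout timestamp and bad-password counters so the cause can be investigated before the lock is cleared, and then unlocks either one account or every locked account under a search base. GSoul, the Employees OU and office.local are the page's placeholders; the function name is constructed.

```powershell
Import-Module ActiveDirectory

# Lists locked-out users with the time the lock was set, so the cause can be traced
# (for example against event 4740 on the DC) before the lock is cleared.
function Get-LockedDomainUser {
    param([string]$SearchBase = 'DC=office,DC=local')

    # badPwdCount is kept per DC and is not replicated; the PDC emulator is told about
    # every failed attempt, so it gives the most complete picture
    $pdc = (Get-ADDomain).PDCEmulator

    Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase -Server $pdc |
        ForEach-Object {
            Get-ADUser -Identity $_.ObjectGUID -Server $pdc -Properties lockoutTime, badPwdCount, LastBadPasswordAttempt
        } |
        Select-Object SamAccountName,
            @{ n = 'LockedSince'; e = { [DateTime]::FromFileTime($_.lockoutTime) } },
            badPwdCount, LastBadPasswordAttempt
}

Get-LockedDomainUser -SearchBase 'OU=Employees,DC=office,DC=local' | Format-Table -AutoSize

# Unlock a single account (the PowerShell equivalent of the ADAC "Unlock account" action)
Unlock-ADAccount -Identity 'GSoul'

# Unlock every locked-out user under the search base in one go
Search-ADAccount -LockedOut -UsersOnly -SearchBase 'OU=Employees,DC=office,DC=local' | Unlock-ADAccount
```

Record LockedSince before unlocking: Unlock-ADAccount clears lockoutTime, and without it you lose the timestamp you need to correlate the lockout with the failed logons that caused it.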
Sometimes you need to modify one attribute on multiple objects. Modifying multiple objects at once is a slightly different task from editing a single user, and there are several ways to do it.
Modify Several Users at Once Using ADUC
ADUC is great when simple filters are enough to group users by certain criteria. It has a selection mechanism: you can select several individual users with the Ctrl key pressed or a range with the Shift key pressed, and you can select all users in an OU or container by pressing Ctrl + A.
So, you need to change some settings on multiple user accounts; let's do that with ADUC:
In ADUC (dsa.msc), locate the OU you need. Select the user objects with the Shift key pressed. Right-click the selected objects and select Properties.
Change the given attributes according to your needs and click OK.
Modifying Multiple Users via ADUC
Modify Several Users at Once Using Active Directory Administrative Center
ADAC differs from ADUC by providing additional filters.
Run ADAC and select the OU to use as the base scope for the filter.
Expand the top bar by clicking the small arrow button in the top right corner, then click the Add criteria button:
Filtering Search in ADAC
Add the criteria you want to use, such as “Users with expired passwords”, or create a filter on one of the attributes. Select the filter and click Add to load it. Available matches include starts with, equals, does not equal, is empty and is not empty.
Once the list of objects matching your filter is displayed, press Ctrl+A to select all of them and click Properties.
Modifying Multiple Users via ADAC
Change attributes that you want to modify and click OK.
Modify Several Users at Once Using Windows PowerShell
Filtering in PowerShell is more advanced, so it is the best choice when you need to modify multiple user objects, especially repeatedly.
In our example we filter all accounts whose name starts with “admin” and enable “Prevent from accidental deletion” for all of them:
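The example script is not on the page. As an added example (not the article's own code), the following implements the case described: it filters users whose name starts with “admin” under a search base, skips those already protected, and sets ProtectedFromAccidentalDeletion on the rest. It supports -WhatIf so the matching set can be reviewed before anything changes, which is the check you want before any bulk write. office.local is the page's placeholder; the function name is constructed.

```powershell
Import-Module ActiveDirectory

# Protects every user whose name starts with a prefix from accidental deletion.
# Run with -WhatIf first to see which objects would be changed.
function Protect-AdminAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$NamePrefix = 'admin',
        [string]$SearchBase = 'DC=office,DC=local'
    )
    $targets = Get-ADUser -Filter "Name -like '$NamePrefix*'" -SearchBase $SearchBase `
                   -Properties ProtectedFromAccidentalDeletion |
               Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($u in $targets) {
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Enable ProtectedFromAccidentalDeletion')) {
            Set-ADObject -Identity $u.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }

    # Return the final state of the whole matching set so the result can be reviewed
    Get-ADUser -Filter "Name -like '$NamePrefix*'" -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
        Select-Object SamAccountName, ProtectedFromAccidentalDeletion
}

Protect-AdminAccount -NamePrefix 'admin' -WhatIf   # dry run: prints what would change
Protect-AdminAccount -NamePrefix 'admin'           # apply the change
```

The same shape works for any other attribute: replace the Set-ADObject call with Set-ADUser -Replace @{ attribute = value } and keep the -WhatIf gate.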
In this article we will see how to change (reset) the password of one or more Active Directory users from the PowerShell command line using the Set-ADAccountPassword cmdlet.
Most system administrators reset user passwords in AD using the dsa.msc (Active Directory Users & Computers – ADUC) snap-in. They simply find the user account in AD, right-click on it and select Reset password.
But you cannot use the ADUC console to reset passwords for multiple users at once. In that case you can change AD passwords from the PowerShell command line.
Import Active Directory Module
To reset a user password in AD, the Set-ADAccountPassword cmdlet is used, which is included in the Active Directory module for Windows PowerShell. In Windows desktop versions it is included in RSAT, and in server editions it is installed as a separate component, AD DS Snap-Ins and Command-Line Tools. Before using the module, you must import it into your PowerShell session:
Import-module ActiveDirectory
Check for Password Reset Rights
To reset a password, your account must have the appropriate rights. Normal AD users cannot reset other accounts' passwords by default; for this to be possible, the user (or user group) must be delegated the Reset Password right on the AD container, or be added to the domain Account Operators group.
To verify that your account has the right to reset a particular user's password, open the user's properties, go to Security -> Advanced -> Effective Access, specify your account name and make sure that you have the Reset Password permission.
Reset Password for a Single User Account
To reset the password of the user with the logon name testuser and set a new one, run the following command:
By default the cmdlet displays nothing in the console. To display the modified user object, use the -PassThru option.
As the user name you can specify the SamAccountName (our case), objectGUID, SID, or DN (Distinguished Name, e.g. CN=TestUser,OU=Users,DC=testdomain,DC=com).
If you do not specify the -Reset parameter when changing a user's password, you must specify the old password first and only then the new one.
Note. If the following error occurs when resetting a password with Set-ADAccountPassword:
Set-ADAccountPassword : The password does not meet the length, complexity, or history requirement of the domain.
it means that the domain password policy or a fine-grained password policy defines complexity, length or history requirements and the entered password does not meet them.
If PowerShell command history is enabled and you do not want passwords to be visible in the PoSh console, convert the password to a secure string:
$NewPwd=Read-Host "Enter new user password" -AsSecureString
When a password is reset, Event ID 4724 is logged in the Security event log of the domain controller (DC). This event shows who reset the password and on which domain controller.
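The single-user command is only partly shown on this page. As an added example (not the article's own code), the following pulls the pieces of this section together: it reads the new password as a secure string, resets it with -Reset on a chosen DC, forces a change at next logon, reports the policy error if the value is rejected, and then reads the 4724 events from that same DC to show who reset whose password. testuser is the article's example account; the function names are constructed and the DC is resolved from the domain.

```powershell
Import-Module ActiveDirectory

# Resets one user's password on a chosen DC, forces a change at next logon and
# reports the outcome. Pinning the DC with -Server means the 4724 event is known
# to be on that DC's Security log.
function Reset-DomainUserPassword {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    try {
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $NewPassword -Server $Server -ErrorAction Stop
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true -Server $Server
    }
    catch {
        # Most common cause: the value violates the domain or fine-grained password policy
        throw "Password reset for '$Identity' failed: $($_.Exception.Message)"
    }
    # pwdLastSet = 0 is how "must change password at next logon" is stored in the directory
    Get-ADUser -Identity $Identity -Server $Server -Properties pwdLastSet, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet, @{ n = 'MustChangeAtLogon'; e = { $_.pwdLastSet -eq 0 } }
}

# Reads 4724 events from a DC and shows who reset whose password. Field names are
# taken from the event XML, so this does not depend on positional property indexes.
function Get-PasswordResetEvent {
    param([string]$Server = (Get-ADDomain).PDCEmulator, [int]$Last = 10)
    Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4724 } -MaxEvents $Last |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Target  = $data.TargetUserName
                ResetBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            }
        }
}

$newPwd = Read-Host 'Enter new user password' -AsSecureString
Reset-DomainUserPassword -Identity 'testuser' -NewPassword $newPwd
Get-PasswordResetEvent -Last 5
```

For a change rather than a reset (the case without -Reset described above), call Set-ADAccountPassword -Identity testuser -OldPassword $old -NewPassword $new with both values as secure strings; that path needs no Reset Password delegation, only the user's own credentials, and logs event 4723 instead of 4724.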
Change the Password of Several Users in AD at Once
We've shown how to reset a single user's password in AD using PowerShell. Let's consider another scenario, where you need to change the passwords of multiple users at the same time.
The simplest scenario is resetting the passwords of all users with certain account properties. For example, you need to reset the passwords of all employees in the marketing department to a default password and force them to change it the next time they log on:
Now let's consider another case. Say you have a CSV / Excel file with a list of users whose passwords need to be reset, with a unique password for each user. The format of the testusers.csv file:
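Neither the department-wide command nor the CSV layout is reproduced on this page. As one added example covering both scenarios (not the article's own code), the following resets every enabled user in a department to one temporary password with a forced change at next logon, and then processes per-user passwords from CSV rows. The column names SamAccountName and NewPassword are an assumption, since the article's own file layout is not shown; the rows are constructed sample data, and the function names and the Marketing department value are constructed too.

```powershell
Import-Module ActiveDirectory

# Scenario 1: one temporary password for every enabled user in a department,
# with a forced change at next logon so the shared value is short-lived.
function Reset-DepartmentPasswords {
    param(
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][securestring]$TemporaryPassword
    )
    Get-ADUser -Filter "Department -eq '$Department' -and Enabled -eq `$true" -Properties Department |
        ForEach-Object {
            Set-ADAccountPassword -Identity $_ -Reset -NewPassword $TemporaryPassword
            Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -PassThru
        } |
        Select-Object SamAccountName, Name
}

# Scenario 2: a unique password per user from CSV rows. Failures (typically a
# policy rejection) are reported per row instead of aborting the whole batch.
function Reset-PasswordsFromCsv {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        $pwd = ConvertTo-SecureString $row.NewPassword -AsPlainText -Force
        try {
            Set-ADAccountPassword -Identity $row.SamAccountName -Reset -NewPassword $pwd -ErrorAction Stop
            Set-ADUser -Identity $row.SamAccountName -ChangePasswordAtLogon $true
            [pscustomobject]@{ User = $row.SamAccountName; Result = 'OK' }
        }
        catch {
            [pscustomobject]@{ User = $row.SamAccountName; Result = $_.Exception.Message }
        }
    }
}

$temp = Read-Host 'Temporary password for the department' -AsSecureString
Reset-DepartmentPasswords -Department 'Marketing' -TemporaryPassword $temp

# Constructed sample rows standing in for testusers.csv (assumed column names)
$sampleCsv = @'
SamAccountName,NewPassword
GSoul,Example-Temp-Pass-1!
testuser,Example-Temp-Pass-2!
'@
Reset-PasswordsFromCsv -Rows ($sampleCsv | ConvertFrom-Csv)

# With the real file: Reset-PasswordsFromCsv -Rows (Import-Csv .\testusers.csv)
```

A CSV of this shape holds plaintext credentials, so keep it on a restricted path and delete it once the run completes; the ChangePasswordAtLogon flag set above ensures none of those values remain valid beyond the users' first logon.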