Manage AD Users Account With PowerShell - AventisTech

Tutorial on how to manage AD Users Account with PowerShell

Force a User's Password to Expire

Set the user's pwdlastset attribute to 0. This marks the password as expired, so the user must change it at the next logon:

Set-ADUser -Identity UAT1 -Replace @{pwdlastset="0"}

Lock a User's Account

Lock an AD user's account by attempting several logons with a wrong password until the domain lockout threshold is reached

$LockoutThreshold = Get-ADDefaultDomainPasswordPolicy | Select LockoutThreshold
$Password = ConvertTo-SecureString 'WrongPassword' -AsPlainText -Force
$User = "uat1"
for ($i = 0; $i -le $LockoutThreshold.LockoutThreshold; $i++) {
    Invoke-Command -ComputerName AVENTIS-AD01 { Get-Process } -Credential (New-Object System.Management.Automation.PSCredential ($User, $Password)) -ErrorAction SilentlyContinue
}
# Verify the user's account is locked after X number of attempts
Get-ADUser -Identity uat1 -Properties SamAccountName, UserPrincipalName, LockedOut
# Unlock the user account after testing
Unlock-ADAccount -Identity uat1

List Users' Last Logon Date

List users' last logon date from a given Organizational Unit (OU)

LastLogonTimeStamp is replicated between domain controllers, but it is only updated when the previous value is more than 2 weeks old (the default msDS-LogonTimeSyncInterval of 14 days). So if a user logs in again 2 days later it WILL NOT be updated. This field was meant for locating stale accounts, not for tracking exact logon times.

$OU = "OU=O365,DC=LAB,DC=AVENTISLAB,DC=COM"
Get-ADUser -Filter * -SearchBase $OU -Properties * |
    Select SamAccountName, DisplayName,
        @{n = "LastLogonDate"; e = { ([datetime]::FromFileTime($_.lastLogonTimestamp)).ToString("dd-MM-yyyy HH:mm") }},
        PasswordNeverExpires

LastLogon is the only accurate field in Active Directory for when a user logs in. The problem is that it is not replicated and is only stored on the domain controller that authenticated the user, so every DC has its own value.

Search a User's LastLogon on all Domain Controllers

$DCs = Get-ADDomainController -Filter *
$OU = "OU=UAT,DC=THPROP,DC=local"
foreach ($DC in $DCs) {
    # Sort on the raw FILETIME value before formatting it; sorting the
    # "dd-MM-yyyy" string would order by day, not chronologically
    Get-ADUser -Filter * -Server $DC.HostName -SearchBase $OU -Properties * |
        Sort-Object lastLogon -Descending |
        Select SamAccountName, DisplayName,
            @{n = "LastLogonDate"; e = { ([datetime]::FromFileTime($_.lastLogon)).ToString("dd-MM-yyyy HH:mm") }},
            @{n = "DC Name"; e = { $DC.HostName }}
}
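Because lastLogon is per-DC and lastLogonTimestamp can lag by up to 14 days, a stale-account review needs both: the most recent lastLogon across all DCs for accuracy, and the replicated value as a fallback when a DC cannot be reached. The function below is an added example, not code from the original post; it merges the per-DC results into one row per user and flags accounts with no real logon inside the window. The OU, the 90-day threshold and the output layout are assumptions.

```powershell
# Added example (not from the original post): one row per user with the newest
# lastLogon found on any DC, the replicated lastLogonTimestamp, and a Stale flag.
Import-Module ActiveDirectory

function Get-StaleUserReport {
    param(
        [string]$SearchBase = "OU=UAT,DC=THPROP,DC=local",   # assumed OU
        [int]$StaleDays     = 90                              # assumed threshold
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $rows   = @{}   # SamAccountName -> accumulated record
    $props  = 'lastLogon', 'lastLogonTimestamp', 'Enabled', 'DisplayName'

    # lastLogon is never replicated, so every DC has to be queried separately.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $users = Get-ADUser -Filter * -Server $dc.HostName -SearchBase $SearchBase -Properties $props -ErrorAction Stop
        } catch {
            # An unreachable DC must not abort the whole report; the replicated
            # lastLogonTimestamp from the other DCs still gives a lower bound.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        foreach ($u in $users) {
            $key = $u.SamAccountName
            if (-not $rows.ContainsKey($key)) {
                $rows[$key] = [pscustomobject]@{
                    SamAccountName     = $key
                    DisplayName        = $u.DisplayName
                    Enabled            = $u.Enabled
                    LastLogon          = [int64]0            # FILETIME; 0 = never seen on any DC
                    LastLogonDC        = $null
                    LastLogonTimestamp = [int64]($u.lastLogonTimestamp)
                }
            }
            $ll = [int64]($u.lastLogon)   # $null becomes 0: never logged on at this DC
            if ($ll -gt $rows[$key].LastLogon) {
                $rows[$key].LastLogon   = $ll
                $rows[$key].LastLogonDC = $dc.HostName
            }
        }
    }

    $rows.Values | ForEach-Object {
        $real = if ($_.LastLogon -gt 0) { [datetime]::FromFileTime($_.LastLogon) } else { $null }
        $repl = if ($_.LastLogonTimestamp -gt 0) { [datetime]::FromFileTime($_.LastLogonTimestamp) } else { $null }
        # Prefer the real per-DC value; fall back to the replicated one when no DC reported a logon.
        $best = if ($real) { $real } else { $repl }
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            DisplayName        = $_.DisplayName
            Enabled            = $_.Enabled
            LastLogon          = $real
            LastLogonDC        = $_.LastLogonDC
            LastLogonTimestamp = $repl
            Stale              = (-not $best) -or ($best -lt $cutoff)
        }
    } | Sort-Object LastLogon -Descending
}

# Usage: enabled accounts with no logon in the last 60 days
Get-StaleUserReport -StaleDays 60 | Where-Object { $_.Stale -and $_.Enabled } | Format-Table -AutoSize
```

Accounts that have never logged on anywhere show both date columns empty and are flagged stale; decide separately whether those are unused service accounts or newly created users.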

List a User's Password Expiry Date

List a user's password expiry date in human-readable format. Users with Password Never Expires enabled will not have any value.

$User = "Group2"
Get-ADUser -Identity $User -Properties msDS-UserPasswordExpiryTimeComputed |
    Select Name, @{Name = "ExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}

Output

Name   ExpiryDate
----   ----------
group2 8/15/2017 9:58:08 AM
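Calling FromFileTime on msDS-UserPasswordExpiryTimeComputed without checks is fine for one user, but over a whole OU it breaks on the special cases: accounts with Password Never Expires (the attribute is empty or holds the Int64 maximum), and accounts whose pwdLastSet is 0 after the "force password to expire" step in the first section. The report below is an added example, not code from the original post; it classifies each enabled user and reports the days remaining. The OU and the 14-day warning window are assumptions.

```powershell
# Added example (not from the original post): password expiry report for an OU
# that handles NeverExpires, MustChangeAtNextLogon, Expired and ExpiringSoon.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [string]$SearchBase = "OU=O365,DC=LAB,DC=AVENTISLAB,DC=COM",  # assumed OU
        [int]$WarnDays      = 14                                     # assumed warning window
    )

    $props = 'msDS-UserPasswordExpiryTimeComputed', 'pwdLastSet', 'PasswordNeverExpires', 'Enabled'

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props | ForEach-Object {
        $raw      = $_.'msDS-UserPasswordExpiryTimeComputed'   # FILETIME as Int64, may be empty
        $state    = 'OK'
        $expiry   = $null
        $daysLeft = $null

        if ($_.pwdLastSet -eq 0) {
            # pwdlastset = 0 is the "force password to expire" setting from the first section
            $state = 'MustChangeAtNextLogon'
        }
        elseif ($_.PasswordNeverExpires -or -not $raw -or $raw -eq [int64]::MaxValue) {
            # No computed expiry: FromFileTime would either return 1601 or throw here
            $state = 'NeverExpires'
        }
        else {
            $expiry   = [datetime]::FromFileTime($raw)
            $daysLeft = [math]::Floor(($expiry - (Get-Date)).TotalDays)
            if ($daysLeft -lt 0)              { $state = 'Expired' }
            elseif ($daysLeft -le $WarnDays)  { $state = 'ExpiringSoon' }
        }

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Name           = $_.Name
            ExpiryDate     = $expiry
            DaysLeft       = $daysLeft
            State          = $state
        }
    } | Sort-Object DaysLeft
}

# Usage: everything that is not a plain "OK" account, soonest expiry first
Get-PasswordExpiryReport -WarnDays 7 | Where-Object State -ne 'OK' | Format-Table -AutoSize
```

The NeverExpires rows are worth reviewing on their own: a user account that is exempt from the password policy is a standing risk, and the report makes those visible without a separate query.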

Delete AD User

Remove an AD user with the following PowerShell command

Remove-ADUser test2 -Confirm:$false

Users who sync their mobile devices with Microsoft Exchange Server have child objects (the ActiveSync device entries) under their user object, so Remove-ADUser fails on them with the error message below:

Remove-ADObject : The directory service can perform the requested operation only on a leaf object

Remove such users together with their child objects instead:

Remove-ADObject (Get-ADUser test2).DistinguishedName -Recursive -Confirm:$false

Restore Deleted AD User

List all the deleted users

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties * |
    Select Name, whenChanged, ObjectClass | ? ObjectClass -eq "user"

Name     whenChanged           ObjectClass
----     -----------           -----------
test2... 26/10/2020 4:59:39 PM user

Restore Deleted AD User’s Object (test2) – Refer to Restore-ADObject for more detail

Get-ADObject -Filter 'samaccountname -eq "test2"' -IncludeDeletedObjects | Restore-ADObject -NewName "TEST2"

You have to fill in the user's information, such as FirstName, LastName and DisplayName, manually, and finally reset the password and enable the restored AD user account
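What survives the restore depends on whether the AD Recycle Bin optional feature is enabled: with it, the deleted object keeps its attributes and is restored whole; without it, Restore-ADObject reanimates a tombstone and the fields listed above have to be re-entered. The function below is an added example, not code from the original post. It checks the Recycle Bin state first, restores the most recent deleted object with the given samAccountName, resets the password, enables the account and reports which of the attributes mentioned above are still empty. The account name, target OU and password are placeholders.

```powershell
# Added example (not from the original post): restore a deleted user safely and
# report which attributes still need to be filled in afterwards.
Import-Module ActiveDirectory

function Restore-DeletedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TargetOU,                 # optional; default is the object's last known parent
        [securestring]$NewPassword         # if given, the account is reset and enabled
    )

    # The Recycle Bin decides whether attributes survive the restore.
    $feature   = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $rbEnabled = [bool]$feature.EnabledScopes
    if (-not $rbEnabled) {
        Write-Warning "AD Recycle Bin is not enabled: the object is reanimated from a tombstone and most attributes are lost."
    }

    # Require isDeleted so a live account with the same name is never matched.
    $deleted = Get-ADObject -Filter { SamAccountName -eq $SamAccountName -and isDeleted -eq $true } `
                            -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $deleted) { throw "No deleted object with samAccountName '$SamAccountName' found." }

    # The same account may have been deleted more than once; take the newest tombstone.
    $deleted = @($deleted) | Sort-Object whenChanged -Descending | Select-Object -First 1

    $restore = @{ Identity = $deleted.ObjectGUID; NewName = $SamAccountName }
    if ($TargetOU) { $restore.TargetPath = $TargetOU }   # needed when the last known parent no longer exists
    Restore-ADObject @restore

    $user = Get-ADUser -Identity $SamAccountName -Properties GivenName, Surname, DisplayName
    if ($NewPassword) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword
        Enable-ADAccount -Identity $user
    }

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        RecycleBinEnabled = $rbEnabled
        RestoredFrom      = $deleted.lastKnownParent
        Enabled           = (Get-ADUser -Identity $SamAccountName).Enabled
        # Attributes the text above says must be re-entered by hand when they came back empty
        MissingAttributes = @('GivenName', 'Surname', 'DisplayName') | Where-Object { -not $user.$_ }
    }
}

# Usage (placeholders): prompt for the new password, then restore and enable test2
$pw = Read-Host "New password for restored account" -AsSecureString
Restore-DeletedUser -SamAccountName "test2" -NewPassword $pw
```

If MissingAttributes comes back non-empty, fill those fields with Set-ADUser before handing the account back to the user; if it is empty, the Recycle Bin did the work and no manual step is needed.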
