Need to update multiple users in your Active Directory? Or looking for a more efficient way of modifying users’ properties? Then the Set-ADuser cmdlet in PowerShell is really going to help you.
We have all learned to manage our users through the Active Directory Users and Computers management console (ADUC). It’s perfect for quickly making some changes to a single user. But when you need to update the properties of multiple users in different OUs, using PowerShell is way more efficient.
In this article, we are going to take a look at how to use the Set-ADuser cmdlet and what options we have, and I will give you a couple of useful examples.
PowerShell Active Directory Module
Before we can start we first need to make sure that we have the PowerShell Active Directory Module installed. To check if you have the module installed, you can simply run the following command in PowerShell:
Get-Module -name ActiveDirectory

# Result:
ModuleType Version    Name             ExportedCommands
---------- -------    ----             ----------------
Manifest   1.0.0.0    ActiveDirectory  {Add-ADCentralAccessPolicyMember, Add-ADComputerServiceAccount, Add-A...

If the module isn’t listed then we need to install the RSAT module (Remote Server Administration Tools). Use the following PowerShell command for this:
Install-WindowsFeature RSAT-AD-PowerShell
The module is automatically installed on the domain controller.
Install PowerShell Active Directory Module on Windows 10
But on Windows 10 or 11 we need to enable the RSAT feature. Instead of clicking through the settings screens, we are going to use PowerShell for this:
- Press Windows key + X (or right-click start)
- Open Windows PowerShell (Admin)
- Enter the following command:
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
Using the Set-ADUser cmdlet
With the Set-ADUser cmdlet, we can modify all properties of an Active Directory user. To do this we can use one of the cmdlet's named parameters or the Add, Update, Replace parameters. All parameters of Set-ADUser are listed here in the Microsoft documentation.
Let’s say we want to change the job title of our user Alan Rhodes. His current job title is employee, and we are going to change this to floor manager.
Set-ADUser -Identity arhodes -Title "Floor manager"
We select the user based on the userprincipalname (identity) and set the title to Floor manager. The Set-ADUser cmdlet doesn’t give any output.
But we can simply check the results in PowerShell with Get-ADUser.
Set Multiple Attributes
We can also change or set multiple attributes at once. Let’s say we also want to update Alan’s phone number, office, and department attributes.
Set-ADUser -Identity arhodes -OfficePhone "(012)-157-8923" -Office "A3.20" -Department Operations
Clear AD User Attributes
Sometimes you need to remove or clear an attribute. To do this you will need to use the Clear parameter, which removes the content of all selected fields. If we want to remove the mobile phone we can do the following:
Set-ADUser -identity arhodes -Clear mobile
Or, to clear multiple AD attributes, you can use:
Set-ADUser -identity arhodes -Clear mobile,title,department
Add and Remove Attributes with Set-ADUser
Some attributes can contain multiple values, like ProxyAddress or otherTelephone for example. To set or update values in these attributes we can use the Add and Remove parameters of Set-ADUser.
You can set multiple values by using a comma-separated list:
Set-ADUser -Identity arhodes -Add @{proxyAddresses="[email protected]","[email protected]"}
To remove a single value from the list we can simply specify which value we want to remove:
Set-ADUser -Identity arhodes -Remove @{proxyAddresses="[email protected]"}
Active Directory Disable Account with Set-ADuser
We can also use the Set-ADuser cmdlet to enable or disable an account in the Active Directory. The enabled parameter is a boolean type, so we can set it to true or false.
To disable a user in your Active Directory you can use the following command:
# Disable a user
Set-ADUser -identity cparker -Enabled:$false

# Enable a user
Set-ADUser -identity cparker -Enabled:$true
Bulk Update AD Users
Until now we only updated a single user with PowerShell, but the true power of the Set-ADUser cmdlet is with bulk updating AD users. Changing an attribute on a single user can also easily be done through the management console.
But how do you change the manager of 10 users or update the company address of all your users? To do this we are going to use the Get-ADUser cmdlet together with Set-ADUser. Get allows us to filter the users, and we can then use Set to update each user in the result.
In the first example, we made Alan Rhodes a floor manager. So let’s give him some direct reports. We are going to select all users that currently have Andre West as manager and change that to Alan Rhodes.
Get-ADUser -Filter 'manager -eq "awest"' | Set-ADUser -Manager arhodes
It’s always a good idea to check the results of your Get-ADUser cmdlet first before you change attributes with Set-ADuser.
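One way to run that check around the manager change above, as an added example that is not part of the original article. The backup path, the `$maxExpected` limit and the `Restore-Manager` helper are assumptions introduced for illustration.

```powershell
# Added example: preview, snapshot, dry-run and confirm the manager change shown above.
Import-Module ActiveDirectory

$backupPath  = 'C:\temp\manager-backup.csv'  # assumption: any writable path
$maxExpected = 10                             # assumption: how many users you expect to touch

# 1. Resolve the targets once, so the preview and the change act on the same set
$targets = @(Get-ADUser -Filter 'manager -eq "awest"' -Properties Manager)
$targets | Select-Object SamAccountName, Name, Manager | Format-Table -AutoSize | Out-Host

# 2. Refuse to continue when the filter matched nothing or far more than expected
if ($targets.Count -eq 0 -or $targets.Count -gt $maxExpected) {
    throw "Filter matched $($targets.Count) users; review it before changing anything."
}

# 3. Record the current values so the change can be reverted
$targets | Select-Object SamAccountName, DistinguishedName, Manager |
    Export-Csv -Path $backupPath -NoTypeInformation

# 4. Dry run: reports what would be changed without writing to the directory
$targets | Set-ADUser -Manager arhodes -WhatIf

# 5. Apply with a confirmation prompt, then read the attribute back
$targets | Set-ADUser -Manager arhodes -Confirm -PassThru |
    Get-ADUser -Properties Manager |
    Select-Object SamAccountName, Manager

# Hypothetical helper: put the old managers back from the snapshot taken in step 3
function Restore-Manager {
    param([string]$Path = $backupPath)
    Import-Csv -Path $Path | ForEach-Object {
        if ($_.Manager) {
            Set-ADUser -Identity $_.DistinguishedName -Manager $_.Manager
        } else {
            # The user had no manager before the change
            Set-ADUser -Identity $_.DistinguishedName -Clear manager
        }
    }
}
```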
Filter on OU
The Get-ADUser cmdlet also allows us to filter on OU. This can be really useful when you have a lot of users and want to limit the results or when you only need a selection of the users.
Let’s say that our marketing department is going to move to another office. We can’t simply select the users based on the office address, because we only want the marketing department. So what we can do is this:
Get-ADUser -Filter 'city -eq "Amsterdam"' -SearchBase "OU=Marketing,OU=Amsterdam,OU=Sites,DC=Lazyadmin,DC=NL" | Set-ADUser -StreetAddress "Westerdok 1" -PostalCode "2312ab"
Use a CSV list to update users
Another great way to bulk update users in your Active Directory is to use a CSV list. The advantage of the CSV file is that you can set different values for each user, using the convenience of an Excel file.
I have created a simple CSV file in Excel, with the display names of the users in the first column and their new telephone numbers in the second and third columns. Simply save the Excel file as CSV.
Name;MobilePhone;OfficePhone
Bob Davis;(732)-016-9810;(933)-701-6542
Erik Parker;(732)-016-9720;(933)-701-6543
Jean Miles;(732)-016-9821;(933)-701-6544
Kelly Rice;(732)-016-9813;(933)-701-6545
Mathew Scott;(732)-016-9620;(933)-701-6546
Oscar May;(732)-016-9851;(933)-701-6547
Regina Clark;(732)-016-9811;(933)-701-6548
We can now create a small PowerShell script that will read the CSV file, find each user and update the attributes with the correct value:
Import-Csv -Delimiter ";" -Path c:\temp\PhoneNumberUpdate.csv | Foreach {
    # Find user
    $ADUser = Get-ADUser -Filter "name -eq '$($_.name)'"

    if ($ADUser){
        Set-ADUser -Identity $ADUser -MobilePhone $_.MobilePhone -OfficePhone $_.OfficePhone
    }else{
        Write-Warning ("Failed to update " + $($_.name))
    }
}
Using the Instance parameter
A common issue with importing data from a CSV file is null values. Take the example above: not all users might have a mobile phone number. If we run the script using the method above, we will get an error because some fields don’t contain a value. To solve this we can use the -Instance parameter.
With the Instance parameter, only values that are changed will be updated. This also allows us to handle empty values in the CSV file. I have changed the example CSV by removing some of the (mobile)phone numbers:
Name;MobilePhone;OfficePhone
Bob Davis;(732)-016-9810;(933)-701-6542
Erik Parker;;(933)-701-6543
Jean Miles;;(933)-701-6544
Kelly Rice;(732)-016-9813;(933)-701-6545
Mathew Scott;(732)-016-9620;
Oscar May;;(933)-701-6547
Regina Clark;(732)-016-9811;(933)-701-6548
To update the fields, we first get the user with the required properties, then set the new values and update the user with Set-ADUser. If the field is empty in the CSV file, then we will skip it. Keep in mind that this method doesn’t clear the value in the Active Directory.
Import-Csv -Delimiter ";" -Path c:\temp\PhoneNumberUpdate.csv | Foreach {
    # Find user
    $ADUser = Get-ADUser -Filter "name -eq '$($_.name)'" -Properties MobilePhone,OfficePhone

    if ($ADUser){
        if ($_.MobilePhone) {$ADUser.MobilePhone = $_.MobilePhone}
        if ($_.OfficePhone) {$ADUser.OfficePhone = $_.OfficePhone}
        Set-ADUser -Instance $ADUser
    }else{
        Write-Warning ("Failed to update " + $($_.name))
    }
}
In this article, I go more into detail on how to use a CSV file to update user attributes in the Active Directory.
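A stricter variant of the -Instance import above, as an added example that is not part of the original article. It skips any row whose name matches zero or several accounts, lets the AD module resolve the name variable itself so that quotes in a name are never spliced into the filter text, and reports per row. The sample rows are constructed in the article's CSV format.

```powershell
# Added example: CSV update with -Instance that refuses unmatched or ambiguous names.
Import-Module ActiveDirectory

# Constructed sample rows; for a real file use Import-Csv -Delimiter ';' -Path <file>
$rows = @'
Name;MobilePhone;OfficePhone
Bob Davis;(732)-016-9810;(933)-701-6542
Erik Parker;;(933)-701-6543
Mathew Scott;(732)-016-9620;
'@ | ConvertFrom-Csv -Delimiter ';'

$report = foreach ($row in $rows) {
    # Single-quoted filter: the AD module resolves $name itself, so a name
    # such as O'Brien cannot break or alter the filter expression
    $name  = $row.Name.Trim()
    $found = @(Get-ADUser -Filter 'Name -eq $name' -Properties MobilePhone, OfficePhone)

    if ($found.Count -ne 1) {
        # 0 = no account with this Name, >1 = ambiguous; never guess which one was meant
        [pscustomobject]@{ Name = $name; Result = "Skipped: $($found.Count) matches" }
        continue
    }

    $user    = $found[0]
    $changed = @()
    foreach ($attr in 'MobilePhone', 'OfficePhone') {
        $new = $row.$attr
        # Empty CSV fields are skipped, so existing values in AD are left alone
        if ($new -and $new -ne $user.$attr) {
            $user.$attr = $new
            $changed   += $attr
        }
    }

    $result = 'No change'
    if ($changed) {
        Set-ADUser -Instance $user -WhatIf   # remove -WhatIf to write the change
        $result = "Would update: $($changed -join ', ')"
    }
    [pscustomobject]@{ Name = $name; Result = $result }
}

$report | Format-Table -AutoSize
```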
Wrapping Up
The Set-ADUser cmdlet makes it really easy to update the attributes of multiple users in your Active Directory. Always make sure that you verify your filters with Get-ADUser first or by using the -WhatIf parameter.
If you have any questions, then just drop a comment below.
Any ideas on why this is not working?
PS C:\Windows\system32> Import-Csv -Path c:\temp\TestImport1.csv | Foreach {
>> # Find user
>> $ADUser = Get-ADUser -Filter “name -eq ‘$($_.name)'” -Properties DisplayName,Company
>>
>> if ($ADUser){
>> Set-ADUser -Identity $ADUser -DisplayName $_.DisplayName -Company $_.Company
>> }else{
>> Write-Warning (“Failed to update ” + $($_.name))
>> }
>> }
WARNING: Failed to update test.user
WARNING: Failed to update test.user2
WARNING: Failed to update test.user3
The code looks ok. First step is to check if $aduser returns anything, might be a mismatch with the name property
Yup, you were right. My first column with the AD User name was not found. I changed it to Name, the Name in AD, and it worked. Thanks for your help, appreciate it.
Hi, thanks for such a great resource. I have 200 Users that I need to change their office location in Active Directory
this command works on an individual basis and it confirms I can put office instead of the attribute “I” Set-ADUser -Identity etes -Office “Epsom”
I have tried to amend your script so that I can change just the office attribute
this is the amendment
Import-Csv -Delimiter “;” -Path C:\Admins\ChangeAttributes\Attributechange.csv | Foreach {
# Find user
$ADUser = Get-ADUser -Filter “name -eq ‘$($_.name)'” -Properties -Office
if ($ADUser){
Set-ADUser -Identity $ADUser -Office $_.Epsom
}else{
Write-Warning (“Failed to update ” + $($_.name))
}
}
and this is the error
Get-ADUser : One or more properties are invalid.
Parameter name: -Office
At line:3 char:15
+ … $ADUser = Get-ADUser -Filter “name -eq ‘$($_.name)'” -Properties -O …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
WARNING: Failed to update
Get-ADUser : One or more properties are invalid.
Parameter name: -Office
At line:3 char:15
+ … $ADUser = Get-ADUser -Filter “name -eq ‘$($_.name)'” -Properties -O …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
WARNING: Failed to update
can see what i am doing wrong ?
Remove the – before office in the Get-Aduser:
# Find user
$ADUser = Get-ADUser -Filter “name -eq ‘$($_.name)'” -Properties Office
Hi everyone!
I need your help with the script below, which is now helping me to create bulk AD users.
Now I need to do something else with it.
I need to modify it to just update email address and phone number and nothing more!
Could you help me?
Thank you!
foreach ($User in $ADUsers)
{
$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$Department = $User.department
$Description = $User.description
$emailAddress = $User.email
$OU = $User.ou
$HomeDrive = $User.homefolder
if (Get-ADUser -F {SamAccountName -eq $Username})
{
l
Write-Warning “Contul userului $Allready exist.”
}
else
{
New-ADUser `
-SamAccountName $Username `
-UserPrincipalName “[email protected]” `
-Name “$Firstname $Lastname” `
-GivenName $Firstname `
-Surname $Lastname `
-Enabled $True `
-ChangePasswordAtLogon $False `
-DisplayName “$Firstname $Lastname” `
-Department $Department `
-Description $Description `
-EmailAddress $User.email `
-Path $OU `
-Homedrive “H:” `
-HomeDirectory “path” `
-HomePage $User.email `
-HomePhone $User.email `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force)
Add-ADGroupMember “group name” $User.username;
if ( $Username -like ‘S*’)
{
Add-ADGroupMember “group name” $User.username;
}
}
}
Have you seen this article?
I simply can't get it to work.
I’m testing it with 1 person.
This is the information I'm trying to add to Alena Kumel.
It is created in a csv file.
Name,Street,City,postalCode,Mobile,Title,Company
Alena Kumel,Ramsherred 25,Aabenraa,6200,76106350,Underviser,Job&Dansk
Here is my script:
Import-Csv -Delimiter “,” -Path C:\Users\Administrator\Desktop\test.csv | Foreach {
# Find user
$ADUser = Get-ADUser -Filter “Name -eq ‘$($_.name)'” -Properties Name,Street,City,postalCode,Mobile,Title,Company
if ($ADUser){
if ($_.MobilePhone) {$ADUser.Name = $_.Name}
if ($_.OfficePhone) {$ADUser.Street = $_.Street}
if ($_.OfficePhone) {$ADUser.City = $_.City}
if ($_.OfficePhone) {$ADUser.postalCode = $_.postalCode}
if ($_.OfficePhone) {$ADUser.Mobile = $_.Mobile}
if ($_.OfficePhone) {$ADUser.Title = $_.Title}
if ($_.OfficePhone) {$ADUser.Company = $_.Company}
Set-ADUser -Instance $ADUser
}else{
Write-Warning (“Failed to update ” + $($_.name))
}
}
You have a typo in the Get-Aduser line. The single quote after Name -eq is incorrect.
It should be:
$ADUser = Get-ADUser -Filter “Name -eq '$($_.name)'” -Properties Name,Street,City,postalCode,Mobile,Title,Company
I copied your line and replaced it into the script.
I wish I could show you a screenshot.
This is now the script:
Import-Csv -Delimiter “,” -Path C:\Users\Administrator\Desktop\test.csv | Foreach {
# Find user
$ADUser = Get-ADUser -Filter “Name -eq ‘$($_.name)’” -Properties Name,Street,City,postalCode,Mobile,Title,Company
if ($ADUser){
if ($_.MobilePhone) {$ADUser.Name = $_.Name}
if ($_.OfficePhone) {$ADUser.Street = $_.Street}
if ($_.OfficePhone) {$ADUser.City = $_.City}
if ($_.OfficePhone) {$ADUser.postalCode = $_.postalCode}
if ($_.OfficePhone) {$ADUser.Mobile = $_.Mobile}
if ($_.OfficePhone) {$ADUser.Title = $_.Title}
if ($_.OfficePhone) {$ADUser.Company = $_.Company}
Set-ADUser -Instance $ADUser
}else{
Write-Warning (“Failed to update ” + $($_.name))
}
}
It just says “WARNING: failed to update Alena Kumel”
I can see when I'm copying from my text note into this reply, the “ is not showing up as yours, but I can promise you they look exactly like yours in my text note.
So I don't know why they are not showing up like yours.
I triple-checked the script, and they are correct.
i need help regarding office attribute i want to clear office attribute but it is not working my script is
“”””””””$users = Get-Content C:\Users\ADM-in305907\Desktop\DisableUsers.csv
foreach ($user in $users)
{ Get-ADUser -Server india.accretivehealth.local -Identity $user -Properties office | Set-ADUser -Clear office
}””””””””””””
what’s wrong with this.
How do you Bulk update display name to match GivenName and Surname with Set-ADUser?
Write a little for-each loop script. Get the AD user with get-aduser, and select the fields GivenName and Surname. Combine the fields and set the display name.
Read more about writing scripts in this article.
thank you Rudy for your response. i am looking for a way to script it to first scan Active directory for users who have the initials and email address empty , then use the Set-ADUser to fill in the details for these users . if you get what i mean . thank you
I haven’t fully tested it, but something like this should do the job:
$users = Get-AdUser -Filter "Initials -notlike '*' -or EmailAddress -notlike '*'" -Properties Initials,EmailAddress | Select SamAccountName,UserPrincipalName,GivenName,Surname,Initials,EmailAddress,Enabled
$users.ForEach{
    Write-Host "User" $_.GivenName $_.SurName
    # Collect only the values missing for this user, so nothing carries over from the previous user
    $changes = @{}
    if ($null -eq $_.Initials) {
        $changes.Initials = Read-host -Prompt "Enter the initials of the user"
    }
    if ($null -eq $_.EmailAddress) {
        $changes.EmailAddress = Read-host -Prompt "Enter the emailsaddress of the user"
    }
    # -Identity accepts the SAM account name, distinguished name, GUID or SID
    Set-ADUser -Identity $_.SamAccountName @changes
}
You can limit the Get-AdUser cmdlet with a searchbase for example.
Oh My Goodness!!! i am so grateful you went out of your way to look into this . i will go and test this out and come back with a feedback. ohh thanks so much
cheers
Hi ,
I am trying to set the email and initial fields for users who have them empty, without using a CSV. Do you know how I can do this with PowerShell?
You can do it per user:
Set-ADUser -identity name -Initials "N.M" -EmailAddress [email protected]
Hello,
thank you for this script which works perfectly, is it possible to add a condition? Because if there is an empty column in the csv file, the script returns an error.
Thank you for your comeback.
I have updated the article with an example using the -Instance parameter
Hi
Trying to add/replace an extension with the following command:
$OUsers = Get-ADUser -Filter * -SearchBase “OU=Service Accounts,OU=Users,OU=xx yyyyy,OU=xxx yyy,DC=xxxxx,DC=yy,DC=se”
ForEach ($User in $OUsers) {Set-ADUser –$User -Add @{employeeType = “Servicekonto”}
But it does not work, any ideas?
Try this inside the foreach
Set-ADUser -Identity $User -Add @{employeeType = "Servicekonto"}
How can I change the following script to update the user and/or add user if the user doesn’t exist. Right now it works to add users if they don’t exist.
#Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from ADUsers.csv in the $ADUsers variable
$Users = Import-csv c:\powershell_create_bulk_users-CBPS-NEWSTUDENTS\bulk_import.csv
#Loop through each row containing user details in the CSV file
foreach ($User in $Users) {
# Read user data from each field in each row
# the username is used more often, so to prevent typing, save that in a variable
$Username = $User.SamAccountName
# Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username}) {
#If user does exist, give a warning
Write-Warning "A user account with username $Username already exist in Active Directory."
}
else {
# User does not exist then proceed to create the new user account
# create a hashtable for splatting the parameters
$userProps = @{
SamAccountName = $User.SamAccountName
Path = $User.path
GivenName = $User.GivenName
Surname = $User.Surname
Initials = $User.Initials
Name = $User.Name
DisplayName = $User.DisplayName
Description = $User.Description
UserPrincipalName = $user.UserPrincipalName
EmailAddress = $User.EmailAddress
Company = $User.Company
AccountPassword = (ConvertTo-SecureString $User.password -AsPlainText -Force)
Enabled = $true
ChangePasswordAtLogon = $true
} #end userprops
New-ADUser @userProps
# Write-Host "The user account $User is created." -ForegroundColor Cyan
} #end else
}
Thanks for this script! name-eq should be name -eq 🙂
Thanks, fixed the typo.