Manage AD Users Account with PowerShell


Tutorial on how to manage AD Users Account with PowerShell

Force a User’s Password to Expire

Set the user’s pwdLastSet attribute to 0, which forces a password change at the next logon.

Set-ADUser -Identity UAT1 -Replace @{pwdlastset="0"}

Lock a User’s Account

Lock an AD user’s account by performing several logons with a wrong password (useful for testing the lockout policy on a test account).

# Read the domain lockout threshold (0 means account lockout is disabled)
$LockoutThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

$Password = ConvertTo-SecureString 'WrongPassword' -AsPlainText -Force
$User = "uat1"
$Credential = New-Object System.Management.Automation.PSCredential ($User, $Password)

# Attempt one more failed logon than the threshold allows
for ($i = 0; $i -le $LockoutThreshold; $i++) {
    Invoke-Command -ComputerName AVENTIS-AD01 -ScriptBlock { Get-Process } -Credential $Credential -ErrorAction SilentlyContinue
}

#Verify User's Account is locked after X number of attempts
Get-ADUser -Identity $User -Properties SamAccountName, UserPrincipalName, LockedOut

#Unlock User Account after testing
Unlock-ADAccount -Identity $User

List Users’ Last Logon Date

List users’ last logon date from identified Organization Unit (OU)

LastLogonTimeStamp is a replicated attribute, but it is only updated when its previous update is more than 2 weeks old. So if you log in again 2 days later it WILL NOT update. This field was meant for locating stale accounts, not for precise logon tracking.

# Same OU as used in the multi-DC search below
$OU = "OU=UAT,DC=THPROP,DC=local"
Get-ADUser -Filter * -SearchBase $OU -Properties DisplayName, lastLogonTimestamp, PasswordNeverExpires | Select SamAccountName, DisplayName,
    @{n = "LastLogonDate"; e = { if ($_.lastLogonTimestamp) { ([datetime]::FromFileTime($_.lastLogonTimestamp)).ToString("dd-MM-yyyy HH:mm") } }}, PasswordNeverExpires

LastLogon is the only accurate field in Active Directory for when a user logs in. The problem is that it is not replicated and is only stored on the DC that authenticated the user, so every DC has to be queried.

Search User’s LastLogon in all Domain Controllers

$OU = "OU=UAT,DC=THPROP,DC=local"
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    # Query each DC directly; lastLogon differs per DC because it is not replicated
    Get-ADUser -Filter * -Server $DC.HostName -SearchBase $OU -Properties DisplayName, lastLogon | Select SamAccountName, DisplayName,
    @{n = "LastLogonDate"; e = { if ($_.lastLogon) { ([datetime]::FromFileTime($_.lastLogon)).ToString("dd-MM-yyyy HH:mm") } }}, @{n = "DC Name"; e = {$DC.HostName}} | Sort-Object LastLogonDate -Descending
}
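Putting the two attributes together, as an added example that is not part of the original tutorial: query lastLogon on every domain controller, keep only the newest value per user, and flag accounts that have never logged on or whose last logon is older than a constructed 90-day threshold. It assumes the same OU as above and that an unreachable DC should be skipped rather than abort the run.

```powershell
# Added example, not from the original tutorial.
# lastLogon is not replicated, so the true last logon is the newest value held by
# any DC. lastLogonTimestamp is replicated but can lag by up to ~14 days.
Import-Module ActiveDirectory

$OU             = "OU=UAT,DC=THPROP,DC=local"   # same OU as used in the tutorial
$StaleAfterDays = 90                           # constructed threshold for "stale"
$Cutoff         = (Get-Date).AddDays(-$StaleAfterDays)

# Ask every DC; an unreachable DC is reported and skipped instead of aborting the run.
$PerDC = foreach ($DC in (Get-ADDomainController -Filter *)) {
    try {
        Get-ADUser -Filter * -Server $DC.HostName -SearchBase $OU `
                   -Properties lastLogon, lastLogonTimestamp |
            Select-Object SamAccountName, Enabled, lastLogon, lastLogonTimestamp,
                          @{ n = "DC"; e = { $DC.HostName } }
    }
    catch {
        Write-Warning "Skipping $($DC.HostName): $($_.Exception.Message)"
    }
}

# Converts a FILETIME Int64 to [datetime]; 0/unset means the user never logged on there.
function ConvertFrom-FileTime ([Int64] $FileTime) {
    if ($FileTime -gt 0) { [datetime]::FromFileTime($FileTime) }
}

$Report = $PerDC | Group-Object SamAccountName | ForEach-Object {
    # Sorting descending puts the DC holding the newest lastLogon first ($null sorts last)
    $Newest     = $_.Group | Sort-Object lastLogon -Descending | Select-Object -First 1
    $Replicated = ($_.Group | Sort-Object lastLogonTimestamp -Descending | Select-Object -First 1).lastLogonTimestamp
    $LastLogon  = ConvertFrom-FileTime $Newest.lastLogon
    [pscustomobject]@{
        SamAccountName     = $_.Name
        Enabled            = $Newest.Enabled
        LastLogon          = $LastLogon
        LastLogonTimestamp = ConvertFrom-FileTime $Replicated
        ReportedByDC       = if ($LastLogon) { $Newest.DC }
        # Stale: never logged on anywhere, or last logon older than the cutoff
        Stale              = (-not $LastLogon) -or ($LastLogon -lt $Cutoff)
    }
}

$Report | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

Compare the LastLogon and LastLogonTimestamp columns for a recently active user to see the replication lag described above.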

List User’s Password Expiry Date

List a user’s password expiry date in human-readable format. Users with Password Never Expires enabled will not have any value.

$User = "Group2"
Get-ADUser -Identity $User -Properties msDS-UserPasswordExpiryTimeComputed |
    Select Name, @{Name="ExpiryDate";Expression={
        $t = $_."msDS-UserPasswordExpiryTimeComputed"
        # 0 or Int64.MaxValue means no computed expiry (e.g. Password Never Expires); FromFileTime would fail on MaxValue
        if ($t -gt 0 -and $t -lt [Int64]::MaxValue) { [datetime]::FromFileTime($t) } }}


Name   ExpiryDate
----   ----------
group2 8/15/2017 9:58:08 AM
