Active Directory User Accounts with PowerShell, ADSI, and LDAP

Posted on April 6, 2017 by Jeff Hicks in Active Directory, PowerShell with

We have been exploring some alternatives to the Active Directory (AD) PowerShell module. Most of the time, this module should meet your needs. It is always good to have options so I have been demonstrating how to use the ADSI type accelerator with the LDAP moniker. As long as you know the distinguished name to an AD object, you can reference it in PowerShell. When we ended last time, we were beginning to look at AD user objects. Let’s pick up that idea with a single-user account.



User LDAP Properties (Image Credit: Jeff Hicks)

User LDAP Properties (Image Credit: Jeff Hicks)

To display user properties, I have been using Select-Object to expand each property value. There is an alternative that takes a list of property names and then creates an ordered hashtable. This gets the value from the user object. The [ordered] directive keeps all of the properties in the same order. This is not required but I like the look.

Once the hashtable is complete, it can be treated as a PowerShell custom object.

Selected properties (Image Credit: Jeff Hicks)

Selected Properties (Image Credit: Jeff Hicks)

You could use this technique for most properties. Let’s say you want to change a property. In most cases, all you need to do is assign a new value to the object.

An alternative is to use the Put() method.

You have modified the locally-cached instance of the user account. To commit the change, invoke the Setinfo() method.

You will not see this method with Get-Member but it is there. You can refresh the local version of the object.

And once replication finishes, you can see the change in Active Directory Users and Computers.

Viewing the change (Image Credit: Jeff Hicks)

Viewing the Change (Image Credit: Jeff Hicks)

Some information, like whether the account is enabled or not, is tucked away. This particular tidbit is the UserAccountControl value.

User account control (Image Credit: Jeff Hicks)

User Account Control (Image Credit: Jeff Hicks)

In order to determine if the account is enabled, you need to perform a bitwise operation using a hex flag value.

Bitwise operation (Image Credit: Jeff Hicks)

Bitwise Operation (Image Credit: Jeff Hicks)

This is to be expected. Let’s disable the account.

Testing the new value (Image Credit: Jeff Hicks)

Testing the New Value (Image Credit: Jeff Hicks)

Another property that you might want to get is the password last set. This is stored as a COM object. This is also a large-integer value.

Converting large AD integer (Image Credit: Jeff Hicks)

Converting Large AD Integer (Image Credit: Jeff Hicks)

This is actually a datetime value, which we can convert like this:

Calculating Password Last Set Date (Image Credit: Jeff Hicks)

Calculating Password Last Set Date (Image Credit: Jeff Hicks)

It does not take much more effort to figure out the age of the password.

Calculating Password Age (Image Credit: Jeff Hicks)

Calculating Password Age (Image Credit: Jeff Hicks)

The last bit of the user account that needs coaxing is the account properties. An example of this is figuring out whether the user’s password ever expires.

Account Properties (Image Credit: Jeff Hicks)

Account Properties (Image Credit: Jeff Hicks)

This is also stored in the UserAccountControl property. We will perform a bitwise operation to determine if the password can expire.

Testing User Account Flag (Image Credit: Jeff Hicks)

Testing User Account Flag (Image Credit: Jeff Hicks)

The “user cannot change password” is actually an access control rule that uses an extended right.

Change Password Rule (Image Credit: Jeff Hicks)

Change Password Rule (Image Credit: Jeff Hicks)

If the AccessControlType is set to Deny, then the user cannot change their password. This is the case with Al Fredo.

Let’s put all of this together into a single function. This will create a custom object with a user’s LDAP properties.

I wrote the function so that you can pipe a user object to it.

Getting LDAP user properties (Image Credit: Jeff Hicks)

Getting LDAP User Properties (Image Credit: Jeff Hicks)

Or you can get all users from a particular OU.

User Report (Image Credit: Jeff Hicks)

User Report (Image Credit: Jeff Hicks)


I hope you will give some of this a try in a test environment. Next time, we will look at creating user accounts with ADSI.

Tagged with , ,

Register for this Webinar

How Replication Supports Your Company’s RTOs & RPOs
Join us for this free webinar

Can you have your workloads running within the agreed RTOs? Join this webinar with expert speakers from Veeam to exceed business objectives with an RPTO<15 min for ALL of your application and data.

Thursday, December 14, 2017 at 11 a.m EST