
How to bulk modify Active Directory user attributes

(Last updated on October 5, 2020)

Active Directory attributes often contain a wealth of information about users, including their phone numbers, department, location, and much more. Even so, this information is only valid if it is kept up-to-date. Sometimes this means updating an individual attribute, such as is needed when a user gets a new phone number. In other cases, bulk operations may be required. For instance, a corporate reorganization may require changing dozens of users’ locations.

Managing user attributes with ADUC

The Active Directory Users and Computers console has a limited ability to make bulk changes to user account attributes. Administrators can select multiple user accounts, right-click, and then choose the Properties command from the resulting shortcut menu. This exposes a window that lets administrators make a few basic updates, such as specifying the user description or office. More often, however, bulk changes to user account attributes are performed through PowerShell.

Using PowerShell to make bulk changes to User Account Attributes

At a high level, there are two steps involved in using PowerShell to make bulk changes to user account attributes. The first of these steps is to define the accounts that need to be modified. The second step is to perform the actual modification.

Defining the accounts to be modified can be done in a number of different ways. Suppose, for instance, that all of the users in an organization’s Redmond office were being transferred to an office in Miami. In such a situation, the HR department might provide the IT department with a CSV file containing a list of the users who are moving. In such a case, you might use the Import-CSV cmdlet to read the CSV file. You would then need to set up a loop to process all of the accounts listed within the CSV file.

Of course it is also possible that the HR department doesn’t provide the IT department with a list, but instead simply tells the IT department that everyone in Redmond is being transferred to Miami. In that type of situation, you would need to compile your own user list based on existing user account attributes. You could find all of the users in the Redmond office by using this command:

Get-ADUser -Filter 'Office -eq "Redmond"'

Of course the ultimate goal is to modify the user’s office location, so a better option would be to map this command’s output to a variable by using a command like this one:

$A = Get-ADUser -Filter 'Office -eq "Redmond"' -Properties *

In case you are wondering, the Properties parameter was added in order to make the Office property accessible, because Get-ADUser does not return Office by default. You can view the users and their office by using this command:

$A | Select-Object Name, Office

The next step is to use the Set-ADUser cmdlet to modify the user’s office. Assuming that there is more than one user account being modified, however, it is necessary to use a ForEach loop to ensure that only one user account is processed at a time. Here is what the loop looks like:

ForEach ($User in $A) { Set-ADUser -Identity $User -Office 'Miami' }

Once this command completes, we need to verify that the modification was successful. The easiest way to do this is to use the Get-ADUser command to display a list of users in the Miami office. Here is what the command looks like:

Get-ADUser -Filter 'Office -eq "Miami"' -Properties * | Select-Object Name, Office

The entire sequence of commands will look like this:


This is how you bulk modify Active Directory user attributes through PowerShell.
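The CSV-driven approach described earlier (Import-CSV plus a loop) can be written so that it checks each account's current office, saves the old values for rollback, and supports a dry run. This is an added example, not code from the original article; the file names, the SamAccountName column and the parameter names are assumptions.

```powershell
# Added example: CSV-driven Office change with pre-checks, a rollback file and -WhatIf support.
# Assumptions (hypothetical): movers.csv has a SamAccountName column; all paths are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath        = '.\movers.csv',
    [string]$ExpectedOffice = 'Redmond',
    [string]$NewOffice      = 'Miami',
    [string]$RollbackPath   = ".\office-rollback-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)
Import-Module ActiveDirectory

# Build the change list first; nothing is written to the directory in this pass.
$changes = @(foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = $row.SamAccountName
    if ([string]::IsNullOrWhiteSpace($sam)) {
        Write-Warning 'Skipping row with an empty SamAccountName'
        continue
    }
    try {
        # Request only the attribute that is needed instead of -Properties *
        $user = Get-ADUser -Identity $sam.Trim() -Properties Office -ErrorAction Stop
    } catch {
        Write-Warning "Account not found or not readable: $sam"
        continue
    }
    # Guard against a stale list: only touch accounts still in the expected office.
    if ($user.Office -ne $ExpectedOffice) {
        Write-Warning "$sam has Office '$($user.Office)', expected '$ExpectedOffice'; skipping"
        continue
    }
    [pscustomobject]@{
        DistinguishedName = $user.DistinguishedName
        SamAccountName    = $user.SamAccountName
        OldOffice         = $user.Office
        NewOffice         = $NewOffice
    }
})
if ($changes.Count -eq 0) { Write-Warning 'No accounts qualify for the change.'; return }

# Record the previous values before modifying anything, so the change can be reversed.
$changes | Export-Csv -Path $RollbackPath -NoTypeInformation

foreach ($c in $changes) {
    if ($PSCmdlet.ShouldProcess($c.SamAccountName, "Set Office to '$NewOffice'")) {
        Set-ADUser -Identity $c.DistinguishedName -Office $NewOffice -ErrorAction Stop
    }
}
```

Saved as a script and run with -WhatIf, it lists the accounts that would change without writing to the directory or creating the rollback file.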

As you can see, making bulk modifications to Active Directory attributes through PowerShell is tedious, time-consuming, and prone to human error. There is, however, a better option. Rather than forcing the IT department to act as a curator of Active Directory attributes, users can be given the ability to manage their own Active Directory attributes. That way, if a user gets a new phone number, moves to a different office, or goes through various other changes, the user can update their account accordingly.

Enable users to manage their mobile number with Specops

Providing users with the ability to update their mobile number can be helpful to everyone. For the end user, it means that they can quickly make the change without having to take the time to contact the help desk. With Specops uReset, users can manage their mobile number when enrolling for the self-service password reset solution. This not only ensures that their contact information is up-to-date, but also provides a secure way for users to verify their identity (via SMS codes) when unlocking their account or resetting their password.

For more information about the Specops password reset solution, or to request your free trial, click here.


Written by

Brien Posey

Brien Posey is a freelance author and speaker, and 15-time Microsoft MVP with 20+ years of IT experience.
