# Active Directory Users Management Guide: Complete Tutorial
7 min read
Tags: active-directory, user-management, ad-administration, users, tutorial, guide
## Overview
User management is one of the core responsibilities of Active Directory (AD) administrators. This guide covers everything you need to know about managing user accounts in Active Directory, from basic concepts to advanced PowerShell automation.
**What You'll Learn:**
- How user accounts work in Active Directory
- Creating, modifying, and deleting user accounts
- Managing user properties and attributes
- Using PowerShell for efficient user management
- Best practices for user administration
- Troubleshooting common user issues
## Table of Contents
- User Account Basics
- Creating User Accounts
- Modifying User Properties
- Querying Users
- Managing User Groups
- User Account Status
- Password Management
- Best Practices
- Troubleshooting
## User Account Basics
### What is an Active Directory User Account?
An Active Directory user account is a digital identity that represents a person in your organization. It contains:
- **Identity Information**
  - Username (SAM account name)
  - User Principal Name (UPN)
  - Display name
  - Email address
- **Organizational Information**
  - Department
  - Title
  - Manager
  - Office location
  - Phone numbers
- **Authentication & Authorization**
  - Password
  - Group memberships
  - Account status (enabled/disabled)
  - Account expiration
- **Contact Information**
  - Email address
  - Phone numbers (office, mobile)
  - Address and location
  - Website/homepage
### User Account Naming Conventions
**SAM Account Name (Pre-Windows 2000 Logon Name)**
- Maximum 20 characters
- Used for backward compatibility
- Examples: `jsmith`, `s.jones`, `john.smith`
**User Principal Name (UPN)**
- Email-like format: `jsmith@contoso.com`
- Used for modern authentication
- Should be unique across the forest
**Best Practice: Use consistent naming conventions**
```text
SAM Account Name: firstname.lastname (lowercase)
UPN: firstname.lastname@domain.com
Email Address: firstname.lastname@domain.com
Display Name: First Name Last Name
```
---
## Creating User Accounts
### Method 1: Using Active Directory Users and Computers (GUI)
**Steps:**
1. Open "Active Directory Users and Computers"
2. Right-click on OU → New → User
3. Enter user information (first name, last name, UPN)
4. Set password
5. Configure additional properties
6. Click Finish
### Method 2: Using PowerShell (Recommended)
**Basic User Creation:**
```powershell
# Demo value only: in real scripts prompt for it (Read-Host -AsSecureString)
# instead of hardcoding a password (see Common Mistakes below)
$password = ConvertTo-SecureString -AsPlainText "TempPassword@123" -Force
New-ADUser -Name "John Smith" `
-SamAccountName "jsmith" `
-GivenName "John" `
-Surname "Smith" `
-EmailAddress "john.smith@contoso.com" `
-Path "OU=Users,DC=contoso,DC=com" `
-AccountPassword $password `
-Enabled $true
```
**With Additional Properties:**
```powershell
New-ADUser -Name "Sarah Jones" `
-SamAccountName "sjones" `
-GivenName "Sarah" `
-Surname "Jones" `
-EmailAddress "sarah.jones@contoso.com" `
-Department "IT" `
-Title "Systems Administrator" `
-Office "New York" `
-OfficePhone "+1-555-123-4567" `
-MobilePhone "+1-555-234-5678" `
-AccountPassword $password `
-Enabled $true
```
**Bulk User Creation from CSV:**
See [PowerShell New-ADUser](/powershell-new-aduser) for detailed examples.
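The following function ties the naming convention above to `New-ADUser`. It is an added example, not code from the original guide: it assumes the `ActiveDirectory` module, the `OU=Users,DC=contoso,DC=com` path and the `contoso.com` UPN suffix used on this page, derives SAM, UPN, display name and e-mail from the first and last name, refuses duplicates, and prompts for the temporary password instead of hardcoding it.

```powershell
# Added example (not from the original guide): create a user whose SAM account name,
# UPN, display name and e-mail all follow the firstname.lastname convention.
Import-Module ActiveDirectory

function New-ConventionalADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [string] $UpnSuffix = 'contoso.com',                 # assumed suffix
        [string] $Path      = 'OU=Users,DC=contoso,DC=com'   # assumed OU
    )

    # Lower-case and strip anything that is not a letter, digit or dot.
    # This also keeps quotes out of the -Filter string built below.
    $base = ("$GivenName.$Surname").ToLowerInvariant() -replace '[^a-z0-9.]', ''
    $upn  = "$base@$UpnSuffix"
    $sam  = $base
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # SAM limit is 20 chars

    # Both the SAM account name and the UPN must be unique; fail before creating anything
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam' -or userPrincipalName -eq '$upn'") {
        throw "A user with SAM '$sam' or UPN '$upn' already exists."
    }

    if ($PSCmdlet.ShouldProcess($upn, 'Create AD user')) {
        # Never hardcode the temporary password; read it as a SecureString
        $password = Read-Host -Prompt "Temporary password for $sam" -AsSecureString
        New-ADUser -Name "$GivenName $Surname" `
            -DisplayName "$GivenName $Surname" `
            -GivenName $GivenName -Surname $Surname `
            -SamAccountName $sam -UserPrincipalName $upn -EmailAddress $upn `
            -Path $Path -AccountPassword $password `
            -ChangePasswordAtLogon $true -Enabled $true
    }
}

# Dry run first (nothing is created), then repeat without -WhatIf
New-ConventionalADUser -GivenName 'John' -Surname 'Smith' -WhatIf
```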
### Required vs. Optional Properties
| Property | Required | Notes |
|----------|----------|-------|
| Name | Yes | Display name |
| SAM Account Name | Yes | Pre-Windows 2000 name |
| GivenName | No | First name |
| Surname | No | Last name |
| EmailAddress | No | User email |
| Password | No | Can be set later |
| Enabled | No | Default is disabled |
| Department | No | Organizational info |
| Title | No | Job title |
---
## Modifying User Properties
### Using GUI (Active Directory Users and Computers)
1. Find the user
2. Right-click → Properties
3. Update information on tabs:
- General (names, descriptions)
- Address (street, city, state, zip)
- Telephones (office, mobile, fax)
- Organization (title, department, company, manager)
- Account (options, expiration)
### Using PowerShell
**Single Property Update:**
```powershell
Set-ADUser -Identity jsmith -EmailAddress "newemail@contoso.com"
```
**Multiple Properties:**
```powershell
Set-ADUser -Identity jsmith `
-EmailAddress "john.smith@newdomain.com" `
-Title "Senior Systems Administrator" `
-Department "Information Technology" `
-OfficePhone "+1-555-999-1234"
```
**Bulk Updates:**
```powershell
# Update all Marketing users to new department
Get-ADUser -Filter "department -eq 'Marketing'" |
Set-ADUser -Department "Marketing & Communications"
```
See [PowerShell Set-ADUser](/powershell-set-aduser) for detailed guide.
---
## Querying Users
### Using GUI
1. Open "Active Directory Users and Computers"
2. Right-click on domain → Find
3. Enter search criteria
4. Click Find Now
### Using PowerShell
**Get Single User:**
```powershell
Get-ADUser -Identity jsmith
```
**Get User with Properties:**
```powershell
Get-ADUser -Identity jsmith -Properties EmailAddress, Department, Title, Manager
```
**Search by Filter:**
```powershell
# All enabled users
Get-ADUser -Filter "enabled -eq $true"
# Users in specific department
Get-ADUser -Filter "department -eq 'IT'"
# Users with email domain
Get-ADUser -Filter "mail -like '*@contoso.com'"
# Users without email
Get-ADUser -Filter "mail -notlike '*'"
```
**Find Inactive Users:**
```powershell
# LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag
# of up to 14 days, so treat the result as approximate
$date = (Get-Date).AddDays(-90)
Get-ADUser -Filter "lastLogonDate -lt '$date'" -Properties LastLogonDate
```
**Export to CSV:**
```powershell
Get-ADUser -Filter "enabled -eq $true" -Properties EmailAddress, Department |
Export-Csv -Path "C:\users.csv" -NoTypeInformation
```
See [PowerShell Get-ADUser](/powershell-get-aduser) for comprehensive guide.
---
## Managing User Groups
### Group Types in Active Directory
**Distribution Groups**
- Used for email distribution
- Cannot be used for security permissions
- Members: Users, computers, other groups, external contacts
**Security Groups**
- Used for security permissions
- Can grant/deny permissions on resources
- Members: Users, computers, other groups
### Adding Users to Groups
**GUI Method:**
1. Find the group
2. Right-click → Members → Add
3. Type user names → Check Names → OK
**PowerShell Method:**
```powershell
# Add single user
Add-ADGroupMember -Identity "IT-Support" -Members "jsmith"
# Add multiple users
Add-ADGroupMember -Identity "VPN-Users" -Members "jsmith", "sjones", "mdavis"
# Add from filter. Add-ADGroupMember binds pipeline input to -Identity (the group),
# not to -Members, so pass the user objects explicitly instead of piping them
Add-ADGroupMember -Identity "IT-AllStaff" -Members (Get-ADUser -Filter "department -eq 'IT'")
```
### Removing Users from Groups
**PowerShell:**
```powershell
Remove-ADGroupMember -Identity "IT-Support" -Members "jsmith" -Confirm:$false
```
---
## User Account Status
### Enabled vs. Disabled Accounts
**Enabled Accounts**
- User can log in
- Receives email
- Can access resources
**Disabled Accounts**
- User cannot log in
- Often used for contractors and temporary staff
- Good for archiving accounts before deletion
Default for new accounts: DISABLED (see the `Enabled` row in the properties table above).
### Enabling/Disabling Accounts
**Enable Account:**
```powershell
Enable-ADAccount -Identity jsmith
```
**Disable Account:**
```powershell
Disable-ADAccount -Identity jsmith
```
**Check Account Status:**
```powershell
Get-ADUser -Identity jsmith -Properties Enabled | Select-Object Name, Enabled
```
### Account Expiration
**Set Expiration Date:**
```powershell
Set-ADAccountExpiration -Identity jsmith -DateTime "2026-12-31"
```
**Remove Expiration:**
```powershell
Set-ADAccountExpiration -Identity jsmith -Clear
```
**Find Expiring Accounts:**
```powershell
# accountExpires holds 0 or 9223372036854775807 for "never expires"; exclude both,
# otherwise FromFileTime fails on the maximum value
Get-ADUser -Filter "accountExpires -ne 0 -and accountExpires -ne 9223372036854775807" -Properties AccountExpires |
Select-Object Name, @{name="ExpirationDate";expression={[datetime]::FromFileTime($_.accountExpires)}}
```
---
## Password Management
### Setting User Password
**Initial Password Setup:**
```powershell
$password = ConvertTo-SecureString -AsPlainText "TempPassword@123" -Force
Set-ADAccountPassword -Identity jsmith -NewPassword $password -Reset
```
**Force Password Change at Next Logon:**
```powershell
Set-ADUser -Identity jsmith -ChangePasswordAtLogon $true
```
### Password Policy
**Enforce Password Requirements:**
- Minimum length: 8-14 characters
- Complexity: uppercase, lowercase, numbers, special characters
- Password history: remember last 5-10 passwords
- Age: change every 30-90 days
### Reset Forgotten Passwords
**Admin Password Reset:**
```powershell
$password = ConvertTo-SecureString -AsPlainText "NewTempPassword@123" -Force
Set-ADAccountPassword -Identity jsmith -NewPassword $password -Reset
Set-ADUser -Identity jsmith -ChangePasswordAtLogon $true
```
---
## Best Practices
### ✅ User Account Naming
```text
# Good: Consistent, readable naming
SAM Account Name: john.smith
UPN: john.smith@contoso.com
Display Name: John Smith
Email: john.smith@contoso.com
# Avoid: Inconsistent naming
SAM Account Name: jsmith2
UPN: jsmith@contoso.com
Display Name: John Michael Smith
Email: john_smith@contoso.com
```
### ✅ Organizational Structure
1. **Use OUs for organization** - Separate by department, location, or function
2. **Consistent property values** - Standardize departments, titles, offices
3. **Complete information** - Always fill in manager, department, email, phone
4. **Regular maintenance** - Review and clean up regularly
### ✅ Security
1. **Use strong passwords** - Meet complexity requirements
2. **Enforce password changes** - New temporary password, force change at logon
3. **Disable unused accounts** - Don't delete immediately, disable first
4. **Regular audits** - Review group memberships, permissions
5. **Least privilege** - Only grant needed permissions
### ✅ Bulk Operations
1. **Test first** - Run on test user before bulk updates
2. **Use filters** - Target specific users with -Filter
3. **Automate repetitive tasks** - Use scripts for consistency
4. **Log changes** - Document what was changed and why
5. **Backup before changes** - Export user list before bulk modifications
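The script below applies all five bulk-operation rules to one common job, disabling accounts that have not logged on for 90 days (the page's "disable first, don't delete" advice). It is an added example, not code from the original guide; it assumes the `ActiveDirectory` module and a `C:\ADBackup` folder, and runs as a dry run until `$DryRun` is set to `$false`.

```powershell
# Added example (not from the original guide): back up, select with -Filter,
# dry-run with -WhatIf, disable, and log every change.
Import-Module ActiveDirectory

$InactiveDays = 90
$BackupDir    = 'C:\ADBackup'            # assumed location
$cutoff       = (Get-Date).AddDays(-$InactiveDays)
$stamp        = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Backup: export every enabled user with the attributes this run depends on
$users = Get-ADUser -Filter "enabled -eq $true" -Properties LastLogonDate, WhenCreated, Description
$users | Export-Csv -Path "$BackupDir\users-before-$stamp.csv" -NoTypeInformation

# 2. Select: last logon older than the cutoff. LastLogonDate is $null for accounts that
#    never logged on, so also require the account itself to be older than the cutoff.
#    LastLogonDate comes from lastLogonTimestamp and can lag replication by up to 14 days.
$inactive = $users | Where-Object {
    $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff -and $_.WhenCreated -lt $cutoff
}

# 3. Act: disable (never delete straight away) and record the reason on the account.
#    Review the change log from a dry run before setting $DryRun to $false.
$DryRun = $true
$log = foreach ($u in $inactive) {
    $note = "Disabled $stamp - inactive since $($u.LastLogonDate.ToString('yyyy-MM-dd'))"
    Disable-ADAccount -Identity $u -WhatIf:$DryRun
    Set-ADUser -Identity $u -Description $note -WhatIf:$DryRun
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LastLogonDate  = $u.LastLogonDate
        Action         = if ($DryRun) { 'WOULD DISABLE' } else { 'DISABLED' }
    }
}

# 4. Log: keep a per-run record of what was (or would have been) changed
$log | Export-Csv -Path "$BackupDir\inactive-changes-$stamp.csv" -NoTypeInformation
$log | Format-Table -AutoSize
```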
### ❌ Common Mistakes
- Creating accounts without setting required properties
- Not assigning users to groups after creation
- Leaving accounts enabled after employee departure
- Hardcoding passwords in scripts
- Not following naming conventions
- Forgetting to set manager relationships
---
## Troubleshooting
### Issue: User Cannot Log In
**Check:**
1. Is account enabled?
```powershell
Get-ADUser -Identity jsmith -Properties Enabled | Select-Object Enabled
```
2. Is account expired?
```powershell
Get-ADUser -Identity jsmith -Properties AccountExpires | Select-Object AccountExpires
```
3. Is password correct?
```powershell
# Reset password and force change
$password = ConvertTo-SecureString -AsPlainText "NewPassword@123" -Force
Set-ADAccountPassword -Identity jsmith -NewPassword $password -Reset
Set-ADUser -Identity jsmith -ChangePasswordAtLogon $true
```
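The three checks above can be run together before touching the password. The function below is an added example, not code from the original guide; it assumes the `ActiveDirectory` module and also reads the `LockedOut` and `PasswordExpired` properties, two further reasons a logon fails that `Get-ADUser` exposes (a locked account is cleared with `Unlock-ADAccount`).

```powershell
# Added example (not from the original guide): collect every logon blocker for one
# account in a single object, with the cmdlet that fixes each one.
Import-Module ActiveDirectory

function Test-ADUserLogon {
    param([Parameter(Mandatory)] [string] $Identity)

    $u = Get-ADUser -Identity $Identity -Properties Enabled, AccountExpirationDate, `
            LockedOut, PasswordExpired, PasswordLastSet, LastLogonDate

    $problems = [System.Collections.Generic.List[string]]::new()
    if (-not $u.Enabled) {
        $problems.Add('Account is disabled (Enable-ADAccount)')
    }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $problems.Add("Account expired on $($u.AccountExpirationDate) (Set-ADAccountExpiration)")
    }
    if ($u.LockedOut) {
        $problems.Add('Account is locked out (Unlock-ADAccount)')
    }
    if ($u.PasswordExpired) {
        $problems.Add('Password has expired (Set-ADAccountPassword -Reset)')
    }
    # PasswordLastSet is $null when "change password at next logon" is set;
    # expected right after a reset, but it blocks protocols that cannot change passwords
    if (-not $u.PasswordLastSet) {
        $problems.Add('Password change required at next logon')
    }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        Expires         = $u.AccountExpirationDate
        LockedOut       = $u.LockedOut
        PasswordExpired = $u.PasswordExpired
        LastLogonDate   = $u.LastLogonDate
        CanLogon        = ($problems.Count -eq 0)
        Problems        = ($problems -join '; ')
    }
}

Test-ADUserLogon -Identity jsmith | Format-List
```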
### Issue: User Not Receiving Emails
**Check:**
1. Is email address set?
```powershell
Get-ADUser -Identity jsmith -Properties EmailAddress | Select-Object EmailAddress
```
2. Update email:
```powershell
Set-ADUser -Identity jsmith -EmailAddress "john.smith@contoso.com"
```
### Issue: User Not Appearing in Group
**Check:**
1. Is user in group?
```powershell
Get-ADGroupMember -Identity "IT-Support" | Where-Object { $_.SamAccountName -eq "jsmith" }
```
2. Add to group:
```powershell
Add-ADGroupMember -Identity "IT-Support" -Members "jsmith"
```
### Issue: Cannot Create User
**Common Causes:**
- No permissions to OU
- Invalid OU path
- Duplicate SAM account name
**Fix:**
```powershell
# Verify OU exists
Get-ADOrganizationalUnit -Filter "name -eq 'Users'"
# Check permissions (the AD: drive is created when the ActiveDirectory module is imported)
$ou = Get-ADOrganizationalUnit -Filter "name -eq 'Users'"
Get-Acl -Path "AD:\$($ou.DistinguishedName)"
```
---
## Related Topics
### PowerShell Cmdlets
- **[Get-ADUser](/powershell-get-aduser)** - Query users
- **[New-ADUser](/powershell-new-aduser)** - Create users
- **[Set-ADUser](/powershell-set-aduser)** - Modify users
- **[Remove-ADUser](/powershell-remove-aduser)** - Delete users
- **[Get-ADGroup](/powershell-get-adgroup)** - Query groups
- **[Add-ADGroupMember](/powershell-add-adgroupmember)** - Add to groups
### Complete Guides
- **Complete Active Directory Guide** - AD overview
- **Complete PowerShell Guide** - PowerShell basics
- **[Active Directory Groups Guide](/active-directory-groups)** - Group management
- **[PowerShell Bulk AD Operations](/powershell-bulk-ad-operations)** - Bulk operations
---
## FAQs
**Q: What's the difference between SAM Account Name and UPN?**
A: SAM is the pre-Windows 2000 name (limited to 20 characters); UPN is the modern email-like format used for authentication.
**Q: Can I change a user's SAM account name?**
A: Yes, but it can break things. Avoid changing if possible.
**Q: How long are passwords valid?**
A: Depends on group policy. Default is 42 days, but this varies by organization.
**Q: Can users reset their own passwords?**
A: Yes, with Ctrl+Alt+Delete on a domain computer or through a web-based password reset tool.
**Q: What happens when I delete a user?**
A: The user cannot log in and loses resource access, and the SID is not reused. Best practice: disable instead of delete.
**Q: How do I find all users in a department?**
A: Use Get-ADUser with -Filter: `Get-ADUser -Filter "department -eq 'IT'"`
---
## Summary
User management in Active Directory is fundamental to IT administration. Key takeaways:
1. **Use PowerShell** - More efficient and scriptable than GUI
2. **Follow naming conventions** - Consistency across organization
3. **Maintain complete information** - Accurate department, title, manager, email
4. **Use groups** - Simplify permission management
5. **Regular audits** - Keep your AD clean and organized
6. **Security first** - Strong passwords and least privilege
---
**Last Updated:** February 6, 2026
**Difficulty Level:** Beginner-Intermediate
**Reading Time:** 15 minutes