Modify an AD computer object.
Syntax
      Set-ADComputer [-Identity] ADComputer [-AccountExpirationDate [System.DateTime]]
         [-AccountNotDelegated [bool]] [-Add hashtable] [-AllowReversiblePasswordEncryption [bool]]
            [-AuthType {Negotiate | Basic}] [-CannotChangePassword [bool]] [-Certificates hashtable]
               [-ChangePasswordAtLogon [bool]] [-Credential PSCredential] [-Clear string[]]
                  [-Description string] [-DisplayName string] [-DNSHostName string] [-Enabled [bool]]
                     [-HomePage string] [-Location string] [-ManagedBy ADPrincipal]
                        [-OperatingSystem string] [-OperatingSystemHotfix string]
                           [-OperatingSystemServicePack string] [-OperatingSystemVersion string]
                              [-Partition string] [-PassThru] [-PasswordNeverExpires [bool]]
                                 [-PasswordNotRequired [bool]] [-Remove hashtable] [-Replace hashtable]
                                    [-ServicePrincipalNames hashtable] [-SAMAccountName string]
                                       [-Server string] [-TrustedForDelegation [bool]]
                                          [-UserPrincipalName string] [-Confirm] [-WhatIf] [CommonParameters]

      Set-ADComputer -Instance ADComputer [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
         [-Partition string] [-PassThru] [-Server string] [-Confirm] [-WhatIf] [CommonParameters]

Key
   -AccountExpirationDate [System.DateTime]
       The expiry date for the account. (0=never expires)
       Use PowerShell DateTime syntax. Time is assumed to be local time unless otherwise specified.
       The default time is 12:00 (Midday) local time. The default date is the current date.
       Examples using GMT, UTC and local time:
          -AccountExpirationDate "Mon, 17 Apr 2011 21:22:48 GMT"
          -AccountExpirationDate "2011-04-17T14:22:48.0000000"
          -AccountExpirationDate "04/17/2011 2:22:48 PM"
       The LDAP Display name (ldapDisplayName) for this property is accountExpires.

   -AccountNotDelegated bool
       Security delegation. When True, the security context of the account is not delegated to a
       service even when the service account is set as trusted for Kerberos delegation.
       Sets the AccountNotDelegated property for an AD account. This parameter also sets the
       ADS_UF_NOT_DELEGATED flag of the AD User Account Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -Add hashtable
       Values to add to an object property. Use this for properties that cannot be modified
       using a cmdlet parameter. To modify an object property, use the LDAP display name.
       Specify multiple values as a comma-separated list of values.
       Specify more than one property by separating them with a semicolon.
       The format for this parameter is:
          -Add @{Attribute1LDAPDisplayName=value1, value2,... ; Attribute2LDAPDisplayName=value1, value2,... }
       If the -Add, -Remove, -Replace and -Clear parameters are used together, the operations will
       always be performed in the order: -Remove then -Add then -Replace then -Clear

   -AllowReversiblePasswordEncryption bool
       Whether reversible password encryption is allowed for the account.
       This parameter sets the AllowReversiblePasswordEncryption property of the account.
       This also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the AD User Account
       Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -AuthType ADAuthType
       The authentication method to use: Negotiate or 0, Basic or 1
       A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

   -CannotChangePassword bool
       Whether the account password can be changed.
       Sets the 'CannotChangePassword' property of an account.
       Values for this parameter: $false or 0, $true or 1

   -Certificates X509Certificate[]
       Modifies the DER-encoded X.509v3 certificates of the account. These certificates include
       the public key certificates issued to this account by the Microsoft Certificate Service.
       Sets the Certificates property of the account object.
       The LDAP Display Name for this property is "userCertificate".
       Syntax to add/remove/replace/clear:
          -Certificates @{Add=value1,value2,...}
          -Certificates @{Remove=value3,value4,...}
          -Certificates @{Replace=value1,value2,...}
          -Certificates $null
       Multiple operations may be specified by using a list separated by semicolons.
          -Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...}
       Example - loading a certificate from a file and adding it to an account:
          $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate -ArgumentList "cert1.cer", "certPassword"
          Set-ADUser saradavis -Certificates @{Add=$cert}

   -ChangePasswordAtLogon bool
       Whether a password must be changed during the next logon attempt.
       Values for this parameter: $false or 0, $true or 1
       This cannot be set to $true for an account that also has PasswordNeverExpires set.

   -Clear string[]
       An array of object properties that will be cleared. Use this parameter to clear properties
       that cannot be modified using a cmdlet parameter.
       To modify an object property, use the LDAP display name.
       Modify more than one property by specifying a comma-separated list.
       Example: Clear the value for the Phone-Office-Other attribute (LDAP display name 'otherTelephone')
          -Clear otherTelephone
       If the -Add, -Remove, -Replace and -Clear parameters are used together, the operations will
       always be performed in the order: -Remove then -Add then -Replace then -Clear

   -Credential PSCredential
       A user account that has permission to perform this action. The default is the current user
       unless the cmdlet is run from an AD PowerShell provider drive, in which case the account
       associated with the drive is the default.
       "User64" or "Domain01\User64" or a PSCredential object.

   -Description string
       A description of the object.

   -DisplayName string
       The display name of the object.

   -DNSHostName string
       The fully qualified domain name (FQDN) of the computer.
       This parameter sets the DNSHostName property for a computer object.
       The LDAP Display Name for this property is "dNSHostName".

   -Enabled bool
       Is the account enabled. An enabled account requires a password.
       This parameter sets the Enabled property for an account object.
       Also sets the ADS_UF_ACCOUNTDISABLE flag of the AD User Account Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -HomePage string
       The URL of the home page of the object.

   -Identity ADComputer
       An AD computer object:
          Distinguished Name
             Example: CN=PC1234,CN=Europe,CN=Users,DC=SS64,DC=com
          GUID (objectGUID)
             Example: 579c4d2e-f62d-4d20-8a88-030d97495f10
          Security Identifier (objectSid)
             Example: S-1-5-21-3164297828-301567370-526410523-1153
          Security Accounts Manager Account Name (sAMAccountName)
             Example: PC1234
       The identifier in parentheses is the LDAP display name for the attribute.
       The cmdlet searches the default naming context or partition to find the object.
       If the identifier given is a DN, the partition to search will be computed from that DN.
       If two or more objects are found, the cmdlet returns a non-terminating error.
       This parameter can also accept an object through the pipeline.

   -Instance ADComputer
       Specifies a modified copy of a computer object to use to update the actual AD computer object.
       When this parameter is used, any modifications made to the modified copy of the object are
       also made to the corresponding AD object. This will only update the object properties that
       have changed.
       The -Instance parameter can only update computer objects that have been retrieved with
       Get-ADComputer; you cannot specify other parameters that set properties on the object.
       Example:
          # Retrieve a local instance of the object.
          $computerInstance = Get-ADComputer -Identity PC001
          # Modify one or more properties of the object instance.
          $computerInstance.Description = "Graphic Design Computer"
          # Save the changes
          Set-ADComputer -Instance $computerInstance

   -Location string
       The location of the computer, such as an office number.

   -ManagedBy ADPrincipal
       The user or group that manages the object.
       Note: The identifier in parentheses is the LDAP display name for the property.
       Examples:
          Distinguished Name:               CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=ss64,DC=com
          GUID (objectGUID):                599c3d2e-f72d-4d20-8a88-030d99495f20
          Security Identifier (objectSid):  S-1-5-21-3165297888-301567370-576410423-1103
          SAM Account Name (sAMAccountName): JDoe
       This parameter sets the Active Directory attribute with an LDAP Display Name of "managedBy".

   -OperatingSystem string
       An operating system name. e.g. "Windows Server 2008 Enterprise"

   -OperatingSystemHotfix string
       An operating system hotfix name.

   -OperatingSystemServicePack string
       The name of an operating system service pack.

   -OperatingSystemVersion string
       An operating system version.

   -Partition string
       The distinguished name of an AD partition. The distinguished name must be one of the naming
       contexts on the current directory server. The cmdlet searches this partition to find the
       object defined by the -Identity parameter.
       Examples:
          -Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=SS64,DC=COM"
          -Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=SS64,DC=COM"
       In many cases, a default value will be used for -Partition if no value is specified.

   -PassThru
       Returns the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

   -PasswordNeverExpires bool
       Whether the password of an account can expire.
       This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the AD UAC attribute.
       Values for this parameter: $false or 0, $true or 1
       Note: This parameter cannot be set to $true for an account that also has the
       ChangePasswordAtLogon property set.

   -PasswordNotRequired bool
       Whether the account requires a password.
       This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the AD UAC attribute.
       Values for this parameter: $false or 0, $true or 1

   -Remove hashtable
       Remove values from an object property. Use this for properties that cannot be modified
       using a cmdlet parameter. To modify an object property, use the LDAP display name.
       Specify multiple values as a comma-separated list of values.
       Specify more than one property by separating them with a semicolon.
       The format for this parameter is:
          -Remove @{Attribute1LDAPDisplayName=value1, value2,... ; Attribute2LDAPDisplayName=value1, value2,... }
       If the -Add, -Remove, -Replace and -Clear parameters are used together, the operations will
       always be performed in the order: -Remove then -Add then -Replace then -Clear

   -Replace hashtable
       Replace values for an object property. Use this for properties that cannot be modified
       using a cmdlet parameter. To modify an object property, use the LDAP display name.
       Specify multiple values as a comma-separated list of values.
       Specify more than one property by separating them with a semicolon.
       The format for this parameter is:
          -Replace @{Attribute1LDAPDisplayName=value1, value2,... ; Attribute2LDAPDisplayName=value1, value2,... }
       If the -Add, -Remove, -Replace and -Clear parameters are used together, the operations will
       always be performed in the order: -Remove then -Add then -Replace then -Clear

   -SAMAccountName string
       The Security Account Manager (SAM) account name of the user, group, computer, or service
       account. The maximum length is 256 characters. To be compatible with older operating
       systems use 20 characters or less.
       Note: If the SAMAccountName string provided does not end with a '$', one will be appended
       if needed.

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified domain name,
       NetBIOS name, fully qualified directory server name (with or without port number) or
       AD Snapshot instance.
       Examples:
          demo.SS64.com
          demo
          demoDC02.demo.ss64.com
          demoDC02.demo.ss64.com:3268

   -ServicePrincipalNames string[]
       The service principal names for the account.
       Use the following syntax to add, remove, replace or clear service principal name values:
          -ServicePrincipalNames @{Add=value1,value2,...}
          -ServicePrincipalNames @{Remove=value3,value4,...}
          -ServicePrincipalNames @{Replace=value1,value2,...}
          -ServicePrincipalNames $null
       Multiple operations may be specified by using a list separated by semicolons.
          -ServicePrincipalNames @{Add=value1,value2,...};@{Remove=value3,value4,...}
       Example:
          -ServicePrincipalNames @{Add="SQLservice\NewService.ss64.com:1456"};@{Remove="SQLservice\demo.ss64.com:1456"}

   -TrustedForDelegation bool
       Whether an account is trusted for Kerberos delegation. A service that runs under an account
       that is trusted for Kerberos delegation can assume the identity of a client requesting the
       service.
       This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the AD UAC attribute.
       Values for this parameter: $false or 0, $true or 1

   -UserPrincipalName string
       Each user account has a user principal name (UPN) in the format user@DNS-domain-name
       A UPN is a friendly name assigned by an administrator that is shorter than the LDAP
       distinguished name used by the system and easier to remember. The UPN is independent of the
       user object's DN, so a user object can be moved or renamed without affecting the user logon
       name. When logging on using a UPN, users no longer have to choose a domain from a list on
       the logon dialog box.

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command, without actually executing the command.

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer, -OutVariable.
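Several of the boolean parameters in the Key above (TrustedForDelegation, AllowReversiblePasswordEncryption, PasswordNotRequired) each toggle one UAC flag that weakens the account if left on. The function below is an added example, not part of the SS64 page or the ActiveDirectory module: it reads those flags back with Get-ADComputer, reports any that differ from the hardened value, and resets them with Set-ADComputer only when -Remediate is given. It assumes the ActiveDirectory module is loaded and that the caller can write to the computer object.

```powershell
# Added example, not from the SS64 page: report drift in the security-sensitive
# flags that Set-ADComputer exposes and, only with -Remediate, reset them.
# Assumes the ActiveDirectory module is loaded and write access to the object.
function Repair-ComputerAccountFlags {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Identity,  # DN, GUID, SID or sAMAccountName
        [string] $Server,                            # optional DC or domain to bind to
        [switch] $Remediate                          # default is report only
    )
    $target = @{ Identity = $Identity }
    if ($Server) { $target.Server = $Server }

    # Hardened state for a member server or workstation. Each boolean maps to
    # one UAC flag (see the Key above).
    $wanted = @{
        TrustedForDelegation              = $false  # ADS_UF_TRUSTED_FOR_DELEGATION off
        AllowReversiblePasswordEncryption = $false  # ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED off
        PasswordNotRequired               = $false  # ADS_UF_PASSWD_NOTREQD off
    }
    # These are extended properties, so they must be requested explicitly.
    $computer = Get-ADComputer @target -Properties ([string[]]$wanted.Keys)

    # Domain controllers legitimately have TrustedForDelegation set; report it
    # for them but never change it here.
    $isDC  = $computer.DistinguishedName -like '*,OU=Domain Controllers,*'
    $drift = @{}
    foreach ($flag in $wanted.Keys) {
        if ($computer.$flag -ne $wanted[$flag]) { $drift[$flag] = $wanted[$flag] }
    }
    if ($isDC) { $drift.Remove('TrustedForDelegation') }

    [pscustomobject]@{
        Computer         = $computer.SamAccountName
        DomainController = $isDC
        Drift            = ($drift.Keys -join ', ')
    }

    if ($Remediate -and $drift.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($computer.DistinguishedName, "set $($drift.Keys -join ', ')")) {
        # -PassThru returns the modified object; -WhatIf/-Confirm given to this
        # function reach Set-ADComputer through SupportsShouldProcess.
        Set-ADComputer @target @drift -PassThru
    }
}

# Usage (constructed name): preview with -WhatIf before applying.
Repair-ComputerAccountFlags -Identity SRV251 -Remediate -WhatIf
```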
Set-ADComputer modifies the properties of an AD computer object. Commonly used property values can be modified using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the -Add, -Replace, -Clear and -Remove parameters.
The -Identity parameter specifies the AD computer to modify. Identify a computer by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. The -Identity parameter can also be set to an object variable, or you can pass an object through the PowerShell pipeline, for example from Get-ADComputer.
The -Instance parameter provides a way to update a computer by applying the changes made to a copy of the computer object. When you specify the -Instance parameter you should not pass the -Identity parameter.
Three ways to modify the Location property of a computer object:

Method 1:
   Set-ADComputer -Identity PC00189 -Location "London"

Method 2:
   Get-ADComputer PC00189 | Set-ADComputer -Location "London"

Method 3:
   $computer = Get-ADComputer PC00189
   $computer.Location = "London"
   Set-ADComputer -Instance $computer
Examples
Modify the SPN value for a given computer:
PS C:\> Set-ADComputer "SRV251" -ServicePrincipalName @{Replace="MSSQLSVC/SRV251.ss64.com:1456","MS OLAPSVC.3/SRV251.ss64.com:analyze"}
Modify the location for a given computer to "Stavanger, Norway":
PS C:\> Set-ADComputer "SRV251" -Location "Stavanger, Norway"
Set the 'managed by' attribute of the computer with SAM account name SRV251 to the user identified by distinguished name:
PS C:\> Set-ADComputer "SRV251" -ManagedBy "CN=SQL Administrator 01,OU=UserAccounts,OU=Managed,DC=ss64,DC=com"
Set the 'location' and 'managed-by' attributes of a given computer using the instance parameter set:
PS C:\> $comp = Get-ADComputer "SRV251"; $comp.Location = "Stavanger, Norway"
PS C:\> $comp.ManagedBy = "CN=SQL Administrator 01,OU=UserAccounts,OU=Managed,DC=ss64,DC=com"
PS C:\> Set-ADComputer -Instance $comp
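The SPN example above uses @{Replace=...}, which overwrites the whole list. When adding an SPN to a computer it is worth confirming first that no other object already holds it, since a duplicated SPN breaks Kerberos authentication to that service. The function below is an added example, not from the SS64 page or the ActiveDirectory module: it checks each SPN with an LDAP filter, then registers only the unused ones with @{Add=...}. It assumes the ActiveDirectory module is loaded; the SPN in the usage line is a constructed value.

```powershell
# Added example, not from the SS64 page: register SPNs on a computer only if
# no object in the current domain already holds them. Assumes the
# ActiveDirectory module is loaded.
function Add-UniqueComputerSpn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,  # DN, GUID, SID or sAMAccountName
        [Parameter(Mandatory)] [string[]] $Spn        # e.g. MSSQLSvc/host.ss64.com:1433
    )
    $toAdd = @()
    foreach ($s in $Spn) {
        # Escape LDAP filter metacharacters so a value such as 'HTTP/*' cannot
        # turn the uniqueness check into a wildcard match.
        $esc = $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        # Searches the current domain only; for a forest-wide check point
        # -Server at a global catalog (port 3268, as in the -Server examples).
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$esc)"
        if ($owner) {
            Write-Warning "SPN '$s' is already registered on $($owner.DistinguishedName); skipping"
        } else {
            $toAdd += $s
        }
    }
    if ($toAdd.Count -eq 0) { return }
    if ($PSCmdlet.ShouldProcess($Identity, "add SPN(s): $($toAdd -join ', ')")) {
        # @{Add=...} appends to the existing values; @{Replace=...} would
        # overwrite the whole list and $null would clear it.
        Set-ADComputer -Identity $Identity -ServicePrincipalNames @{ Add = $toAdd }
        # Return the resulting SPN list so the caller can verify the change.
        (Get-ADComputer -Identity $Identity -Properties servicePrincipalName).servicePrincipalName
    }
}

# Usage (constructed SPN): preview with -WhatIf, then run again without it.
Add-UniqueComputerSpn -Identity SRV251 -Spn 'MSSQLSvc/SRV251.ss64.com:1433' -WhatIf
```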
“A happy person is not a person in a certain set of circumstances, but rather a person with a certain set of attitudes” ~ Hugh Downs
Related PowerShell Cmdlets:
Get-ADComputer - Get one or more AD computers.
New-ADComputer - Create a new AD computer.
Remove-ADComputer - Remove an AD computer.
Add-Computer - Add a computer to the domain.