Bulk operations on AD accounts

Move

dsmove "CN=username,OU=ouname,DC=domain,DC=Com" -newparent "OU=ouname,DC=domain,DC=Com"

Rename the CN

dsmove "CN=username,OU=ouname,DC=tfsad,DC=com" -newname "newname"

Add a member to a group

dsmod group "CN=group,OU=ouname,DC=domain,DC=com" -addmbr "CN=username,OU=ouname,DC=domain,DC=Com"

Get group members

dsget group "CN=group,OU=ouname,DC=domain,DC=com" -members

Loop processing

for /f "Tokens=*" %s in ('dsquery user "OU=ouname, DC=domain, DC=com" -disabled -limit 0') do DSMOVE %s -newparent "ou=Disabled,dc=domain,dc=com"

rem Batch-file form: for each matching user, remove it from every group that dsget reports
For /F "delims=" %%w IN ('dsquery user -desc Archived "OU=Data Has Been Archived,OU=Base,OU=Staff,OU=Accounts - Archive,DC=Home,DC=co,DC=uk"') DO (
    For /F "delims=*" %%g IN ('dsget user %%w -memberof -expand') DO (
        dsmod group %%g -rmmbr %%w
    )
)

Using PowerShell

Set-ADUser $user -SamAccountName ("{0}" -f "newsam") -UserPrincipalName ("{0}@{1}" -f "upn","domain.com") 
Rename-ADObject -Identity "CN=oldcn,OU=ou,DC=domain,DC=Com" -NewName "newcn"

Bulk operations with PowerShell and a CSV file:

Bulk-change logon names

$UserList=IMPORT-CSV C:\Users\ricky\Desktop\user.csv
FOREACH ($Person in $UserList) {
   $CurrentName=$Person.ADCN
   $NewName=$Person.EmployeeID
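   # Assumption: the original value was lost to e-mail obfuscation; built like the UPN in the user-creation script on this page
   $UPN     = $NewName+"@domain.com"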
   Get-ADUser -Identity $CurrentName | Set-ADUser -SamAccountName $NewName -UserPrincipalName $UPN 
   Rename-ADObject -Identity "CN=$CurrentName,OU=ou,OU=ou,DC=domain,DC=Com" -NewName $NewName
}

Bulk-change user information

$UserList=IMPORT-CSV C:\Users\ricky\Desktop\user.csv
FOREACH ($Person in $UserList) {
   $ADCN = $Person.ADCN
   $Name = $Person.Name
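   # Name is stored surname-first: the first character is taken as the surname, the rest as the given name
   $SurName = $Person.Name.Substring(0,1)
   $GivenName = $Person.Name.Substring(1)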
   $DisplayName = $Person.Name
   $Department = $Person.DepartmentNo+"-"+$Person.Department
   $Company = $Person.Company
   $Description = $Person.Role
   $Title = $Person.Title
   Get-ADUser -Identity $ADCN | Set-ADUser -GivenName $GivenName -SurName $SurName -DisplayName $DisplayName -Department $Department -Company $Company -Description $Description -Title $Title -EmployeeID $ADCN -EmployeeNumber $ADCN
}

Bulk-create users

$UserList=IMPORT-CSV C:\Users\ricky\Desktop\user.csv
FOREACH ($Person in $UserList) {
   $ACNO = $Person.ACNO
   $UPN = $Person.ACNO+"@domain.com"
   $Name = $Person.ACNO
   $surName = $Person.Name.Substring(0,1)
   $givenName = $Person.Name.Substring(1)
   $Department = $Person.DepartmentNo+"-"+$Person.Department
   $Email = $Person.Email
   $Tel = $Person.Tel
   $Mobile = $Person.Mobile
   $Path = "OU=ou,DC=domain,DC=com"
   # Note: every account created by this line gets the same hard-coded initial password
   New-ADUser -Name $Name -givenname $givenName -surname $surName -userprincipalname $UPN -Department $Department -DisplayName $Name -EmailAddress $Email -EmployeeID $ACNO -EmployeeNumber $ACNO -Enabled $true -AccountPassword (ConvertTo-SecureString "zaq12wsX" -AsPlainText -Force) -MobilePhone $Mobile -OfficePhone $Tel -Path $Path -SamAccountName $ACNO
}
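
The creation script above gives every new account the same hard-coded initial password. The following added example (not part of the original page) issues a separate random initial password per account and forces a change at first logon; the helper name New-InitialPassword, the ACNO allow-list pattern and the sample rows are assumptions constructed for illustration.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: random password containing all four character classes
function New-InitialPassword {
    param([int]$Length = 16)
    $classes  = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%+-=?@'
    $alphabet = -join $classes
    $limit    = 256 - (256 % $alphabet.Length)   # bytes >= $limit are rejected (no modulo bias)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte     = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) { [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length]) }
            }
            $pw = $sb.ToString()
            # Retry until every class is present, as AD complexity rules expect
            $missing = $classes | Where-Object { $pw.IndexOfAny($_.ToCharArray()) -lt 0 }
        } while ($missing)
    } finally { $rng.Dispose() }
    $pw
}
# Constructed sample rows; in practice this is Import-Csv on the user.csv used above
$UserList = @'
ACNO
10001
10002
bad*name
'@ | ConvertFrom-Csv
# $issued collects one password per created account, to be handed over out of band
$issued = foreach ($Person in $UserList) {
    # sAMAccountName is limited to 20 characters; this allow-list is an assumption
    if ($Person.ACNO -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Skipping invalid ACNO '$($Person.ACNO)'"
        continue
    }
    $plain = New-InitialPassword
    try {
        New-ADUser -Name $Person.ACNO -SamAccountName $Person.ACNO `
            -UserPrincipalName ($Person.ACNO + '@domain.com') -Path 'OU=ou,DC=domain,DC=com' `
            -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
        [pscustomobject]@{ ACNO = $Person.ACNO; InitialPassword = $plain }
    } catch {
        Write-Warning "Failed to create $($Person.ACNO): $_"
    }
}
```

A password is recorded in $issued only when New-ADUser succeeded, so the list never contains credentials for accounts that were not created.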

Delete:

Remove-ADUser -Identity id -Confirm:$false

Get the last logon time:

Import-Module ActiveDirectory
$adusers = Get-ADUser -filter * -SearchBase "OU=BeforeADProject,OU=ACA Users,DC=***,DC=*****,DC=***" -Properties SamAccountName | select -expand SamAccountName
 
function Get-ADUserLastLogon([string]$userName)
{
  $dcs = Get-ADDomainController -Filter {Name -like "*"}
  $time = 0
  foreach($dc in $dcs)
  { 
    $hostname = $dc.HostName
    # lastLogon is not replicated between domain controllers, so query each one for its own value
    $user = Get-ADUser $userName -Server $hostname | Get-ADObject -Server $hostname -Properties lastLogon 
    if($user.LastLogon -gt $time) 
    {
      $time = $user.LastLogon
    }
  }
  # Keep the newest value seen on any domain controller
  $dt = [DateTime]::FromFileTime($time)
  Write-host $username "last logged on at:" $dt
}
 
 
$output = foreach ($aduser in $adusers){
    Get-ADUserLastLogon -UserName $aduser
}
 
Bulk-add users to a group

$UserList=IMPORT-CSV C:\Users\ricky\Desktop\user.csv
FOREACH ($Person in $UserList) {
   $ADCN = $Person.ADCN
   $IsEmployee = $Person.IsEmployee
   if ($IsEmployee -eq "FE")
   {
       Add-ADGroupMember -Identity GroupName -Members $ADCN
   }
}

Move:

Move-ADObject -Identity "OU=ManagedGroups,DC=Fabrikam,DC=Com" -TargetPath "OU=Managed,DC=Fabrikam,DC=Com"
