Windows 域 - 命令和常见问题
本页面记录了用于维护 Active Directory 中域用户帐户的常用 PowerShell 命令。
Get user info
User quick look
net user "jdoe" /domainUse this to check the current account state before making changes.
powershell
// get all properties of user "username"
Get-ADUser -Identity username -Properties *
Get-ADUser -Identity username -Properties DisplayName, Enabled, LockedOut, PasswordLastSet, LastLogonDate, PasswordNeverExpires |
Select-Object SamAccountName, DisplayName, Enabled, LockedOut, PasswordLastSet, LastLogonDate, PasswordNeverExpiresIf you need to search by partial name:
powershell
Get-ADUser -Filter "Name -like '*john*'" -Properties Enabled |
Select-Object Name, SamAccountName, EnabledUnlock user
Check whether the account is locked:
powershell
Get-ADUser -Identity username -Properties LockedOut |
Select-Object SamAccountName, LockedOutUnlock the account:
powershell
Unlock-ADAccount -Identity usernameReset user password
Reset the password and prompt for the new password securely:
powershell
Set-ADAccountPassword -Identity username -Reset -NewPassword (Read-Host "Enter new password" -AsSecureString)Force password change at first login
powershell
Set-ADUser -Identity username -ChangePasswordAtLogon $trueTypical helpdesk flow
This sequence covers the most common locked-account support case.
powershell
Unlock-ADAccount -Identity username
Set-ADAccountPassword -Identity username -Reset -NewPassword (Read-Host "Enter new password" -AsSecureString)
Set-ADUser -Identity username -ChangePasswordAtLogon $trueVerify the result
powershell
Get-ADUser -Identity username -Properties LockedOut, PasswordLastSet |
Select-Object SamAccountName, LockedOut, PasswordLastSetSafety notes
- Verify the account first before changing anything.
- Use
-WhatIfwhere supported before bulk changes. - Do not hardcode passwords in scripts.
- Use
-Server dc01.contoso.comif you need to target a specific domain controller.
Example with a specific domain controller
powershell
Get-ADUser -Identity username -Server dc01.contoso.com
Unlock-ADAccount -Identity username -Server dc01.contoso.com
Set-ADAccountPassword -Identity username -Server dc01.contoso.com -Reset -NewPassword (Read-Host "Enter new password" -AsSecureString)
Set-ADUser -Identity username -Server dc01.contoso.com -ChangePasswordAtLogon $true