PowerShell Logo Small


This is the built-in help made by Microsoft for the command 'Set-ADAccountControl', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.


Modifies user account control (UAC) values for an Active Directory account.


Set-ADAccountControl [-Identity] <ADAccount> [-AccountNotDelegated <Boolean>] [-AllowReversiblePasswordEncryption <Boolean>] [-AuthType {Negotiate | Basic}]
[-CannotChangePassword <Boolean>] [-Credential <PSCredential>] [-DoesNotRequirePreAuth <Boolean>] [-Enabled <Boolean>] [-HomedirRequired <Boolean>] [-MNSLogonAccount
<Boolean>] [-Partition <String>] [-PassThru] [-PasswordNeverExpires <Boolean>] [-PasswordNotRequired <Boolean>] [-Server <String>] [-TrustedForDelegation <Boolean>]
[-TrustedToAuthForDelegation <Boolean>] [-UseDESKeyOnly <Boolean>] [-Confirm] [-WhatIf] [<CommonParameters>]

Search powershellhelp.space


The Set-ADAccountControl cmdlet modifies the user account control (UAC) values for an Active Directory user or computer account. UAC values are represented by cmdlet
parameters. For example, set the PasswordExpired parameter to change whether an account is expired and to modify the ADS_UF_PASSWORD_EXPIRED UAC value.

The Identity parameter specifies the Active Directory account to modify.

You can identify an account by its distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. You can also set the Identity
parameter to an object variable such as $<localADAccountObject>, or you can pass an account object through the pipeline to the Identity parameter. For example, you can use
the Search-ADAccount cmdlet to retrieve an account object and then pass the object through the pipeline to the Set-ADAccountControl cmdlet. Similarly, you can use
Get-ADUser, Get-ADComputer or Get-ADServiceAccount cmdlets to retrieve account objects that you can pass through the pipeline to this cmdlet.

For AD LDS environments, the Partition parameter must be specified except in the following two conditions:

-- The cmdlet is run from an Active Directory provider drive.
-- A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the
msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.



Online Version: http://go.microsoft.com/fwlink/p/?linkid=291106




-------------------------- EXAMPLE 1 --------------------------

PS C:\>Set-ADAccountControl -Identity JimmyBi -PasswordNotRequired $False

This command sets the flag on userAccountControl to make sure that a password is required for logon.

-------------------------- EXAMPLE 2 --------------------------

PS C:\>Set-ADAccountControl -Identity 'CN=Jimmy Bischoff,OU=HumanResources,OU=UserAccounts,DC=FABRIKAM,DC=COM' -CannotChangePassword $True

This command sets the security descriptor of the user to make sure they cannot change their own password.

-------------------------- EXAMPLE 3 --------------------------

PS C:\>Set-ADAccountControl -Identity SQLAdmin1 -AccountNotDelegated $True

This command sets the flag on userAccountControl to make sure that the account cannot be delegated.

-------------------------- EXAMPLE 4 --------------------------

PS C:\>Set-ADAccountControl -Identity 'CN=IIS01 SvcAccount,OU=ServiceAccounts,OU=Managed,DC=FABRIKAM,DC=COM' -TrustedToAuthForDelegation $True

This command sets the flag on userAccountControl to make sure that the account is now trusted to authenticate for delegation.

-------------------------- EXAMPLE 5 --------------------------

PS C:\>Set-ADAccountControl -Identity "FABRIKAM-SRV1" -TrustedForDelegation $True

This command sets specified computer to be trusted for delegation.

-------------------------- EXAMPLE 6 --------------------------

PS C:\>Set-ADAccountControl -Identity DickBe -PasswordNeverExpires $True

This command sets the password of the user to never expire.

-------------------------- EXAMPLE 7 --------------------------

PS C:\>Set-ADAccountControl -Identity 'CN=Dick Beekman,OU=HumanResources,OU=UserAccounts,DC=FABRIKAM,DC=COM' -HomedirRequired $True

This command sets the user account to require a Home Directory.