AD User Modification

Modifying an Active Directory user is really no different than modifying any other LDAP object, but there are a few things to note. For example, using a few simple statements you can modify many of the user's properties typically seen in the "Account" tab in the "AD Users and Computers" tool:

use LdapTools\Object\LdapObjectType;


// First get the user object via a repository.
$repository = $ldapManager->getRepository(LdapObjectType::USER);
$user = $repository->findOneByUsername('chad');

// Make sure the user account is set to enabled.
// Set their password to never expire.

try {
} catch (\Exception $e) {
    echo "Error modifying user! ".$e->getMessage();

With the above statement you have just the user account to be enabled and set the password to never expire.

User Account Properties

This table contains many useful AD attributes you can toggle with a simple true or false value like above.

Property Name Description
disabled Whether or not the account is disabled.
enabled Whether or not the account is enabled.
passwordIsReversible Legacy AD setting. Should NOT be used.
passwordMustChange Set that the user's password must change on the next login.
passwordNeverExpires Set the user's password to never expire.
smartCardRequired Set that a smart card is required for interactive login.
trustedForAllDelegation Trust the user for delegation to any service (Kerberos).
trustedForAnyAuthDelegation Delegate using any authentication protocol (When selected for delegation to specific services only).

Group Membership

Group membership can be modified directly using the groups attribute on a user. You can reference a group using its name, SID, GUID, DN, or a LdapObject.

// First get the user object via a query.
$user = $ldapManager->buildLdapQuery()
    ->where(['username' => 'Chad'])

// Add a few groups by name, with the last one being by GUID
$user->addGroups('Employees', 'VPN Users', '270db4d0-249d-46a7-9cc5-eb695d9af9ac');

// Remove a group by a SID

// Reset the current groups. This will remove any groups they are currently a member of

// Add a group from the result of a separate LDAP query...
$group = $ldapManager->buildLdapQuery()
    ->where(['name' => 'IT Stuff'])

// Save the changes back to LDAP...
try {
} catch (\Exception $e) {
    echo "Error modifying groups: ".$e->getMessage();

User Log On To Workstations List

To easily modify the workstations that an account can log into, you can use the logonWorkstations attribute. This attribute functions like an array and maps to to the "Log on To..." section of an account.

// A LdapObject as the result of a search. Set the workstations allowed...
$user->setLogonWorkstations(['PC01', 'PC02', 'PC03']);

// Add only one workstation...

// Remove one of the workstations...

Account Expiration Date

To modify the date at which an account will expire, which will prevent the user from logging in past that time, you can use the accountExpirationDate attribute. This attribute accepts either a bool false (the account never expires) or a PHP \DateTime object specifying the date at which the account should expire.

// A LdapObject as the result of a search. Set the account to never expire.

// Instead, set the account to expire sometime in the future.
$user->setAccountExpirationDate(new \DateTime('2228-3-22'));

Manager Modification

You can set the manager attribute by using several values: A string GUID, string SID, a distinguished name, username, or a LdapObject:

// First get the user object via a query.
$user = $ldapManager->buildLdapQuery()
    ->where(['username' => 'Chad'])

// Set the manager via username
// Set the manager via a SID
// Set the manager via a GUID
// Set the manager via a DN

// Set the manager as a result of an LDAP object for a different query
$manager = $ldapManager->buildLdapQuery()
    ->where(['lastName' => 'Smith', 'office' => 'Head Office'])

// All of the above will ultimately produce the same result.
try {
} catch (\Exception $e) {
    echo "Error changing the manager: ".$e->getMessage();