Active Directory User (Create, Manage, Delete, Query)

Use the Active Directory User Tasks to create an Active Directory user; or to change, delete or query all users:

  • in a specific Active Directory folder (optionally including subfolders).
  • with a user logon name that matches a specific wildcard pattern.
  • with specific values for a specific property.
  • with a specific number of days since last login.

With Create Active Directory User, you can create an Active Directory User in a specific Active Directory folder, and provide basic properties: logon name, password and password settings, and names.

With Manage Active Directory User, you can

  • set and change all User properties of Active Directory users.
  • set primary and other group memberships.
  • set primary and other SMTP e-mail addresses.

For example: you can target a group of Active Directory users and change their e-mail addresses.

With Delete Active Directory User, you can delete Active Directory users, filtered by Organizational Unit, logon name, User property value and number of days since last login. This makes it possible, for example, to clean up unused Active Directory user accounts.

With Query Active Directory User, you can obtain overviews of all Active Directory Users, filtered by Organizational Unit, logon name, User property value and number of days since last login. Per Agent, the detailed Job history shows all the queried User Properties.


  • If you are going to run the Task on a Domain controller, you can leave the Domain controller field on the Settings tab empty and select Local Agent (domain controller) instead.
  • On the Settings tab, user logon name refers to the pre-Windows 2000 name.
  • In the Filter by property field, use wildcards only in combination with the operators LIKE and NOT LIKE.
  • For Active Directory users, you can define telephone numbers in different categories: home phone, mobile phone, etc. In Active Directory, a user can have several phone numbers in each category. However, with the Task Manage Active Directory User you can set only one phone number per category - so, one home phone number, one mobile phone number, etc.
  • The functionality on the E-mail addresses tab is not supported for Microsoft Exchange Server 2010. To use this functionality for Microsoft Exchange Server 2010, use the Task Manage Exchange Mailbox instead.
  • If you want to remove a primary group or primary e-mail address, set another as primary first.
  • You can only add e-mail addresses for Active Directory Users with existing Exchange e-mailboxes.
  • You can use and combine Windows variables when specifying e-mail addresses. The options are provided when you right-click the E-mail addresses field, but you can also type them in as required.
  • By default, group memberships and e-mail addresses defined on the Member of and E-mail addresses tabs are added to any existing group memberships and e-mail addresses. To replace existing lists with the list defined in the Task, select Replace all existing group memberships or Replace all existing e-mail addresses.
  • In a Task Query Active Directory User, when filtering on the property value Member of, you can specify multiple groups (by using a semi-colon separated list). Please note that the user has to be a member of ALL specified groups.

When you configure a Task to change or delete Active Directory Users that match a set of criteria, there is a risk that more Active Directory Users are targeted than expected. By selecting the option Fail this Task if the number of items affected exceeds [x], you can create a safety net that prevents undesired results.

  • When you browse for a specific OU, this information is automatically pasted in the relevant field and takes the following format: OU=IT,OU=Amsterdam,OU=Netherlands,DC=d-energy,DC=local. However, if you set a parameter in this field, the data will have to be provided at the moment of input - in the correct format. To provide an example of the format, copy a sample path and paste it as the default value for the relevant parameter. With the Input setting Show previous value, the example will be shown whenever input is required for the parameter.
  • In Tasks to set Active Directory properties for Active Directory objects, the variable %username% will be resolved as the name of the user under which the Ivanti Automation Agent runs. If you want to refer to the actual user name of the target Active Directory object instead, for example when you are setting a user's home drive using the Task Manage Active Directory User, use the variable %accountname%. This will be resolved as the pre-Windows 2000 user name of the Active Directory User, Computer, Group or Object that is being managed. This option is not available for Organizational Units.
  • When using environment variables, they sometimes should not be translated to their value on a specific Agent, but should remain as variables. If you place double percentage signs (%) around a variable, the variable is not translated to a value, but remains a variable. For example, with double percentage signs, %%WINDIR%% is translated to %WINDIR% and not to C:\windows.
  • The execution speed of Active Directory Queries may depend on the number of additional Active Directory properties that are to be reported in the query. On the Computer Properties tab, you can select a maximum number of 90 Active Directory properties.
  • When browsing for an Organizational Unit, the list of Organizational Units that is shown depends on the Security context and the Domain controller. If the Domain controller field is empty, the list of Organizational Units depends on the Domain.
  • In a Task Manage Active Directory User, when setting the Active Directory property Home folder to create a home folder for a user on a share, the user as specified in the Security Context field requires permissions to access the share and create a folder.
  • In a Task Manage Active Directory User, when setting the Active Directory property Home folder, use the following format:
    1. Home folder = Local path:
      • Local path = <drive letter:\folder> (When left empty, the 'homeDirectory' and 'homeDrive' Active Directory properties are cleared.)
    2. Home folder = Connect drive:
      • Connect drive = <drive letter>
      • Connect drive to = <\\server\share\folder> (When left empty, the 'homeDrive' Active Directory property is set to this drive letter and the 'homeDirectory' Active Directory property does not change.)
  • In a Task Manage Active Directory User you can add the Active Directory User account options User must change password at next logon and User cannot change password. However, if you add both options, this results in a conflicting combination: it will lead to a situation in which the user will be prompted to change the password at each log on, after which it will not be possible to log on. To prevent this situation, only one of the options will be selected after adding both Active Directory User account options. Although it is still possible to select both options at that point, this makes it clearer that the selection is a conflicting combination. We therefore recommend not to use this combination.
  • In a Task Query Active Directory User, when selecting the option Filter number of days since last login (for example, greater than 90 days), it can take a while to run this Task. When this option is selected, first all Domain Controllers of the specified domain will be queried and then the Last-Logon attribute of each user on each Domain Controller will be queried. The reason is that Microsoft does not replicate the Last-Logon user attribute between Domain Controllers. For more information go to
  • It is possible to abort long-running Active Directory Query Tasks. It may take around 10 seconds for the abort to be detected by the Agent, after which the Job will fail with status Aborted. Long-running Active Directory Tasks that update, move or delete Active Directory objects cannot be aborted - the Task will always run until it is completed.
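The following PowerShell script is an added example, not part of Ivanti Automation, that shows what the Task does behind the scenes for the "days since last login" filter and the "Fail this Task if the number of items affected exceeds [x]" safety net: it asks every Domain Controller for the non-replicated Last-Logon attribute, keeps the newest value per user, and stops before any change is made when more accounts match than the configured limit. The OU path is the sample path from this page; the 90-day threshold and the limit of 25 accounts are assumed values.

```powershell
# Added example: true last logon across all DCs plus a safety-net count check.
# Requires the RSAT ActiveDirectory module; run in a security context that can read the OU.
Import-Module ActiveDirectory

$SearchBase   = 'OU=IT,OU=Amsterdam,OU=Netherlands,DC=d-energy,DC=local'  # sample path from the page
$InactiveDays = 90   # assumed: same threshold as the "greater than 90 days" example above
$MaxAffected  = 25   # assumed: the [x] of "Fail this Task if the number of items affected exceeds [x]"

$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$lastSeen = @{}      # SamAccountName -> newest lastLogon observed on any Domain Controller

# lastLogon is not replicated, so each DC only knows about logons it handled itself.
foreach ($dc in Get-ADDomainController -Filter *) {
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Server $dc.HostName -Properties lastLogon
    foreach ($u in $users) {
        # lastLogon is a FILETIME; 0 means this DC never authenticated the user
        $t = if ($u.lastLogon -gt 0) { [DateTime]::FromFileTime($u.lastLogon) } else { [DateTime]::MinValue }
        if (-not $lastSeen.ContainsKey($u.SamAccountName) -or $t -gt $lastSeen[$u.SamAccountName]) {
            $lastSeen[$u.SamAccountName] = $t
        }
    }
}

# Users whose newest logon on any DC is older than the cutoff (or who never logged on).
$stale = @($lastSeen.GetEnumerator() | Where-Object { $_.Value -lt $cutoff })

# Safety net: a filter that matches more accounts than expected is a sign of a wrong
# OU path or property filter, so abort before touching anything.
if ($stale.Count -gt $MaxAffected) {
    throw "Safety net: $($stale.Count) accounts match, limit is $MaxAffected. Refine the filter first."
}

# Report only. A disable or delete step would go here once the list has been reviewed.
$stale | Sort-Object Value | ForEach-Object {
    $when = if ($_.Value -eq [DateTime]::MinValue) { 'never' } else { $_.Value.ToString('yyyy-MM-dd') }
    '{0,-25} last logon: {1}' -f $_.Key, $when
}
```

Because Last-Logon is read from every Domain Controller, the script takes as long as the slowest DC responds, which is the same reason the Query Task itself can be slow with this filter.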