A lot of people, I am sure, have written about PowerShell scripts to add new users and then automate the whole process. Many of the ones I have found revolve around the very nice Quest Software cmdlets, but I wanted to understand the inner workings and also produce a full script that will load users and groups from a file.
This is part 1 of 4 in how to automate user creation. The steps for all four parts should work if you are directly on the server with the AD role or using Remote Server Administration Tools (RSAT) via Windows 7.
Step 1 – AD PowerShell Modules:
Before we can begin the script we need to confirm that the Active Directory module has been loaded. At the PowerShell prompt enter: Get-Command -Module active* | Measure-Object
This command lists the commands from every loaded module whose name begins with ‘active’ and pipes them to Measure-Object, which gives a count of what was found. Your result will look like the following if the module has not been loaded.
You are looking for a count of 76. If you got a count of 76 or more, skip on to Step 2. For the rest of us, we now need to load the AD module so we can get to the fun part and write a script. At the PowerShell prompt enter: Import-Module active*
The wildcard is used again to pick up every related module, which saves retyping each module's name. Depending on the speed of the machine you may briefly see a green progress bar at the top of the PowerShell window.
Run Get-Command -Module active* | Measure-Object again to confirm that the AD module has loaded.
Now we are ready to begin the script.
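The same check, wrapped as a reusable function so a script can fail early with a clear message instead of erroring on the first New-ADUser call. This is an added example and not part of the original post; it assumes the module is named ActiveDirectory (the RSAT/AD DS module name) and uses the post's expected count of 76 as the threshold.

```powershell
# Added example (not from the original post): verify the ActiveDirectory
# module is installed and loaded before any user-creation commands run.
function Initialize-ADModule {
    param(
        # The command count the post expects once the module is loaded
        [int] $MinimumCommands = 76
    )

    # Is the module installed at all (AD DS role or RSAT)?
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw "ActiveDirectory module not found. Install the AD DS role or RSAT first."
    }

    # Import-Module is safe to repeat, so import unconditionally.
    Import-Module ActiveDirectory -ErrorAction Stop

    # Same check as the manual step: count the commands the module exposes.
    $count = (Get-Command -Module ActiveDirectory | Measure-Object).Count
    if ($count -lt $MinimumCommands) {
        throw "Only $count ActiveDirectory commands loaded; expected at least $MinimumCommands."
    }

    Write-Verbose "ActiveDirectory module loaded with $count commands."
    return $count
}

# Usage: stop the script here if the module is missing or incomplete.
Initialize-ADModule -Verbose
```

Calling Initialize-ADModule at the top of the later script replaces the manual Get-Command / Import-Module sequence and makes a missing RSAT install obvious at once.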
Step 2 – Learn the Command:
The cmdlet used to add new users is New-ADUser. By using the Get-Help cmdlet you can learn the details or review the details on MSDN at http://technet.microsoft.com/en-us/library/ee617253.aspx.
Here are the highlights of the New-ADUser cmdlet that I found most important for our script. Most of the common AD properties you would normally set are available as parameters; any additional properties can be set through the -OtherAttributes parameter.
As I just want some basic users for development purposes, we will not be concerned with that parameter. The parameters we will be using are:
-SamAccountName
- This parameter is the Security Account Manager (SAM) account name for the user created.
- This is a required value.
-Name
- String name to identify the new user by.
- This is a required value.
-AccountPassword
- Provides the password for the new user.
- Setting the password can fail if it does not meet the domain password policy. The user account will still be created though.
- This parameter requires a secure string value, which can be generated via a separate object or entered via a prompt.
- Example, via prompt: -AccountPassword (Read-Host -AsSecureString "password")
- Example, as object: $thePassword = ConvertTo-SecureString "password" -AsPlainText -Force;
-CannotChangePassword
- Use $false or $true.
-PasswordNeverExpires
- Use $false or $true.
- Cannot be set to $true if ChangePasswordAtLogon is $true.
-Description
- Defines the description of the new user.
-DisplayName
- Defines the name displayed for the user.
-Enabled
- Use $false or $true.
- This defaults to $false, so be sure to set it accordingly.
-EmailAddress
- The user's email address.
-Server
- The domain controller to connect to.
- When not supplied, this is defaulted from, in order: the Server value of objects passed through the pipeline, the server information of the AD PowerShell provider drive, and finally the domain of the computer running PowerShell.
-Path
- This parameter sets the Organizational Unit (OU) or container the new user is added to.
- If this parameter is not defined, the cmdlet creates the new user in the default user container for the domain.
-PassThru
- With this parameter the created user object is returned.
Step 3 – Try Out the Command:
Before I begin a script I like to write the single command once to make sure it behaves as I expect. So at the command prompt enter:
$thePassword = ConvertTo-SecureString "password" -AsPlainText -Force;
Then, at the command prompt, enter:
New-ADUser -SamAccountName "myTest2SAM" -Name "myTest2Name" -AccountPassword $thePassword -CannotChangePassword $true -PasswordNeverExpires $true -Description "Test description" -DisplayName "myTest2DisplayName" -Enabled $true -EmailAddress "myTest2@rainfly.com" -Server "rainfly.com";
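The same one-liner, reworked as an added example (not the original post's script) that uses the -Path and -PassThru parameters from Step 2 and handles the caveat noted there: New-ADUser can create the account and then fail to set the password if it violates the domain policy. The values for the domain, SAM name and display name are the post's own sample values; the OU in -Path is a placeholder that must be replaced, and the password is read from a prompt so it never sits in the script or the shell history.

```powershell
# Added example, not from the original post: create the Step 3 test user with
# splatted parameters and detect a half-created account.
Import-Module ActiveDirectory

# Prompt for the password instead of embedding plain text in the script.
$thePassword = Read-Host -AsSecureString "Password for myTest2SAM"

$userParams = @{
    SamAccountName       = 'myTest2SAM'            # post's sample value
    Name                 = 'myTest2Name'           # post's sample value
    DisplayName          = 'myTest2DisplayName'    # post's sample value
    Description          = 'Test description'
    EmailAddress         = 'myTest2@rainfly.com'   # post's sample domain
    AccountPassword      = $thePassword
    CannotChangePassword = $true
    PasswordNeverExpires = $true
    Enabled              = $true
    Server               = 'rainfly.com'
    Path                 = 'OU=PLACEHOLDER,DC=rainfly,DC=com'   # placeholder OU, replace
    PassThru             = $true
}

try {
    # -ErrorAction Stop turns the cmdlet's error into a catchable exception.
    $newUser = New-ADUser @userParams -ErrorAction Stop
    Write-Output "Created $($newUser.DistinguishedName)"
}
catch {
    Write-Warning "New-ADUser failed: $($_.Exception.Message)"

    # Step 2 caveat: a password-policy failure still leaves the account behind.
    # Look for it and make sure it is disabled rather than left half-configured.
    $leftover = Get-ADUser -Filter "SamAccountName -eq '$($userParams.SamAccountName)'" `
                           -Server $userParams.Server -ErrorAction SilentlyContinue
    if ($leftover) {
        Disable-ADAccount -Identity $leftover -Server $userParams.Server
        Write-Warning "Account $($leftover.SamAccountName) exists but was disabled because its password was not set."
    }
}
```

Omit the Path entry from the hashtable to get the post's default behaviour of creating the user in the domain's default user container; PassThru is what makes $newUser carry the created object so its distinguished name can be reported.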