Good news, everyone! Did you know that it is super easy to add users to Active Directory with PowerShell? Yep, not kidding. It really is super easy.
Prerequisites For Using Active Directory with PowerShell
Since we now have our lab test domain, we’re going to need to populate it with users.
Fortunately, adding user accounts to Active Directory with PowerShell is an absolute breeze. Even mad scientist wannabe’s like myself can tackle the problem head on.
First things first, we need to make certain to meet all the requirements in order to use Active Directory with PowerShell.
Make sure you have the following:
Active Directory
Remote Server Administration Tools (RSAT for Windows 10)
Only required if you’re running from a machine that isn’t a domain controller. Alternatively, you could remotely connect to a domain controller.
PowerShell (on and warmed up)
List of users to import into Active Directory
Coffee (or your beverage of choice)
Let’s dive in!
Adding Users to Active Directory with PowerShell
First, let’s check out what commands are available for Active Directory with PowerShell. I’m going to narrow it down to all the Active Directory cmdlets that start with the word New-
(since we want to create new users):
Based off the results, I’m thinking that New-ADUser
is going to be the star of our blog. Let’s look at what parameters are available.
In newer versions of PowerShell on Windows 10 and later, the module PSReadLine is installed and imported by default, so I can type the following to see the parameters of New-ADUser
:
New-ADUser -
(You can then press Ctrl+Space to see the list pop up, as in the screenshot below.)
Looking at the available parameters, we should have more than plenty to work with. (Definitely way too many to cover in this blog!)
Starting small
Starting small seems like the prudent choice. If we can get it working with a simple example, we can start adding more and more options as we see fit.
Let’s just try creating a user with:
New-AdUser -Name Test
No news is good news. The command seems to have completed without error, so let’s go check out our new user object in Active Directory.
Looks like the account was created successfully, but there are a few things to note about the newly created account:
No password set by default
Not enabled (because there’s no password)
No basic information (such as names or user information)
No attributes defined
Default OU location (typically the default Users OU)
This seems like more work to cleanup than it might be worth. With that, let’s move on.
A more complicated example
Let’s up our game a bit more by defining some extra fields and providing a temporary password for our account with ConvertTo-SecureString.
Since I’m going to provide a lot of parameters, I’m going to utilize a technique known as splatting.
$Attributes = @{
Enabled = $true
ChangePasswordAtLogon = $true
UserPrincipalName = "[email protected]"
Name = "Test.Guy"
GivenName = "Test"
Surname = "Guy"
DisplayName = "Test Guy III"
Description = "This is the account for the third test guy."
Office = "No office for test guy."
Company = "PDQ.com"
Department = "IT"
Title = "Some guy"
City = "Salt Lake City"
State = "Utah"
AccountPassword = "TotallyFakePassword123" | ConvertTo-SecureString -AsPlainText -Force
}
New-ADUser @Attributes
Once again, no news is good news. As mentioned above, the @Attributes
is using a technique known as splatting, which uses a hash table to pass named parameters. Our $Attributes
variable is being defined as a hash table in this example.
We can verify that our user is actually created:
Adding users to Active Directory with a .csv file
Now that we’ve figured out how to do some complicated examples, we want to be able to create multiple accounts at once. No more Mr. Test Guy.
Plus, I’d like to specify the OU that I’d like the accounts to reside in.
We need to match up our fields from our .csv file to the fields in Active Directory.
Here’s what our user list looks like:
Based off the screenshot above, we have less data than we did for our Test Guy account. So, we’re not going to use all the same fields that we used in the last example.
Plus, some of the columns in our .csv file are slightly different from what Active Directory is expecting, so we’ll need to make sure to map them properly in our PowerShell script.
With that, here’s one final example importing the csv (Import-Csv), integrating a loop and .csv file. (Please note that if you’re specifying a different OU, you’ll need to use the DistinguishedName attribute.
$UserList = Import-Csv -Path 'C:\temp\user list.csv'
foreach ($User in $UserList) {
$Attributes = @{
Enabled = $true
ChangePasswordAtLogon = $true
Path = "OU=Futurama Users,DC=pdqlabs,DC=org"
Name = "$($User.First) $($User.Last)"
UserPrincipalName = "$($User.First).$($User.Last)@pdqlabs.org"
SamAccountName = "$($User.First).$($User.Last)"
GivenName = $User.First
Surname = $User.Last
Company = $User.Company
Department = $User.Department
Title = $User.Title
AccountPassword = "TotallyFakePassword123" | ConvertTo-SecureString -AsPlainText -Force
}
New-ADUser @Attributes
You can see that I’m using the first and last names in the .csv file to create the Name
, UserPrincipalName
, and the SamAccountName
values. The $()
syntax is for subexpressions, check out this blog for more info.
In any case, let’s go verify that our accounts were created.
Everything looks good! Our lab is ready to roll with our fancy new users.
Wrapping Up
Today was all about the basic, no frills importing of users into Active Directory. Perhaps we’ll go into a little more complicated example in the near future.
Until then, happy PowerShell-ing!
I don’t know about you, but I’m off to find a lab coat; I need to embrace my inner mad scientist persona.