Creating Active Directory Users with PowerShell

In my last post, we covered building an Active Directory lab using VMware; this post is a continuation of that. We will discuss PowerShell a little and use some scripts to carry out tasks.

Content

  • What is PowerShell
  • How to Create an AD User in PowerShell
  • How to Create Multiple Users
  • How to Create Multiple Users From a CSV File
  • Conclusion

What is PowerShell?

PowerShell is a cross-platform task automation solution consisting of a command-line shell, a scripting language, and a configuration management framework. PowerShell started out on Windows. It was meant to help with task automation for administration tasks but has now grown to be cross-platform and can be used for various tasks. PowerShell runs on Windows, Linux, and macOS.
It is designed to allow IT professionals, system admins, and help desk to improve their management capabilities, automate redundant tasks, and manage their enterprise environment at scale.

The goal of this lab is to add new users to a domain using PowerShell instead of the more common method, which involves manually opening the Server Manager console and navigating to Active Directory Users and Computers (ADUC) to create these users.

Let’s get started. Note that your machine should be joined to the same domain as the user accounts you’d like to create. You need to be connected to Active Directory for this lab and have permission to create new user accounts. You can either be on a Domain Controller or have RSAT (Remote Server Administration Tools) installed. RSAT is a tool set used by IT admins to connect to and control Windows servers from a Windows machine; it lets them remotely manage roles and features in Windows Server. To install RSAT, follow the steps here.

For this lab, I used RSAT to connect and use the features in my Domain Controller.

How to Create an AD User in PowerShell

First, we will look at adding a new user to the Domain with a PowerShell Script. To write the PowerShell script, we will use the PowerShell ISE (Integrated Scripting Environment); this is the default editor for Windows PowerShell. It allows users to run commands and debug scripts in a Windows GUI environment. To use the PowerShell ISE, follow the steps:

  • Go to Search
  • Type in PowerShell
  • Choose Windows PowerShell ISE

We have the PowerShell ISE open. It lets users write and debug scripts in the script interface and run commands in the PowerShell console pane below.

Let’s break down the script above. The cmdlet (cmdlets are the lightweight commands used in PowerShell) New-ADUser will be required. To use the New-ADUser cmdlet, we will need the Active Directory module for this task. A module is a package that contains items such as cmdlets, functions, etc. To import the module into your PowerShell session, run this command:
Import-Module ActiveDirectory

Next, we create variables to hold the user’s basic information. The variables firstname and lastname will store the user’s first and last names, respectively. Some businesses use standardized passwords when creating users and require the users to change them when they first sign in; for this lab, we will use a standardized password, PassWord1!, stored in the variable password. The Read-Host cmdlet will be used to prompt you for the user’s name and read what you type. We will use the echo command (an alias of Write-Output) to display the user’s full name on the screen.

Next, we will need the path to which organizational unit (OU) the user will be created in. To get the OU path, follow the steps.

  • Go to Server Manager
  • Select Tools >> Active Directory Users and Computers

I created an organizational unit named PowerShellUsers to contain our new users. To get the OU path, follow the steps:

  • Select the View Tab
  • Select Advanced view

You should get something similar on your screen

  • Select your OU
  • Right-click and select Properties >> Attribute Editor >> distinguishedName

I have the OU path as OU=PowerShellUsers,DC=HOMELAB,DC=local

To pass the default password in a protected form, we must use the ConvertTo-SecureString cmdlet (New-ADUser’s -AccountPassword parameter only accepts a SecureString). We store the result in the variable securePassword. The command will be:

$securePassword = ConvertTo-SecureString $password -AsPlainText -Force

Now it’s time to include the cmdlet New-ADUser; you can find the full syntax by running the command 'Get-Command New-ADUser -Syntax' or checking out this link.
Here’s the script we will use:
New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -UserPrincipalName "$firstname.$lastname" -Path $OUpath -AccountPassword $securePassword -ChangePasswordAtLogon $True -Enabled $True
I am going to assume the parameters (these can also be called options or arguments; they give more detail to the cmdlet you want to execute) are pretty self-explanatory. Let’s see the result when the script is executed (press F5 to run a script).

As we can see, the user Tony Stark was successfully created.

How to Create Multiple Users

Next up is to create multiple users; if we use our first script, we will have to go back and run the script repeatedly for each user we create. We can streamline this process a little bit.

Now, we will use a similar script, but this one includes a while loop. A while loop runs the commands in its command block for as long as a conditional test evaluates to true; in simpler terms, it keeps running while the specified condition is true. You can run Get-Help while to understand the statement better.
First, we declare the variable exit as empty and give the while loop its condition: if the variable exit is not equal to the character q, the commands in the command block are executed. Otherwise, when exit equals q, the loop ends.
When we run this script, it proceeds like our previous script. The only difference is that after the user is created, you will be prompted to enter ‘q’ to quit; if you enter anything other than ‘q’, it loops back and asks for the next user’s information. This allows us to create multiple users without the script stopping. Note that the New-ADUser line remains the same; it is no different from the one we had in the previous script.
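The following is an added example, not the script from the original post (the post’s scripts exist only as screenshots). It combines the single-user section above with the while loop described here: the creation logic is wrapped in a function so it can be called once or in a loop, and it adds two things a practitioner would want that the post does not show: a Get-ADUser check so an existing account is reported instead of New-ADUser throwing, and the UPN built as sAMAccountName@domain, since a UPN without the @suffix is stored but cannot be used to log on. The OU path is the post’s own; the UPN suffix homelab.local is assumed from the DC= components of that path, and the function name New-LabUser is hypothetical.

```powershell
# Added example (not the original post's script). Assumes a machine joined to the
# post's lab domain, run by a user allowed to create accounts in the target OU.
Import-Module ActiveDirectory

$OUpath         = 'OU=PowerShellUsers,DC=HOMELAB,DC=local'   # from the post
$upnSuffix      = 'homelab.local'                            # assumed from the OU's DC= parts
$password       = 'PassWord1!'                               # standardized first-logon password
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force

function New-LabUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName
    )
    # sAMAccountName is limited to 20 characters, so use first initial + surname.
    $sam = ('{0}{1}' -f $FirstName.Substring(0, 1), $LastName).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Report an existing account instead of letting New-ADUser fail mid-loop.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Account $sam already exists; skipping $FirstName $LastName."
        return
    }

    # ShouldProcess lets the caller dry-run with -WhatIf before touching the directory.
    if ($PSCmdlet.ShouldProcess("$FirstName $LastName", 'Create AD user')) {
        New-ADUser -Name "$FirstName $LastName" `
                   -GivenName $FirstName -Surname $LastName `
                   -SamAccountName $sam `
                   -UserPrincipalName "$sam@$upnSuffix" `
                   -Path $OUpath `
                   -AccountPassword $securePassword `
                   -ChangePasswordAtLogon $true `
                   -Enabled $true
        # Read the object back so the console shows what was actually written.
        Get-ADUser -Identity $sam -Properties UserPrincipalName |
            Select-Object Name, SamAccountName, UserPrincipalName, Enabled
    }
}

# The while loop from the post: keep prompting until the operator enters q.
$exit = ''
while ($exit -ne 'q') {
    $firstname = Read-Host -Prompt "Enter the user's first name"
    $lastname  = Read-Host -Prompt "Enter the user's last name"
    Write-Output "Creating user: $firstname $lastname"
    New-LabUser -FirstName $firstname -LastName $lastname
    $exit = Read-Host -Prompt "Enter q to quit, or anything else to add another user"
}
```

Running New-LabUser -FirstName Tony -LastName Stark -WhatIf prints what would be created without changing the directory, which is a useful first run against a new OU path. Note that the default password sits in the script in clear text; -ChangePasswordAtLogon $true forces it to be rotated at first sign-in, and if the script will be kept around, prompting with Read-Host -AsSecureString avoids storing it at all.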

As we can see, the users Steve Rogers, Brue Banner, and Thor Odinson were successfully created.

How to Create Multiple Users from a CSV file

So let’s go a step further. Suppose you were given an Excel file with a bunch of users’ information, and you’re tasked with adding them to AD; doing it manually can be tiresome for anyone. A great option is to create users in AD by importing them from a CSV file. This option is convenient when you have a list of users with predefined details such as FirstName, LastName, Department, Phone Number, Email Address, Job Title, Job Description, etc.

For example, my Excel file of users consists of 6 columns with three users (you can include more in yours if you want). The first step is to save your Excel file in CSV format.

Next, we import this CSV file. We create the variable filepath to hold the path of the CSV file and use the cmdlet Import-Csv to read the file with your users; the result is stored in the users variable.
Next, we use the foreach statement to process each row as a single object. It runs the commands in its command block once for each row (user). We use the user variable to represent the iterator, i.e. the value of the current row, as the loop goes over the rows and passes the appropriate CSV fields to the expected parameters of New-ADUser. Simply put, it reads each row and runs the action on it. E.g.:
For the first line, $fname = $user.Firstname. foreach takes each object (row) and evaluates .Firstname, which tells PowerShell to read the entry under the Firstname column, i.e. the user’s first name. It does the same for $lname, $jtitle, etc. foreach repeats this for every row and ends after the last one.
I know this may seem complicated at first, but go through it a couple of times to take it in. Also, you can check here for more information on foreach.

Here is the new New-ADUser command for this script. It’s not so different from the previous ones. The script will create enabled user objects for any users in the CSV that don’t already have accounts in AD, and the “User must change password at next logon” option will be set on the new accounts.

New-ADUser -Name "$fname $lname" -GivenName $fname -Surname $lname -UserPrincipalName "$fname.$lname" -Title $jtitle -OfficePhone $phone -EmailAddress $email -Path $OUpath -AccountPassword $securePassword -ChangePasswordAtLogon $True -Enabled $True
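As an added example (not the post’s own script), here is the whole CSV import put together so it can be run end to end. The CSV content is constructed inline with the six columns the post describes and is written to a temporary file; in practice $filepath points at the file exported from Excel. It goes a little beyond the post’s single command: rows with an empty name are reported rather than sent to New-ADUser, rows whose account already exists are skipped (the text says only users without accounts should be created; the constructed data includes a duplicate row to show this), and a failed row is caught so one bad entry does not stop the import. The OU path is the post’s; the UPN suffix homelab.local is assumed from it.

```powershell
# Added example (not the original post's script). Bulk creation from a CSV with
# an existence check per row and per-row error handling.
Import-Module ActiveDirectory

$OUpath         = 'OU=PowerShellUsers,DC=HOMELAB,DC=local'   # from the post
$upnSuffix      = 'homelab.local'                            # assumed from the OU path
$securePassword = ConvertTo-SecureString 'PassWord1!' -AsPlainText -Force

# Constructed sample input with the six columns described in the post.
# The third row duplicates the first to show the existence check in action.
$filepath = Join-Path $env:TEMP 'newusers.csv'
@'
Firstname,Lastname,JobTitle,Department,Phone,Email
Peter,Parker,Photographer,Media,555-0101,peter.parker@homelab.local
Natasha,Romanoff,Analyst,Security,555-0102,natasha.romanoff@homelab.local
Peter,Parker,Photographer,Media,555-0101,peter.parker@homelab.local
'@ | Set-Content -Path $filepath -Encoding UTF8

$users   = Import-Csv -Path $filepath
$created = @()
$skipped = @()

foreach ($user in $users) {
    # Same field mapping as the post; Trim() removes stray spaces from the spreadsheet.
    $fname  = $user.Firstname.Trim()
    $lname  = $user.Lastname.Trim()
    $jtitle = $user.JobTitle
    $dept   = $user.Department
    $phone  = $user.Phone
    $email  = $user.Email

    # A row without a first and last name cannot become a valid account.
    if (-not $fname -or -not $lname) {
        $skipped += "row with empty name: $($user | ConvertTo-Json -Compress)"
        continue
    }

    # Logon name: first.last, cut to the 20-character sAMAccountName limit.
    $sam = "$fname.$lname".ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Only create users that do not already have an account.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        $skipped += "$sam (already exists)"
        continue
    }

    try {
        New-ADUser -Name "$fname $lname" -GivenName $fname -Surname $lname `
                   -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
                   -Title $jtitle -Department $dept -OfficePhone $phone -EmailAddress $email `
                   -Path $OUpath -AccountPassword $securePassword `
                   -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
        $created += $sam
    }
    catch {
        # -ErrorAction Stop turns the cmdlet error into an exception we can record
        # (wrong OU path, password policy rejection, etc.) and carry on with the next row.
        $skipped += "$sam ($($_.Exception.Message))"
    }
}

Write-Output "Created: $($created -join ', ')"
Write-Output "Skipped: $($skipped -join '; ')"
Remove-Item $filepath
```

With the constructed file, the first two rows are created and the third is reported as “peter.parker (already exists)”. Running the script once with -WhatIf added to the New-ADUser line is a cheap way to confirm the column names in your own CSV match the $user.<column> references before any accounts are written.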

As we can see, the users were successfully created.

Conclusion

Now you know how to create a single user account, or a large number of accounts in bulk if needed, in Active Directory using PowerShell scripts. PowerShell is a powerful scripting language that many system admins and other IT professionals rely on to automate a wide range of tasks. I hope you found this PowerShell-for-beginners post useful!
