
PowerShell to Create New Users in Active Directory

In this post, I’ll show you how to create a new user, modify an existing user and remove an old user in Windows Active Directory using PowerShell.

Create a Single User in Active Directory

The PowerShell New-ADUser CMDlet is used for creating a user in Active Directory.

PowerShell offers multiple ways to not only create a single user but to create Active Directory user objects in bulk. The CMDlet New-ADUser doesn’t have many mandatory parameters but you can use optional parameters while creating a new user.

  • Using the OtherAttributes parameter, you can set attribute values that have no corresponding cmdlet parameter. The attribute name needs to be enclosed in single quotes when using this parameter.
  • To create a user, you must give the SamAccountName parameter.
  • The container or organizational unit (OU) for the new user is specified using the Path parameter. When the Path option is not used, the cmdlet creates a user object in the domain’s default user object container.

The following techniques describe various ways to build an object using this cmdlet:

  • With the New-ADUser command, use the OtherAttributes parameter to set any attributes and values for which there is no dedicated parameter.
  • A new user can be created from a template. Use the Instance parameter to copy the attributes of an existing user object to the new object; the object passed to the Instance parameter is used as the template.
  • To create Active Directory user objects in bulk, combine the Import-Csv cmdlet with the New-ADUser cmdlet.
    • Import a CSV file with a list of object properties to construct custom objects using the Import-Csv cmdlet.
    • The New-ADUser cmdlet can then be used to construct user objects by passing these objects through its pipeline.
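As an added example (not code from the original post), the following creates a user from an existing account used as a template with -Instance and sets an attribute that has no dedicated parameter via -OtherAttributes. The template account Template.Sales, the Sales OU and the domain lpde4.local are assumed.

```powershell
# Added example: template-based creation with -Instance plus -OtherAttributes.
# Assumes (hypothetical) template account 'Template.Sales' and OU 'OU=Sales,DC=lpde4,DC=local'.
Import-Module ActiveDirectory

# Fetch the template with the attributes you want copied; Get-ADUser returns only
# a default subset unless -Properties names the rest.
$template = Get-ADUser -Identity 'Template.Sales' -Properties Department, Title, Company, Office

# Identity-specific values (Name, SamAccountName, UPN, password) are never copied
# from the template and must be given explicitly.
New-ADUser -Instance $template `
    -Name 'Morgan Reyes' -GivenName 'Morgan' -Surname 'Reyes' `
    -SamAccountName 'M.Reyes' -UserPrincipalName 'M.Reyes@lpde4.local' `
    -Path 'OU=Sales,DC=lpde4,DC=local' `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -ChangePasswordAtLogon $true -Enabled $true `
    -OtherAttributes @{ 'extensionAttribute1' = 'SALES-TEMPLATE' }   # attribute name in single quotes

# Verify that both the copied and the extra attributes landed on the new object
Get-ADUser -Identity 'M.Reyes' -Properties Department, Title, Company, extensionAttribute1 |
    Select-Object SamAccountName, Department, Title, Company, extensionAttribute1
```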

The following shows examples of the different parameters that can be used:

New-ADUser -Name "username" -SamAccountName "username" -DisplayName "username" -GivenName "Username" -Surname "surname" -AccountPassword (Read-Host -AsSecureString "Message") -Enabled $true -Path "CN=Users,DC=Doc,DC=Com" -CannotChangePassword $false -ChangePasswordAtLogon $true -PasswordNeverExpires $false -EmailAddress "email" -EmployeeID "ID" -Department "string"

Below are the descriptions of parameters used in the above CMDlet:

Parameter              Description
---------------------  -----------
AccountExpirationDate  Specify the account's expiration date
AccountPassword        Specify the account's password
AuthType               Select the authentication type when running the command
CannotChangePassword   Prevent the account owner from changing the password (usually used for service accounts)
ChangePasswordAtLogon  Force the user to change the account password at the next login
City                   Specify the city for the user account
Company                Specify the company for the user account
Confirm                Get a confirmation prompt to run the cmdlet
Country                Specify the country for the user account
Credential             Run the command with alternative credentials
Department             Specify the user's department
Description            Specify a description for the user account
DisplayName            Specify the display name of the account
EmailAddress           Specify the account's email address
EmployeeID             Specify the user's employee ID
Enabled                Enable the user account
Instance               Create a user account based on an existing account, such as one with the same department and title properties as the account you are creating
Manager                Specify the manager of the user account
Office                 Specify the office attribute of the user account
Organization           Specify the user's organization
OtherAttributes        Specify the value for an attribute for which there is no corresponding parameter in the cmdlet, such as the extensionAttribute1 to 15 attributes
PasswordNeverExpires   Force the account's password to never expire
PasswordNotRequired    Specify that the account, such as a service account, does not require a password
Path                   Specify the OU path to create the user account in
SamAccountName         Specify the account's SAMAccountName attribute, a logon name used to support clients and servers running earlier versions of Windows, such as Windows NT 4.0, Windows 95 or LAN Manager
Server                 Connect to an alternate DC while running the command
State                  Specify the user's US state
StreetAddress          Specify the user's address
Title                  Specify the user's title
Type                   Specify the user object's type, such as a normal user or an inetOrgPerson user
UserPrincipalName      Specify the account's userPrincipalName (UPN), which is typically the name that the user will use to log on
WhatIf                 See what the output of the cmdlet would be without actually running it

After executing the command, PowerShell will ask for the password.

Enter the password and the user will be created.

Creating Bulk Users in Active Directory

Before creating the bulk users through PowerShell using the Import-CSV CMDlet, you will need to create a CSV file. The following is an example of the CSV file required:

Now, execute the following command to create bulk users in AD.

Import-CSV d:\Share\testing.csv | New-ADUser

The Import-CSV provides pipeline input to the New-ADUser CMDlet. It processes the values of the CSV file to create the new users. Executing this command will load the Active Directory module first.

After completing the action, you’ll return to the same prompt.

Check Active Directory for the newly created users.
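An added example, not the post's own script, of the bulk pattern above with a constructed CSV embedded inline (the column headers must match New-ADUser parameter names), an existence check per row, and a per-account SecureString password so the file itself never holds credentials. The domain lpde4.local and the OUs are assumed.

```powershell
# Added example: bulk creation from CSV with an existence check and safe password handling.
# Assumes domain lpde4.local and the OUs named in the (constructed) sample rows.
Import-Module ActiveDirectory

# Constructed sample data; in practice use: Import-Csv -Path 'd:\Share\testing.csv'
$csv = @'
Name,GivenName,Surname,SamAccountName,UserPrincipalName,Path,Department
Ash Williams,Ash,Williams,A.Williams,A.Williams@lpde4.local,"OU=Managers,DC=lpde4,DC=local",Management
Neal Gamby,Neal,Gamby,Neal.Gamby,Neal.Gamby@lpde4.local,"OU=NBC,DC=lpde4,DC=local",News
'@
$rows = $csv | ConvertFrom-Csv

foreach ($row in $rows) {
    # Skip rows whose sAMAccountName already exists instead of failing mid-batch
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
        Write-Warning "Skipping $($row.SamAccountName): account already exists"
        continue
    }

    # A password column in the CSV would sit on disk in clear text; prompt per
    # account instead so the file never carries secrets.
    $password = Read-Host -AsSecureString "Initial password for $($row.SamAccountName)"

    # Splat the CSV columns onto the matching New-ADUser parameters
    $params = @{
        Name                  = $row.Name
        GivenName             = $row.GivenName
        Surname               = $row.Surname
        SamAccountName        = $row.SamAccountName
        UserPrincipalName     = $row.UserPrincipalName
        Path                  = $row.Path
        Department            = $row.Department
        AccountPassword       = $password
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    try {
        New-ADUser @params -ErrorAction Stop
    } catch {
        Write-Error "Failed to create $($row.SamAccountName): $_"
    }
}

# Verify: accounts created in the last 10 minutes, with their state and container
Get-ADUser -Filter * -SearchBase 'DC=lpde4,DC=local' -Properties whenCreated |
    Where-Object { $_.whenCreated -gt (Get-Date).AddMinutes(-10) } |
    Select-Object SamAccountName, Enabled, DistinguishedName, whenCreated
```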

Examples where Users would be Created with PowerShell

Here are some examples of where you may want to use PowerShell to add user accounts:

  • Create a new user account.
  • Create a user account in a particular OU.
  • Create a user and set attributes not covered by the cmdlet’s parameters.
  • Create an inetOrgPerson user.
  • Create a new user based on an existing AD user.
  • Create multiple user accounts using a CSV file.
  • Create users in bulk using a PowerShell script.
  • Create users in bulk by importing their attributes from a CSV file.

Create a New User Account

Specify only the account name.

The simplest example is creating a new user account by specifying only its name attribute:

New-ADUser "M. Byrde"

Running this will create the user but won’t show any output. To check whether the user was added successfully, we can list all Active Directory users using the following:

Get-ADUser -Filter * -Properties samAccountName | select samAccountName

However, the user we just created has more attributes than just a name; the following attributes are set by default:

  • The account is created in the ‘Users’ container.
  • The account is disabled.
  • The account is a member of the Domain Users group.
  • The user must reset the password at the first logon.

Note that many attributes are not populated, including the password attribute, meaning that no password is set.

Specify Additional Attributes

To resolve this, we can create a new account that is usable by specifying more attributes:

New-ADUser -Name "Ash Williams" -GivenName "Ash" -Surname "Williams" -SamAccountName "A.Williams" -UserPrincipalName "A.Williams@lpde4.local" -Path "OU=Managers,DC=lpde4,DC=com" -AccountPassword (Read-Host -AsSecureString "Input password")

The Read-Host cmdlet will prompt you to input a new password. Note that the password should meet the length, complexity and history requirements of your domain security policy.

Let’s now see the results by running the following cmdlet:

Get-ADUser A.Williams -Properties CanonicalName, Enabled, GivenName, Surname, Name, UserPrincipalName, samAccountName, whenCreated, PasswordLastSet

To create a user account with even more attributes, use the following command:

New-ADUser -Name "Justin Hammer" -GivenName "Justin" -Surname "Hammer" -SamAccountName "Justin-Hammer" -AccountPassword (ConvertTo-SecureString -AsPlainText "webdir123R" -Force) -ChangePasswordAtLogon $True -Company "ABC Limited" -Title "CEO" -State "California" -City "San Francisco" -Description "Test Account Creation" -EmployeeNumber "45" -Department "Engineering" -DisplayName "Justin Hammer" -Country "US" -PostalCode "94001" -Enabled $True

To see a few of the new user’s attributes, use the following:

Get-ADUser -Identity Justin-Hammer -Properties * | select name,samaccountname,company,title,department,city,state,country,description,employeenumber,postalcode

Modify Users in Active Directory

Use the Set-ADUser CMDlet to modify the user in AD.

Set-ADUser -Identity "CN=TestUser7,CN=Users,DC=www,DC=DOC,DC=com" -SamAccountName "TestUser7" -LogonWorkstations "Test"

Some of the available parameters for this CMDlet are listed below.

Parameter             Description
--------------------  -----------
Identity              Specifies the location of the user in Active Directory. Its value can be given in the following format: -Identity "CN=Username,CN=Users,DC=www,DC=doc,DC=com"
PasswordNeverExpires  Specifies whether the account password will never expire.
PasswordNotRequired   Specifies whether a password is required or not.
SamAccountName        Specifies the SAM account name of the user.
LogonWorkstations     Specifies the workstations on which the user can log on. Its values have to be provided in the following format: -LogonWorkstations "workstation1,workstation2.www.domain.com"

Reset Password for AD Users

You can reset the password of a user with the Set-ADAccountPassword CMDlet.

Set-ADAccountPassword -Identity "CN=TestUser7,CN=Users,DC=www,DC=DOC,DC=com" -Reset -NewPassword (Read-Host -AsSecureString "New password")
# -Reset performs an administrative reset, so the old password is not required

Some of the accepted parameters for this CMDlet are listed below.

Parameter    Description
-----------  -----------
Identity     Specifies the location of the user in Active Directory. Its value can be given in the following format: -Identity "CN=Username,CN=Users,DC=www,DC=doc,DC=com"
OldPassword  Specifies the old password.
NewPassword  Specifies the new password.

Both OldPassword and NewPassword must be provided as SecureString values, so they should be supplied in the following format:

-NewPassword (Read-Host -AsSecureString "Message")
-OldPassword (Read-Host -AsSecureString "Message")

After executing the command, PowerShell will ask for the new password. Enter the new password and hit Enter key to apply the change.
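As an added example (not from the original post), both forms of Set-ADAccountPassword for the TestUser7 account above: a user-initiated change that needs the old password, and an administrative reset followed by forcing a change at next logon so the value set by an admin is short-lived. The DN is the one used in this section; the domain is assumed to exist.

```powershell
# Added example: password change vs. administrative reset, with a follow-up check.
# Assumes the account DN used above exists in domain www.doc.com.
Import-Module ActiveDirectory
$identity = 'CN=TestUser7,CN=Users,DC=www,DC=DOC,DC=com'

# 1. Password change on behalf of the user: the current password is required and
#    the domain's password policy (length, complexity, history) is enforced.
Set-ADAccountPassword -Identity $identity `
    -OldPassword (Read-Host -AsSecureString 'Current password') `
    -NewPassword (Read-Host -AsSecureString 'New password')

# 2. Administrative reset with -Reset: no old password needed. Force a change at
#    next logon so the temporary value is not kept in use.
Set-ADAccountPassword -Identity $identity -Reset `
    -NewPassword (Read-Host -AsSecureString 'Temporary password')
Set-ADUser -Identity $identity -ChangePasswordAtLogon $true

# Confirm: PasswordLastSet shows the reset time, and pwdLastSet = 0 means the user
# must change the password at next logon.
Get-ADUser -Identity $identity -Properties PasswordLastSet, pwdLastSet |
    Select-Object SamAccountName, PasswordLastSet, pwdLastSet
```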

Removing an Active Directory User Account

You can remove a user account using the Remove-ADUser CMDlet.

Remove-ADUser -Identity "CN=Username,CN=Users,DC=doc,DC=com"

After you press Enter, the cmdlet asks for confirmation before deleting the user.

Press Y to confirm the action.

Create an inetOrgPerson User

Most user objects in Active Directory have the class of user. But you can also create user objects with the class inetOrgPerson, which has user as a parent class. The inetOrgPerson class facilitates integration with certain applications and simplifies the migration of certain user objects into Active Directory.

To create an inetOrgPerson user account, simply include the -Type parameter and specify inetOrgPerson as its value:

New-ADUser -Name "Neal Gamby" -Path "OU=NBC,DC=LPDE4,DC=local" -GivenName "Neal" -Surname "Gamby" -SamAccountName "Neal.Gamby" -AccountPassword (ConvertTo-SecureString -AsPlainText "webdir123R" -Force) -ChangePasswordAtLogon $True -DisplayName "Neal Gamby" -Enabled $True -Type inetOrgPerson

Conclusion

To ensure the security of your Active Directory, it is important to keep track of user creation, modification and deletion activities. With native methods, it is very difficult to monitor these activities. Lepide Active Directory Auditor can help you audit user creation, modification and deletion in real time, along with other important AD changes.
