Add Users to Active Directory with PowerShell

Good news, everyone! Did you know that it is super easy to add users to Active Directory with PowerShell? Yep, not kidding. It really is super easy.

This reminds me of my college days…

*start reminiscing now*

Once upon a time, I went to college and studied science. Life was good. Scientists are cool. Bowties are cool. I was going to have my own lab someday which is also cool.

One day, however, I realized that I was far better with computers than I’d ever be with tiny molecules and stuff. They’re so tiny!

*end reminiscing with a sigh*

Fast forward to now, and I work with computers for a living, bending them to my will — sans lab.

But, the dream of working in a lab lives on… in our pdq LAB test domain!

To the lab!  *Queue old-school Batman transition theme* (I dare you to click that link and not smile!)

Using Active Directory with PowerShell – Prerequisites

Since we now have our fancy lab test domain, we’re going to need to populate it with users.

Fortunately, adding user accounts to Active Directory with PowerShell is an absolute breeze. Even mad scientist wannabe’s like myself can tackle the problem head on.

First things first, we need to make certain to meet all the requirements in order to use Active Directory with PowerShell.

Make sure you have the following:

  • Active Directory
  • Remote Server Administration Tools (RSAT for Windows 10)
    • Only required if you’re running from a machine that isn’t a domain controller. Alternatively, you could remotely connect to a domain controller.
  • PowerShell (on and warmed up)
  • List of users to import into Active Directory
  • Coffee (or your beverage of choice)

Let’s dive in!

Adding Users to Active Directory with PowerShell

First, let’s check out what commands are available for Active Directory with PowerShell. I’m going to narrow it down to all the Active Directory cmdlets that start with the word New- (since we want to create new users):

Based off the results, I’m thinking that New-ADUser is going to be the star of our blog. Let’s look at what parameters are available.

In newer versions of PowerShell on Windows 10 and later, the module PSReadLine is installed and imported by default, so I can type the following to see the parameters of New-ADUser:

New-ADUser -

(You can then press Ctrl+Space to see the list pop up, as in the screenshot below.)

Looking at the available parameters, we should have more than plenty to work with. (Definitely way too many to cover in this blog!)

Starting small

Starting small seems like the prudent choice. If we can get it working with a simple example, we can start adding more and more options as we see fit.

Let’s just try creating a user with:

New-AdUser -Name Test

No news is good news. The command seems to have completed without error, so let’s go check out our new user object in Active Directory.

Looks like the account was created successfully, but there are a few things to note about the newly created account:

  • No password set by default
  • Not enabled (because there’s no password)
  • No basic information (such as names or user information)
  • No attributes defined
  • Default OU location (typically the default Users OU)

This seems like more work to cleanup than it might be worth. With that, let’s move on.

A more complicated example

Let’s up our game a bit more by defining some extra fields and providing a temporary password for our account.

Since I’m going to provide a lot of parameters, I’m going to utilize a technique known as splatting.

$Attributes = @{

   Enabled = $true
   ChangePasswordAtLogon = $true

   UserPrincipalName = "test.guy@pdqlabs.org"
   Name = "Test.Guy"
   GivenName = "Test"
   Surname = "Guy"
   DisplayName = "Test Guy III"
   Description = "This is the account for the third test guy."
   Office = "No office for test guy."

   Company = "PDQ.com"
   Department = "IT"
   Title = "Some guy"
   City = "Salt Lake City"
   State = "Utah"

   AccountPassword = "TotallyFakePassword123" | ConvertTo-SecureString -AsPlainText -Force

}

New-ADUser @Attributes

Once again, no news is good news. As mentioned above, the @Attributes is using a technique known as splatting, which uses a hash table to pass named parameters. Our $Attributes variable is being defined as a hash table in this example.

We can verify that our user is actually created:

Adding users to Active Directory with a .csv file

Now that we’ve figured out how to do some complicated examples, we want to be able to create multiple accounts at once. No more Mr. Test Guy.

Plus, I’d like to specify the OU that I’d like the accounts to reside in.

We need to match up our fields from our .csv file to the fields in Active Directory.

Here’s what our user list looks like:

Based off the screenshot above, we have less data than we did for our Test Guy account. So, we’re not going to use all the same fields that we used in the last example.

Plus, some of the columns in our .csv file are slightly different from what Active Directory is expecting, so we’ll need to make sure to map them properly in our PowerShell script.

With that, here’s one final example integrating a loop and .csv file. (Please note that if you’re specifying a different OU, you’ll need to use the DistinguishedName attribute.

$UserList = Import-Csv -Path 'C:\temp\user list.csv' 

foreach ($User in $UserList) {

     $Attributes = @{

        Enabled = $true
        ChangePasswordAtLogon = $true
        Path = "OU=Futurama Users,DC=pdqlabs,DC=org"

        Name = "$($User.First) $($User.Last)"
        UserPrincipalName = "$($User.First).$($User.Last)@pdqlabs.org"
        SamAccountName = "$($User.First).$($User.Last)"

        GivenName = $User.First
        Surname = $User.Last

        Company = $User.Company
        Department = $User.Department
        Title = $User.Title
        AccountPassword = "TotallyFakePassword123" | ConvertTo-SecureString -AsPlainText -Force

     }

    New-ADUser @Attributes

}

You can see that I’m using the first and last names in the .csv file to create the Name, UserPrincipalName, and the SamAccountName values. The $() syntax is for subexpressions, check out this blog for more info.

In any case, let’s go verify that our accounts were created.

 

Everything looks good! Our lab is ready to roll with our fancy new users.

Wrapping Up

Today was all about the basic, no frills importing of users into Active Directory. Perhaps we’ll go into a little more complicated example in the near future.

Until then, happy Powershelling!

I don’t know about you, but I’m off to find a lab coat; I need to embrace my inner mad scientist persona.



Follow @admarsenal on Twitter

Your email address will not be published.

Your Name