What is the PowerShell equivalent of DSAdd?

Brock Bingham|September 7, 2021

Active Directory, or AD for short, is an obscure little utility developed by a not very well-known mom-and-pop shop called Microsoft. You probably haven't heard of it. If, by some chance, you have heard of Active Directory and my copious amounts of sarcasm didn't fool you, then you'll know that Active Directory is a pretty big deal. So big, in fact, that somewhere around 95% of Fortune 500 companies utilize it.

But AD by itself is not much more than a glorified DNS server with some free DFS on the side. It's up to you to make the most of AD by adding objects to it, such as user and computer objects.

So how do we add objects to AD? Well, you could add objects using the Active Directory Users and Computers interface, which is probably how most new sysadmins learned to do it. Or, you could display your dominance by using the CMD prompt like a boss. However, if you really want to take things to the next level and secure your spot as the top sysadmin in your organization, there's only one option good enough for you — PowerShell!

Adding Objects To AD With DSAdd

Before we dive into the PowerShell, let's first look at its command prompt counterpart, DSAdd. 

DSAdd is a pretty straightforward command-line utility that allows users to add objects to AD. Keep in mind that DSAdd is traditionally only available on servers with Active Directory Domain Services or Active Directory Lightweight Directory Services installed. However, you can get around this limitation by using PSExec or Remote Server Admin Tools.

Here is a list of the objects that can be added to AD using DSAdd:

  • DSAdd Computer

  • DSAdd Contact

  • DSAdd Group

  • DSAdd OU

  • DSAdd User

  • DSAdd Quota

In many organizations, DSAdd was primarily used when large quantities of objects needed to be added to AD. If you had a list of a hundred new user accounts that needed to be created, it was much more efficient to complete the task as a batch job with DSAdd versus manually creating each account via the GUI interface.

Here's a simple example command for adding a user to AD with DSAdd.

dsadd user "cn=Bor Burison,ou=Asgard_Users,dc=whiskeytime,dc=club" -upn [email protected] -disabled no -pwd A$gard1ans -mustchpwd yes

In this example, we're adding the user Bor Burison to AD. We've designated the OU as Asgard_Users and set the userPrincipalName as [email protected]. We've marked the account as enabled (-disabled no) and set the password as A$gard1ans. Lastly, we've designated that the password has to be changed at the next logon.

While DSAdd is capable enough at what it does, it still has many limitations when compared to its PowerShell alternative.

The PowerShell Equivalent Of DSAdd Is New-AD...

This CMD to PowerShell conversion isn't as simple as other commands we've covered because it's not just one command. Normally, I include the help file associated with the cmdlet we're covering. However, since we're covering multiple commands, I'll just include what is probably the most commonly used command. Remember, you can always display the help file in PowerShell with the Get-Help command.

NAME
    New-ADUser

SYNOPSIS
    Creates a new Active Directory user.

SYNTAX
    New-ADUser [-Name] <String> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>]
    [-AccountPassword <SecureString>] [-AllowReversiblePasswordEncryption <Boolean>]
    [-AuthenticationPolicy <ADAuthenticationPolicy>] [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>]
    [-AuthType {Negotiate | Basic}] [-CannotChangePassword <Boolean>] [-Certificates <X509Certificate[]>]
    [-ChangePasswordAtLogon <Boolean>] [-City <String>] [-Company <String>]
    [-CompoundIdentitySupported <Boolean>] [-Country <String>] [-Credential <PSCredential>]
    [-Department <String>] [-Description <String>] [-DisplayName <String>] [-Division <String>]
    [-EmailAddress <String>] [-EmployeeID <String>] [-EmployeeNumber <String>] [-Enabled <Boolean>]
    [-Fax <String>] [-GivenName <String>] [-HomeDirectory <String>] [-HomeDrive <String>]
    [-HomePage <String>] [-HomePhone <String>] [-Initials <String>] [-Instance <ADUser>]
    [-KerberosEncryptionType {None | DES | RC4 | AES128 | AES256}] [-LogonWorkstations <String>]
    [-Manager <ADUser>] [-MobilePhone <String>] [-Office <String>] [-OfficePhone <String>]
    [-Organization <String>] [-OtherAttributes <Hashtable>] [-OtherName <String>] [-PassThru]
    [-PasswordNeverExpires <Boolean>] [-PasswordNotRequired <Boolean>] [-Path <String>]
    [-POBox <String>] [-PostalCode <String>] [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]
    [-ProfilePath <String>] [-SamAccountName <String>] [-ScriptPath <String>] [-Server <String>]
    [-ServicePrincipalNames <String[]>] [-SmartcardLogonRequired <Boolean>] [-State <String>]
    [-StreetAddress <String>] [-Surname <String>] [-Title <String>] [-TrustedForDelegation <Boolean>]
    [-Type <String>] [-UserPrincipalName <String>] [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
    The New-ADUser cmdlet creates a new Active Directory user. You can set commonly used user property values by using the cmdlet parameters.

    Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter. When using this parameter be sure to place single quotes around the attribute name as in the following example.

    New-ADUser -SamAccountName "glenjohn" -GivenName "Glen" -Surname "John" -DisplayName "Glen John" -Path 'CN=Users,DC=fabrikam,DC=local' -OtherAttributes @{'msDS-PhoneticDisplayName'="GlenJohn"}

    You must specify the SAMAccountName parameter to create a user.

    You can use the New-ADUser cmdlet to create different types of user accounts such as iNetOrgPerson accounts. To do this in AD DS, set the Type parameter to the LDAP display name for the type of account you want to create. This type can be any class in the Active Directory schema that is a subclass of user and that has an object category of person.

    The Path parameter specifies the container or organizational unit (OU) for the new user. When you do not specify the Path parameter, the cmdlet creates a user object in the default container for user objects in the domain.

    The following methods explain different ways to create an object by using this cmdlet.

    Method 1: Use the New-ADUser cmdlet, specify the required parameters, and set any additional property values by using the cmdlet parameters.

    Method 2: Use a template to create the new object. To do this, create a new user object or retrieve a copy of an existing user object and set the Instance parameter to this object. The object provided to the Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters. For examples and more information, see the Instance parameter description for this cmdlet.

    Method 3: Use the Import-CSV cmdlet with the New-ADUser cmdlet to create multiple Active Directory user objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to the New-ADUser cmdlet to create the user objects.

RELATED LINKS
    Online Version: http://go.microsoft.com/fwlink/p/?linkid=291077
    Get-ADUser
    Remove-ADUser
    Set-ADUser

REMARKS
    To see the examples, type: "get-help New-ADUser -examples".
    For more information, type: "get-help New-ADUser -detailed".
    For technical information, type: "get-help New-ADUser -full".
    For online help, type: "get-help New-ADUser -online"

You'll notice the New-ADUser cmdlet includes loads of optional parameters; that's because of the large number of attributes that can be configured with user accounts in AD.

Let's take a look at some examples of each of the cmdlets.

Example 1: Import Users With New-ADUser And A CSV File

Import-Module ActiveDirectory

Import-Csv "C:\Scripts\Import Users\users.csv" | ForEach-Object {
    # Build the userPrincipalName from the samAccountName and the domain name
    $userPrincipal = $_."samAccountName" + "@whiskeytime.club"

    # Create the account using values from the current CSV row
    New-ADUser -Name $_.Name `
        -Path $_."ParentOU" `
        -SamAccountName $_."samAccountName" `
        -UserPrincipalName $userPrincipal `
        -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force) `
        -ChangePasswordAtLogon $true `
        -Enabled $true `
        -EmailAddress $userPrincipal

    # Add the new account to the Asgardians group
    Add-ADGroupMember "Asgardians" $_."samAccountName"
}
[Image: new-aduser csv]

Here is the PowerShell script and the CSV file information we'll be using for this example. Let's go over the script and see how it works.

First, we're importing the ActiveDirectory module to ensure we have access to the cmdlets we'll be running. Next, we're importing the CSV file and piping it to a ForEach loop. Then we define the variable we'll be using for the userPrincipalName attribute by combining the samAccountName and the domain name @whiskeytime.club. Next, we're using the New-ADUser cmdlet to create the accounts in Active Directory, defining several account attributes using values and data from the CSV file. Lastly, we're assigning the accounts to the Asgardians group.

Importing users via a CSV file is one of the more common uses for the New-ADUser command. Whether you're importing dozens, hundreds, or even thousands of accounts, New-ADUser is the way to go. Just make sure you do plenty of testing and ensure the data is accurate before you pull the trigger on this one.
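A pre-flight check for the CSV import above, as an added example that is not part of the original article: it validates every row (empty fields, the 20-character sAMAccountName limit, disallowed characters, duplicates within the file, a DN-shaped ParentOU) and only then calls New-ADUser as a -WhatIf dry run with a random password per account instead of one shared literal. Test-ImportRow, New-InitialPassword and the sample rows are hypothetical and constructed for illustration.

```powershell
# Added example. Constructed sample rows using the article's CSV columns.
$rows = @'
Name,samAccountName,ParentOU
Thor Odinson,thor.odinson,"OU=Asgard_Users,DC=whiskeytime,DC=club"
Loki Laufeyson,thor.odinson,"OU=Asgard_Users,DC=whiskeytime,DC=club"
Hela Odinsdottir,,"OU=Asgard_Users,DC=whiskeytime,DC=club"
Heimdall,heimdall.the.gatekeeper,Asgard_Users
'@ | ConvertFrom-Csv

function Test-ImportRow {   # hypothetical helper: emits one string per problem
    param($Row, [hashtable]$Seen)
    $sam = $Row.samAccountName
    if ([string]::IsNullOrWhiteSpace($Row.Name)) { 'Name is empty' }
    if ([string]::IsNullOrWhiteSpace($sam)) { 'samAccountName is empty' } else {
        if ($sam.Length -gt 20) { 'samAccountName exceeds 20 characters' }
        if ($sam -match '["/\\\[\]:;|=,+*?<>]') { 'samAccountName has a disallowed character' }
        if ($Seen.ContainsKey($sam)) { "samAccountName already used on line $($Seen[$sam])" }
    }
    if ($Row.ParentOU -notmatch '^(OU|CN)=.+,DC=') { 'ParentOU is not a distinguished name' }
}

function New-InitialPassword {   # hypothetical helper: random 16-character password
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] 16
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })   # 256 % 64 = 0, so no bias
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $rng.Dispose()
    $pw
}

$seen = @{}; $line = 1          # line 1 of the file is the header
$report = foreach ($r in $rows) {
    $line++
    $problems = @(Test-ImportRow -Row $r -Seen $seen)
    if ($r.samAccountName -and -not $seen.ContainsKey($r.samAccountName)) { $seen[$r.samAccountName] = $line }
    [pscustomobject]@{ Line = $line; Name = $r.Name; Problems = $problems -join '; ' }
}
$report | Format-Table -AutoSize -Wrap
if (-not ($report | Where-Object Problems)) {   # create nothing unless every row is clean
    foreach ($r in $rows) {
        $pw = ConvertTo-SecureString (New-InitialPassword) -AsPlainText -Force   # unique per account
        New-ADUser -Name $r.Name -Path $r.ParentOU -SamAccountName $r.samAccountName `
            -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true -WhatIf   # dry run
    }
}
```

With the constructed rows, three of the four lines are reported and nothing is created. Once the report is clean and -WhatIf is removed, each generated password has to reach its user through a separate channel.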

Example 2: Create A Computer Object With New-ADComputer

New-ADComputer -Name "AMORA" -samAccountName "AMORA" -Path "OU=Asgard_Computers,DC=whiskeytime,DC=club" -Enabled $true -Description "Amora The Enchantress"

Creating new computer objects in AD with the New-ADComputer cmdlet is pretty straightforward. After calling the New-ADComputer cmdlet, we assign values to multiple parameters. The Name and samAccountName are both AMORA. The -Path parameter designates the OU where we want the computer to reside. Lastly, we've set the computer to be enabled and given it a description. Here's the final result.

[Image: new-adcomputer]

Example 3: Using New-ADOrganizationalUnit And New-ADGroup To Create New OUs And Groups

New-ADOrganizationalUnit -Name "Asgard_Groups" -Path "DC=whiskeytime,DC=club"

New-ADGroup -Name "Asgardians_of_the_Galaxy" -SamAccountName Asgardians_of_the_Galaxy -GroupCategory Security -GroupScope Global -DisplayName "Asgardians of the Galaxy" -Path "OU=Asgard_Groups,DC=whiskeytime,DC=club" -Description "Members of this group are Asgardians"

Add-ADGroupMember -Identity Asgardians_of_the_Galaxy -Members asgardian.one, asgardian.two, asgardian.three

We're giving you a three-for-one with this example. This is actually three different commands all rolled into one.

The first command is creating a new OU with the New-ADOrganizationalUnit cmdlet. We've given it a name and the path for its location.

The second command is creating a new group with the New-ADGroup command. We've set it as a global security group, given it a name, and placed it into the new OU we just created.

The last command is the Add-ADGroupMember cmdlet, which assigns users to groups. We've used it to assign three different users to the group we just created.

Here is the final result.

[Image: new-adou new-adgroup]

Wrapping Up

Creating the occasional user or group using Active Directory Users and Computers is fine. However, if you've got a massive amount of new objects to create in AD, PowerShell is the way to go. It will save you hours of monotonous work, leaving you plenty of time for other things, like arguing with people online about why Hawaiian pizza is obviously the superior pizza.

Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.
