Active Directory, or AD for short, is an obscure little utility developed by a not very well-known mom-and-pop shop called Microsoft. You probably haven't heard of it. If, by some chance, you have heard of Active Directory and my copious amounts of sarcasm didn't fool you, then you'll know that Active Directory is a pretty big deal. So big, in fact, that somewhere around 95% of Fortune 500 companies utilize it.
But AD by itself is not much more than a glorified DNS server with some free DFS on the side. It's up to you to make the most of AD by adding objects to it, such as user and computer objects.
So how do we add objects to AD? Well, you could add objects using the Active Directory Users and Computers interface, which is probably how most new sysadmins learned to do it. Or, you could display your dominance by using the CMD prompt like a boss. However, if you really want to take things to the next level and secure your spot as the top sysadmin in your organization, there's only one option good enough for you — PowerShell!
Adding Objects To AD With DSAdd
Before we dive into the PowerShell, let's first look at its command prompt counterpart, DSAdd.
DSAdd is a pretty straightforward command-line utility that allows users to add objects to AD. Keep in mind that DSAdd is traditionally only available on servers with Active Directory Domain Services or Active Directory Lightweight Directory Services installed. However, you can get around this limitation by using PSExec or Remote Server Admin Tools.
Here is a list of the objects that can be added to AD using DSAdd:
In many organizations, DSAdd was primarily used when large quantities of objects needed to be added to AD. If you had a list of a hundred new user accounts that needed to be created, it was much more efficient to complete the task as a batch job with DSAdd versus manually creating each account via the GUI interface.
Here's a simple example command for adding a user to AD with DSAdd.
In this example, we're adding the user Bor Burison to AD. We've designated the OU as Asgard_Users and set the userPrincipalName as email@example.com. We've marked the account as enabled (-disabled no) and set the password as A$gard1ans. Lastly, we've designated that the password has to be changed at the next logon.
While DSAdd is capable enough at what it does, it still has many limitations when compared to its PowerShell alternative.
The PowerShell Equivalent Of DSAdd Is New-AD...
This CMD to PowerShell conversion isn't as simple as other commands we've covered because it's not just one command. Normally, I include the help file associated with the cmdlet we're covering. However, since we're covering multiple commands, I'll just include what is probably the most commonly used command. Remember, you can always display the help file in PowerShell with the Get-Help command.
You'll notice the New-ADUser cmdlet includes loads of optional parameters; that's because of the large number of attributes that can be configured with user accounts in AD.
Let's take a look at some examples of each of the cmdlets.
Example 1: Import Users With New-ADUser And A CSV File
Here is the PowerShell script and the CSV file information we'll be using for this example. Let's go over the script and see how it works.
First, we're importing the ActiveDirectory module to ensure we have access to the cmdlets we'll be running. Next, we're importing the CSV file and piping it to a ForEach loop. Then we define the variable we'll be using for the userPrincipalName attribute by combining the samAccountName and the domain name @whiskeytime.club. Next, we're using the New-ADUser cmdlet to create the accounts in Active Directory. Then, we define several account attributes using values and data from the CSV file. Lastly, we're assigning the accounts to the Asgardians group.
Importing users via a CSV file is one of the more common uses for the New-ADUser command. Whether you're importing dozens, hundreds, or even thousands of accounts, New-ADUser is the way to go. Just make sure you do plenty of testing and ensure the data is accurate before you pull the trigger on this one.
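The import described above, with the testing step built in, as an added example that is not the script from the original post: it validates the CSV before touching AD and defaults to a -WhatIf dry run. The CSV column names (FirstName, LastName, SamAccountName), the file name, and the OU path are assumptions; the UPN suffix and group name come from the article.

```powershell
Import-Module ActiveDirectory

$DryRun    = $true                                      # set to $false after reviewing the -WhatIf output
$CsvPath   = '.\new_users.csv'                          # hypothetical file name
$OuPath    = 'OU=Asgard_Users,DC=whiskeytime,DC=club'   # assumed OU location
$UpnSuffix = '@whiskeytime.club'                        # from the article
$Group     = 'Asgardians'                               # from the article

# Prompt once for the initial password so it is never stored in the CSV or the script.
$InitialPassword = Read-Host -Prompt 'Initial password for new accounts' -AsSecureString

$rows = @(Import-Csv -Path $CsvPath)

# Pre-flight: treat the CSV as untrusted input and reject the whole batch on any bad row.
# The pattern (20-character samAccountName limit) also keeps quotes out of the -Filter string below.
$bad = @($rows | Where-Object {
    -not $_.FirstName -or -not $_.LastName -or
    $_.SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$'
})
$dupes = @($rows | Group-Object -Property SamAccountName | Where-Object { $_.Count -gt 1 })
if ($bad.Count -or $dupes.Count) {
    throw "CSV rejected: $($bad.Count) invalid row(s), $($dupes.Count) duplicated samAccountName(s)."
}

foreach ($row in $rows) {
    $sam = $row.SamAccountName

    # Skip existing accounts instead of failing halfway through the batch.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping $sam (account already exists)"
        continue
    }

    $params = @{
        Name                  = "$($row.FirstName) $($row.LastName)"
        GivenName             = $row.FirstName
        Surname               = $row.LastName
        SamAccountName        = $sam
        UserPrincipalName     = "$sam$UpnSuffix"
        Path                  = $OuPath
        AccountPassword       = $InitialPassword
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    New-ADUser @params -WhatIf:$DryRun

    # Group membership can only be set once the account really exists.
    if (-not $DryRun) { Add-ADGroupMember -Identity $Group -Members $sam }
}
```

Every account in the batch gets the same prompted initial password, which ChangePasswordAtLogon forces each user to replace at first sign-in.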
Example 2: Create A Computer Object With New-ADComputer
Creating new computer objects in AD with the New-ADComputer cmdlet is pretty straightforward. After calling the New-ADComputer cmdlet, we assign values to multiple parameters. The Name and samAccountName are both AMORA. The -Path parameter is designating the OU where we want the computer to reside. Lastly, we've set the computer to be enabled and given it a description. Here's the final result.
Example 3: Using New-ADOrganizationalUnit And New-ADGroup To Create New OUs And Groups
We're giving you a three-for-one with this example. This is actually three different commands all rolled into one.
The first command is creating a new OU with the New-ADOrganizationalUnit cmdlet. We've given it a name and the path for its location.
The second command is creating a new group with the New-ADGroup command. We've set it as a global security group, given it a name, and placed it into the new OU we just created.
The last command is the Add-ADGroupMember cmdlet, which assigns users to groups. We've used it to assign three different users to the group we just created.
Here is the final result.
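The steps from Examples 2 and 3 written so they can be re-run safely, as an added example that is not the code from the original post: each object is created only if it is missing, and the resulting group membership is listed for review. The domain DN, OU name, group name, member names, and description are hypothetical, and placing the AMORA computer in the same OU is a simplification.

```powershell
Import-Module ActiveDirectory

# All names below are hypothetical except AMORA, which the article uses.
$DomainDn  = 'DC=whiskeytime,DC=club'
$OuName    = 'Example_OU'
$GroupName = 'Example_Group'
$Members   = 'user1', 'user2', 'user3'
$OuDn      = "OU=$OuName,$DomainDn"

# OU: create only if it is missing directly under the domain root.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# Group: global security group placed inside the OU.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $OuDn
}

# Members: add only accounts that exist and are not already in the group.
$current = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object { $_.SamAccountName })
foreach ($m in $Members) {
    if ($m -in $current) { continue }
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$m'")) {
        Write-Warning "No such user: $m"
        continue
    }
    Add-ADGroupMember -Identity $GroupName -Members $m
}

# Computer object: enabled, with a description, created only if absent.
if (-not (Get-ADComputer -Filter "Name -eq 'AMORA'")) {
    New-ADComputer -Name 'AMORA' -SamAccountName 'AMORA' -Path $OuDn `
        -Enabled $true -Description 'Example description'
}

# Review the resulting membership before handing the group any permissions.
Get-ADGroupMember -Identity $GroupName | Select-Object Name, SamAccountName, objectClass
```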
Creating the occasional user or group using Active Directory Users and Computers is fine. However, if you've got a massive amount of new objects to create in AD, PowerShell is the way to go. It will save you hours of monotonous work, leaving you plenty of time for other things, like arguing with people online about why Hawaiian pizza is obviously the superior pizza.
Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.