
PowerShell: Create new Active Directory users

In my previous “PowerShell: Create new Active Directory groups, change group membership” blog post I published a PowerShell script that automates Active Directory group creation. Today I needed to create multiple test user accounts and, as there were 12 accounts created already, the TestUser account number should start from 13.
All New-ADUser cmdlet parameters can be found <here>.

Let’s look into the different ways a user account password can be configured. More details on -AccountPassword:

AccountPassword

Specifies a new password value for an account. This value is stored as an encrypted string.

The following conditions apply based on the manner in which the password parameter is used:

$null password is specified – No password is set and the account is disabled unless it is requested to be enabled
No password is specified – No password is set and the account is disabled unless it is requested to be enabled
User password is specified – Password is set and the account is disabled unless it is requested to be enabled
Notes:
User accounts, by default, are created without a password. If you provide a password, an attempt will be made to set that password however, this can fail due to password policy restrictions. The user account will still be created and you may use Set-ADAccountPassword to set the password on that account. In order to ensure that accounts remain secure, user accounts will never be enabled unless a valid password is set or PasswordNotRequired is set to true.
The account is created if the password fails for any reason.

The following example shows one method to set this parameter. This command will prompt you to enter the password.
-AccountPassword (Read-Host -AsSecureString "AccountPassword")

I need all test users' passwords to be the same. Before a chosen password can be used with -AccountPassword, you need to convert the plain-text password into a SecureString:

$password = "Passw0rd"
$SecurePassword = ConvertTo-SecureString -String $password -AsPlainText -Force

…and, of course, I would like to have them enabled:

-Enabled $true

The script:

# If you need to use another account that has permissions to create AD users:
# $LoginPassword = Get-Credential   - prompts you for credentials.
# -Credential $LoginPassword        - add this to New-ADUser and Add-ADGroupMember

# Same password for every test account, converted to a SecureString
$password = "Passw0rd"
$SecurePassword = ConvertTo-SecureString -String $password -AsPlainText -Force

$prefix = "TestUser"
foreach ($number in (13..23)) {
	# TestUser13 .. TestUser23
	$user = $prefix + $number
	New-ADUser -SamAccountName $user -Name $user -EmailAddress "$user@test.vStrong.info" -AccountPassword $SecurePassword -Path "OU=TestUsers,DC=test,DC=vStrong,DC=info" -HomeDrive "H:" -HomeDirectory "\\file001\home$\$user" -Enabled $true
	Add-ADGroupMember TestUsersGroup -Members $user # OPTIONAL - Add user to a group
}
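
The notes quoted above say the account is still created when the password is rejected by policy. The following variant is an added example, not the script from this post: it prompts for the password instead of storing it in the file, and enables each account only after the password has been accepted. It assumes the same OU and TestUser13..23 naming as the script above.

```powershell
# Added example: OU and account names mirror the script above; adjust for your domain.
Import-Module ActiveDirectory

# Prompt once so the shared test password is never stored in the script file.
$SecurePassword = Read-Host -AsSecureString "Password for test accounts"

$prefix = "TestUser"
$ou     = "OU=TestUsers,DC=test,DC=vStrong,DC=info"

$results = foreach ($number in 13..23) {
    $user = "$prefix$number"
    try {
        # Skip accounts that already exist so a re-run does not throw.
        if (Get-ADUser -Filter "SamAccountName -eq '$user'") {
            $status = "Skipped, already exists"
        }
        else {
            # Create without a password: the new account is disabled by default.
            New-ADUser -SamAccountName $user -Name $user -Path $ou -ErrorAction Stop

            # Set the password as a separate step so a policy rejection is an error
            # we can catch, not a silently passwordless account.
            Set-ADAccountPassword -Identity $user -Reset -NewPassword $SecurePassword -ErrorAction Stop

            # Enable only after the password was accepted.
            Enable-ADAccount -Identity $user -ErrorAction Stop
            $status = "Created, enabled"
        }
    }
    catch {
        # Policy or permission failure: the account (if created) stays disabled.
        $status = "Needs attention: $($_.Exception.Message)"
    }
    [pscustomobject]@{ User = $user; Status = $status }
}

# One row per account, so failures are easy to spot and fix with Set-ADAccountPassword.
$results | Format-Table -AutoSize
```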

I hope you will find this useful.
