Create Active Directory users with PowerShell

In my test lab I always have to create a couple of users to be able to do performance or functionality tests. PowerShell really helps me with this task and I just want to archive this for later.

In the next few paragraphs I show you my method to create hundreds of test users on Windows Server 2012 with PowerShell.

Prerequisites

If you don’t do this on the actual domain controller you need a couple of things first.

First of all you need permissions to be able to create users.

Your machine needs the PowerShell module from the Remote Server Administration Tools. Check that it is installed under: Features/Remote Server Administration Tools/Role Administration Tools/AD DS and AD LDS Tools/Active Directory module for Windows PowerShell.

Start a PowerShell window and check your module is available for use:

Get-Module -Listavailable

To retrieve the available cmdlets from this set, use this:

Get-Command -module ActiveDirectory

You can do a lot of things with these, but the only command we are interested in at this point is New-ADUser.

Introducing New-ADUser

Using Get-Help with the full switch is always a good idea, but this command is a monster, so use this method instead:

Get-Help New-ADUser -ShowWindow
Show-Command New-ADUser

The first command shows you the command’s help in a separate window where you can browse or search. The second command opens a graphical window where you can specify the parameters for the command.

Put these side by side using Windows Key+Right arrow and Windows key+Left arrow for the first and second window respectively and you can easily explore and try any command.

Fill in some values and run the command with the Run button, or copy the generated command to the clipboard (see example below).

Create a user

Before you generate and create hundreds of users, always try to create just one first, to confirm you have the necessary permissions, network connectivity, etc.

There are lots of AD properties available from this command so let’s check a couple.

AccountPassword: You have to provide a SecureString here; simple plaintext won’t be enough. Use the ConvertTo-SecureString command to store your password or convert it on the fly:

ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force

ChangePasswordAtLogon: For test users I always use $false so I can log on with them without any hassle.

Enabled: I always use $true, so I can use them immediately.

Path: This defines the OU where the user will be created. If you omit this, Windows uses the default user container. Submit a distinguished name here. Check the OU with the attribute editor in AD Administrative Center:

Company, Title and MobilePhone, etc are pretty straightforward, but I always struggle with names so here is a rough overview.

| New-ADUser property name | AD property on the GUI (ADAC) | LDAP attribute |
|---|---|---|
| DisplayName | Display name | displayName |
| GivenName | First name | givenName |
| Initials | Middle initials | initials |
| Name | Full name | name |
| OtherName | | middleName |
| SamAccountName | User SamAccountName logon | sAMAccountName |
| Surname | Last name | sn |

With this in hand an example user creation goes like this:

# Values that contain spaces must be quoted; the last line has no trailing backtick.
New-ADUser `
-AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) `
-ChangePasswordAtLogon $false `
-City Utrecht `
-Company "H&R Automatisering" `
-DisplayName "Lex van der Horst" `
-Enabled $true `
-MobilePhone "+31(0)30 11 555 5555" `
-Name "Lex van der Horst" `
-SamAccountName lexh `
-Title "Support Engineer" `
-Path "OU=Users,OU=Company,DC=home,DC=local" `
-GivenName Lex `
-Surname "van der Horst" `
-UserPrincipalName ("lexh" + "@testlab.local") `
-Department "IT" `
-Description "Domain User" `
-Office "H&R Automatisering"

Create multiple users

If the command above works and you have all the required parameters, it’s ready for the next step: multiple user creation. Create a CSV file of your users or generate one here or here. Don’t forget to add a header to them!

# Read the CSV; each row becomes an object with one property per header field.
$csvcontent = Import-CSV -Path c:\users.csv

# Create one account per row.
foreach ($user in $csvcontent)
{
    New-ADUser `
    -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) `
    -ChangePasswordAtLogon $false `
    -Company "H&R Automatisering" `
    -DisplayName ($user.Firstname+" "+$user.Lastname) `
    -Enabled $true `
    -MobilePhone ($user.Phone) `
    -Name ($user.Firstname+" "+$user.Lastname) `
    -SamAccountName ($user.Lastname+$user.Firstname.Substring(0,1)) `
    -Title "Support Engineer" `
    -Path "OU=Users,OU=Company,DC=home,DC=local" `
    -State $user.County `
    -GivenName $user.Firstname `
    -Surname $user.Lastname `
    -UserPrincipalName ($user.Lastname+$user.Firstname.Substring(0,1) + "@testlab.local") `
    -Department "IT" `
    -Description "Domain User" `
    -Office "H&R Automatisering"
}

First I grab the content of the CSV file so I can reference the fields with NoteProperties. Then I iterate through all items and generate a user with the data. I set the password to the same for everyone and set that nobody should bother with the password change at the next logon. I generate the various names with string concatenation using the firstname and lastname values. There are a couple of fixed values for all users but you can also submit these in the CSV file.

Run this snippet on an input like this:

Firstname,Lastname,Phone,County
Lex,van der Horst,+31(0)30 635 5254,Utrecht

Generates a user like this:
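
A variant of the bulk-creation loop above, written as an added example (not the author's script): it uses splatting instead of backtick continuations, gives every account its own random password instead of the shared one, skips accounts that already exist and sets an expiry date so forgotten test users do not stay enabled. The New-RandomPassword helper, the 30-day expiry and the 'Test account' description are assumptions of this example; the CSV header, OU path and UPN suffix are the ones used on this page.

```powershell
# Added example, not the author's script. Assumes the page's CSV header
# (Firstname,Lastname,Phone,County), OU path and UPN suffix.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # 64-character alphabet, so a random byte modulo 64 is unbiased.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $rng.Dispose()
    $pw
}

$issued = foreach ($user in Import-Csv -Path C:\users.csv) {
    # Page's naming rule, reduced to letters and digits and capped at the
    # 20-character sAMAccountName limit.
    $last = $user.Lastname -replace '[^A-Za-z0-9]', ''
    $sam  = $last.Substring(0, [Math]::Min(19, $last.Length)) + $user.Firstname.Substring(0, 1)
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping ${sam}, account already exists"
        continue
    }
    $plain  = New-RandomPassword
    $params = @{
        Name                  = "$($user.Firstname) $($user.Lastname)"
        DisplayName           = "$($user.Firstname) $($user.Lastname)"
        GivenName             = $user.Firstname
        Surname               = $user.Lastname
        SamAccountName        = $sam
        UserPrincipalName     = "${sam}@testlab.local"
        MobilePhone           = $user.Phone
        State                 = $user.County
        Path                  = 'OU=Users,OU=Company,DC=home,DC=local'
        AccountPassword       = (ConvertTo-SecureString $plain -AsPlainText -Force)
        ChangePasswordAtLogon = $false
        Enabled               = $true
        AccountExpirationDate = (Get-Date).AddDays(30)  # assumption: 30-day lab lifetime
        Description           = 'Test account'          # assumption: marks lab accounts
    }
    New-ADUser @params -ErrorAction Stop
    [pscustomobject]@{ SamAccountName = $sam; Password = $plain }
}
$issued | Format-Table -AutoSize   # one-time credentials for the operator
```

Append -WhatIf to the New-ADUser call for a dry run that reports what would be created without touching the directory.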
