PowerShell to Create New Users in Active Directory

In This Article

In this post, I’ll show you how to create a new user, modify an existing user and remove an old user in Windows Active Directory using PowerShell.

Create a Single User in Active Directory

The PowerShell New-ADUser CMDlet is used for creating a user in Active Directory.

PowerShell offers multiple ways to not only create a single user but to create Active Directory user objects in bulk. The CMDlet New-ADUser doesn’t have many mandatory parameters but you can use optional parameters while creating a new user.

Using the OtherAttributes parameter, you can change property values that are not related to cmdlet parameters. The attribute name needs to be enclosed in single quotes when using this parameter.
To create a user, you must give the SamAccountName parameter.
The container or organizational unit (OU) for the new user is specified using the Path parameter. When the Path option is not used, the cmdlet creates a user object in the domain’s default user object container.

The following techniques describe various ways to build an object using this cmdlet:

With the New-ADUser command, use the OtherAttributes parameter to specify the parameters and values and to set any additional values.
A new user can be created from a template. Use the Instance parameter to create a new user or copy an existing one to the new object. The object used in the Instance parameter is used as a template.
To create Active Directory user objects in bulk, combine the Import-Csv cmdlet with the New-ADUser cmdlet.
- Import a CSV file with a list of object properties to construct custom objects using the Import-Csv cmdlet.
- The New-ADUser cmdlet can then be used to construct user objects by passing these objects through its pipeline.

The following shows examples of the different parameters that can be used:

New-ADUser –SamAccountName “username” –DisplayName “username” –givenName “Username” –Surname “surname” –AccountPassword (ReadHost –AsSecureString “Message”) –Enabled $true –Path ‘CN=Users,DC=Doc,DC=Com’ –CannotChangePassword $false –ChangePasswordAtLogon $true –PasswordNeverExpires $false -EmailAddress “email” –EmployeeID “ID” –Department “string”
example of the different parameters used

Below are the descriptions of parameters used in the above CMDlet:

Parameter	Description
AccountExpirationDate	Specify the account’s expiration date
AccountPassword	Specify the account’s password
AuthType	Select the authentication type when running the command
CannotChangePassword	Prevent the account owner from changing the password (usually used for service accounts)
ChangePasswordAtLogon	Force the user to change the account password at the next login
City	Specify the city for the user account
Company	Specify the company for the user account
Confirm	Get a confirmation prompt to run the cmdlet
Country	Specify the country for the user account
Credential	Run the command with alternative credentials
Department	Specify the user’s department
Description	Specify a description for the user account
DisplayName	Specify the display name of the account
EmailAddress	Specify the account’s email address
EmployeeID	Specify the user’s employee ID
Enabled	Enable the user account
Instance	Create a user account based on an existing account, such as one with the same department and title properties as the account you are creating
Manager	Specify the manager of the user account
Office	Specify the office attribute of the user account
Organization	Specify the user’s organization
OtherAttributes	Specify the value for an attribute for which there is no corresponding parameter in the cmdlet, such as the extensionAttribute1 to 15 attributes
PasswordNeverExpires	Force the account’s password to never expire
PasswordNotRequired	Specify that the account, such as a service account, does not require a password
Path	Specify the OU path to create the user account in
SamAccountName	Specify the account’s SAMAccountName attribute, a logon name used to support clients and servers running earlier versions of Windows, such as Windows NT 4.0, Windows 95 or LAN Manager
Server	Connect to an alternate DC while running the command
State	Specify the user’s US state
StreetAddress	Specify the user’s address
Title	Specify the user’s title
Type	Specify the user object’s type, such as a normal user or an inetOrgPerson user
UserPrincipalName	Specify the account’s userPrincipalName (UPN), which is typically the name that the user will use to log on/td>
WhatIf	See what the output of the cmdlet would be without actually running it

After executing the command, PowerShell will ask for the password.

Enter the password and the user will be created.

enter password

Creating Bulk Users in Active Directory

Before creating the bulk users through PowerShell using the Import-CSV CMDlet, you will need to create a CSV file. The following is an example of the CSV file required:

CSV with users's details

Now, execute the following command to create bulk users in AD.

Import-CSV d:\Share\testing.csv | New-ADUser
csv upload command

The Import-CSV provides pipeline input to the New-ADUser CMDlet. It processes the values of the CSV file to create the new users. Executing this command will load the Active Directory module first.

After completing the action, you’ll return to the same prompt.

return

Check Active Directory for the newly created users.

check AD for new users

Examples where Users would be Created with PowerShell

Here are some examples of where you may want to use PowerShell to add user accounts:

Create a new user account.
Create a user account in a particular OU.
Create a user and set attributes not covered by the cmdlet’s parameters.
Create an inetOrgPerson user.
Create a new user based on an existing AD user.
Create multiple user accounts using a CSV file.
Create users in bulk using a PowerShell script.
Create users in bulk by importing their attributes from a CSV file.

Create a New User Account

Specify only the account name.

The simplest example is creating a new user account by specifying only its name attribute:

New-ADUser M. Byrde

Running this will create the user but won’t show any output. To check whether the user was added successfully, we can list all Active Directory users using the following:

Get-ADUser -Filter * -Properties samAccountName | select samAccountName
list AD users

However, the user we just created has more attributes than just a name; the following attributes are set by default:

The account is created in the ‘Users’ container.
The account is disabled.
The account is a member of the Domain Users group.
The user must reset the password at the first logon.

Note that many attributes are not populated including the password attribute meaning that no password is set

Specify Additional Attributes

To resolve this, we can a new account that is usable by specifying more attributes:

New-ADUser -Name "Ash Williams" -GivenName "Ash" -Surname "Williams" -SamAccountName "A.Williams" -UserPrincipalName "A.Williams@lpde4.local" -Path "OU=Managers,DC=lpde4,DC=com" -AccountPassword(Read-Host -AsSecureString "Input

The Read-Host parameter will ask you to input a new password. Note that the password should meet the length, complexity and history requirements of your domain security policy.

Let’s now see the results by running the following cmdlet:

Get-ADUser A.Williams -Properties CanonicalName, Enabled, GivenName, Surname, Name, UserPrincipalName, samAccountName, whenCreated, PasswordLastSet

check AD users

To create a user account with even more attributes, use the following command:

New-ADUser -Name "Justin Hammer" -GivenName " Justin " -Surname " Hammer " -SamAccountName " Justin - Hammer " -AccountPassword (ConvertTo-SecureString -AsPlainText “webdir123R” -Force) -ChangePasswordAtLogon $True -Company "ABC Limited" -Title "CEO" -State "California" -City "San Francisco" -Description "Test Account Creation" -EmployeeNumber "45" -Department "Engineering" -DisplayName "Justin Hammer" -Country "US" -PostalCode "94001" -Enabled $True

To see a few of the new user’s attributes, use the following:

Get-ADUser -Identity Justin- Hammer -Properties * | select name,samaccountname,company,title,department,city,state,country,description,employeenumber,postalcode

Modify Users in Active Directory

Use the Set-ADUser CMDlet to modify the user in AD.

Set-ADUser –Identity “CN=TestUser7,CN=Users,DC=www,DC=DOC,DC=com” –SamAccountName “TestUser7” –LogonWorkStations “Test”

Some of the available parameters for this CMDlet are listed below.

Parameter	Description
ChangePasswordAtLogon	Specifies the location of the user in the Active Directory. Its value can be in the following format.-Identity “CN=Username,CN=Users,DC=www,DC=doc,DC=com”
PasswordNeverExpires	Specifies whether the account password will never expire.
PasswordNotRequired	Specifies whether a password is required or not.
SamAccountName	Specifies the SAM Account name of the user.
LogonWorkstations	Specifies the workstations, on which the user can logon. Its values have to be provided in the following format.-LogonWorkstations “workstation1,workstation2.www.domain.com”

Reset Password for AD Users

You can reset the password of a user with Set-ADAccountPassword CMDlet.

Set-ADAccountPassword –Identity “CN=TestUser7,CN=Users,DC=www,DC=DOC,DC=com” –SamAccountName “TestUser7” –LogonWorkStations “Test”

Some of the acceptable parameters for this CMDlet are listed below.

Parameter	Description
Identity	Specifies the location of the user in the Active Directory. Its value can be in the following format.-Identity “CN=Username,CN=Users,DC=www,DC=doc,DC=com”
OldPassword	Specifies the old password.
NewPassword	Specifies the new password.

Both OldPassword and NewPassword have to be provided as the Secure String, therefore, their values should be in the following format.

–NewPassword (ReadHost –AsSecureString “Message”)

–OldPassword (ReadHost –AsSecureString “Message”)

After executing the command, PowerShell will ask for the new password. Enter the new password and hit Enter key to apply the change.

Removing a Active Directory User Account

You can remove a user account using the Remove-ADUser CMDlet.

Remove-ADUser –Identity “CN=Username,CN=Users,DC=doc,DC=com”

Pressing the Enter key will ask for confirmation to delete the user.

Press Y to confirm the action.

Create an inetOrgPerson User

Most user objects in Active Directory have the class of user. But you can also create user objects with the class inetOrgPerson, which has user as a parent class. The inetOrgPerson class facilitates integration with certain applications and simplifies the migration of certain user objects into Active Directory.

To create an inetOrgPerson user account, simply include the -Type parameter and specify inetOrgPerson as its value:

New-ADUser -Name "Neal Gamby" -Path "OU=NBC,DC=LPDE4,DC=local" -GivenName "nEAL" -Surname " Gamby " -SamAccountName "Neal.Gamby " -AccountPassword (ConvertTo-SecureString -AsPlainText “webdir123R” -Force ) -ChangePasswordAtLogon $True -DisplayName "Neal Gamby" -Enabled $True -Type iNetOrgPerson

Conclusion

To ensure security of your Active Directory it is important to keep track of user creation, modification and deletion activities. With native methods, it is very difficult to monitor these activities. Lepide Active Directory Auditor can help you to audit user creation, modification and deletion in real time with other important AD changes.

Related Articles:

Related Solutions:

Check out our Active Directory Auditing solution