PowerShell New-ADUser

Many Systems Administrators can attest that creating user objects can be fun…the first time. Then you begin to realize how daunting navigating through the ‘New User’ dialogs can be. Plus, once you are finished creating a user, you still have to add that user to the appropriate security groups. Sure, there are tricks and shortcuts like creating a disabled user template, but what if your organization has an abundance of security groups? Is it really worth all the effort to create a disabled user template for each potential group? Absolutely not!

PowerShell to the rescue, of course! Create a generic function that takes the common information needed anyway, uses it to create the user object, then adds that user object to the general security group. This happens in seconds and creates user objects in the OU in one consistent format throughout. It also saves typing and reduces the chance of spelling errors, because you type the user’s actual first and last names only once.

Below is an example of a script written for Department of Defense (DoD) use that can easily be adapted for industry. The bones of the function are reusable no matter the organization.

# Requires the RSAT Active Directory module
Import-Module ActiveDirectory

# Set these accordingly
$exerciseUsersOU = 'OU=USERS,OU=TEMPORARY,DC=aaronrombaut,DC=com'
$exerciseGroupsOU = 'OU=GROUPS,OU=TEMPORARY,DC=aaronrombaut,DC=com'
$exerciseDescription = 'Exercise Description'
$exerciseDomain = 'aaronrombaut.com'
# One shared initial password for every account; -ChangePasswordAtLogon below
# is what limits how long it stays valid
$exerciseDefaultPassword = ConvertTo-SecureString -String '1$Pass%0' -AsPlainText -Force
$exerciseDefaultUsersGroup = 'GLS_DEFAULT_USERS_GROUP'

# Function to make standard user objects
function New-ExerciseADUser
{
    $firstName = Read-Host -Prompt 'First name'
    $lastName = Read-Host -Prompt 'Last name'
    $objectName = "$firstName.$lastName"
    $displayName = "$lastName, $firstName"
    $eDIPI = (Read-Host -Prompt 'EDIPI').ToUpper()
    $cellName = Read-Host -Prompt 'Cell name'
    # $password = Read-Host -Prompt 'Password' -AsSecureString

    # Create a new user object and place it in the correct OU.
    # -PassThru returns the created object so the group adds below use it
    # directly instead of re-resolving the name (sAMAccountName is limited
    # to 20 characters, so a long first.last may not resolve as typed).
    $newUser = New-ADUser -Name $objectName `
        -AccountPassword $exerciseDefaultPassword `
        -CannotChangePassword $false `
        -ChangePasswordAtLogon $true `
        -Description $exerciseDescription `
        -DisplayName $displayName `
        -EmployeeID $eDIPI `
        -Enabled $true `
        -GivenName $firstName `
        -PasswordNeverExpires $false `
        -PasswordNotRequired $false `
        -Path $exerciseUsersOU `
        -SamAccountName $objectName.ToLower() `
        -SmartcardLogonRequired $true `
        -Surname $lastName `
        -UserPrincipalName "$eDIPI@$exerciseDomain" `
        -PassThru

    # Add exercise user to the default users group for the exercise
    Add-ADGroupMember -Identity $exerciseDefaultUsersGroup -Members $newUser

    # Add exercise user to the cell group they belong to for the exercise.
    # -match treats its right-hand side as a regular expression, so escape the
    # cell name or metacharacters such as '.' match groups that were not intended.
    $cellPattern = [regex]::Escape($cellName)
    $exerciseGroups = Get-ADGroup -Filter * -SearchBase $exerciseGroupsOU
    foreach ($exerciseGroup in $exerciseGroups)
    {
        $exerciseGroupName = $exerciseGroup.Name
        if ($exerciseGroupName -match $cellPattern)
        {
            Add-ADGroupMember -Identity $exerciseGroup -Members $newUser
        }
    }
}

New-ExerciseADUser
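The same idea as the function above, written as an added example (not the post's own script) in the parameterized form a practitioner would put in a shared module: inputs are validated, an existing sAMAccountName is refused, each account gets its own random initial password instead of one shared default, the cell group is matched exactly rather than by unanchored regex, and -WhatIf shows what would be created. The OU paths, domain, function name and the EDIPI digit rule are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's script: a parameterized New-ExerciseADUser with
# input validation, a duplicate check, a per-user random initial password and
# -WhatIf support. OU, domain and group defaults are placeholders (assumptions).
function New-ExerciseADUserChecked {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z][A-Za-z\-]*$')][string]$FirstName,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z][A-Za-z\-]*$')][string]$LastName,
        [Parameter(Mandatory)][ValidatePattern('^\d+$')][string]$EDIPI,   # assumed numeric
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_\-]+$')][string]$CellName,
        [string]$UsersOU  = 'OU=USERS,OU=TEMPORARY,DC=example,DC=com',   # placeholder
        [string]$GroupsOU = 'OU=GROUPS,OU=TEMPORARY,DC=example,DC=com',  # placeholder
        [string]$Domain   = 'example.com',                                # placeholder
        [string]$DefaultUsersGroup = 'GLS_DEFAULT_USERS_GROUP'
    )
    $sam = "$FirstName.$LastName".ToLower()
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds the 20-character limit" }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { throw "'$sam' already exists" }
    # Per-user random initial password instead of one shared default; the user
    # must change it at first logon, and smart card logon is required anyway.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if (-not $PSCmdlet.ShouldProcess("$LastName, $FirstName ($sam)", 'Create exercise user')) { return }
    $user = New-ADUser -Name "$FirstName.$LastName" `
        -SamAccountName $sam `
        -UserPrincipalName "$EDIPI@$Domain" `
        -GivenName $FirstName -Surname $LastName `
        -DisplayName "$LastName, $FirstName" `
        -EmployeeID $EDIPI `
        -Path $UsersOU `
        -AccountPassword $initial -ChangePasswordAtLogon $true `
        -SmartcardLogonRequired $true `
        -PasswordNeverExpires $false -PasswordNotRequired $false `
        -Enabled $true -PassThru
    Add-ADGroupMember -Identity $DefaultUsersGroup -Members $user
    # Exact match on the cell group name rather than an unanchored regex
    $cellGroup = Get-ADGroup -Filter "Name -eq '$CellName'" -SearchBase $GroupsOU
    if ($cellGroup) { Add-ADGroupMember -Identity $cellGroup -Members $user }
    else { Write-Warning "No group named '$CellName' under $GroupsOU; cell membership skipped" }
    return $user
}
# Constructed usage (placeholder EDIPI and cell name); drop -WhatIf to actually create the account
New-ExerciseADUserChecked -FirstName Arthur -LastName Dent -EDIPI 1234567890 -CellName BLUE -WhatIf
```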

As you can see above, the administrator had to navigate through three dialog boxes to create a single user. If you look at the ADUC screenshot, you will see the user was created but is in ‘First name Last name’ format, whereas the rest of the users are in ‘Last name, First name’ format. This could be resolved either at creation time or fixed after the user object is created. Either way, it is time consuming, error prone, and may not be consistent in environments with more than a single administrator. On top of that, the administrator still needs to add the user to a security group.

Now look at the above screenshot of running the PowerShell script. It asks six questions and then creates the user and adds that user to a generic security group. A few things to note: the script can be tweaked so that the display name is in any format you would like at creation time. The script right now is set to ‘first name last name’, as you can see in the image for the user Arthur Dent. Also, the user does not have to be added to a security group; it’s just common practice to add a user to a generic security group during on-boarding. See the link below for another PowerShell script that can be run against Active Directory to change all the users in an OU to a common format after user creation, if desired.

https://www.aaronrombaut.com/change-the-canonical-name-cn-of-an-active-directory-user/

If your organization requires more or less information, just add or remove prompts and parameters as needed. All of the account options are programmable, such as forcing the user to change the password at next logon, password expiration, account expiration, or smart card usage. It’s just a matter of how much information you need or want from a user at account creation time and your organization’s policies.
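Because those account options are set per account by whoever runs the script, they can drift in an OU with several administrators. The following added check (not from the original post) reads every user under the exercise OU and reports any that deviate from what the script above sets: smart card required, password not exempt, ‘Last, First’ display name, UPN built from the EDIPI, and membership in the default group. The OU path and group name are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's script: audit users under the exercise OU for the
# account options and naming the creation script sets, and report deviations.
# OU path and group name are placeholders (assumptions).
function Test-ExerciseADUsers {
    param(
        [string]$UsersOU = 'OU=USERS,OU=TEMPORARY,DC=example,DC=com',  # placeholder
        [string]$DefaultUsersGroup = 'GLS_DEFAULT_USERS_GROUP'
    )
    $members = (Get-ADGroupMember -Identity $DefaultUsersGroup -Recursive).distinguishedName
    $props = 'DisplayName','GivenName','Surname','EmployeeID','SmartcardLogonRequired',
             'PasswordNeverExpires','PasswordNotRequired','UserPrincipalName'
    Get-ADUser -Filter * -SearchBase $UsersOU -Properties $props | ForEach-Object {
        $u = $_
        $issues = @()
        if (-not $u.SmartcardLogonRequired) { $issues += 'smart card logon not required' }
        if ($u.PasswordNeverExpires)        { $issues += 'password never expires' }
        if ($u.PasswordNotRequired)         { $issues += 'password not required' }
        if ($u.DisplayName -ne "$($u.Surname), $($u.GivenName)") { $issues += "display name '$($u.DisplayName)' is not 'Last, First'" }
        if (-not $u.EmployeeID -or $u.UserPrincipalName -notlike "$($u.EmployeeID)@*") { $issues += 'UPN does not match EmployeeID' }
        if ($members -notcontains $u.DistinguishedName) { $issues += "not a member of $DefaultUsersGroup" }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Compliant      = ($issues.Count -eq 0)
            Issues         = ($issues -join '; ')
        }
    }
}
# Show only the accounts that need attention
Test-ExerciseADUsers | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```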