The easiest way to create a new user object in the Active Directory domain is to use MMC graphical snap-in ADUC (Active Directory Users and Computers). But if you need to create multiple user accounts in the domain, doing it manually can be a tiresome task for an administrator. In this article, we’ll consider an example automating the creation of user accounts in AD using the New-ADUser PowerShell cmdlet.
Using New-ADUser Cmdlet to Create New Active Directory User Account
New-ADUser cmdlet is a part of Active Directory for PowerShell module. To use this module, you must install RSAT version corresponding to your OS version and enable Active Directory Module for Windows PowerShell component.
To import the module to your PowerShell session, run this command:
Import-Module activedirectory
You can get the full syntax of New-ADUser cmdlet using the command:
Get-Command New-ADUser –Syntax
In the minimum version, to create a new account it’s enough to specify just the name of the AD user:
New-ADUser testuser1
As you can see, a new user account has been created in the default Users container and is disabled. To use this account, you must enable it (Enable-ADAccount cmdlet), set its password (Set-ADAccountPassword cmdlet) and/or other attributes (if necessary).
To create a full-featured user account in the specific AD container of the domain (OU) with the password and immediately enable the user’s object, use this command:
New-ADUser -Name "Albert Schmidt" -GivenName "Albert" -Surname "Schmidt" -SamAccountName "a.schmidt" -UserPrincipalName "a.schmidt@woshub.com" -Path "OU=Users,OU=Accounts,OU=Berlin,OU=DE,DC=woshub,DC=com" -AccountPassword(Read-Host -AsSecureString "Input Password") -Enabled $true
The command will prompt you to set a password (protected) for a new user at once.
You can get the information about the created domain user object with Get-ADUser cmdlet:
Get-ADUser a.schmidt
Bulk Create AD Users from a CVS File Using PowerShell Script
If you have to create multiple Active Directory users at once, it’s easier to save the list of users in the format of CSV (Excel) file and then run a special PowerShell script. In this file, you must fill in all significant user attributes.
For example, my Excel file of users consists of 8 columns and has the following header format:
FirstName;LastName;SamAccountName;Phone;Department;JobTitle;Password;OU
Fill in the user data and save the Excel file into the CSV format with commas as separating character. The encoding must be set to UTF-8 (it’s important!). The values of the OU column contain commas, so you must use double quotes.
Now you can import this CSV file (create_new_ad_users.csv) and create new users in the AD domain. The code of the ready PowerShell script is shown below:
Import-Module activedirectory
Import-Csv "C:\ps\create_new_ad_users.csv" | ForEach-Object {
$upn = $_.SamAccountName + “@woshub.com”
$uname = $_.LastName + " " + $_.FirstName
New-ADUser -Name $uname `
-DisplayName $uname `
-GivenName $_.FirstName `
-Surname $_.LastName `
-OfficePhone $_.Phone `
-Department $_.Department `
-Title $_.JobTitle `
-UserPrincipalName $upn `
-SamAccountName $_.samAccountName `
-Path $_.OU `
-AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force) -Enabled $true
}
After you have run the script, open the ADUC console, expand the specified AD container and make sure that new user accounts have appeared in the AD. (You can track user account creation in the AD accounts as follows: Get Active Directory Accounts Created in the Last X Hours / Days.)
You can add the created accounts to the specific AD group using Add-AdGroupMember cmdlet. To do it, modify the script by adding this line to the For-Each loop:
Add-AdGroupMember -Identity AllowInternetAccess-Members $_.samAccountName
Or you can set user photo in AD to display it in Outlook and Lync:
Set-ADUser $_.samAccountName -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\ps\l.wolf.jpg" -Encoding byte))}