In this article, we'll look at how to create new users in an Active Directory domain. You can create new user accounts in your domain using the graphical MMC snap-ins (Active Directory Users and Computers, dsa.msc, and the Active Directory Administrative Center, dsac.msc) or with PowerShell scripts.
How to Create a New Active Directory User with ADUC?
The easiest way to create a new domain user in Active Directory is to use the graphical ADUC MMC console.
- Open the Active Directory Users and Computers console by running the dsa.msc command;
- Select the Active Directory container (Organizational Unit) in which you want to create the new user account, right-click it and select New -> User;

To create users in the domain, your account must be a member of the Domain Admins or Account Operators group, or have the permission to create user objects delegated to it on the target OU (Delegate Control on the OU). Delegating the permission to a dedicated helpdesk group is the least-privilege option: day-to-day account provisioning should not require Domain Admins membership.
- Specify the user's first name, last name and full name, and set the userPrincipalName (user logon name) and sAMAccountName (pre-Windows 2000 logon name, at most 20 characters). Click Next;
- Then set the user password. On this form, you can additionally set the following options (most of them map to flags in the userAccountControl attribute):
  User must change password at next logon: implemented by setting pwdLastSet to 0 rather than by a userAccountControl flag; enable it whenever the initial password is known to the administrator;
  User cannot change password: only the administrator/account operator can change or reset the password (enforced by deny ACEs on the user object, the PASSWD_CANT_CHANGE flag only reflects this);
  Password never expires: sets the DONT_EXPIRE_PASSWORD flag, so the domain (or fine-grained) password policy no longer applies to this account; use it sparingly, accounts with this flag are a standing audit finding and should be reviewed regularly;
  Account is disabled: sets the ACCOUNTDISABLE flag; the account cannot be used to log in.
- Find the user in the ADUC console and open its properties. Here you can set additional attributes: phone number, address, description, job title, company, etc., add the user to AD groups, and edit any other attribute on the Attribute Editor tab.
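The checkboxes above are a thin UI over the userAccountControl bitmask. The following PowerShell snippet is an added example (not from the original article) that decodes the bitmask into flag names and lists the accounts in an OU that carry flags an auditor cares about: no password required, password never expires, Kerberos pre-authentication disabled, reversible encryption, or unconstrained delegation. The flag values are the documented ADS_USER_FLAG constants; the search base and the "risky" set are assumptions to adjust for your environment.

```powershell
# Added example: decode userAccountControl and audit security-relevant flags.
# Requires the ActiveDirectory module (RSAT). Flag values: ADS_USER_FLAG_ENUM.
Import-Module ActiveDirectory

$uacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040     # readable, but actually enforced by ACEs
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080     # reversible encryption
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    NOT_DELEGATED                  = 0x100000
    DONT_REQ_PREAUTH               = 0x400000   # AS-REP roastable
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Return the names of all flags set in the bitmask
    $uacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        Select-Object -ExpandProperty Name
}

# Assumption: flags that should be rare in a well-run domain; adapt to your baseline
$risky = 'PASSWD_NOTREQD', 'DONT_EXPIRE_PASSWORD', 'DONT_REQ_PREAUTH',
         'ENCRYPTED_TEXT_PWD_ALLOWED', 'TRUSTED_FOR_DELEGATION'

$searchBase = 'OU=Accounts,DC=woshub,DC=com'   # assumption: your user OU

Get-ADUser -Filter * -SearchBase $searchBase -Properties userAccountControl, pwdLastSet, whenCreated |
    ForEach-Object {
        $flags = @(ConvertFrom-UserAccountControl -Value $_.userAccountControl)
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            Enabled            = -not ($flags -contains 'ACCOUNTDISABLE')
            # pwdLastSet = 0 is the "User must change password at next logon" state
            MustChangePassword = ($_.pwdLastSet -eq 0)
            RiskyFlags         = ($flags | Where-Object { $risky -contains $_ }) -join ','
            Created            = $_.whenCreated
        }
    } |
    Where-Object { $_.RiskyFlags } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Run it after a batch of accounts has been created (or on a schedule) and treat any new row as something to explain: a freshly created account with DONT_EXPIRE_PASSWORD or DONT_REQ_PREAUTH is either a documented service account or a mistake.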
You can create new AD users with similar settings by copying an existing one. This way of creating users is suitable for adding another user from the same department, with the same set of permissions, address, and description.
Right-click the user and select Copy. When copying an AD user, the group membership, address (except street), userAccountControl settings, organization settings, and several other attributes are copied to the new account. Because group membership is copied too, never use a privileged account (for example, a helpdesk or server administrator) as the template: the new user would inherit its rights. Review the Member Of tab of the new account before handing it over.
New-ADUser: Creating Active Directory Users with PowerShell
Above, we showed you how to manually create a user in an Active Directory domain using the ADUC graphical snap-in. If you’re constantly adding new users to your domain, it’s much more convenient to automate this process using PowerShell.
You can use the New-ADUser cmdlet from the Active Directory module for Windows PowerShell (part of RSAT) to create user accounts in AD.
You can get the full syntax of New-ADUser cmdlet using the command:
Get-Command New-ADUser -Syntax
In the simplest case, to create a new user account in AD, it is enough to specify only its name:
New-ADUser testuser1
A new user account is created in the domain's default Users container (CN=Users,...). Because no password was supplied, the account is created disabled; New-ADUser refuses -Enabled $true without a password that satisfies the domain password policy. To use the account, set its password (Set-ADAccountPassword cmdlet), enable it (Enable-ADAccount cmdlet), and configure other attributes if necessary.
To create a new account in a specific Active Directory container of the domain (OU) with a password and enable it immediately, use the following command:
New-ADUser -Name "Albert Schmidt" -GivenName "Albert" -Surname "Schmidt" -SamAccountName "a.schmidt" -UserPrincipalName "[email protected]" -Path "OU=Users,OU=Accounts,OU=Berlin,OU=DE,DC=woshub,DC=com" -AccountPassword (Read-Host -AsSecureString "Input Password") -Enabled $true
The command prompts you to enter the password for the new user; Read-Host -AsSecureString keeps the password out of the command line, the PowerShell history and any transcript.
You can get the information about the created domain user using the Get-ADUser cmdlet:
Get-ADUser a.schmidt
Bulk Create Active Directory Users from CSV with PowerShell
You can use PowerShell scripts to bulk-create multiple users in an Active Directory domain. Consider a simple script to create user accounts from a list in a CSV file.
Fill in the required user attributes in a CSV file (you can prepare it in Excel). For example, my file has 8 columns with the following header:
FirstName;LastName;SamAccountName;Phone;Department;JobTitle;Password;OU
Save the Excel file in CSV format. Excel uses the list separator from the regional settings, so the delimiter may be a comma or a semicolon; whichever it is, pass the same character to Import-Csv with -Delimiter. The encoding must be UTF-8 (it's important, otherwise non-ASCII names are garbled). Keep in mind that this file contains cleartext initial passwords: restrict access to it, delete it as soon as the accounts are created, and force the users to change their password at first logon.
Now you can import this CSV file (create_ad_users.csv) and create new users in the AD domain. See the following example of a PowerShell script that can be used to create users in Active Directory.
- Specify the OU in which the new user accounts are to be created in distinguishedName format ("OU=Users,OU=Munich,OU=DE,DC=woshub,DC=com"). In a comma-delimited file the value must be enclosed in double quotes because the string itself contains commas (Excel does this automatically);
- If ";" is used as the delimiter character in the CSV file, add -Delimiter ";" as an argument to the Import-Csv command;
- The script checks whether the user already exists in the domain. If an account with the same sAMAccountName exists, a warning appears and prompts you to enter a unique sAMAccountName.
Import-Module ActiveDirectory
$domain = "@woshub.com"
# -Delimiter must match the separator Excel used when saving; -Encoding UTF8 keeps non-ASCII names intact
Import-Csv "C:\ps\create_ad_users.csv" -Delimiter ";" -Encoding UTF8 | ForEach-Object {
    $userSAM = $_.SamAccountName
    # An empty OU column makes New-ADUser fail with "Cannot validate argument on parameter 'Path'"
    if ([string]::IsNullOrWhiteSpace($_.OU)) {
        Write-Warning "Row for $userSAM has no OU, skipping"
        return   # in ForEach-Object, return moves on to the next row
    }
    # If the sAMAccountName is already taken, ask the operator for a unique one
    if (@(Get-ADUser -Filter { SamAccountName -eq $userSAM }).Count -ne 0) {
        Add-Type -AssemblyName Microsoft.VisualBasic
        $userSAM = [Microsoft.VisualBasic.Interaction]::InputBox("User $userSAM exists", 'Specify a new user SamAccountName', $userSAM)
        if ([string]::IsNullOrWhiteSpace($userSAM)) {
            Write-Warning "No name entered, skipping $($_.SamAccountName)"
            return
        }
    }
    $upn = $userSAM + $domain
    $uname = $_.LastName + " " + $_.FirstName
    New-ADUser -Name $uname `
        -DisplayName $uname `
        -GivenName $_.FirstName `
        -Surname $_.LastName `
        -OfficePhone $_.Phone `
        -Department $_.Department `
        -Title $_.JobTitle `
        -UserPrincipalName $upn `
        -SamAccountName $userSAM `
        -Path $_.OU `
        -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force) `
        -Enabled $true
}
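The script above does what the article describes, but it stores every initial password in cleartext in the CSV and aborts with a New-ADUser error as soon as one row is bad (an empty OU column, a non-existent OU, a duplicate or too-long sAMAccountName). The following block is an added example, not the article's script, showing a hardened variant of the same bulk import: every row is validated before anything is created, the initial password is generated randomly and never stored in the file, the user is forced to change it at first logon, and the outcome of every row is collected in a result object. It assumes a semicolon-delimited UTF-8 CSV with the header FirstName;LastName;SamAccountName;Phone;Department;JobTitle;OU (no Password column) and the @woshub.com UPN suffix.

```powershell
# Added example: validated bulk user creation without passwords in the CSV.
# Assumptions: ActiveDirectory module present, CSV columns as described in the lead-in.
Import-Module ActiveDirectory

$csvPath   = 'C:\ps\create_ad_users.csv'   # assumption: adjust to your file
$upnSuffix = '@woshub.com'
$required  = 'FirstName', 'LastName', 'SamAccountName', 'OU'

function New-RandomPassword {
    param([int]$Length = 16)
    # 64-symbol alphabet (ambiguous characters removed): 256 % 64 == 0, so mapping
    # random bytes with modulo introduces no bias. Loop until all four classes appear.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-'.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    $rng.Dispose()
    return $pw
}

function Test-UserRow {
    param($Row)
    # Returns the list of problems with a row; an empty list means it is safe to create
    $problems = @()
    foreach ($col in $required) {
        if ([string]::IsNullOrWhiteSpace($Row.$col)) { $problems += "missing $col" }
    }
    $sam = $Row.SamAccountName
    $ou  = $Row.OU
    if ($sam) {
        if ($sam.Length -gt 20)                 { $problems += 'SamAccountName longer than 20 characters' }
        if ($sam -match '["/\\\[\]:;|=,+*?<>]') { $problems += 'SamAccountName contains forbidden characters' }
        # Script-block filter with a plain variable: the value is passed as data, not spliced into the query
        if (Get-ADUser -Filter { SamAccountName -eq $sam }) { $problems += 'SamAccountName already exists' }
    }
    if ($ou -and -not (Get-ADOrganizationalUnit -Filter { DistinguishedName -eq $ou })) {
        $problems += "OU not found: $ou"
    }
    return $problems
}

$results = Import-Csv -Path $csvPath -Delimiter ';' -Encoding UTF8 | ForEach-Object {
    $row = $_
    $problems = @(Test-UserRow -Row $row)
    if ($problems.Count -gt 0) {
        Write-Warning ("Skipping '{0}': {1}" -f $row.SamAccountName, ($problems -join '; '))
        return [pscustomobject]@{ SamAccountName = $row.SamAccountName; Status = 'Skipped'; Detail = ($problems -join '; ') }
    }
    $initialPassword = New-RandomPassword
    $name = '{0} {1}' -f $row.FirstName, $row.LastName
    $params = @{
        Name                  = $name
        DisplayName           = $name
        GivenName             = $row.FirstName
        Surname               = $row.LastName
        SamAccountName        = $row.SamAccountName
        UserPrincipalName     = $row.SamAccountName + $upnSuffix
        Path                  = $row.OU
        AccountPassword       = (ConvertTo-SecureString $initialPassword -AsPlainText -Force)
        ChangePasswordAtLogon = $true     # the generated password is single-use
        Enabled               = $true
        ErrorAction           = 'Stop'    # turn AD errors into catchable exceptions
    }
    if ($row.Phone)      { $params.OfficePhone = $row.Phone }
    if ($row.Department) { $params.Department  = $row.Department }
    if ($row.JobTitle)   { $params.Title       = $row.JobTitle }
    try {
        New-ADUser @params
        # The initial password is shown once to the operator for out-of-band handover
        [pscustomobject]@{ SamAccountName = $row.SamAccountName; Status = 'Created'; Detail = $initialPassword }
    } catch {
        [pscustomobject]@{ SamAccountName = $row.SamAccountName; Status = 'Failed'; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Do not pipe $results to Export-Csv: the Detail column carries the one-time passwords of the created accounts. If you need a persistent record, export only SamAccountName and Status, and hand the passwords over through a channel that is not the same CSV you started from.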
After running the script, open the ADUC console, expand the target OU and make sure that the new user accounts have appeared in AD. You can also audit account creation afterwards: query the whenCreated attribute to list accounts created in the last X hours/days (see: Get a list of Active Directory user accounts created in the last X hours/days), and review Security event ID 4720 (A user account was created) on your domain controllers, which records who created each account.
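The following block is an added example (not part of the original article) of the two checks just mentioned, cross-referenced against each other: accounts whose whenCreated falls in the window are pulled from the directory, 4720 events for the same window are collected from every domain controller and parsed for the created account and the creating principal, and any directory entry without a matching event is flagged. It assumes you run it as an account allowed to read the Security log of the DCs remotely and that "Audit User Account Management" is enabled for success (the default on DCs).

```powershell
# Added example: reconcile whenCreated with Security event 4720 across all DCs.
# Assumptions: ActiveDirectory module, remote event log access to the DCs, 24-hour window.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-1)

# 1. What the directory says was created in the window
$newAccounts = Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated |
    Select-Object SamAccountName, Enabled, whenCreated

# 2. What the DCs logged: event 4720 carries the new account (TargetUserName) and
#    the principal that created it (SubjectDomainName\SubjectUserName)
function Get-AccountCreationEvents {
    param([string[]]$ComputerName, [datetime]$StartTime)
    foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $StartTime } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    DC          = $dc
                    NewAccount  = $data.TargetUserName
                    CreatedBy   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                    UAC         = $data.UserAccountControl   # flags as logged at creation time
                }
            }
    }
}

$dcs    = (Get-ADDomainController -Filter *).HostName
$events = Get-AccountCreationEvents -ComputerName $dcs -StartTime $since

# 3. Report: who created what, and which directory entries have no audit trail
$events | Sort-Object TimeCreated | Format-Table -AutoSize
$newAccounts |
    Where-Object { $_.SamAccountName -notin $events.NewAccount } |
    ForEach-Object { Write-Warning "No 4720 event found for $($_.SamAccountName) (created $($_.whenCreated))" }
```

A warning from step 3 means either that the log on the DC that handled the write has already rolled over, that auditing is not configured on that DC, or that the account was created at a time or by a path you did not expect; all three are worth a follow-up. The CreatedBy column is also the quick way to confirm that bulk imports are run from the dedicated provisioning account rather than from a Domain Admin's everyday session.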
You can immediately add the new user accounts to specific AD groups using the Add-ADGroupMember cmdlet. To do this, add the following line inside the ForEach-Object loop of the script:
Add-ADGroupMember -Identity AllowInternetAccess -Members $userSAM
Or you can set the user's photo in AD (displayed in Outlook and Lync) using the Set-ADUser cmdlet. Note that -Encoding byte is Windows PowerShell 5.1 syntax; in PowerShell 7 use Get-Content -AsByteStream instead, and in a loop replace the fixed file name with a per-user path:
Set-ADUser $userSAM -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\ps\l.wolf.jpg" -Encoding byte))}
6 comments
Script doesn't work:
New-ADUser : Cannot validate argument on parameter 'Path'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At line:14 char:7
+ -Path $_.OU `
+ ~~~~~
+ CategoryInfo : InvalidData: (:) [New-ADUser], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.NewADUser
Show me your whole New-ADUser command
Import-Csv "C:\Users\cammy\Desktop\BULKCREATE.xlsx" | ForEach-Object {
$upn = $_.SamAccountName + "@mydomain.com"
$uname = $_.LastName + " " + $_.FirstName
New-ADUser -Name $uname `
-DisplayName $uname `
-GivenName $_.FirstName `
-Surname $_.LastName `
-UserPrincipalName $upn `
-SamAccountName $_.samAccountName `
-Path $_.OU `
-AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force) -Enabled $true
}
New-ADUser : Cannot bind parameter 'AccountPassword'. Cannot convert the "User@cbps123!" value of type "System.String" to type "System.Security.SecureString".
At line:19 char:18
+ -AccountPassword $_.Password `
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-ADUser], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveDirectory.Management.Commands.NewADUser
Don't use the @ character as part of a user password in your PowerShell scripts. This is a special character. Or change it to `@.
Do you need Excel running if you run this on the DC?