Active Directory Administration using Powershell: Add New User Account Script


I've been managing our company's Active Directory for quite some time now, and therefore I can attest that managing an Active Directory isn't easy-peasy at all, especially for admins like me who have little to no knowledge and no formal education or training with regard to domain administration.

At first, maintaining it manually using the Active Directory Users and Computers management console and the Active Directory Administrative Center (ADAC) took so much clicking and navigation. What if you need to administer AD objects in bulk (e.g. changing the expiration date of many users)? Such a pain, right? So I decided to study and give Windows PowerShell a shot.

With Windows PowerShell, I am able to administer our Active Directory seamlessly. Today, I will share a simple script that creates a user account given some default or constant attributes/parameters.

Remember to save the script with a *.ps1 extension.

When run, it will prompt the admin to provide the First Name, Last Name and Employee Number of the user. The script also takes the present date and adds 180 days to it to set the account expiration date. You can modify the script as necessary to match your company's requirements.

I leave comments on important lines to further explain what they are for.
#This script will add a new user for Department1
$FN = Read-Host 'First Name'
$LN = Read-Host 'Last Name'

#Common name built from the two inputs
#(the original used Write-Host here, which only prints and returns nothing, so $CN stayed empty)
$CN = "$FN $LN"

#In this example, I used Employee ID/Number as SamAccountName
$ID = Read-Host 'Employee Number'

#This will get the current date and add 180 days for account expiration
#(kept as a [DateTime] object; converting it to text and back, as the original did, is
#culture-dependent and unnecessary)
$CXD = (Get-Date).AddDays(180)

#Default password for new account, just replace quoted text
$Pass = "defaultpassword*098"

#This will convert the default password to a Secure String
$SecureString = ConvertTo-SecureString $Pass -AsPlainText -Force

#Parameters for the new account, collected in a hashtable ("splatting").
#Comments can sit between hashtable entries; in the original, a comment line placed
#after a backtick ended the line continuation and broke the New-ADUser command.
$NewUserParams = @{
    Name                  = $CN
    AccountPassword       = $SecureString
    SamAccountName        = $ID
    DisplayName           = "$FN $LN/Domain/Domain"
    #This will enable the newly created account
    Enabled               = $true
    GivenName             = $FN
    #This will disable the password-never-expires attribute for security purposes
    PasswordNeverExpires  = $false
    #This will set the account expiration computed above
    AccountExpirationDate = $CXD
    Surname               = $LN
    UserPrincipalName     = "$ID@Company.com"
    #This will force a password change upon the user's first logon
    ChangePasswordAtLogon = $true
    Office                = "Branch Location"
    Description           = "Employee Account, Department1"
    #replace this with your AD Organizational Unit Path
    Path                  = "OU=Department1,OU=User_Object,DC=Domain,DC=Company"
}

#This creates the new user account based on the inputs above
New-ADUser @NewUserParams -PassThru

#This will get the newly created user by SamAccountName and enable protection from accidental deletion
Get-ADUser "$ID" | Set-ADObject -ProtectedFromAccidentalDeletion:$true

#This will add the newly created user to the Department1 AD group
#Note that you can add additional default groupings
Add-ADGroupMember "Department1" -Members "$ID"

exit
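The script above gives every new account the same shared initial password, which any admin who has read the script knows. As an added example (my own code, not the script from this post), here is the same procedure rewritten as a function that generates a distinct random initial password for each account from a CSPRNG, refuses to run if the SamAccountName is already taken, and stops at the first error so that Set-ADObject and Add-ADGroupMember never run against an account that was not created. The OU path, UPN suffix, group name and 180-day lifetime are placeholders taken from the post; the assumption that an employee number is alphanumeric is mine (it also keeps the value safe to embed in the LDAP filter).

```powershell
#Requires -Modules ActiveDirectory

function New-RandomInitialPassword {
    # Random password from a CSPRNG; rejection sampling avoids modulo bias for charsets
    # whose size does not divide 256. Ambiguous characters (I, l, O, 0, 1) are left out.
    param([int]$Length = 16)
    $charset = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%*+-=?@'
    $limit   = 256 - (256 % $charset.Length)
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf     = New-Object byte[] 1
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars.Add($charset[$buf[0] % $charset.Length]) }
        }
        $pw = -join $chars
    # Regenerate until all four character classes are present (default AD complexity rule)
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

function New-DepartmentUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        # Assumption: employee numbers are alphanumeric; this also keeps the value safe in the filter below
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]+$')][string]$EmployeeNumber,
        [string]$OUPath    = 'OU=Department1,OU=User_Object,DC=Domain,DC=Company',  # placeholder from the post
        [string]$UpnSuffix = 'Company.com',                                          # placeholder from the post
        [string]$Group     = 'Department1',                                          # placeholder from the post
        [int]$ValidDays    = 180
    )

    # Fail early with a clear message instead of a half-applied run
    if (Get-ADUser -Filter "SamAccountName -eq '$EmployeeNumber'") {
        throw "SamAccountName '$EmployeeNumber' already exists."
    }

    $plain  = New-RandomInitialPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    $params = @{
        Name                  = "$FirstName $LastName"
        GivenName             = $FirstName
        Surname               = $LastName
        SamAccountName        = $EmployeeNumber
        UserPrincipalName     = "$EmployeeNumber@$UpnSuffix"
        AccountPassword       = $secure
        Enabled               = $true
        ChangePasswordAtLogon = $true     # the user must replace the initial password at first logon
        PasswordNeverExpires  = $false
        AccountExpirationDate = (Get-Date).AddDays($ValidDays)
        Path                  = $OUPath
        Description           = "Employee Account, $Group"
        ErrorAction           = 'Stop'    # a failed New-ADUser aborts the function
    }

    if ($PSCmdlet.ShouldProcess($EmployeeNumber, 'Create AD user')) {
        $user = New-ADUser @params -PassThru
        $user | Set-ADObject -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
        Add-ADGroupMember -Identity $Group -Members $user -ErrorAction Stop

        # The initial password is returned once for out-of-band handover and is not logged or written to disk
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            InitialPassword   = $plain
            Expires           = $params.AccountExpirationDate
        }
    }
}

# Example call with the same prompts the original script used; -WhatIf shows what would be created without touching AD
New-DepartmentUser -FirstName (Read-Host 'First Name') -LastName (Read-Host 'Last Name') `
                   -EmployeeNumber (Read-Host 'Employee Number') -WhatIf
```

Because the function supports ShouldProcess, you can dry-run it with -WhatIf or require confirmation with -Confirm before it touches the directory; drop -WhatIf from the example call to actually create the account.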

Sample output:


I hope I am able to help somebody with this simple script.

I will post more sample PowerShell scripts that I use in administering Active Directory.

For questions, concerns, requests, or anything that's bothering you related to this script, I will gladly help as far as I can.
