For example, the following cmdlet shows all services whose names start with “W”:
Get-Service -Name W*
If you forget a cmdlet’s parameters, just use a script like the following, which will display the parameters for
the Get-Process cmdlet:
Get-Process | Get-Member
If you still don’t find the cmdlet you need, you can make sure the help is current and then get examples for
a cmdlet (such as Get-Process) using a script like this:
Update-Help #to update the help data
Get-Help Get-Process -Examples
You can also use aliases, which are shortened cmdlet names. For instance, instead of Get-Help you can use
just Help. Try running the following two commands and see whether you get the same result:
Start-Process notepad
start notepad
Similarly, to stop this process, you can use either of the following commands:
Stop-Process -Name notepad
spps -Name notepad
To see all aliases, execute the Get-Alias cmdlet.
1.4 Comments
Leaving comments in a script will help you — and your colleagues — better understand what the script does.
A string comment is a single line that starts with a number sign (#); block comments spread across multiple
lines, starting and ending with number signs and angle brackets (<# ... #>).
1.5 Pipes
A pipe passes data from one cmdlet to another. I used a pipe earlier to get all properties of an object.
For example, if you execute the following script, you’ll get all services sorted by their status:
Get-Service | Sort-Object -property Status
You can also use a pipe to output text to a file using a script like the following:
"Hello, World!" | Out-File C:\ps\[Link]
You can use multiple pipes. For instance, the following script lists all services, with the first pipe excluding
stopped services and the second pipe limiting the list to display names only:
Get-Service | WHERE {$_.status -eq "Running"} | SELECT displayname
# “$_.” defines current element in the pipe
2. Top 10 Active Directory Management Tasks with PowerShell
The easiest way to manage objects in an Active Directory domain is using the Active Directory Users and
Computers (ADUC) MMC snap-in. However, what if you need to create multiple user accounts in bulk, or
ADUC is not available for some reason? In this part, we’ll explore how to perform the most common AD
management tasks with PowerShell.
Keep in mind that before you can work with Active Directory and its objects, you need to import the Active
Directory module for Windows PowerShell. In Microsoft Windows Server 2008 R2, you need to enable this
module by running the following command:
Import-Module ActiveDirectory
In Microsoft Windows Server 2012 and later, this module is enabled by default.
2.1 Creating New User and Computer Accounts
You can create new user accounts in Active Directory using the cmdlet New-ADUser. You can get its full
syntax by running the following command:
Get-Command New-ADUser -Syntax
When you know the syntax, it’s easy to add users to Active Directory:
New-ADUser [Link]
Accounts are created with the following default properties:
Account is created in the “Users” container.
Account is disabled.
Account is a member of Domain Users group.
No password is set.
User must reset the password at the first logon.
Therefore, to make a new account that’s actually usable, you need to enable it using the Enable-ADAccount
cmdlet and give it a password using the Set-ADAccountPassword cmdlet.
Let’s create a new account with the following attributes:
Name — Jack Robinson
Given Name — Jack
Surname — Robinson
Account Name — [Link]
User Principal Name — [Link]@[Link]
Path — “OU=Managers,DC=enterprise,DC=com”
Password Input — Required
Status — Enabled
Here’s the script we’ll use:
New-ADUser -Name "Jack Robinson" -GivenName "Jack" -Surname "Robinson" `
-SamAccountName "[Link]" -UserPrincipalName "[Link]@[Link]" `
-Path "OU=Managers,DC=enterprise,DC=com" `
-AccountPassword (Read-Host -AsSecureString "Input Password") -Enabled $true
The Read-Host cmdlet will prompt you to enter the new password. Note that the password must meet the
length, complexity and history requirements of your domain security policy.
Now, let’s create ten similar Active Directory accounts in bulk and set a default password (P@ssw0rd) for
each of them. To send the default password in a protected state, we must use the ConvertTo-SecureString
cmdlet. Here’s the script to use:
$path="OU=IT,DC=enterprise,DC=com"
$username="ITclassuser"
$count=1..10
foreach ($i in $count)
{ New-AdUser -Name $username$i -Path $path -Enabled $True -ChangePasswordAtLogon $true `
-AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -force) -passThru }
To make the script more flexible, add the Read-Host cmdlet, which will ask for the base name and the number
of users to be added:
$path="OU=IT,DC=enterprise,DC=com"
$username=Read-Host "Enter name"
$n=Read-Host "Enter Number"
$count=1..$n
foreach ($i in $count)
{ New-AdUser -Name $username$i -Path $path -Enabled $True -ChangePasswordAtLogon $true `
-AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -force) -passThru }
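The scripts above give every account the same known password, and that password sits in the script in clear text. As an added example (not part of the original guide), the variant below issues a different random initial password to each account; the helper name New-RandomPassword, the character set and the 16-character length are assumptions, and it is meant to run on a host with the ActiveDirectory module loaded.

```powershell
# Added example: one random initial password per account instead of a shared default.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 16)
    # Assumed character set (look-alike characters left out); adapt to your domain policy.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # rejection bound, avoids modulo bias
    $byte  = New-Object byte[] 1
    do {
        $pw = ''
        while ($pw.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) { $pw += $chars[$byte[0] % $chars.Length] }
        }
        # Regenerate until upper case, lower case and a digit are all present.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $rng.Dispose()
    return $pw
}

$path     = "OU=IT,DC=enterprise,DC=com"
$username = "ITclassuser"

$issued = foreach ($i in 1..10) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-ADUser -Name "$username$i" -Path $path -Enabled $true `
        -ChangePasswordAtLogon $true -AccountPassword $secure
    # Keep the account/password pair only long enough to hand it over.
    [pscustomobject]@{ Account = "$username$i"; InitialPassword = $plain }
}

# Deliver each password to its owner over a protected channel; do not log this table.
$issued | Format-Table -AutoSize
```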
Another option for creating users in AD is to import them from a CSV file. This option is great when you have
a list of users with predefined personal details such as:
FirstName
LastName
Username
Department
Password
OU
The CSV file must be in UTF8 encoding and contain contact data that looks like this:
The following script will create enabled user objects for any users in the CSV that don’t already have accounts
in AD. The “Reset password at the next logon” option will be enabled for the new accounts, so you can use
your default password:
#Enter a path to your import CSV file
$ADUsers = Import-csv C:\scripts\[Link]
foreach ($User in $ADUsers)
{
    $Username = $[Link]
    $Password = $[Link]
    $Firstname = $User.firstname
    $Lastname = $[Link]
    $Department = $[Link]
    $OU = $[Link]
    #Check if the user account already exists in AD
    if (Get-ADUser -Filter {SamAccountName -eq $Username})
    {
        #If user does exist, output a warning message
        Write-Warning "A user account $Username already exists in Active Directory."
    }
    else
    {
        #If a user does not exist then create a new user account
        #Account will be created in the OU listed in the $OU variable in the CSV file;
        #don’t forget to change the domain name in the "-UserPrincipalName" variable
        New-ADUser `
            -SamAccountName $Username `
            -UserPrincipalName "$Username@[Link]" `
            -Name "$Firstname $Lastname" `
            -GivenName $Firstname `
            -Surname $Lastname `
            -Enabled $True `
            -ChangePasswordAtLogon $True `
            -DisplayName "$Lastname, $Firstname" `
            -Department $Department `
            -Path $OU `
            -AccountPassword (convertto-securestring $Password -AsPlainText -Force)
    }
}
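Because the import file carries clear-text passwords and decides which accounts get created, it is worth checking before the loop above runs. The following pre-flight check is an added example, not part of the original guide: the function name Test-UserImport, the 12-character minimum and the sample rows are assumptions constructed for illustration, and it needs no domain connection.

```powershell
# Added example: validate the import CSV before any account is created.
# Constructed sample data using the column names listed above.
$csv = @'
FirstName,LastName,Username,Department,Password,OU
Jack,Robinson,jrobinson,Managers,Xk7#pLw2Qz9!,"OU=Managers,DC=enterprise,DC=com"
Ann,Lee,alee,IT,P@ssw0rd,"OU=IT,DC=enterprise,DC=com"
Ann,Lee,alee,IT,Vb3!nRt8Wq5#,"OU=IT,DC=enterprise,DC=com"
Sam,Fox,,IT,Hd6%yTr4Ms1!,"OU=IT,DC=enterprise,DC=com"
'@

function Test-UserImport {
    param([object[]]$Rows, [int]$MinLength = 12)   # minimum length is an assumption
    $required = 'FirstName','LastName','Username','Department','Password','OU'
    $seen = @{}      # PowerShell hashtable keys are case-insensitive, like account names
    $line = 1        # line 1 of the file is the header
    foreach ($r in $Rows) {
        $line++
        $problems = @()
        foreach ($c in $required) {
            if ([string]::IsNullOrWhiteSpace($r.$c)) { $problems += "missing $c" }
        }
        if ($r.Username) {
            # sAMAccountName for user objects is limited to 20 characters
            if ($r.Username.Length -gt 20) { $problems += 'Username over 20 characters' }
            if ($seen.ContainsKey($r.Username)) {
                $problems += "duplicate of line $($seen[$r.Username])"
            } else { $seen[$r.Username] = $line }
        }
        if ($r.Password -and $r.Password.Length -lt $MinLength) {
            $problems += "password shorter than $MinLength characters"
        }
        if ($r.OU -and $r.OU -notmatch '^(OU|CN)=.+,DC=') {
            $problems += 'OU is not a distinguished name'
        }
        if ($problems) {
            [pscustomobject]@{ Line = $line; Username = $r.Username
                               Problems = $problems -join '; ' }
        }
    }
}

$bad = Test-UserImport -Rows ($csv | ConvertFrom-Csv)
if ($bad) { $bad | Format-Table -AutoSize -Wrap }
else      { 'CSV passed all checks' }
```

Once the accounts exist, delete the CSV or move it to protected storage, since it still holds every initial password in clear text.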