Create new Active Directory users with a PowerShell script


The PowerShell script discussed here allows you to create new Active Directory (AD) users, one of the most common tasks that IT admins tend to automate when it comes to employee provisioning.

The reason is that this task meets all of the criteria for automation. It involves many distinct, error-prone steps, such as ensuring user accounts meet a particular standard, creating a home folder in a certain way, creating a mailbox, and so on. In addition, it’s a task that admins repeat many times, since an organization continually hires new employees. I thought this was a great task to demonstrate the typical steps you might take when embarking on a new script.

To get started, I’m going to assume a few prerequisites. First, I’m going to presume you have at least PowerShell v4 and also have the Active Directory module installed. The module comes as part of the Remote Server Administration Tools pack. I’m also going to assume that the machine you’ll be working on is a member of the domain, that the account you run the script under has the permissions required to create an Active Directory user account and to create folders and set permissions on the file server, and that the user’s home folder resides on a file server somewhere.

Because each organization’s process is going to be a little different, I’m also going to keep this as generic as possible by first demonstrating how to create an Active Directory user account based on a company standard and create their home folder somewhere. This is probably the minimum that you’ll need to do. However, once you get the basics of script building, you’ll see just how easy it is to script other things (adding something to an HR application, creating an Exchange mailbox, etc.).

Planning employee provisioning

Let’s first break down each component of the goal I want to accomplish and how I intend to make it happen. By the end of script execution, I want to end up with a single AD user account and a separate folder created on a file server with appropriate permissions. To do this, I’ll need to define what exactly each of these two tasks looks like.

For example, when creating my AD user account, here are a few questions to ask yourself.

  1. In what organizational unit should it go?
  2. In what (if any) groups should it go?
    1. Is there a standard user group in which all user accounts go?
    2. Are there different groups in which a user account might go, depending on their department?
  3. What attributes need to be set at creation time?
  4. What should the username be? Does it have to follow some company standard?

When creating the home folder, these are some questions you might ask yourself.

  1. Where should the folder be created?
  2. What should the name of the folder be?
  3. What kind of permissions should the folder have?

Breaking down your goals by asking lots of questions beforehand allows you to have a picture of what the script might do before you write a single line of code.

Now that we have some rough intentions outlined, let’s answer each question before coding. Don’t worry. We’ll get to the code in a minute.

  1. In what organizational unit should it go? – Corporate Users
  2. In what (if any) groups should it go?
    1. Is there a standard user group in which all user accounts go? XYZCompany
    2. Are there different groups in which a user account might go, depending on their department? Match group name with the department.
  3. What attributes need to be set at creation time?
    1. First Name
    2. Last Name
    3. Title
    4. Department
    5. Initials
    6. Change Password at Logon
  4. What should the username be? Does it have to follow some company standard? It should be first initial, last name. If that username is already taken, it should be first initial, middle initial, and last name. If that’s taken, error out.
  5. Where should the folder be created? \\MEMBERSRV1\Users
  6. What should the name of the folder be? AD username

Now that we have each of our questions answered, let’s get down to the code.

Creating new AD users with PowerShell

We’ll first create the script and call it New-Employee.ps1. Because a lot of information will change for each employee, we need to create some parameters and dynamically pass them to the script whenever it is run. I’ll create the following variables as parameters:

  • First Name
  • Last Name
  • Middle Initial
  • Location (for the OU)
  • Department
  • Title
  • Default Group
  • Default Password
  • Base Home Folder Path

These will be represented as script parameters.

The next part of the script is the nice bit: it automatically works out which username to use, applying the fallback rule from the planning section (first initial plus last name, then first initial plus middle initial plus last name, otherwise error out).

Script output

Next, we’ll ensure the OU and group that we’ll be using exist, so that the script fails before it creates anything rather than leaving behind a half-provisioned account.

We can now create the user account per company standards, add it to the group, and create the home folder.
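The complete procedure as one script, written here as an added example rather than the author's own New-Employee.ps1 (which is not reproduced on this page). It uses the OU, group and server names decided in the planning section as parameter defaults. Three things in it are assumptions of mine, not from the article: the initial password is taken as a SecureString rather than a plain string (a plain-text string parameter ends up in shell history and transcript logs); the home folder ACL stops inheriting from the share root, keeps the administrator and SYSTEM entries already there, and grants the new user Modify; and the home drive letter is H:.

```powershell
<#
  New-Employee.ps1: added example, not the article's script. Applies the rules
  decided above. Assumptions (not from the article): the password arrives as a
  SecureString, the home drive is H:, and the home folder ACL grants the new
  user Modify on top of the admin/SYSTEM entries inherited from the share root.
  Usage: .\New-Employee.ps1 -FirstName Jane -LastName Doe -Department IT -Title 'Engineer' `
           -DefaultPassword (Read-Host -AsSecureString 'Initial password') -WhatIf
#>
#Requires -Version 4.0
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param (
    [Parameter(Mandatory)][string]$FirstName,
    [Parameter(Mandatory)][string]$LastName,
    [ValidatePattern('^[A-Za-z]?$')][string]$MiddleInitial = '',
    [string]$Location = 'Corporate Users',
    [Parameter(Mandatory)][string]$Department,
    [Parameter(Mandatory)][string]$Title,
    [string]$DefaultGroup = 'XYZCompany',
    [Parameter(Mandatory)][securestring]$DefaultPassword,   # never a plain [string]
    [string]$BaseHomeFolderPath = '\\MEMBERSRV1\Users'
)
$ErrorActionPreference = 'Stop'

#region Username
function Get-AvailableUsername {
    param ([string]$First, [string]$Last, [string]$Middle)
    # Letters and digits only: a valid sAMAccountName, and safe to put in the LDAP filter
    $f = ($First  -replace '[^A-Za-z0-9]', '').ToLower()
    $l = ($Last   -replace '[^A-Za-z0-9]', '').ToLower()
    $m = ($Middle -replace '[^A-Za-z0-9]', '').ToLower()
    if (-not $f -or -not $l) { throw 'First and last name must contain a letter or digit' }
    $candidates = @("$($f.Substring(0, 1))$l")                # jdoe
    if ($m) { $candidates += "$($f.Substring(0, 1))$m$l" }   # jqdoe
    foreach ($name in $candidates) {
        if ($name.Length -gt 20) { continue }   # sAMAccountName limit for user accounts
        if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$name)")) { return $name }
    }
    throw "No available username for '$First $Middle $Last' (tried: $($candidates -join ', '))"
}
#endregion

#region Prerequisite checks (fail closed before anything is created)
$ou = @(Get-ADOrganizationalUnit -Filter { Name -eq $Location })
if ($ou.Count -ne 1) { throw "Expected exactly one OU named '$Location', found $($ou.Count)" }
$groups = @(@($DefaultGroup, $Department) | Select-Object -Unique)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter { Name -eq $g })) { throw "Group '$g' not found" }
}
if (-not (Test-Path -Path $BaseHomeFolderPath)) { throw "'$BaseHomeFolderPath' is not reachable" }
$username   = Get-AvailableUsername -First $FirstName -Last $LastName -Middle $MiddleInitial
$homeFolder = Join-Path -Path $BaseHomeFolderPath -ChildPath $username
# A leftover folder would carry a previous owner's ACL, so refuse to adopt it
if (Test-Path -Path $homeFolder) { throw "Home folder '$homeFolder' already exists" }
$domain = Get-ADDomain
#endregion
if (-not $PSCmdlet.ShouldProcess($username, 'Create user, memberships and home folder')) { return }

#region Create user and group memberships
$userParams = @{
    Name                  = $username     # CN must be unique in the OU; the username already is
    DisplayName           = "$FirstName $LastName"
    GivenName             = $FirstName
    Surname               = $LastName
    SamAccountName        = $username
    UserPrincipalName     = "$username@$($domain.DNSRoot)"
    Title                 = $Title
    Department            = $Department
    Path                  = $ou[0].DistinguishedName
    HomeDirectory         = $homeFolder
    HomeDrive             = 'H:'
    AccountPassword       = $DefaultPassword
    ChangePasswordAtLogon = $true
    Enabled               = $true
}
if ($MiddleInitial) { $userParams.Initials = $MiddleInitial }
$user = New-ADUser @userParams -PassThru
foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $user }
#endregion

#region Home folder
$null = New-Item -Path $homeFolder -ItemType Directory
$acl = Get-Acl -Path $homeFolder
# Stop inheriting from the share root so entries granted there to other users do
# not flow in; the second $true copies the existing admin/SYSTEM entries first.
$acl.SetAccessRuleProtection($true, $true)
# Grant by SID from the object just created: a DOMAIN\username lookup from the
# file server can fail until the new account has replicated to its DC.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $user.SID,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $homeFolder -AclObject $acl
#endregion
[pscustomobject]@{ Username = $username; DistinguishedName = $user.DistinguishedName; HomeFolder = $homeFolder }
```

Two design points worth noting. All existence checks (OU, both groups, the share, the username, and an orphaned home folder) run before anything is created, so a failure leaves nothing to clean up, and `-WhatIf` exits at the `ShouldProcess` call once the checks have passed. The username function strips everything except letters and digits before the candidate is interpolated into the LDAP filter, which is what makes that interpolation safe; if you relax the character set, switch to the `-Filter` scriptblock form instead.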

Notice that throughout this sample script I broke things down into regions. Regions are an excellent way to separate out the high-level tasks in a large script.

Now that you’ve done all the hard work and defined the rules, the rest is easy. You can now create as many users as you’d like that all follow the exact same pattern.

Adam Bertram

Adam is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who specializes in Windows PowerShell. You can reach Adam at adamtheautomator.com or on Twitter at @adbertram.
