Saturday, July 4, 2009

Creating Active Directory Users with Windows PowerShell

While it may seem easy to create Active Directory users using the management console, I still prefer doing it with scripts so as to make sure they are created in a uniform, standard fashion (not to mention as fast as one can possibly do it, especially when you will be doing it for many users). I've referenced the scripts provided at the CodePlex site for ADSI and Active Directory for Windows PowerShell (full credit goes to them) to create users in Active Directory on Windows Server 2008. This also works with Windows Server 2003. While I may be a big fan of automation, it is important to highlight that processes are what make automation really work. The reason I am saying this is that the CSV file can come from different sources, say, an intranet site where you ask employees to log in and key in their details. Having a process in place that makes sure users enter their details in a standard way eliminates the need to cleanse the data (I'm still thinking as a DBA here) in the long run. Plus, having a standard in place as an organization is starting out makes it flexible enough to scale as growth happens. Note that every account in the batch starts out with the same default password, which is why the script leaves them disabled until each one is enabled by hand.
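As an added example of the "process before automation" point above (this is not code from the original post or from the CodePlex scripts), the following pre-flight check validates users.txt before anything is written to the directory. It assumes the same column names (firstName, lastName, OU, Email, Location, Designation), the same "first letter + last name" login convention, and the same "domainName Domain Users" container and domain suffix as the creation script; the function names are mine.

```powershell
# Added example: validate the CSV before creating accounts. Column names, the login
# convention and the OU container path are assumed to match the creation script.
$domainstr = ",dc=domainName,dc=local"
$requiredColumns = @("firstName", "lastName", "OU", "Email", "Location", "Designation")
# Characters Active Directory rejects in sAMAccountName; the name is also limited to 20 characters
$badSamChars = '["/\\\[\]:;|=,+*?<>]'

function Escape-LdapFilterValue([string]$value) {
    # Escape LDAP filter metacharacters (RFC 4515) so a value taken from the CSV
    # cannot change the meaning of the search filter
    $value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Test-SamAccountNameExists([string]$sam) {
    # Search the current domain for an existing user with this login
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + (Escape-LdapFilterValue $sam) + "))"
    return ($searcher.FindOne() -ne $null)
}

function Test-UserCsv([string]$path) {
    $problems = @()
    $rows = @(Import-Csv $path)
    if ($rows.Count -eq 0) { return ,@("$path contains no rows") }

    # Every required column must be present before row-level checks make sense
    $columns = $rows[0].PSObject.Properties | ForEach-Object { $_.Name }
    foreach ($col in $requiredColumns) {
        if ($columns -notcontains $col) { $problems += "missing column: $col" }
    }
    if ($problems.Count -gt 0) { return $problems }

    $seen = @{}
    $line = 1   # line 1 of the file is the header
    foreach ($row in $rows) {
        $line++
        foreach ($col in $requiredColumns) {
            if (-not $row.$col -or $row.$col.Trim() -eq "") { $problems += "line ${line}: empty $col" }
        }
        if (-not $row.firstName -or -not $row.lastName) { continue }

        # Same naming convention as the creation script: first letter of firstName + lastName
        $sam = $row.firstName.Substring(0, 1) + $row.lastName
        if ($sam.Length -gt 20) { $problems += "line ${line}: login '$sam' exceeds 20 characters" }
        if ($sam -match $badSamChars) { $problems += "line ${line}: login '$sam' contains characters not allowed in sAMAccountName" }
        $key = $sam.ToLower()   # sAMAccountName is not case sensitive
        if ($seen.ContainsKey($key)) { $problems += "line ${line}: login '$sam' duplicates line $($seen[$key])" }
        else { $seen[$key] = $line }
        if (Test-SamAccountNameExists $sam) { $problems += "line ${line}: login '$sam' already exists in the domain" }

        # The target OU must exist; Exists() can throw on a malformed path, so treat that as a problem too
        $ouPath = "LDAP://OU=" + $row.OU + ",OU=domainName Domain Users" + $domainstr
        try {
            if (-not [ADSI]::Exists($ouPath)) { $problems += "line ${line}: target OU does not exist: $ouPath" }
        } catch {
            $problems += "line ${line}: invalid OU path: $ouPath"
        }
    }
    return $problems
}

$problems = Test-UserCsv "users.txt"
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Host "REJECTED: $_" }
    Write-Host "Fix users.txt before running the creation script; no accounts were created."
} else {
    Write-Host "users.txt passed validation"
}
```

Run it on the same machine and as the same account you will use for the creation script, so the OU existence and duplicate-login checks are answered by the same domain controller that will receive the writes.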


# define constants
$domainstr = ",dc=domainName,dc=local"
$domainnb  = "domainName"          # domain NetBIOS name
$domain    = "domainName.local"

# userAccountControl flag values (ADS_USER_FLAG_ENUM)
$ADS_UF_ACCOUNTDISABLE = 2      # 0x0002 account is disabled
$ADS_UF_PASSWD_NOTREQD = 32     # 0x0020 no password required
$ADS_UF_NORMAL_ACCOUNT = 512    # 0x0200 normal user account (enabled, password required)

# A freshly created user defaults to 546 (NORMAL_ACCOUNT + ACCOUNTDISABLE + PASSWD_NOTREQD).
# Writing 512 on its own would ENABLE the account with the shared default password, so the
# script writes 514 instead: normal account, password required, but still disabled.
# Remember to enable the account before the user logs in.
$uacDisabledNormal = $ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_ACCOUNTDISABLE   # 514

# Prompt for the default password for the new users.
# Read-Host -AsSecureString returns a SecureString; calling .ToString() on it yields the
# literal text "System.Security.SecureString", not the password, so it has to be decrypted
# through Marshal before SetPassword can use it.
$defaultPassword = Read-Host "Please enter default Password:" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($defaultPassword)
$plainPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Read the list of users from the CSV file
# Include other user properties in the CSV file as necessary
Import-Csv users.txt | ForEach-Object {
    # Create user name based on the firstName and lastName columns in the CSV file
    $strUser = $_.firstName + " " + $_.lastName

    # Form the LDAP string based on the OU column from the CSV file
    $strLDAP = "LDAP://OU=" + $_.OU + ",OU=domainName Domain Users" + $domainstr

    # Define a naming convention for the login based on your corporate policy
    # This one uses the first letter of the firstName and the lastName
    $userID = $_.firstName.Substring(0, 1) + $_.lastName

    $target  = [ADSI] $strLDAP
    $newUser = $target.Create("User", "cn=" + $strUser)
    # sAMAccountName is mandatory, so set it before the first SetInfo() commits the object
    $newUser.Put("sAMAccountName", $userID)
    $newUser.SetInfo()

    # Define the other user attributes based on the columns defined in the CSV file
    $newUser.givenName = $_.firstName
    $newUser.sn = $_.lastName
    $newUser.displayName = $strUser
    $newUser.userPrincipalName = $userID + "@" + $domain
    $newUser.mail = $_.Email
    $newUser.physicalDeliveryOfficeName = $_.Location
    $newUser.title = $_.Designation
    $newUser.description = $_.Designation
    $newUser.SetInfo()

    # SetPassword takes effect immediately; it is not cached until SetInfo()
    $newUser.SetPassword($plainPassword)

    # Normal user that requires a password and is disabled. The assignment only updates the
    # property cache, so SetInfo() is required to commit it to the directory.
    $newUser.userAccountControl = $uacDisabledNormal
    $newUser.SetInfo()

    Write-Host "Created Account for: " $newUser.displayName
}

# Drop the plaintext copy of the default password once all accounts are created
$plainPassword = $null
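Because the script above leaves every account disabled and sharing one default password, the follow-up steps are to confirm what userAccountControl each account really ended up with, mark the default password as expired so it must be changed at first logon, and enable the account only when the person is ready to log in. The block below is an added example for those steps, not part of the original post; it assumes the same "first letter + last name" logins and that it runs in the domain the accounts were created in, and the function names are mine. Flag values are from ADS_USER_FLAG_ENUM.

```powershell
# Added example: inspect, expire the default password for, and enable accounts created
# by the script above. Logins are rebuilt from users.txt with the same convention.
$ADS_UF_ACCOUNTDISABLE = 2      # 0x0002
$ADS_UF_PASSWD_NOTREQD = 32     # 0x0020
$ADS_UF_NORMAL_ACCOUNT = 512    # 0x0200

function Get-UserBySam([string]$sam) {
    # Bind to the user object by sAMAccountName, escaping LDAP filter metacharacters first
    $escaped = $sam.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "no user with sAMAccountName '$sam'" }
    return $result.GetDirectoryEntry()
}

function Get-UacState([string]$sam) {
    # Decode the userAccountControl bits that matter for a newly created account
    $user = Get-UserBySam $sam
    $uac = [int]$user.psbase.Properties["userAccountControl"].Value
    return New-Object PSObject -Property @{
        sAMAccountName      = $sam
        userAccountControl  = $uac
        Disabled            = (($uac -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        PasswordNotRequired = (($uac -band $ADS_UF_PASSWD_NOTREQD) -ne 0)
        NormalAccount       = (($uac -band $ADS_UF_NORMAL_ACCOUNT) -ne 0)
    }
}

function Set-MustChangePasswordAtLogon([string]$sam) {
    # pwdLastSet = 0 marks the current password as expired, so the shared default
    # password can only be used once, to set a new one
    $user = Get-UserBySam $sam
    $user.Put("pwdLastSet", 0)
    $user.SetInfo()
}

function Enable-AdUser([string]$sam) {
    # Clear ACCOUNTDISABLE, but refuse to enable an account that still has PASSWD_NOTREQD
    # set (the default for an object created without touching userAccountControl)
    $user = Get-UserBySam $sam
    $uac = [int]$user.psbase.Properties["userAccountControl"].Value
    if (($uac -band $ADS_UF_PASSWD_NOTREQD) -ne 0) { throw "refusing to enable '$sam': PASSWD_NOTREQD is set" }
    $uac = $uac -band (-bnot $ADS_UF_ACCOUNTDISABLE)
    $user.Put("userAccountControl", $uac)
    $user.SetInfo()
}

# Usage: run after the creation script, against the same users.txt
Import-Csv users.txt | ForEach-Object {
    $sam = $_.firstName.Substring(0, 1) + $_.lastName
    Set-MustChangePasswordAtLogon $sam
    $state = Get-UacState $sam
    Write-Host ("{0}: UAC={1} Disabled={2} PasswordNotRequired={3}" -f `
        $state.sAMAccountName, $state.userAccountControl, $state.Disabled, $state.PasswordNotRequired)
    # Enable-AdUser $sam   # run this step when the person is ready to log in
}
```

An account created by the script should report UAC=514, Disabled=True and PasswordNotRequired=False; anything showing PasswordNotRequired=True means the userAccountControl write was never committed and the account should not be enabled until that is corrected.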
