Summary: Learn how to transcribe between ADSI, Quest, and Windows PowerShell cmdlets for creating users.

Hey, Scripting Guy! I used to use the Quest cmdlets to create new users, but I need to rewrite some of my scripts to work with a legacy environment that can't use the .NET Framework. Can you help me?

—SH

Hello SH, Honorary Scripting Guy, Sean Kearney, is here again. We're going to go into a bit more about translating between the various ways of working with Active Directory and Windows PowerShell. This is the second post in a series. Yesterday, I was discussing with my old coworker how to unlock accounts with Windows PowerShell by using the [ADSI] accelerator, the Quest cmdlets, and the modern Windows PowerShell cmdlets for Active Directory.

Let's review when Kevin had to modify one of my scripts. I had a very simple script to create users by using the Quest cmdlets that looked like this:

```powershell
$First=READ-HOST 'First Name'
$Last=READ-HOST 'Last name'
$Name=$Last+', '+$First
$Prefix=$First+'.'+$Last
# sAMAccountName is limited to 20 characters: pad, cut to 20, then trim the padding
$Sam=$Prefix.padright(20).substring(0,20).trim()
$UPN=$Prefix+'@Contoso.local'
$Parent='OU=Grok,DC=Contoso,DC=Local'
$Password='B@dP@ssw0rd!'

NEW-QADUser -firstname $First -lastname $Last -name $Name -parentcontainer $Parent -samaccountname $Sam -upn $UPN -userpassword $Password
```

When we ran this script, it would simply prompt for the first and last names and create a disabled user account in Active Directory.

The challenge Kevin had was that he needed to work with a vendor appliance, and he could not add the .NET runtime. If he did, it would break its status as a validated environment. So he needed to easily create multiple users in this environment after they were processed and authorized by the system owner.

In many respects, most of the script would remain unchanged. We simply needed to modify it to leverage the [ADSI] accelerator instead. First, we built the targeting link for the binding and specified the type of object we were creating in Active Directory (note the double quotes, so that $Parent is expanded inside the LDAP path):

```powershell
$Connection=[ADSI]"LDAP://$Parent"
$Class='user'
```

Then we add a DisplayName value and prefix the user name with CN=, because the older [ADSI] accelerator expects the relative distinguished name of the new object:

```powershell
$DisplayName=$First+' '+$Last
$Name='CN='+$DisplayName
```

With this in place, we can pull out the New-QADUser cmdlet, so the script looks like this:

```powershell
$First=READ-HOST 'First Name'
$Last=READ-HOST 'Last name'
$DisplayName=$First+' '+$Last
$Name='CN='+$DisplayName
$Prefix=$First+'.'+$Last
$Sam=$Prefix.padright(20).substring(0,20).trim()
$UPN=$Prefix+'@Contoso.local'
$Parent='OU=Grok,DC=Contoso,DC=Local'
$Password='B@dP@ssw0rd!'

# In the following script, we are creating the user with the older [ADSI] accelerator.
$Class='user'
$Connection=[ADSI]"LDAP://$Parent"
$NewUser=$Connection.create($Class, $Name)
$NewUser.put('sAMAccountName',$Sam)
$NewUser.put('userprincipalname',$UPN)
$NewUser.put('Sn',$Last)
$NewUser.put('Givenname',$First)
$NewUser.put('DisplayName',$DisplayName)
$NewUser.setinfo()

# A freshly created user is disabled (bit 2 of userAccountControl is set);
# toggling that bit with -bxor enables it. The result must be assigned back.
$AccountControl=$NewUser.useraccountcontrol
$AccountControl=$AccountControl -bxor 2
$NewUser.useraccountcontrol=$AccountControl
$NewUser.setpassword($Password)
$NewUser.setinfo()
```

Kevin tested the script in the lab to make sure it worked properly, and then popped in to Active Directory to verify that the user and its attributes were created.

'OK, so if I have most of the variables defined, I simply need to find the block of script that has the cmdlet and swap it with the older method,' he noted. 'So what would it take to make this with the cmdlets in the Active Directory module?'

'Pretty much the same thing,' I answered, 'except we need to convert the plain text password to a secure string for the Windows PowerShell cmdlets to use. We can use this one line to convert our older variable, $Password:'

```powershell
$SecurePassword=ConvertTo-SecureString $Password -AsPlainText -Force
```

'When we use the Windows PowerShell cmdlets instead of the Quest cmdlets, the script looks like the following example. We simply remove all the code after the comment and replace it with this:'

```powershell
New-ADUser -Name $DisplayName -DisplayName $DisplayName -GivenName $First -Surname $Last -SamAccountName $Sam -UserPrincipalName $UPN -Path $Parent
# -NewPassword must be named: the first positional parameter of Set-ADAccountPassword is -Identity
Get-ADUser -Identity $Sam | Set-ADAccountPassword -NewPassword $SecurePassword -Reset
Get-ADUser -Identity $Sam | Enable-ADAccount
```

'This creates the account, sets the password, and then flips the account to active.'
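The [ADSI] script above flips only the "account disabled" bit, and it carries the password as a literal in the script file. The following is an added example, not code from the original post: it reuses the post's variable names and its placeholder OU and domain, prompts for the password as a SecureString, and clears both the disabled bit and the "password not required" bit that a user created over LDAP starts with (an object added without an explicit userAccountControl gets 546, that is NORMAL_ACCOUNT + PASSWD_NOTREQD + ACCOUNTDISABLE). Clear-UacFlags is a helper name chosen here.

```powershell
# Added example, not code from the original post. Reuses the post's variable
# names and placeholder OU/domain; Clear-UacFlags is a helper name chosen here.

# userAccountControl bit values (ADS_USER_FLAG_ENUM)
$ADS_UF_ACCOUNTDISABLE = 0x0002
$ADS_UF_PASSWD_NOTREQD = 0x0020
$ADS_UF_NORMAL_ACCOUNT = 0x0200

function Clear-UacFlags {
    # Return $Current with every bit in $Flags cleared. -band/-bnot is idempotent,
    # whereas "-bxor 2" on an account that is already enabled would disable it again.
    param([int]$Current, [int]$Flags)
    return $Current -band (-bnot $Flags)
}

$First = Read-Host 'First Name'
$Last = Read-Host 'Last name'
# Prompt for the password instead of keeping it in the script file.
$SecurePassword = Read-Host 'Initial password' -AsSecureString
$DisplayName = "$First $Last"
$Name = "CN=$DisplayName"
$Prefix = "$First.$Last"
$Sam = $Prefix.PadRight(20).Substring(0, 20).Trim()   # sAMAccountName limit is 20 chars
$UPN = "$Prefix@Contoso.local"
$Parent = 'OU=Grok,DC=Contoso,DC=Local'

$Connection = [ADSI]"LDAP://$Parent"
$NewUser = $Connection.Create('user', $Name)
$NewUser.Put('sAMAccountName', $Sam)
$NewUser.Put('userPrincipalName', $UPN)
$NewUser.Put('sn', $Last)
$NewUser.Put('givenName', $First)
$NewUser.Put('displayName', $DisplayName)
$NewUser.SetInfo()

# IADsUser.SetPassword needs the clear text: decode it only for the call, then wipe the buffer.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
try {
    $NewUser.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Reload the property cache and read the server-assigned flags.
# A user added over LDAP without an explicit userAccountControl starts at
# 546 = NORMAL_ACCOUNT (512) + PASSWD_NOTREQD (32) + ACCOUNTDISABLE (2).
$NewUser.GetInfo()
$uac = [int]$NewUser.Get('userAccountControl')
Write-Host ('userAccountControl before: {0} (0x{0:X})' -f $uac)

# Clear the disabled bit AND the "password not required" bit. The post's script
# leaves the latter set, which allows the account to be given an empty password later.
$uac = Clear-UacFlags -Current $uac -Flags ($ADS_UF_ACCOUNTDISABLE -bor $ADS_UF_PASSWD_NOTREQD)
$NewUser.Put('userAccountControl', $uac)
$NewUser.SetInfo()

# Verify what the directory actually stored before declaring success.
$NewUser.GetInfo()
$check = [int]$NewUser.Get('userAccountControl')
if ($check -band ($ADS_UF_ACCOUNTDISABLE -bor $ADS_UF_PASSWD_NOTREQD)) {
    throw "userAccountControl is $check; expected the disabled and passwd-not-required bits to be clear"
}
Write-Host ('userAccountControl after:  {0} (0x{0:X})' -f $check)
```

The password is set before the flags are committed for the same reason as in the post's script: a domain with a password policy refuses to enable an account that has no password, and SetPassword throws if the value does not meet the policy, so the account is then left disabled rather than half-configured. For a plain user the final value is 512 (NORMAL_ACCOUNT only); anything else at the end is a reason to stop and look rather than hand the account over.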
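With the Active Directory module the three steps at the end of the post (create, set password, enable) collapse into a single New-ADUser call, which also removes the window in which a disabled, password-less object exists in the directory. This is an added example, not code from the original post: it assumes the ActiveDirectory module and the post's placeholder OU and domain, and New-SamAccountName is a helper name chosen here that enforces the 20-character limit the post's PadRight/Substring trick is working around.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module; uses the post's placeholder OU/domain. New-SamAccountName is a helper
# name chosen here.
Import-Module ActiveDirectory

function New-SamAccountName {
    # Build first.last, drop characters that sAMAccountName may not contain, and
    # cut to 20 characters (the limit the post's PadRight/Substring trick works around).
    param([string]$First, [string]$Last, [int]$MaxLength = 20)
    $candidate = ('{0}.{1}' -f $First.Trim(), $Last.Trim())
    $candidate = $candidate -replace '["\[\]:;|=+*?<>/\\,\s]', ''
    if ($candidate.Length -gt $MaxLength) { $candidate = $candidate.Substring(0, $MaxLength) }
    return $candidate
}

$First = Read-Host 'First Name'
$Last = Read-Host 'Last name'
$SecurePassword = Read-Host 'Initial password' -AsSecureString   # never a literal in the script
$DisplayName = "$First $Last"
$Sam = New-SamAccountName -First $First -Last $Last
$UPN = "$First.$Last@Contoso.local"
$Parent = 'OU=Grok,DC=Contoso,DC=Local'

# Fail early if the name is already taken instead of letting New-ADUser error half-way.
if (Get-ADUser -Filter { SamAccountName -eq $Sam }) {
    throw "An account named $Sam already exists"
}

# One call creates the object, sets the password and enables it; the user has to
# replace the initial password at first logon.
New-ADUser -Name $DisplayName -DisplayName $DisplayName -GivenName $First -Surname $Last `
    -SamAccountName $Sam -UserPrincipalName $UPN -Path $Parent `
    -AccountPassword $SecurePassword -Enabled $true -ChangePasswordAtLogon $true

# Confirm the two flags that matter before handing the account over.
$created = Get-ADUser -Identity $Sam -Properties PasswordNotRequired
if (-not $created.Enabled -or $created.PasswordNotRequired) {
    throw "Unexpected state for $($Sam): Enabled=$($created.Enabled) PasswordNotRequired=$($created.PasswordNotRequired)"
}
$created | Select-Object SamAccountName, Enabled, PasswordNotRequired
```

If the domain password policy rejects the supplied password, New-ADUser still creates the object but reports the error and leaves it disabled; the final check then throws instead of silently leaving a half-provisioned account behind. The helper strips the characters that sAMAccountName cannot hold and truncates to 20 characters, which is the same outcome the post's `padright(20).substring(0,20).trim()` chain produces for well-formed names, but without relying on padding to avoid a Substring error on short input.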