For the longest time, part of our user onboarding process was to manually create user accounts in the Active Directory Users and Computers (ADUC) snap-in. It doesn’t take very long, but whenever you onboard users manually, there’s a higher margin for error. For example, our ticketing system uses LDAP to pull the email field from AD. If we forget to add their email to AD when creating their account, the user can’t submit a ticket to us on their first day if they need help.
That’s where automation comes in. Rather than manually entering the email address, adding the user to specific groups or distribution lists, or updating the AD description, you can just automate the process.
Although this script isn’t the cleanest thing in the world (I need to rewrite it using splatting), it works very well. Once run, this script prompts for things like First Name, Last Name, Username and Email and stores them as variables to reference in other parts of the script. This saves you from entering things like the username in multiple fields.
In this post, you will learn how to create a Powershell script to create a new Active Directory user account.
Prerequisites
This script is made up of two parts:
- Creating the user account
- Adding the user to specific Active Directory groups by “copying” the groups of an existing user.
Whenever we create AD user accounts manually, we would always compare group membership of an employee in the new hire’s department, and then manually add the groups to the new hire. Adding this “CopyADGroup” section saves us a bunch of time and eliminates any chances of missing a required group.
Powershell Script to Create new AD User and Copy Group Membership of Existing User
# Active Directory
Import-Module ActiveDirectory
# Variables for the script
$FirstName = Read-Host "Enter First Name"
$Surname = Read-Host "Enter Last Name"
$Username = Read-Host "Enter Username (i.e. FirstInitialLastName)"
$ADgroups = Read-Host "Copy AD group membership from which user?"
# Note: a plain Read-Host echoes the password on screen; Read-Host -AsSecureString would not.
$Password = Read-Host "Enter a Password" | ConvertTo-SecureString -AsPlainText -Force
# Create the account with display name, first name, surname, SamAccountName, UPN, OU path and password.
New-ADUser `
-Name "$FirstName $Surname" `
-GivenName $FirstName `
-Surname $Surname `
-SamAccountName $Username `
-UserPrincipalName "$Username@domain.com" `
-DisplayName "$FirstName $Surname" `
-Path "CN=Users,DC=domain,DC=com" `
-AccountPassword $Password
# Set required details: enable the account, skip the forced password change, and fill the email field the ticketing system reads.
Set-ADUser -Identity $Username -Enabled $True -ChangePasswordAtLogon $False -EmailAddress "$Username@domain.com"
# Find every group the "$ADgroups" user belongs to and add the new user to each one.
Get-ADPrincipalGroupMembership -Identity $ADgroups | ForEach-Object { Add-ADGroupMember -Identity $_.SamAccountName -Members $Username }
Write-Host -BackgroundColor DarkGreen "Active Directory user account setup complete!"
This could just be an error in my environment, but whenever I run the script, I see an error that “User has already been added to the group”, even though he wasn’t a part of the group initially. It does successfully copy Group Membership from the user I enter, but it’s still annoying to see red error text when the script runs successfully.
As a workaround, add this to the very top of your script. Keep in mind that adding this will prevent the script from showing ANY error messages, so you may not want to add this until after you verify the script runs successfully for you.
#Remove error message that says can't add to group, even though it does add it successfully.
$ErrorActionPreference = 'SilentlyContinue'
Write-Host -BackgroundColor DarkGreen "Creating Active Directory user account..."
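As an added example (not the script from the post), here is the same create-and-copy workflow rewritten with splatting. It skips the template user's primary group (normally Domain Users, which every new account already belongs to) so the "already a member" error never fires, and it reports each group failure individually instead of silencing every error with $ErrorActionPreference. It assumes the same domain.com and CN=Users placeholders as the script above.

```powershell
# Added example, not the post's original script.
# Assumptions: domain is domain.com, new accounts live in CN=Users.
Import-Module ActiveDirectory

$FirstName = Read-Host "Enter First Name"
$Surname   = Read-Host "Enter Last Name"
$Username  = Read-Host "Enter Username (i.e. FirstInitialLastName)"
$Template  = Read-Host "Copy AD group membership from which user?"
# -AsSecureString keeps the password off the screen and out of the console history.
$Password  = Read-Host "Enter a Password" -AsSecureString

# Splatting: every New-ADUser parameter lives in one hashtable.
$newUser = @{
    Name                  = "$FirstName $Surname"
    GivenName             = $FirstName
    Surname               = $Surname
    SamAccountName        = $Username
    UserPrincipalName     = "$Username@domain.com"
    DisplayName           = "$FirstName $Surname"
    EmailAddress          = "$Username@domain.com"
    Path                  = "CN=Users,DC=domain,DC=com"
    AccountPassword       = $Password
    Enabled               = $true
    ChangePasswordAtLogon = $false
}
New-ADUser @newUser

# The template's primary group is stored as a RID in PrimaryGroupID; resolve it to
# a group object so it can be excluded (the new user is already a member of it).
$source       = Get-ADUser -Identity $Template -Properties PrimaryGroupID
$domainSid    = (Get-ADDomain).DomainSID.Value
$primaryGroup = Get-ADGroup -Identity "$domainSid-$($source.PrimaryGroupID)"

Get-ADPrincipalGroupMembership -Identity $Template |
    Where-Object { $_.SID.Value -ne $primaryGroup.SID.Value } |
    ForEach-Object {
        $group = $_
        try {
            Add-ADGroupMember -Identity $group -Members $Username -ErrorAction Stop
            Write-Host "Added $Username to $($group.Name)"
        } catch {
            # Surface the specific failure rather than hiding every error in the script.
            Write-Warning "Could not add $Username to $($group.Name): $_"
        }
    }
Write-Host -BackgroundColor DarkGreen "Active Directory user account setup complete!"
```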
How to Find OU of User Account
If you’re looking at the script above and thinking, “I don’t know how to find what OU my users are a part of!”, then you are in luck.
Just open Command Prompt and type this:
whoami /fqdn
It will then show you exactly what you need to use in the script.
If your users go into different OUs, then I would recommend moving them to the correct OU after the account is created.
How to Copy Additional AD Attributes
My script above only includes things that I personally would need to copy from one user to another. However, I know a lot of companies utilize many different fields such as Office, Telephone Number, Location, etc.
So, I threw together this short script you can add to my script above if you’d like. It reads individual attributes from the source user $ADgroups and copies them to the destination new hire user $Username.
This could probably be cleaned up with splatting, but it gets the job done.
# Read the attributes to copy from the source user in one query...
$Source = Get-ADUser $ADgroups -Properties Office, Description, OfficePhone
# ...and write them to the new hire in one call.
Set-ADUser $Username -Office "$($Source.Office)" -Description "$($Source.Description)" -OfficePhone "$($Source.OfficePhone)"
Wrapping Up
Hopefully this tutorial guide helps you automate the process of creating new hires!
This post is a part of my Automating New Hires With Powershell series, where I create a bunch of helpful Powershell scripts and eventually add them to a GUI menu like what you see below.
- How To Create AD Users and Copy Group Permissions with Powershell
- How to Generate PasswordPush Links for Sharing Email Passwords Securely via Email
- Use Powershell to Open Multiple URL’s in Chrome
- Move Computer Object to Different OU in Powershell
- How to Attach Welcome Email PDF via Powershell
My Homelab Equipment
Here is some of the gear I use in my Homelab. I highly recommend each of them.
- Server 2019 w/ Hyper-V
- Case: Fractal Design Node 804
- Graphics Card: NVIDIA Quadro K600
- CPU: AMD Ryzen 7 2700
The full list of server components I use can be found on my Equipment List page.
Thanks Danny! Quick question: during the copying process I would normally copy certain fields from the same user $ADGroups, like Office, OfficeNumber, so on and so forth.
How would you go about adding that to this script? I’ve tried just setting variables for each property but it causes the script to stop.
Thanks!
Hey Stu – something like this should work! Just tested this out.
Thanks for the suggestion, I’m going to add this to the guide.
$Office = (Get-ADUser $ADgroups -Properties Office | Select -exp Office)
$Des = (Get-ADUser $ADgroups -Properties Description | Select -exp Description)
$Tele = (Get-ADUser $ADgroups -Properties OfficePhone | Select -exp OfficePhone)
Set-ADUser $Username -Office "$Office"
Set-ADUser $Username -Description "$Des"
Set-ADUser $Username -OfficePhone "$Tele"
I hate you.
You Wonderful, Magnificent, Team-playing Bastard. You literally have saved me hours of work by consolidating mundane scripts together that I have on my Company Honey-Do List. I hate you because I now have to live with the knowledge that I’m about to shamelessly “Forever Borrow” these to help my team get these tasks done without the ugliness of human error.
I was going to develop something like these myself over time. Now, all I have to do is break these down and tweak them for my environment. I hate you (LOVE YOU). The world is a better place with Admins like you in it. I swear, the entire sysadmin section is a goldmine to me. I never leave comments or offer to support other script makers. But you sir (pronouns assumed) are a true hero.
Thank you kind fellow human. Your work on these is truly appreciated.
Danny, thank you, and I echo DrewD’s comments.
Both things of beauty 🙂
And integrating stuff like creating an Exchange mailbox or O365 mailbox?
I have been beating my head against a wall for hours trying to figure out how to get the password to work correctly using powershell with Read-Hosts for prompts. It never occurred to me to pipe a Read-Host to a ConvertTo-SecureString but that was the solution.
Yep, it works pretty well! I’m glad my script helped you out!
I believe the red error you are getting when attempting to copy groups is caused by the Domain Users group, which is automatically created when you create a new AD user. You get the error because it’s trying to copy that group, but the new user is already a member of that group.
Ahh, that’s very interesting about the Domain Users group. I hadn’t thought of that, but you are probably right. Thanks for the tip!
Came here to say this!
Can you please guide me to a script to add a new user and set the password, “Password123,” and then add them to a new global security group?