Windows Server How-To

How To Create an Active Directory Account in PowerShell

Going the PowerShell route will save you time when creating a large batch of new Active Directory users.

Although Active Directory accounts are sometimes manually created using the Active Directory Users and Computers console, it is also possible to create Active Directory accounts through PowerShell. This is more than just a novelty; it can be a real timesaver for those who need to create a large number of accounts.

There are a number of different ways in which user accounts can be created by using PowerShell. One option is to manually create accounts by using the New-ADUser cmdlet. Admittedly, this technique can be a little bit overwhelming because the New-ADUser cmdlet supports a huge number of parameters. The good news, however, is that the vast majority of these parameters are optional. Furthermore, the basic New-ADUser cmdlet uses a relatively straightforward syntax.

If you are sticking to the basics, then there are three main tasks that you will need to complete in order to create an Active Directory account using PowerShell. The first of these tasks involves using the New-ADUser cmdlet to create an account. At a minimum, you will need to provide the name of the account that you want to create, and a corresponding User Principal Name. For example, suppose that you wanted to create an account named User10 in a domain named PoseyDemo.com. The command used for doing so is:

New-ADUser -Name "User10" -UserPrincipalName "User10@PoseyDemo.com"

You can confirm that the account has been created by entering the following command:

Get-ADUser User10 | Select-Object Name

A second task that you will need to complete is that of adding a password to the user account. Although Windows Server does allow you to have user accounts with no passwords (assuming that the group policy settings allow it), a password is, for all practical purposes, a requirement if you are creating an account through PowerShell. When you use PowerShell to create an Active Directory account, that account is disabled by default. PowerShell will not allow you to enable the account unless the account has been assigned a password.

If you are only creating an account or two, then it is probably going to be easiest to manually assign a password to the newly created user account. For bulk user account creation, however, it is possible to write a password to a text file (in an encrypted format) and then leverage the password file during the account creation process. Doing so allows you to automate the entire process so that you don't have to manually enter passwords for each account.

If you have created a user account using the technique shown above, and need to assign a password to the account, you can do so by using the following command:

Set-ADAccountPassword -Identity User10

Upon entering this command, you will be prompted to enter and then re-enter the password that you want to assign to the user account.

Given the fact that you cannot use PowerShell to enable an Active Directory account unless the account has been assigned a password, it should come as no surprise that the third step in the account creation process is to enable the account. You can accomplish this by using the Enable-ADAccount cmdlet, combined with the name of the user account. For instance, if you wanted to enable the User10 account, the command used for doing so would be:

Enable-ADAccount -Identity User10

After enabling a user account, it is a good idea to confirm that the account is indeed enabled. You can do so by entering this command:

Get-ADUser User10 -Properties Enabled | Format-Table Name, Enabled

This command will display the account name and will provide a True / False value for the Enabled column. If the Enabled column reflects a value of True, then the account has been successfully enabled.

It is worth noting that all three of the steps that I have discussed can be performed as a part of a single command. For example, if you wanted to create a user account named User13, you could create and enable the account by using this command:

New-ADUser -Name User13 -AccountPassword (Read-Host -AsSecureString "AccountPassword") -PassThru | Enable-ADAccount

You can see what this command looks like in Figure 1.

Figure 1. You can create and enable an Active Directory account in a single step.

As you can see, the New-ADUser cmdlet makes it easy to create user accounts. Keep in mind, however, that I have kept things as simple as I can. PowerShell gives you the option of assigning numerous additional attributes to the account (phone number, city, department, etc.).

It is also important to keep in mind that this technique is only one of the ways in which you can use PowerShell to create Active Directory user accounts. Those organizations that need to create large numbers of accounts often use a variation of this technique in which PowerShell reads the account information from a CSV file before using the New-ADUser cmdlet to create the accounts.
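
The CSV-driven variation described above, combined with the encrypted password file mentioned earlier, might look like the following. This is an added example, not code from the original article; the password file path, the OU, and the sample rows are hypothetical. It assumes the ActiveDirectory module, the PoseyDemo.com domain used above, and an existing folder that only the provisioning account can read.

```powershell
# Added example. Requires the ActiveDirectory module and rights on the target OU.
Import-Module ActiveDirectory

# Hypothetical values: adjust the password file path and OU for your domain.
$PasswordFile = 'C:\Secure\initial-password.txt'
$TargetOU     = 'OU=Staff,DC=PoseyDemo,DC=com'

# One-time step: prompt for the initial password and store it encrypted.
# Without -Key, ConvertFrom-SecureString uses DPAPI, so the file can only be
# decrypted by the same Windows user on the same computer.
if (-not (Test-Path $PasswordFile)) {
    Read-Host -AsSecureString 'Initial password' |
        ConvertFrom-SecureString | Set-Content -Path $PasswordFile
}
$InitialPassword = Get-Content -Path $PasswordFile | ConvertTo-SecureString

# Constructed sample rows; in practice use Import-Csv -Path <your file>.
$Rows = @'
Name,SamAccountName,Department
User20,user20,Finance
User21,user21,Engineering
'@ | ConvertFrom-Csv

foreach ($Row in $Rows) {
    $Sam = $Row.SamAccountName
    # Reject names that could break the -Filter string or exceed 20 characters.
    if ($Sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Invalid SamAccountName '$Sam'; skipped"; continue
    }
    # Skip accounts that already exist instead of failing mid-batch.
    if (Get-ADUser -Filter "SamAccountName -eq '$Sam'") {
        Write-Warning "$Sam already exists; skipped"; continue
    }
    try {
        # The shared initial password must be changed at first logon.
        New-ADUser -Name $Row.Name -SamAccountName $Sam `
            -UserPrincipalName "$Sam@PoseyDemo.com" `
            -Department $Row.Department -Path $TargetOU `
            -AccountPassword $InitialPassword -Enabled $true `
            -ChangePasswordAtLogon $true -ErrorAction Stop
    }
    catch { Write-Warning "Failed to create ${Sam}: $_" }
}

# Verify the batch: each account should be enabled and require a password.
$Rows | ForEach-Object {
    Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'" -Properties PasswordNotRequired
} | Format-Table Name, Enabled, PasswordNotRequired
```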

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
