Monday, February 11, 2013

Use PowerShell to Create New AD Users using a Template

To use an existing account as a template for creating new users, one would use the good old "Active Directory Users and Computers", right? Right-click the user to be used as the template and select "Copy", which prompts something like below:



But this blog is meant for doing things using PowerShell.

To get started quickly, I was tempted to use "Active Directory Administrative Center" on Server 2012 so that I could see the PowerShell history for my actions (yes, you can do that now!), but there was no way to do this in AD Admin Center :O See below:

 

The user "Dexter POSH" is a member of the group "RemotePOSHAdmins" under the OU "POSHAdmins" in my domain. I want to add a new user here using the dexterposh user account as the template.

At first I thought of simply getting the user information with Get-ADUser and piping it into the New-ADUser cmdlet (because it accepts pipeline input of type "None or Microsoft.ActiveDirectory.Management.ADUser" and Get-ADUser emits objects of that type), but as shown below, it fails:


Note that I used the -WhatIf parameter here to be cautious :)

Now what to do? Let's go and ask the updated Get-Help. After going through the help carefully, I learned that the correct parameter to use here is -Instance. Quick info on that is below:




Voila, now I know how it will work :)

So I tried



But it failed, probably because the "dexterposh" account is enabled and I didn't specify a password while creating the new user. So I will create the new account disabled by default:


So everything worked. I noticed that you need to specify the -Path to the desired OU; otherwise the account is created in "Users" in the domain by default.

Now this can be used to automate the creation of users from different templates. We can create a CSV with the information required for account creation, such as first name and last name, plus a field, say "tocopy", that indicates whether the account should be copied from an existing one. That field is set to the SamAccountName of the account to be used as the template, and the new users are then created using the method above.
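
The CSV-driven approach described above, as an added example (not the author's script). Apart from "tocopy", the column names are assumptions, as are the OU path and UPN suffix placeholders, and the CSV rows are constructed sample data.

```powershell
# Added example. Assumes the ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

# Constructed sample rows; in practice use: Import-Csv .\newusers.csv (hypothetical file)
$rows = @'
FirstName,LastName,SamAccountName,tocopy
Test,UserOne,testuser1,dexterposh
Test,UserTwo,testuser2,
'@ | ConvertFrom-Csv

# Placeholders (assumptions): replace with your own OU and UPN suffix.
$targetOU  = 'OU=POSHAdmins,DC=example,DC=com'
$upnSuffix = 'example.com'

foreach ($row in $rows) {
    $params = @{
        Name              = "$($row.FirstName) $($row.LastName)"
        GivenName         = $row.FirstName
        Surname           = $row.LastName
        SamAccountName    = $row.SamAccountName
        # Explicit parameters override values taken from the -Instance object.
        UserPrincipalName = "$($row.SamAccountName)@$upnSuffix"
        Path              = $targetOU      # otherwise the account lands in "Users"
        Enabled           = $false         # no password is supplied, so create disabled
    }

    if ($row.tocopy) {
        try {
            # Fail closed: a mistyped template name skips the row.
            $params.Instance = Get-ADUser -Identity $row.tocopy -ErrorAction Stop
        } catch {
            Write-Warning "Template '$($row.tocopy)' not found; skipping $($row.SamAccountName)"
            continue
        }
    }

    # Dry run first; remove -WhatIf once the output looks right.
    New-ADUser @params -WhatIf
}
```

Every account is created disabled and without a password, so each one still needs a password set and an explicit enable step before it can be used.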


10 comments:

  1. Thanks for the post... One problem I found with using -Instance is that the logon script and home drive connect path isn't copied/created with this command.
    When I use the AD copy command, these are populated with the template user (with the home drive changed to the users username).

    Any ideas on how that can be achieved too? It's the last thing stopping me implementing the script.

  2. Ohh...Sorry for the late reply.

    But I think you can achieve that by just storing the User properties for Logon script and Home drive in a variable and then dot reference the property to later use in the Script.

    Actually, I started to use -instance to avoid that but if it is required that can be done.

  3. This doesn't copy group membership either.

  4. Greetings Dexter, thanks for the script, it works and all I have to do is a little work, wow it will kill me? Of course not, thanks again, be blessed and why not?

    Replies
    1. Thanks :) There are some limitations with this method (already mentioned in previous comments)

  5. instance does not copy group membership (major) and home directory (major) and logon script (for me, minor).
    So.... why am I using it?
    Why is it so limited?

    Replies
    1. Josh,

      It is the way the dev team for AD module implemented it. But it shouldn't be hard to write a similar function using PS + ADSI or PS + AD Module. I will push it to my to-do list and push out a post on it soon. I think many people want that.

      Thanks for taking time to comment.

  6. This comment has been removed by a blog administrator.

  7. I am new to PowerShell, I apologize but, where in the script are you specifying the *template user*?
    Can you give your full script here, it's really hard to tell from the screen shots.
    Thank you so much.

    Replies
    1. Which script ?
      It is a PowerShell one liner, you can look for something similar in the New-ADUser help examples too.
