Finally – forgive me everybody, it has been too long since my last post.

Every System Administrator has to deal with Active Directory (most Windows Administrators at least), so automating repetitive processes can be very useful.

I recommend writing functions with parameters, so the function is generalized and can be shared among administrators even though the AD structure differs from one environment to another.

Wandering off – talking about functions, best practice is to name them Verb-Noun (like Get-ADUser), and always with a singular noun, never plural.

Getting on point here again.

First of all, creating users from a CSV file, which is very useful when you have to create multiple users at once.

Create a CSV file including all the AD attributes you want to set during user creation. I’m going with simple ones here, and I save the file in a location like C:\Temp

"FirstName","LastName","UserName","EmailAddress"
"Hallgrimur","Test","hallgrimur.test","hallgrimur@test.com"
"Finn","AnotherTest","finn.test","finn@test.com"


Let's create the function and run it with our CSV file.

Function Create-ADUser {
    param(
        [parameter(Mandatory=$true)][string]$CSVFile,
        [parameter(Mandatory=$true)][string]$OULocation
    )

    # Import the AD Module
    if (!(Get-Module -Name ActiveDirectory)) {
        Import-Module -Name ActiveDirectory
    }

    # Create a function to create a random password
    # (the character set is single-quoted so $ and " inside it are taken literally)
    Function Create-RandomPassword ($Length) {
        $Chars = 'abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+'
        $Randomize = 1..$Length | ForEach-Object { Get-Random -Maximum $Chars.Length }
        return -join ($Randomize | ForEach-Object { $Chars[$_] })
    }

    # Import the users from the CSV file into an array
    $Users = Import-Csv -Path $CSVFile -Delimiter ","

    # Let's run through the Users in the file
    Foreach ($User in $Users) {
        # Check if the user SamAccountName already exists.
        # -Filter only expands plain variables, not property paths like $User.UserName,
        # so copy the value into a variable first.
        $SamAccountName = $User.UserName
        if (Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'") {
            Write-Host "$SamAccountName already exists"
        } else {

            # Create the password and make variables simpler for Full Name and UPN
            $RandomPwd = Create-RandomPassword -Length 24
            $UserPwd = ($RandomPwd | ConvertTo-SecureString -AsPlainText -Force)
            $FullName = $User.FirstName + " " + $User.LastName
            $UPN = $SamAccountName + "@" + $env:USERDNSDOMAIN

            # Create the user
            New-ADUser -Name $FullName -GivenName $User.FirstName -Surname $User.LastName -SamAccountName $SamAccountName -UserPrincipalName $UPN -AccountPassword $UserPwd -EmailAddress $User.EmailAddress -Path $OULocation -Enabled $true

            # Write output and display the password given
            Write-Host "User $SamAccountName was created with the password $RandomPwd"
        }
    }
}

Let's run the function

Create-ADUser -CSVFile "C:\Temp\TestUsers.csv" -OULocation "OU=ADTest,OU=TEST,DC=test,DC=com"

There you have it: creating multiple users with the attributes you like. You can always add columns to the CSV file and edit the “New-ADUser” command to include more attributes.
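As an added example (my own code, not from the original post), a hardened variant of the same flow: it draws password characters from the .NET cryptographic RNG instead of Get-Random (which is not a cryptographic RNG), passes a plain variable to -Filter, supports -WhatIf, forces a password change at first logon, and returns the initial password as an object instead of printing it to the console. The function names New-SecureRandomPassword and New-ADUserFromCsv are my own; the CSV columns are the ones used above.

```powershell
Function New-SecureRandomPassword {
    [CmdletBinding()]
    param([int]$Length = 24)

    # Single-quoted so nothing is interpolated; ambiguous glyphs (l/1, O/0) left out
    $Chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!$%&/()=?@#*+'
    $Rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $Byte  = New-Object byte[] 1
    $Max   = 256 - (256 % $Chars.Length)   # rejection threshold, avoids modulo bias
    $Out   = New-Object char[] $Length
    for ($i = 0; $i -lt $Length; ) {
        $Rng.GetBytes($Byte)
        if ($Byte[0] -lt $Max) {
            $Out[$i] = $Chars[$Byte[0] % $Chars.Length]
            $i++
        }
    }
    $Rng.Dispose()
    return -join $Out
}

Function New-ADUserFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CSVFile,
        [Parameter(Mandatory)][string]$OULocation
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    foreach ($User in Import-Csv -Path $CSVFile) {
        $Sam = $User.UserName
        # -Filter expands plain variables only, not property paths, hence $Sam
        if (Get-ADUser -Filter "sAMAccountName -eq '$Sam'") {
            Write-Warning "$Sam already exists, skipping"
            continue
        }
        $Plain = New-SecureRandomPassword -Length 24
        $UPN   = "$Sam@$env:USERDNSDOMAIN"
        if ($PSCmdlet.ShouldProcess($UPN, 'Create AD user')) {
            New-ADUser -Name "$($User.FirstName) $($User.LastName)" -GivenName $User.FirstName `
                -Surname $User.LastName -SamAccountName $Sam -UserPrincipalName $UPN `
                -EmailAddress $User.EmailAddress -Path $OULocation -Enabled $true `
                -AccountPassword (ConvertTo-SecureString $Plain -AsPlainText -Force) `
                -ChangePasswordAtLogon $true
            # Emit an object so the caller decides where the initial password goes
            [pscustomobject]@{ SamAccountName = $Sam; InitialPassword = $Plain }
        }
    }
}
```

Run it first with -WhatIf to see which accounts would be created, then pipe the real run into a protected location (for example Export-Csv to an ACL-restricted folder) rather than leaving passwords in the console transcript.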

My next step would be creating a group and making sure the users in the OU are in the group.

Let's start by creating the group

New-ADGroup "Test-Group" -Path "OU=ADTest,OU=TEST,DC=test,DC=com" -GroupScope Global -GroupCategory Security

Let's create a function which we can run frequently from a scheduled task to make sure the users are in the group.

Function Add-UsersToGroup {
    param(
        [parameter(Mandatory=$true)]$Group,
        [parameter(Mandatory=$true)]$SearchBase
    )

    # Import the AD Module
    if (!(Get-Module -Name ActiveDirectory)) {
        Import-Module -Name ActiveDirectory
    }

    # Resolve the group's distinguished name once, so membership is compared on the full DN
    # rather than a "CN=$Group" substring (which would also match e.g. Test-Group2)
    $GroupDN = (Get-ADGroup -Identity $Group).DistinguishedName

    # Collect the users depending on OU, including their group memberships
    $Users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties MemberOf

    # Loop through the users and add to group if needed
    Foreach ($User in $Users) {
        if ($User.MemberOf -contains $GroupDN) {
            Write-Host $User.SamAccountName "is already a member of $Group"
        } else {
            Add-ADGroupMember -Identity $Group -Members $User.SamAccountName
            Write-Host "Adding" $User.SamAccountName "to $Group"
        }
    }
}

Let's run the function

Add-UsersToGroup -Group "Test-Group" -SearchBase "OU=ADTest,OU=Test,DC=test,DC=com"

Hallgrimur #TheMachine