• 4 hours
  • Easy


Last updated on 10/28/22

Automate Active Directory Configuration Using PowerShell

So, now we’ve reached the nitty-gritty: scripts! In this chapter, we’re going to create an Active Directory user using PowerShell and then we’ll use scripts to automate this task. Let’s get started.

Create and Enable a User Using PowerShell

Take a look at the Users OU in Active Directory Users and Computers:

Members of the Users Organizational Unit in Active Directory

The New-ADUser command will create a user in PowerShell. Here’s an example of a user being created with the following attributes: 

  • Login: lombard

  • Name: Joel Lombard

  • Mail: lombard@fashionistix.com

  • Password: Pwd4862

  • Password will never expire

  • Password cannot be changed

New-ADUser -Name "Joel Lombard" -SamAccountName lombard -UserPrincipalName "lombard@fashionistix.com" -AccountPassword (ConvertTo-SecureString -AsPlainText Pwd4862 -Force) -PasswordNeverExpires $true -CannotChangePassword $true

Great, I’ve created my first user with PowerShell and it’s been created in the Users organizational unit:

You should now have an additional user!

Oh no! He’s not enabled! You can tell from the downward arrow next to his profile icon.

It’s not a problem. We can enable the account by entering the following PowerShell command:

PS C:\Users\Administrator> Enable-ADAccount lombard

My user is now enabled! I can tell because there’s no longer a downward arrow next to his profile.

User enabled in Active Directory

Okay, that’s all good, but actually I’d like to create a number of users in my domain as quickly as possible. So, I’ve created the list of users. Here they are:

User               Login       Password
Joel Lombard       lombard     Pwd4862
Luke White         luke        Pwd2910
Vincent Tap        vincent     Pwd8744
Christine Deacon   christine   Pwd9911
Arnie Green        arnie       Pwd2565
Karen Tucker       karen       Pwd9718
Michael Fry        michael     Pwd0096

Even though the command for creating users is pretty simple, I’m concerned about keying errors, so I’m going to automate the process, which means I need to create my very first script. Let’s go!

Create a PowerShell Script For User Creation

Let’s get started. We’re just going to use what we’ve seen before, nothing new. So, let’s create a short script to perform the following actions:

1. Get the user’s name and surname:

$name = Read-Host "Please enter the first name and surname of the new user"

2. Get the user’s login ID:

$login = Read-Host "Please enter the login name for the new user"

3. Get the user’s password (stored in $password rather than $pwd, because $PWD is a read-only automatic variable that holds the current directory):

$password = Read-Host "Please enter the password for the new user"

4. Create the user (the UPN is built from the login inside a quoted string so that the variable expands cleanly):

New-ADUser -Name $name -SamAccountName $login -UserPrincipalName "$login@fashionistix.com" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true

Okay, fine. But how do I actually create the script? 🤔

You can do this in Notepad by saving the file as script_user.ps1. Open Notepad by running the Notepad.exe command.

# Contents of script_user.ps1
# Prompt for the new user's details. $password is used instead of $pwd,
# because $PWD is a read-only automatic variable holding the current directory.
$name = Read-Host "Please enter the first name and surname of the new user"
$login = Read-Host "Please enter the login name for the new user"
$password = Read-Host "Please enter the password for the new user"
# Create the account, already enabled; the UPN is built from the login inside a quoted string.
New-ADUser -Name $name -SamAccountName $login -UserPrincipalName "$login@fashionistix.com" -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true

We can see that our script has been successfully created and we can see its size in bytes:

-a----       06/07/2019     20:53            451 script_user.ps1

Next, we can run the script using the command powershell .\script_user.ps1.

The script prompts for each data item; run it once for each user you want to create, entering the details from the list above. It should look something like this:

PS C:\Users\Administrator> powershell .\script_user.ps1 
Please enter the first name and surname of the new user: Luke White 
Please enter the login name for the new user: luke 
Please enter the password for the new user: Pwd2910 

PS C:\Users\Administrator> .\script_user.ps1 
Please enter the first name and surname of the new user: Vincent Tap 
Please enter the login name for the new user: vincent 
Please enter the password for the new user: Pwd8744 

PS C:\Users\Administrator> .\script_user.ps1 
Please enter the first name and surname of the new user: Christine Deacon 
Please enter the login name for the new user: christine 
Please enter the password for the new user: Pwd9911 

PS C:\Users\Administrator> .\script_user.ps1 
Please enter the first name and surname of the new user: Arnie Green 
Please enter the login name for the new user: arnie 
Please enter the password for the new user: Pwd2565 

PS C:\Users\Administrator> .\script_user.ps1 
Please enter the first name and surname of the new user: Karen Tucker 
Please enter the login name for the new user: karen 
Please enter the password for the new user: Pwd9718 

PS C:\Users\Administrator> .\script_user.ps1 
Please enter the first name and surname of the new user: Michael Fry 
Please enter the login name for the new user: michael 
Please enter the password for the new user: Pwd0096

So now your Active Directory should look like this:

Your Active Directory with all the users you’ve created

We can use a PowerShell command to display the users we created using either Get-ADUser -Filter * or Get-ADUser -Filter * | select samAccountName.

PS C:\Users\Administrator> Get-ADUser -Filter * | select samAccountName 

samAccountName 
-------------- 
Administrator 
Guest 
krbtgt 
lombard 
vincent 
christine 
arnie 
karen 
michael 
luke

We can also select additional properties to display, as follows:

PS C:\Users\Administrator> Get-ADUser -Filter * | select Name, samAccountName, UserPrincipalName 

Name             samAccountName UserPrincipalName 
----             -------------- ----------------- 
Administrator    Administrator 
Guest            Guest 
krbtgt           krbtgt 
Joel Lombard     lombard        lombard@fashionistix.com
Luke White       luke           luke@fashionistix.com
Vincent Tap      vincent        vincent@fashionistix.com 
Christine Deacon christine      christine@fashionistix.com 
Arnie Green      arnie          arnie@fashionistix.com 
Karen Tucker     karen          karen@fashionistix.com 
Michael Fry      michael        michael@fashionistix.com 

We can even generate a text file using our various filters, like this:

Get-ADUser -Filter * | Select-Object name, samAccountName, UserPrincipalName | Export-Csv UserAdUTF8.csv -Encoding UTF8

We can now open the file we created using the command Notepad.exe UserAdUTF8.csv.

List of users exported to a file
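Running script_user.ps1 once per user still means typing every value by hand. As an added example that is not part of the course, the script below reads the same three columns as the table above (User, Login, Password) from a CSV file and creates every account in one pass, skipping logins that already exist. The users.csv path and the fashionistix.com suffix are assumptions, the CSV contents are constructed from the table, and the ActiveDirectory module must be available.

```powershell
# new-users-from-csv.ps1: added example, not part of the course.
# users.csv is a constructed input with the same three columns as the table above:
#   User,Login,Password
#   Joel Lombard,lombard,Pwd4862
#   Luke White,luke,Pwd2910
param(
    [string]$CsvPath = ".\users.csv",
    [string]$Domain  = "fashionistix.com"   # assumption: the UPN suffix used in this chapter
)

Import-Module ActiveDirectory

$created = @()
$skipped = @()

foreach ($row in Import-Csv -Path $CsvPath) {
    $login = $row.Login.Trim().ToLower()

    # Idempotence check: New-ADUser throws if the sAMAccountName already exists,
    # so look it up first and skip instead of aborting the whole batch.
    if (Get-ADUser -Filter "SamAccountName -eq '$login'") {
        Write-Warning "User $login already exists, skipping."
        $skipped += $login
        continue
    }

    $securePwd = ConvertTo-SecureString -AsPlainText $row.Password -Force

    # Same attributes as the one-user script: enabled, password never expires, cannot be changed.
    New-ADUser -Name $row.User `
               -SamAccountName $login `
               -UserPrincipalName "$login@$Domain" `
               -AccountPassword $securePwd `
               -PasswordNeverExpires $true `
               -CannotChangePassword $true `
               -Enabled $true

    Write-Host "Created $($row.User) ($login@$Domain)"
    $created += $login
}

# Summary plus the same verification query used earlier in the chapter.
Write-Host "Created: $($created.Count), skipped: $($skipped.Count)"
Get-ADUser -Filter * | Select-Object Name, SamAccountName, UserPrincipalName
```

Because such a CSV holds cleartext passwords, keep it under a restricted ACL and delete it once the batch has run.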

Write a Script to Create and Manage Groups

Right, now we’re going to enhance our company setup by adding groups and putting our users into the groups. Here’s how we want to structure our groups:

Group   User               Login
CEO     Joel Lombard       lombard
COMMS   Luke White         luke
        Vincent Tap        vincent
ACC     Christine Deacon   christine
        Arnie Green        arnie
SEC     Karen Tucker       karen
        Michael Fry        michael

So, our script will have to go through the following steps:

1. Ask for the name of the group you want to create and create the group:

We’re going to use the New-ADGroup command to create a group in Active Directory.

$group = Read-Host "Please enter the name of the new group" 
New-ADGroup $group -GroupScope Global

2. Ask for the number of users to be added to the group:

[int] $number = Read-Host "Please enter the number of users to be added to the group"

3. Ask for the usernames to be added to the group:

$name = Read-Host "Please enter the username to be added to the group $group"

4. Add users to the group:

We’re going to use the Add-ADGroupMember command to add users to the group. 

Add-ADGroupMember -identity $group -Members $name

So, that’s great, but we’re missing something. We need a control structure so that we can create a loop based on the number of users we want to add to the group. 

Okay, I’ll help you out. Here’s our script_group.ps1 script and we’re going to use Windows PowerShell ISE to create the script from now on:

# Contents of script_group.ps1
$group = Read-Host "Please enter the name of the new group"
New-ADGroup $group -GroupScope Global
[int] $number = Read-Host "Please enter the number of users to be added to the group"
# Loop once per user; the prompt and the Add-ADGroupMember call must use the same variable ($name).
for ($i=1; $i -le $number; $i++)
{
    $name = Read-Host "Please enter the username to be added to the group $group"
    Add-ADGroupMember -identity $group -Members $name
    Write-Host "User $name has been successfully added to group $group."
}

Your group creation script in PowerShell ISE

You can run the script from this console by clicking on the green arrow:

Click on the green arrow to run the script

And here it is, adding two groups with two users:

PS C:\Users\Administrator> C:\Users\Administrator script_group.ps1 
Please enter the name of the new group: COMMS 
Please enter the number of users to be added to the group: 2 
Please enter the username to be added to group COMMS : luke 
User luke has been successfully added to group COMMS. 
Please enter the username to be added to group COMMS: vincent 
User vincent has been successfully added to group COMMS. 

PS C:\Users\Administrator>
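Prompting for a count and then for each login works, but the group layout is already known from the table above. As an added example that is not part of the course, the script below holds that layout in a hashtable and builds all four groups in one run; it creates a group only if it is missing and skips members that are already present, so it can be re-run safely. It assumes the ActiveDirectory module and that the users from the previous script already exist.

```powershell
# new-groups-from-table.ps1: added example, not part of the course.
# Assumes the ActiveDirectory module and that the users created earlier already exist.
Import-Module ActiveDirectory

# The group layout from the table above as a hashtable: group name -> member logins.
$layout = @{
    "CEO"   = @("lombard")
    "COMMS" = @("luke", "vincent")
    "ACC"   = @("christine", "arnie")
    "SEC"   = @("karen", "michael")
}

foreach ($groupName in $layout.Keys) {
    # Create the group only if it does not exist yet, so the script can be re-run safely.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -GroupScope Global -PassThru
        Write-Host "Created group $groupName"
    }

    # Current members, so an already-present user is skipped instead of raising an error.
    $current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName

    foreach ($login in $layout[$groupName]) {
        if ($current -contains $login) {
            Write-Host "User $login is already in group $groupName, skipping."
            continue
        }
        # Resolve the login first so a typo gives a clear message rather than a half-built group.
        $user = Get-ADUser -Filter "SamAccountName -eq '$login'"
        if (-not $user) {
            Write-Warning "No user with login '$login'; not added to $groupName."
            continue
        }
        Add-ADGroupMember -Identity $group -Members $user
        Write-Host "User $login has been successfully added to group $groupName."
    }
}

# Verify the result: one line per group listing its members, as Get-ADGroupMember shows below.
foreach ($groupName in $layout.Keys) {
    $members = (Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty SamAccountName) -join ", "
    Write-Host ("{0}: {1}" -f $groupName, $members)
}
```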

The Windows PowerShell ISE is extremely intuitive as it’s like an IDE (Integrated Development Environment). It can spot errors in the code, and the autocomplete function means we can enter commands more quickly and avoid making mistakes. We’re going to use Windows PowerShell ISE for the next part of the course. However, it is good practice to understand how to write PowerShell scripts using Notepad.exe, because some servers are installed without a graphical user interface, whereas Notepad.exe is always present.

We can display the groups we created in Active Directory Users and Computers:

The users and groups you created in Active Directory

We can use this command to display a list of all groups:

PS C:\Users\Administrator> Get-ADGroup -Filter *

We can use this command to display a list of all users in the ACC group:

PS C:\Users\Administrator> Get-ADGroupMember ACC 


distinguishedName: CN=Christine Deacon,CN=Users,DC=Fashionistix,DC=COMMS 
name:              Christine Deacon 
objectClass:       user 
objectGUID:        b4ce7dce-8757-4021-aa5a-0de9d7efcb80 
SamAccountName:    christine 
SID:               S-1-5-21-1794228856-519301800-261500123-1121 

distinguishedName: CN=Arnie Green,CN=Users,DC=Fashionistix,DC=COMMS 
name:              Arnie Green 
objectClass:       user 
objectGUID:        8354055a-7dc4-47c7-9dfa-4bb29c90bae0 
SamAccountName:    arnie 
SID:               S-1-5-21-1794228856-519301800-261500123-1122

We can also generate a file listing information about the SEC group, as follows: 

PS C:\Users\Administrator> Get-ADGroupMember SEC | Export-Csv SEC.csv -Encoding UTF8

We can also generate a file listing the members of the COMMS group, like this: 

PS C:\Users\Administrator> Get-ADGroupMember COMMS | Select-Object name | Export-Csv COMMS.csv -Encoding UTF8
Members of the COMMS group exported to a text file

We can also generate a file called TUCKER.txt to list the groups that user Karen Tucker belongs to: 

# Look up Karen Tucker's user object, requesting the MemberOf attribute (not returned by default).
$user = Get-AdUser -Filter * -SearchBase "CN=Karen Tucker, CN=Users, DC=Fashionistix, DC=COMMS" -Properties MemberOf

foreach($u in $user) {
    $name = $u.name
    $member = $u.memberof      # distinguished names of the groups this user belongs to

    # Append the user's name, then the group list, to TUCKER.txt
    Add-Content -Path "TUCKER.txt" -Value $name
    Add-Content -Path "TUCKER.txt" -Value $member
}

Filtering script to show details for Karen using PowerShell ISE

Here’s the result:

Well, it’s not particularly fascinating, but if Karen Tucker had belonged to a number of groups, all of them would be shown in the text file.

Right, let’s move on. We’re going to be tackling backup scripts in the next chapter.

Let’s Recap!

In this chapter, we’ve seen:

  • the New-ADUser command, which adds a user to Active Directory.

  • the New-ADGroup command, which adds a group to Active Directory.

  • the Add-ADGroupMember command, which adds a user to a group in Active Directory.

  • the Get-ADUser, Get-ADGroup and Get-ADGroupMember commands, which provide information about users and groups in Active Directory.

  • and most importantly, we’ve created our first PowerShell scripts!

In the next chapter, we’re going to learn how to automate backup tasks using PowerShell scripts.
