Creating AD users in bulk with PowerShell

The other day I was lurking on the PowerShell forum and found a question about importing an Excel spreadsheet to use for AD user account creation. It looked like a quick fix so I decided to give it a go. I am new to PowerShell so real world ideas like this one provide a great way for me to learn while also helping out in the community. Needless to say, I found out that it wasn’t the quick fix that I thought it would be.

I decided to use a CSV file as the source rather than Excel, since I was working on a server that did not have Excel installed, and pretty quickly got the script to work using the ActiveDirectory module provided by Microsoft. When I went to verify the results, however, all of the programmatically created users were disabled. What good is a ‘working’ script if the output doesn’t provide the required functionality? All of the accounts were created, but I was unable to even manually enable them: the error said the password did not meet my domain’s complexity requirements. I verified that the password used in the script was actually a valid password: I could reset the user’s password to the one in the CSV file and enable the AD account without any errors. This pointed to an issue with the way I was setting the password in the script. I googled the issue and, lo and behold, there was a blog post written about this exact issue.

After integrating the code snippet from the above blog post, I was able to successfully create enabled and functional AD users. The cause is worth spelling out: New-ADUser creates the account disabled, with no password, unless you hand it -AccountPassword, and Enable-ADAccount refuses to enable an account whose (empty) password does not satisfy the domain policy. Setting the password first with Set-ADAccountPassword -Reset and only then calling Enable-ADAccount is what makes the accounts usable. Here is the script and a sample CSV file that can be used as a starting point. Run it as an account that can create users in the target OU, on a machine with the ActiveDirectory module installed. Since there are so many fields that can be set for an AD user, I created a very small sample, but this can be expanded to include any attributes that are required by your organization.

# CreateADUsers.ps1
# If the execution policy blocks the script, relax it for this process only from the
# console that launches it, rather than setting Unrestricted machine-wide from inside a script:
#   Set-ExecutionPolicy RemoteSigned -Scope Process
Import-Module ActiveDirectory

$csvpath = "c:\scripts\Newusers.csv"
$date    = Get-Date
$logfile = "c:\scripts\create_AD_users.log"
$i = 0

# Specify parent container for all new users.
$OU = "OU=UsersOU,DC=domain,DC=com"

"Bulk user creation started $date" | Out-File $logfile -Append

Import-Csv $csvpath | ForEach-Object {
    $sam = $_.Username
    $i++
    # Clear the previous row's result so a failed lookup never reuses it
    $exists = $null
    Try   { $exists = Get-ADUser -LDAPFilter "(sAMAccountName=$sam)" }
    Catch { }

    If (!$exists)
    {
        $Password = $_.Password
        # New-ADUser creates the account disabled with no password. Resetting the password
        # first is what allows Enable-ADAccount to succeed without a complexity error.
        New-ADUser $sam -GivenName $_.GivenName -Initials $_.Initials -Surname $_.SN `
            -DisplayName $_.DisplayName -EmailAddress $_.EmailAddress -PassThru |
        ForEach-Object {
            $_ | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $Password -Force)
            $_ | Enable-ADAccount
            # The CSV password is known to whoever prepared the file; force a change at first logon
            $_ | Set-ADUser -ChangePasswordAtLogon $true
        }

        # Set an ExtensionAttribute (placeholder: add a $ext.Put("extensionAttribute1", "value")
        # call before SetInfo() for each attribute your organization needs)
        $dn  = (Get-ADUser $sam).DistinguishedName
        $ext = [ADSI]"LDAP://$dn"
        $ext.SetInfo()
        Move-ADObject -Identity $dn -TargetPath $OU

        $newdn = (Get-ADUser $sam).DistinguishedName
        Rename-ADObject -Identity $newdn -NewName $_.DisplayName

        # Log what was created, but never the password: the log file outlives the CSV
        $output  = $i.ToString() + ") Name: " + $_.DisplayName + "  sAMAccountName: " + $sam
        $output | Out-File $logfile -Append
    }
    Else
    {
        "SKIPPED - ALREADY EXISTS OR ERROR: " + $sam | Out-File $logfile -Append
    }
    "----------------------------------------" + "`n" | Out-File $logfile -Append
}
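Because the whole point of the post is that the accounts came out disabled the first time, it is worth checking the result instead of trusting the log. The check below is an added example, not part of the original script: it reads the same CSV, looks each user up, and reports whether the account exists, is enabled, sits directly under the target OU, and still has "must change password at next logon" set. It assumes the same column names (Username) and OU as the script above; Test-BulkUsers is my own function name.

```powershell
# Verify-BulkUsers.ps1 (added example; assumes the CSV columns and $OU used by CreateADUsers.ps1)
Import-Module ActiveDirectory

function Test-BulkUsers {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$OU
    )
    Import-Csv $CsvPath | ForEach-Object {
        $sam = $_.Username
        # A script-block -Filter lets the AD module quote the value itself instead of
        # pasting CSV content into a hand-built LDAP filter string.
        $user = Get-ADUser -Filter { sAMAccountName -eq $sam } -Properties Enabled, PasswordExpired

        $enabled = $false
        $inOU    = $false
        $mustChg = $false
        $dn      = ''
        if ($user) {
            $enabled = [bool]$user.Enabled
            # An object directly under the OU has a DN of "CN=<name>,<OU DN>"
            $inOU    = $user.DistinguishedName -like "CN=*,$OU"
            # True when pwdLastSet is 0, i.e. "User must change password at next logon"
            $mustChg = [bool]$user.PasswordExpired
            $dn      = $user.DistinguishedName
        }

        [pscustomobject]@{
            Username           = $sam
            Exists             = [bool]$user
            Enabled            = $enabled
            InTargetOU         = $inOU
            MustChangePassword = $mustChg
            DistinguishedName  = $dn
        }
    }
}

$targetOU = 'OU=UsersOU,DC=domain,DC=com'
$results  = Test-BulkUsers -CsvPath 'c:\scripts\Newusers.csv' -OU $targetOU
$results | Format-Table -AutoSize

# Any row here is one the creation script did not finish: the "everything is disabled"
# symptom this post started from would show up as Enabled = False for every user.
$bad = $results | Where-Object { -not ($_.Exists -and $_.Enabled -and $_.InTargetOU) }
if ($bad) {
    Write-Warning ("{0} of {1} accounts are missing, disabled or outside {2}" -f @($bad).Count, @($results).Count, $targetOU)
    $bad | Format-Table -AutoSize
}
```

Run it from the same session (or the same account) that ran the creation script, immediately afterwards; if the script has already been extended to put attributes on the [ADSI] object, add those to the -Properties list and to the output object so the report covers them too.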

This is the sample CSV (newusers.csv) data that I used in testing the script. The first line is the header row; Import-Csv turns it into the property names the script reads ($_.GivenName, $_.SN, $_.Username and so on), so without it the first user becomes the header and nothing is created correctly. For a real run, give each account its own password and treat the file as a secret: it holds plaintext passwords, so restrict who can read it and delete it once the accounts are created.

GivenName,Initials,SN,DisplayName,EmailAddress,Username,Password
"Susan","SU","User","Susan User","","susan","~RP:hoV.ZmE4tS6Z"
"James","JU","User","James User","","james","~RP:hoV.ZmE4tS6Z"
"Ronnie","RU","User","Ronnie User","","ronnie","~RP:hoV.ZmE4tS6Z"
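The sample above gives all three users the same password, which is fine for a test domain and not fine anywhere else. The following added example, which is my own code and not part of the original post, builds the CSV with a distinct random password per user: the characters come from the OS cryptographic random number generator (System.Security.Cryptography.RandomNumberGenerator, available in Windows PowerShell), every password contains all four character classes so the default domain complexity rule always passes, and a password that happens to contain the user's account name or a 3+ character piece of the display name (which the same rule rejects) is regenerated. The function and helper names (Get-RandomIndex, New-RandomPassword, Test-NamePartInPassword, New-BulkUserCsv), the output path and the three sample people are all my assumptions; the column names match what the script reads.

```powershell
# New-BulkUserCsv.ps1 (added example; column order matches what CreateADUsers.ps1 reads)
$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex {
    # Uniform integer in 0..Max-1 from the OS CSPRNG. Rejection sampling removes the small
    # modulo bias that a bare "$n % $Max" would introduce.
    param([Parameter(Mandatory)][int]$Max)
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)   # largest multiple of $Max below 2^32
    do {
        $script:Rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function New-RandomPassword {
    param([int]$Length = 16)
    # l, 1, I, O and 0 are left out so a password read over the phone is not misheard.
    $classes = @(
        'abcdefghijkmnopqrstuvwxyz',
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        '23456789',
        '!#$%&*+-=?@_'
    )
    $all = -join $classes
    # One character from every class, so the default AD rule (3 of 4 classes, 7+ characters) always passes
    [char[]]$chars = foreach ($set in $classes) { $set[(Get-RandomIndex $set.Length)] }
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }
    # Fisher-Yates shuffle so the class-guaranteed characters are not always the first four
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

function Test-NamePartInPassword {
    # The Windows complexity rule also rejects passwords containing the account name or any
    # display-name token of 3+ characters (split on space , . - _ # tab), case-insensitively.
    param([string]$Password, [string]$SamAccountName, [string]$DisplayName)
    $tokens = @($SamAccountName) + @($DisplayName -split '[ ,.\-_#\t]+' | Where-Object { $_.Length -ge 3 })
    foreach ($t in $tokens) {
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function New-BulkUserCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][object[]]$People   # objects with GivenName, Initials, SN, Username, EmailAddress
    )
    $rows = foreach ($p in $People) {
        $display = "$($p.GivenName) $($p.SN)"
        do { $pw = New-RandomPassword } while (Test-NamePartInPassword $pw $p.Username $display)
        # [pscustomobject] keeps this key order, so the CSV header comes out in the same order
        [pscustomobject]@{
            GivenName    = $p.GivenName
            Initials     = $p.Initials
            SN           = $p.SN
            DisplayName  = $display
            EmailAddress = $p.EmailAddress
            Username     = $p.Username
            Password     = $pw
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    $rows
}

# Constructed sample input: the same three test users as the post
$people = @(
    [pscustomobject]@{ GivenName = 'Susan';  Initials = 'SU'; SN = 'User'; Username = 'susan';  EmailAddress = '' }
    [pscustomobject]@{ GivenName = 'James';  Initials = 'JU'; SN = 'User'; Username = 'james';  EmailAddress = '' }
    [pscustomobject]@{ GivenName = 'Ronnie'; Initials = 'RU'; SN = 'User'; Username = 'ronnie'; EmailAddress = '' }
)
New-BulkUserCsv -Path 'c:\scripts\Newusers.csv' -People $people |
    Select-Object Username, DisplayName | Format-Table -AutoSize
# The CSV now holds plaintext passwords: hand them out, run CreateADUsers.ps1, then delete the file.
```

Because CreateADUsers.ps1 only reads the columns by name, the generated file drops straight into it; the ChangePasswordAtLogon step in the script then makes the generated value a one-time password rather than a long-lived credential sitting in a spreadsheet.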

I hope you find this script useful and it saves you time when needing to create bulk AD users in your production or test environments.

Terri is a Support Specialist at OrcsWeb, a hosted server company providing managed hosting solutions.