Creating new users in the Active Directory is a common task for system administrators. You can do this manually in the ADUC, but a better and faster way is to use the New-ADUser cmdlet in PowerShell.
This cmdlet allows you to create a new user with all the required properties. I prefer to use an onboarding script to create new users. This allows you not only to create the user but also to assign groups and licenses, for example.
In this article, we will look at how to use the New-ADUser cmdlet and I'll explain how you can create your own PowerShell script to create new users, including a free script to start with.
New-ADUser cmdlet
To create a new AD user with PowerShell you will need to have the Active Directory PowerShell module installed. This module is installed by default on the domain controllers, but you can also install it on your own workstation. Check out this article for more information on how to install it.
The New-ADUser cmdlet comes with a lot of options. We can basically set every property of the user while we create a new account. You don't have to specify every property; you can even create a new user account by just specifying the name:
New-ADuser -name "Z.Vance"
But this will create the user account in the default Users OU, without any attributes. So this isn't really a practical option.
The minimal information needed to create a usable new user account is:
- Given name
- Surname
- Name
- SamAccountName
- UserPrincipalName
- Path (OU)
- Password (AccountPassword)
- Enabled – True
- ChangePasswordAtLogon – True
In the example below, we have hardcoded the information, but we can also use a Read-Host cmdlet to make it a bit more dynamic of course. I recommend using a hashtable and splatting to make the code a bit more readable:
$firstName = "Zoe"
$lastName = "Vance"
$accountName = "zoevance"
# UPN suffix: "@" followed by the DNS root of the current domain
$dnsroot = "@" + (Get-ADDomain).dnsroot
$OU = "OU=Users,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl"
$password = "lazyPass123"
$userDetails = @{
    GivenName = $firstName
    Surname = $lastName
    Name = "$firstName $lastName"
    SamAccountName = $accountName
    UserPrincipalName = $accountName + $dnsroot
    Path = $OU
    AccountPassword = (ConvertTo-SecureString -AsPlainText $password -Force)
    Enabled = $true
    ChangePasswordAtLogon = $true
}
# Splat the hashtable onto the cmdlet
New-ADUser @userDetails
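The example above sets the same hardcoded password on every new account. As an added example (not part of the original script), the function below generates a random initial password per account with the system CSPRNG and returns it as a SecureString for AccountPassword; the name New-InitialPassword and the character sets are assumptions chosen here.

```powershell
# Added example (not from the original script); New-InitialPassword is a hypothetical name.
function New-InitialPassword {
    param([ValidateRange(12, 128)][int]$Length = 16)

    # Four character classes; look-alike characters (0/O, 1/l/I) are left out
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#$%&*+-=?@'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Uniform index in [0, $max) from the CSPRNG; rejection sampling avoids modulo bias
    $pick = {
        param([int]$max)
        $b = New-Object byte[] 1
        $limit = 256 - (256 % $max)
        do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
        $b[0] % $max
    }

    # At least one character from every class, the rest from the full alphabet
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($s in $sets) { $chars.Add($s[(& $pick $s.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(& $pick $all.Length)]) }

    # Fisher-Yates shuffle so the guaranteed characters are not always in front
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $pick ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()

    $secure = New-Object System.Security.SecureString
    foreach ($c in $chars) { $secure.AppendChar($c) }
    $secure.MakeReadOnly()

    # Plain is returned once so the password can be handed to the user out of band
    [pscustomobject]@{ Secure = $secure; Plain = -join $chars }
}

# Usage with the splatted hashtable from the article:
$initial = New-InitialPassword -Length 16
# $userDetails.AccountPassword = $initial.Secure
```

With ChangePasswordAtLogon set to true, this value is only valid until the first logon, and it is different for every account.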
Normally when you create a user account, you also want to enter details like contact information, which can be used in email signatures, for example, the manager of the user, and probably group memberships.
Create User Account with Properties
The New-ADUser cmdlet allows you to specify all the properties that you need when creating a user account. You can for example enter all the address details and phone numbers of the user by adding the related parameters:
$userDetails = @{
    GivenName = $firstName
    Surname = $lastName
    Name = "$firstName $lastName"
    SamAccountName = $accountName
    UserPrincipalName = $accountName + $dnsroot
    Path = $OU
    AccountPassword = (ConvertTo-SecureString -AsPlainText $password -Force)
    Enabled = $true
    ChangePasswordAtLogon = $true
    # Contact details
    StreetAddress = "Karl Johans gate 1"
    PostalCode = "0010"
    City = "Oslo"
    OfficePhone = "010 000 458 456"
}
New-ADUser @userDetails
The cmdlet allows you to enter the commonly used parameters directly, but a user account in the Active Directory can also have extension or custom attributes. These can also be populated via PowerShell, by using the OtherAttributes parameter.
To enter information in the extensionattribute1, for example, we can add the following parameter:
-OtherAttributes @{'extensionattribute1'="Particular"}
Adding the Manager
Adding the manager to a user account in the Active Directory allows you, but also your users, to see a person's manager and the manager's direct reports in organization views for example. To add a manager to a new user account we first need to get the SamAccountName of the manager.
The easiest option is to find the manager based on the full name. This way we can simply add the SamAccountName to the manager parameter when creating a new account:
# Look up the manager by full name
$manager = Get-ADUser -Filter {name -like "Adel Bowen"}
New-ADUser "<Add other properties>" -Manager $manager.SamAccountName
Using a Template
Instead of supplying all the properties when creating a new user account, we can also use an existing user account as a template. This way we only need to supply the properties that are changing and don't have to re-enter the address information or group membership for example.
The first step is to get the user account that you want to use as a template. You will need to specify which properties you want to copy by using the -Properties parameter.
$templateUser = Get-ADUser -Identity a.bowen -Properties City,StreetAddress,PostalCode
Next, we are going to create a new user account. We will need to supply the minimal information that I mentioned before in the article, including the OU (Path). You can then use the -Instance parameter to specify the template user that you want to copy the information from:
New-ADUser -Instance $templateUser -SamAccountName $accountName -Name $fullName # plus the other required properties
Even though this method does sound good, I don't really like it. You still need to supply the main information and select every field you want to copy. It's better to spend some time creating a proper script that will do most of the work for you.
Creating a New User PowerShell Script
If you need to create new user accounts quite often, it's best to spend some time and create a good PowerShell script. The advantage of using a script is that you can automate every step that needs to be taken to fully onboard a new user.

Every organization is different, so I don't think my script will work for you out of the box. This means that you will need to modify the script to your needs. That's why I'll first explain what the script exactly does, and explain some of the important steps. You can then download the script and modify it.
So when creating a new user account, we need the following to be done:
- Get the personal details of the new user. We only need the name, phone number, job title, company (in case of multiple offices) and manager
- Get address information etc. from a config file
- Create the user account
- Copy the group membership from an existing user that has the same job title and works for the same company
- Force the Microsoft Entra Sync (if you have a hybrid environment)
- Send an email to the manager that the account has been created
As you can see in the steps above, we are using a config file. This is nothing more than a JSON file with all the static information. It allows us to define multiple branch offices, each with its own address information. We also use it to define some of the settings, like passwords.
{
  "SMTP": {
    "address": "lazydev-onmicrosoft-com.mail.protection.outlook.com",
    "from": "Lazy IT Desk <it@lazyadmin.nl>",
    "serviceDesk": "it@lazyadmin.nl",
    "subject": "User Account details for {{user.fullname}}",
    "attachment": "\\la-srv-dc01scriptspropertynew consumer handbook.pdf"
  },
  "Settings": {
    "mailTemplateManager": "MailTemplateUserCreated.html",
    "mailTemplateServiceDesk": "MailTemplateServiceDesk.html",
    "password": "lazyPass123",
    "AccountSkuId": "lazydev:DEVELOPERPACK_E5"
  },
  "Companies": {
    "lazyadmin": {
      "City": "Amsterdam",
      "Name": "LazyAdmin",
      "OU": "OU=Users,OU=Amsterdam,OU=Sites,DC=Lazyadmin,DC=nl",
      "Phone": "088 11 33 33 77",
      "PostalCode": "1337 AB",
      "WebSite": "lazyadmin.nl",
      "StreetAddress": "Handelsplein 1"
    }
  }
}
As you can see in the JSON, we are also defining two mail templates and an attachment. The attachments are instructions on how to get started, what they need to know, etc.
Getting the Personal Information
The first step is to get the personal information of the new user. The script is intended to create a single user at a time, but you could also modify it for bulk creation, using the Import-CSV cmdlet.
We are using a couple of Read-Host cmdlets, and using the Write-Host cmdlets to give some guidance:
Write-Host "Enter the name of the user."
$user.givenName = Read-Host "Firstname"
$user.surName = Read-Host "LastName"
Write-Host "Enter the phonenumber of the user when known"
$user.telephoneNumber = Read-Host "Phone number"
$user.mobilePhone = Read-Host "Mobile phone number"
# Full name is built from the two answers above
$user.fullName = ($user.givenName + ' ' + $user.surName)
Selecting the Company
If you are working in a large environment you often have to deal with different branch offices or departments. In the JSON file, we can define multiple companies, each with their own address details, etc.
We want to select one of those companies. To do this, we are building a choice menu that allows the user (you) to select one of the options.
If ($companyList.Count -gt 1) {
    $title = "Select the company"
    $message = "Which company does $usersName work for?"
    # Build the choices menu
    $choices = @()
    For ($index = 0; $index -lt $companyList.Count; $index++) {
        $choices += New-Object System.Management.Automation.Host.ChoiceDescription ($companyList[$index]), ($companyList[$index])
    }
    $options = [System.Management.Automation.Host.ChoiceDescription[]]$choices
    $result = $host.ui.PromptForChoice($title, $message, $options, 1)
    # Look up the selected company in the config
    $company = $companies.($companyList[$result])
}
Getting the Manager
The last piece of information that we need is the manager of the user. We select the manager by simply searching for the manager's name. This can be the first name, last name, or full name. Now there is always a chance that we find multiple users with the same name.
$managerName = Read-Host "Who is the manager of the user. Search on first, last or fullname"
$manager = Get-Manager -name $managerName
We deal with this problem in the function Get-Manager. I'm not going to show the full code of the function here, you can check that here on GitHub, but if we find multiple users, then the script will create another choice menu, so you can select the correct manager.
Creating the SamAccountName and UserPrincipalName
With the information that we now have, we can create the SamAccountName and the UserPrincipalName. The SamAccountName has some requirements that we need to keep in mind. It can't be longer than 20 characters for example, and you want to define your format.
I prefer to keep the logon name (SamAccountName) in the same format as the email addresses. The current principle for the name is firstname + lastname. So for example:
- John Doe > johndoe
- Klaas de Vries > klaasdevries
The SamAccountName also needs to be unique within the Active Directory. If the name already exists, it will create the following alternative:
- John Doe > jdoe
- Klaas de Vries > kdevries
Now you can change this of course to match your environment.
Once the SamAccountName is created, we can use the name to create the UserPrincipalName. This is SamAccountName + the company domain name.
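The naming rules described above, as an added example rather than the code from the original script: firstname + lastname, the first-initial fallback when the name is taken, and the 20-character limit. The function name New-SamAccountName, the -Exists parameter and the accent stripping are assumptions made here; -Exists lets the logic be tried without a domain.

```powershell
# Added example; New-SamAccountName and its parameters are hypothetical names.
function New-SamAccountName {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$SurName,
        # Returns $true when the name is already in use; replace it to test without AD
        [scriptblock]$Exists = {
            param($name)
            [bool](Get-ADUser -Filter "SamAccountName -eq '$name'")
        }
    )

    # Strip accents (José -> jose), lowercase, then keep a-z and 0-9 only.
    # The result contains no quotes, so it is safe inside the -Filter string above.
    $clean = {
        param($s)
        $plain = $s.Normalize([Text.NormalizationForm]::FormD) -replace '\p{Mn}', ''
        $plain.ToLowerInvariant() -replace '[^a-z0-9]', ''
    }
    $first = & $clean $GivenName
    $last  = & $clean $SurName
    if (-not $first -or -not $last) {
        throw "No usable characters in '$GivenName $SurName'"
    }

    # Preferred format first, then first initial + lastname
    $candidates = @("$first$last", ($first.Substring(0, 1) + $last))
    foreach ($candidate in $candidates) {
        # SamAccountName can't be longer than 20 characters
        if ($candidate.Length -gt 20) { $candidate = $candidate.Substring(0, 20) }
        if (-not (& $Exists $candidate)) { return $candidate }
    }
    throw "Both '$($candidates[0])' and '$($candidates[1])' are taken; choose a name manually."
}

# Constructed stand-in for the directory: 'johndoe' is treated as already taken
$taken = @('johndoe')
$offline = { param($name) $taken -contains $name }
New-SamAccountName -GivenName 'John' -SurName 'Doe' -Exists $offline
New-SamAccountName -GivenName 'Klaas' -SurName 'de Vries' -Exists $offline

# Against a real domain the UserPrincipalName then becomes:
# $upn = $sam + '@' + (Get-ADDomain).DNSRoot
```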
Job title
The job title may seem like a simple property, but we need to make sure that the job title exists within the OU in which we are going to create the user. The reason for this is that we are going to copy the group memberships later on based on the job title and OU of the user.
Write-Host "What is the job title of the new user."
$title = Read-Host "Title"
Write-Host "`n"
Write-Host "Checking if job title exists...." -ForegroundColor Cyan
# Returns the matching title, or lets you pick one from the same OU
$user.title = Get-JobTitle -title $title -company $company
So we ask for the job title in the script and check if it exists in the function Get-JobTitle. This also prevents multiple variations (and typos) of the same title. If the script can't find a matching job title, then it will return all job titles from the users within the same OU and allow you to select one.
Creating a New User Account
With all the information collected, we can create the new user account. The script supports a test mode (WhatIf), so you can try it out without creating an actual user.
Write-Host 'Creating User account in AD....' -ForegroundColor Cyan
if ($whatIf) {
    Write-Host "Running in test mode, user will not be created" -ForegroundColor Yellow
}
$userCreated = New-DomainUserAccount -user $user -manager $manager -company $company -whatIf:$whatIf
# Only continue when account is created or when running in whatif (test) mode
If ($userCreated -or $whatIf -eq $true) {
    Write-Host 'User successfully created' -ForegroundColor Green
    # ... the remaining onboarding steps follow here
}
The function New-DomainUserAccount is a custom function, but it does nothing special. It uses a splatted hashtable, as I showed you at the beginning of the article, and the New-ADUser cmdlet to create the user.
Copying Group membership
With the user account created, we need to set the group membership of the new user. The best way to do this is to copy it from an existing user who has the same job title and works for the same company (department/branch office).
The first step is to get the newly created user account and the user to copy from. The function Get-UserToCopyGroupsFrom will search the Active Directory for all users based on the job title and in the same OU. It will of course exclude the newly created user.
# Copy Group Membership
$createdUser = Get-ADUser -Identity $user.SamAccountName -Properties *
# Find user to copy group membership from
$userToCopyFrom = Get-UserToCopyGroupsFrom -user $createdUser -company $company
It only returns one user, selecting the last created account and asking for confirmation before it copies the group membership.
If ($userToCopyFrom) {
    # Copy group membership from user?
    $title = "Copy group membership?"
    $message = "Do you want to copy the group membership from " + $userToCopyFrom.name + " ?"
    $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Yes"
    $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "No"
    $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
    $copyMembership = $host.ui.PromptForChoice($title, $message, $options, 0)
    if ($copyMembership -eq 0 -and $whatIf -eq $false) {
        Set-GroupMemberShip -user $user.SamAccountName -copyFrom $userToCopyFrom.SamAccountName -whatIf $whatIf
    }
    if ($whatIf) {
        # $() is needed to expand a property inside a string
        Write-Host "Copy group memberships from $($userToCopyFrom.SamAccountName)"
    }
}
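Copying every group from a colleague also copies any privileged group that colleague happens to be in. The function below is an added example, not the script's own Set-GroupMemberShip: it copies direct memberships but skips groups protected by AdminSDHolder (adminCount = 1) and any names on an exclusion list, and returns one record per group. Copy-NonPrivilegedGroups and -ExcludeName are hypothetical names.

```powershell
# Added example; Copy-NonPrivilegedGroups is a hypothetical helper.
function Copy-NonPrivilegedGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CopyFrom,   # SamAccountName of the existing user
        [Parameter(Mandatory)][string]$User,       # SamAccountName of the new user
        [string[]]$ExcludeName = @()               # group names (wildcards allowed) never to copy
    )

    $source = Get-ADUser -Identity $CopyFrom -Properties MemberOf
    # MemberOf holds direct memberships only; the primary group (Domain Users) is not in it
    foreach ($dn in $source.MemberOf) {
        $group = Get-ADGroup -Identity $dn -Properties adminCount

        $reason = $null
        # adminCount = 1 marks groups protected by AdminSDHolder, such as Domain Admins
        if ($group.adminCount -eq 1) { $reason = 'protected group (adminCount = 1)' }
        foreach ($pattern in $ExcludeName) {
            if ($group.Name -like $pattern) { $reason = "matches exclusion '$pattern'" }
        }

        if ($reason) {
            $action = "Skipped: $reason"
        }
        elseif ($PSCmdlet.ShouldProcess($group.Name, "Add $User")) {
            Add-ADGroupMember -Identity $group -Members $User
            $action = 'Added'
        }
        else {
            $action = 'Not added (WhatIf or declined)'
        }
        # One record per group, so the run can be reviewed or attached to the ticket
        [pscustomobject]@{ Group = $group.Name; Action = $action }
    }
}

# Dry run first, then without -WhatIf:
# Copy-NonPrivilegedGroups -CopyFrom $userToCopyFrom.SamAccountName -User $user.SamAccountName -WhatIf
```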
Sending Emails
Part of the process of creating a new user account is also to inform the manager that the account has been created. You can extend this to the HR department and helpdesk if needed.
To send the emails, we are using an email template, which is an HTML file with placeholders in it. We can get the contents of the HTML file and, by using the string replace function in PowerShell, we can modify the content with the details of the new user account.
$emailBody = Get-EmailTemplate -user $user -Manager $manager
Send-MailtoManager -user $user -manager $manager -EmailBody $emailBody -whatIf $whatIf
Force Entra Connect Sync
The last step is to force the Entra Connect Sync so that the new user account is immediately synced to Microsoft 365. Depending on where you are running the script, we can use the Start-ADSyncSyncCycle cmdlet or use Invoke-Command to run the command on the domain controller.
Write-Host "Syncing Azure AD Connect...." -ForegroundColor Cyan
# Run command on local domain controller
Start-ADSyncSyncCycle -PolicyType Delta
# Run sync command on remote domain controller
# Invoke-Command -ComputerName lazy-srv-dc02 -ScriptBlock {Start-ADSyncSyncCycle -PolicyType Delta}
Wrapping Up
Creating a new user account with the New-ADUser cmdlet is pretty easy, but it does require entering a lot of information. Therefore the real power of this cmdlet comes when using it in an onboarding script.
You can use my script as a starting point for your own environment. Make sure that you run it in test mode the first couple of times. The script will output what it does, so you can check every step.
Hope you liked this article, if you have any questions, just drop a comment below.