
Active Directory User Management using Windows PowerShell

Creating a Single User - The following New-ADUser CMDlet creates a user through PowerShell.
New-ADUser -SamAccountName "username" -DisplayName "username" -GivenName "Username" -Surname "surname" -AccountPassword (Read-Host -AsSecureString "Message") -Enabled $true -Path 'CN=Users,DC=Doc,DC=Com' -CannotChangePassword $false -ChangePasswordAtLogon $true -PasswordNeverExpires $false -EmailAddress "email" -EmployeeID "ID" -Department "string"
Figure: CMDlet to create a User
The following is a description of some of the parameters used in the above CMDlet.


    1. SamAccountName – specifies the SAM Account name of the user. The New-ADUser command should include this parameter when creating a user. It takes a string value.
    2. DisplayName – specifies the name to be displayed.
    3. Surname – specifies the surname of the user.
    4. AccountPassword – specifies the account password for the user. The password is not typed on the command line; it is entered as a secure string after the command is executed. The value for this parameter is typically written as follows.
       -AccountPassword (Read-Host -AsSecureString "Message")
    5. Enabled – specifies whether the new user will be enabled or disabled. If you do not provide a password, the user will be disabled by default. Pass $true to enable the account and $false to disable it.
    6. Path – specifies the path in Active Directory where the new user will be created. Its value should be passed between single quotes, such as
       -Path 'CN=Users,DC=Domain,DC=Com'
    7. CannotChangePassword – specifies whether the user is prevented from changing the password. The two acceptable values are $true and $false.
    8. ChangePasswordAtLogon – specifies whether the new user has to change the password at first logon. The two acceptable values are $true and $false.
    9. PasswordNeverExpires – specifies whether the password never expires. The two acceptable values are $true and $false.
    10. EmailAddress – specifies the email address of the new user.
    11. Department – specifies the department of the new user.
    12. EmployeeID – specifies the employee ID of the new user.

After executing the command, PowerShell will ask for the password.
Figure: Providing Password
Press Enter and the user will be created.

Creating Bulk Users – Before creating users in bulk through PowerShell with the Import-CSV CMDlet, you need to create a CSV file. Following is a screenshot of the required CSV file.
Figure: CSV file
Now, execute the following command.
Import-CSV d:\Share\testing.csv | New-ADUser
Figure: Importing CSV file to Create User
Here, Import-CSV provides pipeline input to the New-ADUser CMDlet. The latter, in turn, processes the values of the CSV file to create the new users. Executing this command will load the Active Directory module first.
Figure: Loading Active Directory Modules
After completing the action, you'll return to the same prompt.
Figure: Command executed successfully
Check the Active Directory for the newly created users.
Figure: Active Directory Users and Computers showing new Users
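
The one-line import above supplies no -AccountPassword, so the following added example (not part of the original post) goes beyond it: it validates each CSV row, skips accounts that already exist, and gives every new account its own random initial password that must be changed at first logon. The CSV column names, the allowlist pattern and the New-InitialPassword helper are assumptions; -WhatIf keeps the run a dry run.

```powershell
# Added example, not from the original post. Assumed CSV columns:
# Name,SamAccountName,GivenName,Surname,Department (no password column).
Import-Module ActiveDirectory

function New-InitialPassword {
    # 20 characters from a 64-symbol alphabet (256 % 64 = 0, so no modulo bias),
    # regenerated until lower, upper, digit and symbol classes are all present.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+-=_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] 20
            $rng.GetBytes($bytes)
            $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
        } until ($plain -cmatch '[a-z]' -and $plain -cmatch '[A-Z]' -and
                 $plain -match '\d' -and $plain -match '[!#%+=_-]')
    } finally { $rng.Dispose() }
    $plain
}

$ou = 'CN=Users,DC=Doc,DC=Com'   # path used in the article's single-user example
$results = foreach ($row in Import-Csv 'd:\Share\testing.csv') {
    $sam = "$($row.SamAccountName)".Trim()
    # Conservative allowlist (assumption): 1-20 characters, which also keeps the
    # value safe to embed in the -Filter string below.
    if (-not $row.Name -or $sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Skipping row with missing Name or invalid SamAccountName '$sam'"; continue
    }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping '$sam': account already exists"; continue
    }
    $plain = New-InitialPassword
    New-ADUser -Name $row.Name -SamAccountName $sam -GivenName $row.GivenName `
        -Surname $row.Surname -Department $row.Department -Path $ou `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $true -PasswordNeverExpires $false -WhatIf
    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $plain }
}
$results   # hand each initial password to its user over a separate, trusted channel
```

Remove -WhatIf once the dry-run output has been reviewed.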

Modifying Users – Use the following Set-ADUser CMDlet to modify the user.
Set-ADUser -Identity "CN=TestUser7,CN=Users,DC=www,DC=DOC,DC=com" -SamAccountName "TestUser7" -LogonWorkstations "Test"
Figure: Executing the Set-ADUser CMDlet
Some of the available parameters for this CMDlet are listed below.


    1. ChangePasswordAtLogon – specifies whether the user has to change the password at the next logon.
    2. Identity – specifies the location of the user in the Active Directory. Its value can be in the following format.
       -Identity "CN=Username,CN=Users,DC=www,DC=doc,DC=com"
    3. PasswordNeverExpires – specifies whether the account password never expires.
    4. PasswordNotRequired – specifies whether a password is required or not.
    5. SamAccountName – specifies the SAM Account name of the user.
    6. LogonWorkstations – specifies the workstations on which the user can log on. Its values have to be provided in the following format.
       -LogonWorkstations "workstation1,workstation2.www.domain.com"

Reset Password – You can reset the password of a user with the Set-ADAccountPassword CMDlet.
Figure: Executing the Set-ADAccountPassword CMDlet
Some of the acceptable parameters for this CMDlet are listed below.


    1. Identity – specifies the location of the user in the Active Directory. Its value can be in the following format.
       -Identity "CN=Username,CN=Users,DC=www,DC=doc,DC=com"
    2. OldPassword – specifies the old password.
    3. NewPassword – specifies the new password.

Both OldPassword and NewPassword have to be provided as secure strings; therefore, their values should be in the following format.
-NewPassword (Read-Host -AsSecureString "Message")
-OldPassword (Read-Host -AsSecureString "Message")
After executing the command, PowerShell will ask for the new password. Enter the new password and press the Enter key to apply the change.
Figure: Entering New Password for a User
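
The two ways of using these parameters, as an added example that is not part of the original post: a password change that supplies OldPassword, and an administrative reset that does not and then forces a change at the next logon. 'TestUser7' is the article's sample account and Reset-TemporaryPassword is a hypothetical helper name.

```powershell
# Added example, not from the original post. 'TestUser7' is the article's sample
# account; Reset-TemporaryPassword is a hypothetical helper name.
Import-Module ActiveDirectory

# Change: the old password must be supplied along with the new one.
Set-ADAccountPassword -Identity 'TestUser7' `
    -OldPassword (Read-Host -AsSecureString 'Current password') `
    -NewPassword (Read-Host -AsSecureString 'New password')

# Reset: an administrator replaces the password without knowing the old one.
function Reset-TemporaryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, CannotChangePassword
    # ChangePasswordAtLogon conflicts with either of these flags, so stop early.
    if ($user.PasswordNeverExpires -or $user.CannotChangePassword) {
        throw "$($user.SamAccountName): clear PasswordNeverExpires/CannotChangePassword first"
    }
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
        $temp = Read-Host -AsSecureString "Temporary password for $($user.SamAccountName)"
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        # pwdLastSet = 0 means the directory demands a new password at next logon.
        (Get-ADUser -Identity $user -Properties pwdLastSet).pwdLastSet -eq 0
    }
}

Reset-TemporaryPassword -Identity 'TestUser7' -WhatIf   # dry run; drop -WhatIf to apply
```

When applied, the function returns $true once the account is flagged to change its password at the next logon.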

Removing a User Account – You can remove a user account using the Remove-ADUser CMDlet.
Remove-ADUser -Identity "CN=Username,CN=Users,DC=doc,DC=com"
Figure: Remove-ADUser CMDlet
After you press the Enter key, PowerShell asks for confirmation before deleting the user.
Figure: Confirming User Deletion
Press Y to confirm the action.

Drawbacks – We've discussed only a few commands above to manage the users in an Active Directory environment. However, remembering the complete path or identity of a user is very complex in a large organization. In addition, the complete management of users, groups, and computers requires other CMDlets along with some complex scripts.

What's the solution then? – Lepide Active Directory Manager (LADM) appears as a one-stop solution for managing the Active Directory. You can easily manage users, groups, and computers either individually or in bulk with a friendly GUI. Moreover, you can manage multiple domains' Active Directory environments from its centralized platform and generate different kinds of audit reports to satisfy compliance requirements. One more added advantage is that the trial version of Lepide Active Directory Manager is available free for one complete year for one domain.

Conclusion – Windows PowerShell offers more control than other Windows inbuilt methods to manage the Active Directory environment. Here, we've discussed just a few CMDlets for user management. One can also use the free trial version of Lepide Active Directory Manager to have granular control over Active Directory to manage the objects individually or in bulk.

Source: http://www.lepide.com/blog/ad-user-management-with-powershell/
