Active Directory Insights (Part 9) – Automating user account provisioning

If you would like to read the other parts in this article series please go to:

In this series of articles we’ve been examining various issues involved in the planning, deployment and maintenance of Active Directory environments. While it’s clearly important that you plan everything carefully before rolling out or expanding your Active Directory infrastructure, it’s also important, as an administrator of Active Directory, that your daily operations be streamlined.

When Microsoft first introduced Active Directory as part of Windows 2000 Server, the goal was primarily to make implementing and managing network directory services as simple as possible in order to encourage users of Novell NetWare, the most popular and widely-deployed network directory product at the time, to consider migrating from NetWare to Active Directory.

What mainly distinguished Active Directory from NetWare when it was introduced was the easy-to-use graphical user interface of Active Directory’s administration tools. Of course, what is easy to use for performing an administrative task once quickly becomes tiresome and error-prone when that task has to be performed repeatedly. A common example is the task of provisioning, configuring and managing user accounts. GUI-based administration tools make provisioning a handful of new user accounts so simple that almost anyone could do it, but in a large enterprise with thousands of users and frequent employee turnover such an approach to user administration becomes very tedious indeed.

Microsoft initially tried to address some of these concerns by providing a supplementary set of command-line utilities called the Windows 2000 Resource Kit Tools which were later re-issued in expanded form as the Windows Server 2003 Resource Kit Tools. Many administrators still use some of these tools for certain administrative tasks although the tools are not supported by Microsoft and some of them don’t work properly on the latest version of the Windows Server platform.

Microsoft only seriously addressed this deficiency of not being able to perform many Active Directory administration tasks from the command line with the introduction of Windows PowerShell, Microsoft’s task-based command-line shell and scripting language designed for system administration. The turning point was version 2.0 of Windows PowerShell and its new Active Directory module, which shipped with Windows Server 2008 R2. By enabling full command-line management of Active Directory features and functionality, Windows PowerShell allows administrators to automate common administrative tasks that would otherwise take too many steps to perform.

To gain more insight into how you can approach the task of automating Active Directory account management using Windows PowerShell, I’ve asked Adam Bertram, a well-known expert in PowerShell automation, to provide an example of how you can use PowerShell to provision new user accounts in Active Directory. Adam is an independent consultant, technical writer, trainer and presenter who specializes in consulting and evangelizing all things IT automation, mainly focused on Windows PowerShell. He is a Microsoft Windows PowerShell MVP and a 2015 powershell.org “PowerShell Hero”, holds several Microsoft IT pro certifications, authors IT pro course content for Pluralsight, is a regular contributor to numerous print and online publications and presents at various user groups and conferences. You can find Adam’s blog at http://adamtheautomator.com and follow him on Twitter at @adbertram.

Creating new Active Directory accounts using PowerShell

One common task many sysadmins have to do is provision new AD accounts for employees. What does this process look like today? Here’s an example of a typical workflow without automation.

  1. Manually open up Active Directory Users and Computers (ADUC) or Active Directory Administrative Center (ADAC).
  2. Start the new user creation wizard.
  3. Fill in the first name, last name and department, and set whatever other attributes are standard.
  4. Email HR or someone else to notify them that the account has been prepared.

This takes too long and leaves a lot of room for error, and you have to go through it every single time a new employee is brought on. It gets old. Let’s go over an example of how you can do this in PowerShell.

Before we get too far into the details, I’m going to assume you have all the prerequisites. I’m using PowerShell v4 with a Windows Server 2012 R2 Active Directory and Exchange 2013, though these steps may work on other downlevel versions as well. I’ve also installed the Remote Server Administration Tools (RSAT), which include the Active Directory PowerShell module, and I’m assuming you have the rights needed to create new users in AD.

So, where do we start? Once RSAT is installed you have the Active Directory module, which gives you lots of useful cmdlets for interacting with AD. The one we’ll cover here is New-ADUser. As with most PowerShell cmdlets, its name is self-explanatory: it creates a new AD user!

New-ADUser has many parameters you can use when creating a user account; nearly every attribute you see on the tabs of a user account’s property sheet is available at creation time. Right now you probably can’t set everything you need right off the bat: you create the account, then go back and modify it. With PowerShell that’s no longer necessary.

When writing any script in PowerShell it’s a good idea to have all of the inputs you need ahead of time. To use New-ADUser you’ll need to know a few attributes of the user account you’ll be creating. These are the ones I always use:

  • Username
  • Title
  • GivenName (First Name)
  • Surname (Last Name)
  • Password

Let’s assign each of these to a variable. Note that the password is in clear text here. That isn’t good security practice: a password typed on the command line or stored in a script ends up in shell history, transcripts and source control. Handling it properly (generating a random one, or prompting for it with Read-Host -AsSecureString) is outside the scope of this article.

$Username = 'jdoe'
$Title = 'Accounting Manager'
$FirstName = 'John'
$LastName = 'Doe'
$Password = 'p@$$w0rd'

Because of the number of parameters, I’ll be using a technique called splatting. It’s just a funny-sounding way of passing a set of parameters to a command from a hashtable in PowerShell.

$Parameters = @{
    'Name'            = $Username
    'SamAccountName'  = $Username
    'Title'           = $Title
    'GivenName'       = $FirstName
    'Surname'         = $LastName
    # New-ADUser's password parameter is -AccountPassword and it takes a SecureString
    'AccountPassword' = (ConvertTo-SecureString $Password -AsPlainText -Force)
    # New-ADUser creates the account disabled unless you say otherwise
    'Enabled'         = $true
}
New-ADUser @Parameters

Done! Account created! It’s really as easy as that. However, this isn’t very useful yet, because for every new account you’d have to go back and edit those variables. This is where script parameters come in.

Go ahead and create a PowerShell script called Create-NewUser.ps1. Make it look something like this:

param($Username, $Title, $FirstName, $LastName, $Password)
Import-Module ActiveDirectory
$Parameters = @{
    'Name'            = $Username
    'SamAccountName'  = $Username
    'Title'           = $Title
    'GivenName'       = $FirstName
    'Surname'         = $LastName
    'AccountPassword' = (ConvertTo-SecureString $Password -AsPlainText -Force)
    'Enabled'         = $true
}
# -ErrorAction Stop so a failed creation aborts the script instead of mailing anyway
New-ADUser @Parameters -ErrorAction Stop
# Send-MailMessage needs a relay: pass -SmtpServer or set $PSEmailServer first
Send-MailMessage -To "$FirstName $LastName <[email protected]>" -From "IT Department <[email protected]>" -Subject 'Your AD account has been set up'

By moving those variables up as parameters you can now make different user accounts and not have to change the script in any way. You’d simply call the script like this:

PS> .\Create-NewUser.ps1 -Username jdoe -Title 'Accounting Manager' -FirstName 'John' -LastName 'Doe' -Password 'p@$$w0rd12'

When this script is run it creates the user account and then immediately sends an email to the user being set up. Pretty cool, right? The sky’s the limit here. Tinker around and see what else you can do with this.
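The script above does the job, but a practitioner would want a few more things from a provisioning tool: it should not accept a clear-text password at all, it should refuse to create a duplicate, it should place the account in the right OU, force a password change at first logon, support -WhatIf, and only notify the user after creation actually succeeded. The function below is an added example written for this article; it is not Adam’s code and not from his Pluralsight course. It goes a little beyond the text by also accepting pipeline input from a CSV file, the approach the note below refers to. The OU path, UPN suffix, SMTP host, CSV column names and the use of the UPN as a mail address are all assumptions; replace them with your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original article. Assumes RSAT's ActiveDirectory
# module and rights to create users under $Path. OU, UPN suffix and SMTP host are placeholders.
function New-ProvisionedADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The pattern keeps the name inside sAMAccountName rules and, as a side effect,
        # keeps quotes out of the -Filter string built below (no LDAP filter injection).
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
        [string]$Username,

        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$FirstName,

        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$LastName,

        [Parameter(ValueFromPipelineByPropertyName)]
        [string]$Title,

        # Assumed values: put your own OU and UPN suffix here.
        [string]$Path = 'OU=Staff,DC=corp,DC=example',
        [string]$UpnSuffix = 'corp.example'
    )
    process {
        # Idempotency: never create a second account for a name that already exists.
        if (Get-ADUser -Filter "SamAccountName -eq '$Username'") {
            Write-Warning "$Username already exists; skipping."
            return
        }

        # No password parameter: generate a random initial one from the CSPRNG.
        # 24 random bytes in base64 give 32 chars of mixed upper/lower/digits/symbols.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $plain = [Convert]::ToBase64String($bytes)
        $initialPassword = ConvertTo-SecureString $plain -AsPlainText -Force

        $upn = "${Username}@${UpnSuffix}"
        $params = @{
            Name                  = "$FirstName $LastName"
            SamAccountName        = $Username
            UserPrincipalName     = $upn
            GivenName             = $FirstName
            Surname               = $LastName
            DisplayName           = "$FirstName $LastName"
            Path                  = $Path
            AccountPassword       = $initialPassword
            Enabled               = $true    # New-ADUser creates disabled accounts by default
            ChangePasswordAtLogon = $true    # the random password is single-use
            ErrorAction           = 'Stop'   # a failure here must stop the pipeline
        }
        if ($Title) { $params['Title'] = $Title }

        if ($PSCmdlet.ShouldProcess("$Username in $Path", 'Create AD user')) {
            New-ADUser @params
            # Emit an object so callers can log or pipe it. The initial password is
            # returned only so it can be handed over out of band; never mail or log it.
            [pscustomobject]@{
                Username          = $Username
                UserPrincipalName = $upn
                InitialPassword   = $plain
            }
        }
    }
}

# Single user, dry run first:
New-ProvisionedADUser -Username jdoe -FirstName John -LastName Doe -Title 'Accounting Manager' -WhatIf

# Bulk from an HR export (assumed columns: Username,FirstName,LastName,Title). The mail
# goes out only for accounts that were actually created, and never contains the password.
Import-Csv .\new-hires.csv | New-ProvisionedADUser | ForEach-Object {
    Send-MailMessage -SmtpServer 'smtp.corp.example' -To $_.UserPrincipalName `
        -From 'it@corp.example' -Subject 'Your AD account has been set up' `
        -Body "Your username is $($_.Username). Your initial password will be given to you by phone."
}
```

Two design choices are worth spelling out. The existence check uses a string -Filter built from a validated name rather than string-concatenating raw input, because the AD filter language is an injection surface like any other query language. And the function returns an object instead of printing, so the CSV loop can act on the result, a -WhatIf run produces nothing to mail, and the initial password can be delivered through a channel separate from the notification email.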

Note:
If you find this tip useful feel free to head on over to one of my Pluralsight courses entitled PowerShell Toolmaking Fundamentals. One of the “tools” I create in that course is called Active Directory Account Automator where I show how to essentially sync user accounts from a CSV file to easily create AD accounts. It goes into much more detail than what I’m doing here.

Still got questions about Active Directory?

If you have any questions about automating Active Directory administration, the best place to ask them is the Active Directory Domain Services forum on TechNet. If you don’t get the help you need there, you can try sending your question to [email protected] so we can publish it in the Ask Our Readers section of our newsletter and see whether any of the almost 100,000 IT pro subscribers of our newsletter have any suggestions concerning your problem.

