
How to Create New Active Directory Users with PowerShell

The easiest way to create a new user in an Active Directory domain is to use either the Active Directory Users and Computers (ADUC) MMC snap-in or the Active Directory Administrative Center (ADAC). But what if these tools are not available or you need to perform a more complex task, such as creating multiple user accounts in bulk? Enter PowerShell, a powerful and flexible tool for creating Active Directory accounts, and much more.

This blog reviews the process of creating a new Active Directory user with ADUC and ADAC, and then dives into the PowerShell cmdlet New-ADUser. We’ll cover the top use cases for this cmdlet and provide its full syntax so you can explore it further.

Creating an AD User with ADUC

To create a new user in Active Directory using the Active Directory Users and Computers snap-in, take these steps:

  1. Open the ADUC console in either of the following ways:
    • Type dsa.msc in the Run dialog box and click OK
    • Open Server Manager and click Tools > Active Directory Users and Computers.
  2. Right-click the OU where you want to create the user and select New > User:
  3. Specify the details about the user and click Next.
  4. Provide the password and select the desired password options. Then click Next.
  5. Review the details you specified and click Finish to create the user in Active Directory.

Creating an AD User with ADAC

The Active Directory Administrative Center provides more options during user creation than ADUC. Here are the steps to take to create a user with ADAC:

  1. Open the ADAC console in either of the following ways:
    • Type dsac.exe in the Run dialog box.
    • Open Server Manager and click Tools > Active Directory Administrative Center.
  2. The ADAC interface provides many more options than ADUC, such as:
    • Search
    • Easy navigation within the domain
    • Quick links for performing common actions (in the right pane)
    To create a new AD user, click New.
  3. In the Create User window, specify the options you want to configure for the new user. Then click OK.

Creating AD Users with PowerShell

Using ADUC and ADAC, it is simple to add a single user, but they both lack the functionality to create users in bulk. PowerShell offers multiple ways to not only create a single user but to create Active Directory user objects in bulk. Let’s start by reviewing the syntax and parameters of the cmdlet we’ll use: New-ADUser.

You can use certain parameters with the New-ADUser command to populate the most common user properties.

  • Using the OtherAttributes parameter, you can change property values that are not related to cmdlet parameters. Make sure to enclose the attribute name in single quotes when using this parameter.
  • To create a user, you must give the SamAccountName parameter.
  • The container or organizational unit (OU) for the new user is specified by the Path parameter. When the Path option is not used, the cmdlet creates a user object in the domain’s default user object container.

The following techniques describe various ways to build an object using this cmdlet:

  • With the New-ADUser command, provide the commonly used parameters and values and set any additional values by using the OtherAttributes parameter.
  • You can also create a new user from a template. Use the Instance parameter to create a new user or copy an existing one to the new object. The object used in the Instance parameter is used as a template.
  • To create Active Directory user objects in bulk, combine the Import-Csv cmdlet with the New-ADUser cmdlet.
    1. Import a CSV file with a list of object properties to construct custom objects using the Import-Csv cmdlet.
    2. The New-ADUser cmdlet can then be used to construct user objects by passing these objects through its pipeline.

Before we get started, we need to enable the Active Directory PowerShell module built into Microsoft Windows Server 2008 R2/2012 and above by running this command:

New-ADUser Cmdlet: Syntax

Now let’s review the syntax of the New-ADUser cmdlet:

Get-Command New-ADUser -Syntax

Here is the same information in a format that you can copy and modify according to your needs:

New-ADUser   [-WhatIf]   [-Confirm]   [-AccountExpirationDate <DateTime>]   [-AccountNotDelegated <Boolean>]   [-AccountPassword <SecureString>]   [-AllowReversiblePasswordEncryption <Boolean>]   [-AuthenticationPolicy <ADAuthenticationPolicy>]   [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>]   [-AuthType <ADAuthType>]   [-CannotChangePassword <Boolean>]
   [-Certificates <X509Certificate[]>]   [-ChangePasswordAtLogon <Boolean>]   [-City <String>]
   [-Company <String>]   [-CompoundIdentitySupported <Boolean>]   [-Country <String>]
   [-Credential <PSCredential>]   [-Department <String>]   [-Description <String>]   [-DisplayName <String>]   [-Division <String>]   [-EmailAddress <String>]   [-EmployeeID <String>]   [-EmployeeNumber <String>]   [-Enabled <Boolean>]   [-Fax <String>]   [-GivenName <String>]
   [-HomeDirectory <String>]   [-HomeDrive <String>]   [-HomePage <String>]   [-HomePhone <String>]
   [-Initials <String>]   [-Instance <ADUser>]   [-KerberosEncryptionType <ADKerberosEncryptionType>]   [-LogonWorkstations <String>]   [-Manager <ADUser>]   [-MobilePhone <String>]   [-Name] <String>   [-Office <String>]   [-OfficePhone <String>]
   [-Organization <String>]   [-OtherAttributes <Hashtable>]   [-OtherName <String>]   [-PassThru]
   [-PasswordNeverExpires <Boolean>]   [-PasswordNotRequired <Boolean>]   [-Path <String>]
   [-POBox <String>]   [-PostalCode <String>]   [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]   [-ProfilePath <String>]   [-SamAccountName <String>]   [-ScriptPath <String>]
   [-Server <String>]   [-ServicePrincipalNames <String[]>]   [-SmartcardLogonRequired <Boolean>]
   [-State <String>]   [-StreetAddress <String>]   [-Surname <String>]   [-Title <String>]   [-TrustedForDelegation <Boolean>]   [-Type <String>]   [-UserPrincipalName <String>]

New-ADUser: Parameters

The New-ADUser cmdlet offers more than 60 parameters, but you don’t need to know them all right away. Here are the ones most commonly used to create AD user accounts:

Parameter – Used to
AccountExpirationDate – Specify the account’s expiration date
AccountPassword – Specify the account’s password
AuthType – Select the authentication type when running the command
CannotChangePassword – Prevent the account owner from changing the password (usually used for service accounts)
ChangePasswordAtLogon – Force the user to change the account password at the next login
City – Specify the city for the user account
Company – Specify the company for the user account
Confirm – Get a confirmation prompt to run the cmdlet
Country – Specify the country for the user account
Credential – Run the command with alternative credentials
Department – Specify the user’s department
Description – Specify a description for the user account
DisplayName – Specify the display name of the account
EmailAddress – Specify the account’s email address
EmployeeID – Specify the user’s employee ID
Enabled – Enable the user account
Instance – Create a user account based on an existing account, such as one with the same department and title properties as the account you are creating
Manager – Specify the manager of the user account
Office – Specify the office attribute of the user account
Organization – Specify the user’s organization
OtherAttributes – Specify the value for an attribute for which there is no corresponding parameter in the cmdlet, such as the extensionAttribute1 to 15 attributes
PasswordNeverExpires – Force the account’s password to never expire
PasswordNotRequired – Specify that the account, such as a service account, does not require a password
Path – Specify the OU path to create the user account in
SamAccountName – Specify the account’s SAMAccountName attribute, a logon name used to support clients and servers running earlier versions of Windows, such as Windows NT 4.0, Windows 95 or LAN Manager
Server – Connect to an alternate DC while running the command
State – Specify the user’s US state
StreetAddress – Specify the user’s address
Title – Specify the user’s title
Type – Specify the user object’s type, such as a normal user or an inetOrgPerson user
UserPrincipalName – Specify the account’s userPrincipalName (UPN), which is typically the name that the user will use to log on
WhatIf – See what the output of the cmdlet would be without actually running it

Common Scenarios for Creating Users with PowerShell

Now let’s walk through some of the primary ways you might use PowerShell to provision user accounts:

  • Create a new user account.
  • Create a user account in a specific OU.
  • Create a user and set attributes not covered by the cmdlet’s parameters.
  • Create an inetOrgPerson user.
  • Create a new user based on an existing AD user.
  • Create users in bulk using a PowerShell script.
  • Create users in bulk by importing their attributes from a CSV file.
  • Create multiple user accounts using a CSV file.

Create a New User Account

Example 1: Specify only the account name.

Let’s start with the simplest case: creating a new user account by specifying only its name attribute. For example:

New-ADUser B.Johnson

Running this will create the user but won’t show any output. To check whether the user was added successfully, we can list all Active Directory users using the following command:

Get-ADUser -Filter * -Properties samAccountName | select samAccountName

There it is, the last one in the list!

However, note that the user we just created has more attributes than just a name; the following attributes are set by default:

  • The account is created in the “Users” container.
  • The account is disabled.
  • The account is a member of the Domain Users group.
  • The user must reset the password at the first logon.

Many desired attributes are not populated. In particular, no password is set.

Example 2: Specify additional attributes.

Accordingly, let’s make a new account that’s actually usable by specifying more attributes:

New-ADUser -Name "Jack Robinson" -GivenName "Jack" -Surname "Robinson" -SamAccountName "J.Robinson" -UserPrincipalName "J.Robinson@enterprise.com" -Path "OU=Managers,DC=enterprise,DC=com" -AccountPassword (Read-Host -AsSecureString "Input Password") -Enabled $true

The Read-Host cmdlet will ask you to input a new password. Note that the password should meet the length, complexity and history requirements of your domain security policy.

Now let’s take a look at the results by running the following cmdlet:

Get-ADUser J.Robinson -Properties CanonicalName, Enabled, GivenName, Surname, Name, UserPrincipalName, samAccountName, whenCreated, PasswordLastSet  | Select CanonicalName, Enabled, GivenName, Surname, Name, UserPrincipalName, samAccountName, whenCreated, PasswordLastSet

Example 3: Specify even more attributes.

To create a full-fledged user account with even more attributes, use the following command.

New-ADUser -Name "Jason Bourne" -GivenName "Jason" -Surname "Bourne" -SamAccountName "Jason-Bourne" -AccountPassword (ConvertTo-SecureString -AsPlainText "webdir123R" -Force) -ChangePasswordAtLogon $True -Company "Versacorp" -Title "CEO" -State "California" -City "San Francisco" -Description "Test Account Creation" -EmployeeNumber "45" -Department "Engineering" -DisplayName "Jason Bourne" -Country "US" -PostalCode "94001" -Enabled $True

Let’s look at just a few of the new user’s attributes:

Get-ADUser -Identity Jason-bourne -Properties * | select name,samaccountname,company,title,department,city,state,country,description,employeenumber,postalcode

Create a User Account in a Specific OU

As noted above, by default, the New-ADUser cmdlet creates the new user in the “Users” container in the domain. To create the user in a different OU, use the -Path parameter with the distinguished name of the desired OU:

New-ADUser -Name "Jason Bourne" -Path "OU=NBC,DC=milkyway,DC=local" -GivenName "Jason" -Surname "Bourne" -SamAccountName "Jason-Bourne" -AccountPassword (ConvertTo-SecureString -AsPlainText "webdir123R" -Force) -ChangePasswordAtLogon $True -DisplayName "Jason Bourne" -Enabled $True

Create User and Set Attributes Beyond New-ADUser Parameters

The New-ADUser cmdlet’s 60+ parameters cover the common attributes of a new user, but there are still plenty of less commonly used attributes. You can populate them using the -OtherAttributes parameter. In this example, we populate extensionattribute1 and the custom attribute carlicense:

New-ADUser -Name "Jason Bourne" -Path "OU=NBC,DC=milkyway,DC=local" -GivenName "Jason" -Surname "Bourne" -SamAccountName "Jason-Bourne" -AccountPassword (ConvertTo-SecureString -AsPlainText "webdir123R" -Force) -ChangePasswordAtLogon $True -DisplayName "Jason Bourne" -Enabled $True -OtherAttributes @{'extensionattribute1'="director";'carlicense'="LWG3852"}

Let’s verify the results using the Get-ADUser command, as shown below.

Get-ADUser -Identity Jason-bourne -Properties * | select name,extensionattribute1,carlicense

Create an inetOrgPerson User

Most user objects in Active Directory have the class user. But you can also create user objects with the class inetOrgPerson, which has user as a parent class. The inetOrgPerson class facilitates integration with certain applications and simplifies the migration of certain user objects into Active Directory.

To create an inetOrgPerson user account, simply include the -Type parameter and specify inetOrgPerson as its value:

New-ADUser -Name "Benedict Cumberbatch" -Path "OU=NBC,DC=milkyway,DC=local" -GivenName "Benedict" -Surname "Cumberbatch" -SamAccountName "Benedict.Cumberbatch" -AccountPassword (ConvertTo-SecureString -AsPlainText "webdir123R" -Force) -ChangePasswordAtLogon $True -DisplayName "Benedict Cumberbatch" -Enabled $True -Type iNetOrgPerson

In the following screenshot, notice the type of the new user Benedict Cumberbatch and the type of the user Jason Bourne that we created earlier:


Create a New Active Directory User Account with Password

Accounts are created with the following default properties:

  • Account is created in the “Users” container.
  • Account is disabled.
  • Account is a member of Domain Users group.
  • No password is set.
  • User must reset the password at the first logon.

Therefore, to make a new account that’s actually usable, we need to enable it and give it a password. This can be done after creation with the Enable-ADAccount and Set-ADAccountPassword cmdlets, or at creation time with the -Enabled and -AccountPassword parameters of New-ADUser, as in the example below.

So let’s create a new account with the following attributes:

Name – Jack Robinson

Given Name – Jack

Surname – Robinson

Account Name – J.Robinson

User Principal Name – J.Robinson@enterprise.com

Path address – “OU=Managers,DC=enterprise,DC=com”

Password – Entered at the prompt

Status – Enabled

Here’s the script we’ll use:

New-ADUser -Name "Jack Robinson" -GivenName "Jack" -Surname "Robinson" -SamAccountName "J.Robinson" -UserPrincipalName "J.Robinson@enterprise.com" -Path "OU=Managers,DC=enterprise,DC=com" -AccountPassword (Read-Host -AsSecureString "Input Password") -Enabled $true

The Read-Host cmdlet will ask you to input a new password. Note that the password should meet the length, complexity and history requirements of your domain security policy.

Now let’s take a look at the results by running the following cmdlet:

Get-ADUser J.Robinson -Properties CanonicalName, Enabled, GivenName, Surname, Name, UserPrincipalName, samAccountName, whenCreated, PasswordLastSet  | Select CanonicalName, Enabled, GivenName, Surname, Name, UserPrincipalName, samAccountName, whenCreated, PasswordLastSet

Create a New User Based on an Existing User

Sometimes, you want to create a new user that has nearly all the same properties of an existing user. First, we need to create a template based on the existing user. Here, we create a template with 5 properties of the user Benedict Cumberbatch. The second line sets the value for userPrincipalName to null because that attribute is unique forest-wide. The template is stored in the $temp_UserAccount variable.

$temp_UserAccount = Get-ADUser -Identity Benedict.Cumberbatch -Properties State,Department,Country,City,title
$temp_UserAccount.UserPrincipalName = $null

Now we can create a new user that will have the 5 attributes from our template (by specifying the Instance parameter with the value $temp_UserAccount), plus several other attributes we specify:

New-ADUser -Instance $temp_UserAccount -Name 'Nelson Mendela' -SamAccountName 'Nelson.Mendela' -AccountPassword (Read-Host -AsSecureString "Input User Password") -Enabled $True

We can use the Get-ADUser command to see the new user:

Get-ADUser -Identity Nelson.Mendela -Properties * | select name,department,city,country,title,state

Notice that the properties we listed are the same for the new user and Benedict Cumberbatch:


Create Users in Bulk with a PowerShell Script

Now, let’s use a PowerShell script to create ten similar Active Directory accounts in bulk. They will all have nearly the same username, except for a number at the end that is incremented for each user. We will set the same default password (P@ssw0rd) for each of them, passing it in a protected form by using the ConvertTo-SecureString cmdlet. Here’s the script to use and the first two users that it creates:

$path="OU=IT,DC=enterprise,DC=com"
$username="ITclassuser"
$count=1..10
foreach ($i in $count)
{ New-ADUser -Name "$username$i" -Path $path -Enabled $True -ChangePasswordAtLogon $true `
    -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -PassThru }

Now let’s make our script more flexible by adding the Read-Host cmdlet, which will prompt us for the stem username to use and the number of users to be created:

$path="OU=IT,DC=enterprise,DC=com"
$username=Read-Host "Enter name"
$n=[int](Read-Host "Enter Number")
$count=1..$n
foreach ($i in $count)
{ New-ADUser -Name "$username$i" -Path $path -Enabled $True -ChangePasswordAtLogon $true `
    -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -PassThru }

Create Users in Bulk with a CSV Import

Another option for creating users in bulk is to import their attributes from a CSV file. This option is great when you have a list of users with predefined personal details such as their name, department, and OU.

The CSV file must be in UTF8 encoding and look like this:

(Screenshot of the sample CSV file; its column headers are the ones the script below reads: username, password, firstname, lastname, department and ou.)

The following script will create enabled user objects for any users in the CSV that do not already have accounts in Active Directory. The “Reset password at the next logon” option will be enabled for the new accounts, so you can use your default password:

# Define the path to your import CSV file in a variable, as shown in the line below.
$AD_Users = Import-Csv C:\scripts\newusers.csv

foreach ($User in $AD_Users)
{
    $User_name       = $User.username
    $User_Password   = $User.password
    $First_name      = $User.firstname
    $Last_name       = $User.lastname
    $User_Department = $User.department
    $User_OU         = $User.ou

    # The if-else condition below checks whether the user already exists in Active Directory.
    if (Get-ADUser -Filter {SamAccountName -eq $User_name})
    {
        # Output a warning message if the user exists.
        Write-Warning "A user $User_name already exists in Active Directory."
    }
    else
    {
        # Create a new user if one does not already exist in Active Directory.
        # The account is created in the OU listed in the $User_OU variable from the CSV file;
        # change the domain name in the -UserPrincipalName argument below to match your domain.
        New-ADUser `
            -SamAccountName $User_name `
            -UserPrincipalName "$User_name@example.com" `
            -Name "$First_name $Last_name" `
            -GivenName $First_name `
            -Surname $Last_name `
            -Enabled $True `
            -ChangePasswordAtLogon $True `
            -DisplayName "$Last_name, $First_name" `
            -Department $User_Department `
            -Path $User_OU `
            -AccountPassword (ConvertTo-SecureString $User_Password -AsPlainText -Force)
    }
}

After executing the script, we have two new users, Edward Franklin and Bill Jackson, in our Active Directory domain:
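The CSV script above takes each password from the file itself and checks only the sAMAccountName before creating the account. As an added example that is not part of the original post, the following script uses the same Import-Csv and New-ADUser pipeline but validates each row, checks both sAMAccountName and UPN for duplicates, confirms the target OU exists, and issues a random per-user initial password that must be changed at first logon, so the CSV never has to carry passwords. The CSV path and column names follow the script above; the UPN suffix example.com and the function names are placeholders of this example.

```powershell
# Added example (not the blog's own script): bulk provisioning from a CSV with input
# validation, duplicate checks and a random per-user initial password, so the CSV
# never has to carry passwords. Assumed columns: firstname,lastname,username,department,ou.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath   = 'C:\scripts\newusers.csv',  # assumed location
    [string]$UpnSuffix = 'example.com'               # assumed UPN suffix
)

Import-Module ActiveDirectory -ErrorAction Stop

function New-InitialPassword {
    # 16 characters drawn from the OS CSPRNG rather than Get-Random; the small
    # modulo bias is acceptable for a one-time password retired at first logon.
    param([int]$Length = 16)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%*-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Test-OuExists {
    param([string]$DistinguishedName)
    try { $null = Get-ADOrganizationalUnit -Identity $DistinguishedName -ErrorAction Stop; $true }
    catch { $false }
}

$ouSeen = @{}
foreach ($row in Import-Csv -Path $CsvPath -Encoding UTF8) {
    # Reject rows with missing mandatory fields before touching the directory.
    if (-not ($row.username -and $row.firstname -and $row.lastname -and $row.ou)) {
        Write-Warning "Skipping row with missing fields: $($row | ConvertTo-Json -Compress)"
        continue
    }
    $sam = $row.username.Trim()
    $upn = "$sam@$UpnSuffix"
    # sAMAccountName: at most 20 characters, restricted to characters that cannot
    # break the -Filter string used for the duplicate check below.
    if ($sam.Length -gt 20 -or $sam -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Warning "Skipping '$sam': invalid sAMAccountName."
        continue
    }
    if (-not $ouSeen.ContainsKey($row.ou)) { $ouSeen[$row.ou] = Test-OuExists $row.ou }
    if (-not $ouSeen[$row.ou]) {
        Write-Warning "Skipping '$sam': OU '$($row.ou)' does not exist."
        continue
    }
    # Both logon names must be unique, so check the UPN as well as the sAMAccountName.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam' -or UserPrincipalName -eq '$upn'") {
        Write-Warning "Skipping '$sam': sAMAccountName or UPN already in use."
        continue
    }
    if (-not $PSCmdlet.ShouldProcess($upn, 'New-ADUser')) { continue }  # honours -WhatIf/-Confirm
    $initial = New-InitialPassword
    $params = @{
        SamAccountName        = $sam
        UserPrincipalName     = $upn
        Name                  = "$($row.firstname) $($row.lastname)"
        GivenName             = $row.firstname
        Surname               = $row.lastname
        DisplayName           = "$($row.lastname), $($row.firstname)"
        Path                  = $row.ou
        AccountPassword       = ConvertTo-SecureString $initial -AsPlainText -Force
        Enabled               = $true
        ChangePasswordAtLogon = $true
        PassThru              = $true
        ErrorAction           = 'Stop'
    }
    if ($row.department) { $params.Department = $row.department }
    try {
        $u = New-ADUser @params
        # Return the initial password for out-of-band delivery to the user; the forced
        # change at first logon retires it, so it is never stored alongside the CSV.
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; DistinguishedName = $u.DistinguishedName; InitialPassword = $initial }
    }
    catch {
        Write-Warning "Failed to create '$sam': $($_.Exception.Message)"
    }
}
```

Save it as a .ps1 file and run it with -WhatIf first to see which accounts would be created without changing the directory.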


Create User Accounts in Bulk with a CSV File

Often, users need to be created on a daily or weekly basis. Suppose your HR department provides you with the details for each user in a CSV file that looks like this:

(Screenshot of the sample HR CSV file; its column headers are the ones the script below reads: First, Last, Department, State, EmployeeID, OfficeName, UserPrincipalName, samAccountName, Password, City, Address, Title, Company, Email and OU.)

To create users from this file, we first import the CSV file into the variable $import_users, with each record becoming a separate object:

$import_users = Import-Csv -Path c:\bulkuser.csv

Then we create the users using the script below. Note that it takes each user’s password from the source file, converts it into a secure string and encrypts it.

$import_users | ForEach-Object {New-ADUser -Name $($_.First + " " + $_.Last) -GivenName $_.First -Surname $_.Last -Department $_.Department -State $_.State -EmployeeID $_.EmployeeID -DisplayName $($_.First + " " + $_.Last) -Office $_.OfficeName -UserPrincipalName $_.UserPrincipalName -SamAccountName $_.samAccountName -AccountPassword $(ConvertTo-SecureString $_.Password -AsPlainText -Force) -City $_.City -StreetAddress $_.Address -Title $_.Title -Company $_.Company -EMailAddress $_.Email -Path $_.OU -Enabled $True}

We can use the following command to review the new users and their properties:

Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=BaseOU,DC=milkyway,DC=local" -Properties * | select name,samaccountname,title,department,city,state,employeeid,userprincipalname,mail,streetaddress

How Netwrix Can Help

User provisioning is a never-ending task. Every day, organizations need to:

  • Provision new user accounts in Active Directory.
  • Update user accounts as users change their names, switch departments and so on.
  • Add users to and remove users from security groups to ensure they have the right permissions.
  • Deprovision and disable accounts when users leave the organization.

Moreover, to ensure strong security and user productivity, all of these tasks need to be completed accurately, reliably and promptly.

Netwrix GroupID simplifies group and user management for Active Directory, Azure AD, and Microsoft 365. In particular, you can provision and deprovision AD users through an automated, bi-directional data sync with your HR systems, such as SQL or Oracle databases. Let’s look at a few screenshots depicting the Synchronize GUI.

  • The following screenshot shows the providers that can be used as a data source in a Synchronize job.
  • The following screenshot shows that Active Directory is selected as the destination provider for creating user, contact, mailbox, and external mail-enabled user objects. As a source provider, we can use simple (e.g., text or CSV) to complex (e.g., Microsoft SQL Server or Oracle Server) data stores.
  • The following screenshot shows that you can choose to create different objects (such as mailbox-enabled users, mail-enabled users, and contacts) at the destination. You can also update these objects at the destination when there is a change in the source provider.
  • The Create option button enables you to create the respective objects at the destination.
  • The Skip option button enables you to update the respective objects at the destination.

Conclusion

Now that you have seen how to create users in Active Directory using PowerShell, try out the commands and scripts shown here in your own environment, and explore the many other parameters of the New-ADUser cmdlet.

Then be sure to check out Netwrix GroupID. It combines the benefits of ADAC and PowerShell by offering a user-friendly GUI for performing and automating your user provisioning and deprovisioning tasks.

FAQs

Q: What is New-ADUser in Active Directory?

A: New-ADUser is a PowerShell command for creating an Active Directory user.

Q: How do I use the New-ADUser PowerShell cmdlet?

A: To use New-ADUser, specify as many parameters as you need, as in this sample command:

New-ADUser -Name "Jason Bourne" -GivenName "Jason" -Surname "Bourne" -SamAccountName "Jason-Bourne" -AccountPassword (ConvertTo-SecureString -AsPlainText "webdir123R" -Force) -ChangePasswordAtLogon $True -Company "Versacorp" -Title "CEO" -State "California" -City "San Francisco" -Description "Test Account Creation" -EmployeeNumber "45" -Department "Engineering" -DisplayName "Jason Bourne" -Country "US" -PostalCode "94001" -Enabled $True

Q: How do I create a new user in Active Directory?

A: You can create a new user easily using Active Directory Users and Computers, but you might not be able to populate all the user properties you need and you can’t create user accounts in bulk. A more powerful and flexible alternative is PowerShell. Here is an example of how you can use the New-ADUser cmdlet to create a user in Active Directory and populate many common attributes:

New-ADUser -Name "Mike Hussey" -GivenName "Mike" -Surname "Hussey" -SamAccountName "Mike-Hussey" -AccountPassword (ConvertTo-SecureString -AsPlainText "Sas123R" -Force) -ChangePasswordAtLogon $True -Company "DeltaCorp" -Title "COO" -State "California" -City "San Jose" -Description "Test Account Creation-2" -EmployeeNumber "46" -Department "Operations" -DisplayName "Mike Hussey" -Country "US" -PostalCode "94089" -Enabled $True

Q: How can I create 1,000 users in Active Directory?

A: You can use the PowerShell cmdlet New-ADUser to create many user accounts based on a CSV file containing the details for each user. An even easier option is to use Netwrix GroupID, which provides an easy-to-use wizard and accepts input from not just CSV files but SQL Server and Oracle databases.

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.