Scripting user creation in Windows Server is something we’ve long done using LDIF files; however, when building a system that creates users in more of a one-off capacity it’s pretty easy to script the creation process using PowerShell, piping information in from other solutions. To create a user, use the New-ADUser cmdlet.
I’ve found that we usually need to populate this with a few pieces of information, including the account name (SamAccountName), the password (AccountPassword), the full name (Name), enabling the account (Enabled), setting the password not to expire (PasswordNeverExpires) and forcing the user to change their password when they log on (ChangePasswordAtLogon). Putting those together, the following example would create user cedge, prompting for the password (mypassword in this case), with a name of Charles Edge, enabling the account, allowing the password to expire and forcing me to change my password the first time I log in:
New-ADUser -SamAccountName cedge -AccountPassword (Read-Host "Set user password" -AsSecureString) -Name "Charles Edge" -Enabled $true -PasswordNeverExpires $false -ChangePasswordAtLogon $true
Once created, the account likely needs to be made a member of some groups. At this point, we’ll need to identify the user by distinguished name (so if the user is in a specific OU, that would need to be included in the -Identity parameter). Because namespace collisions can happen, you’ll need to provide the full distinguished name of both the user (using the Identity parameter) and the group (using the MemberOf parameter). The CN at the start of the user’s distinguished name is the value that was passed to -Name when the account was created. Let’s say I’m going to add the account that I just created, which is in Users of krypted.com, to the Enterprise Admins and Domain Admins groups of the same domain. That would look like this:
Add-ADPrincipalGroupMembership -Identity "CN=Charles Edge,CN=Users,DC=krypted,DC=com" -MemberOf "CN=Enterprise Admins,CN=Users,DC=krypted,DC=com","CN=Domain Admins,CN=Users,DC=krypted,DC=com"
Overall, it’s pretty easy to call these cmdlets from other scripts, so for example, if you wanted to build a system that allowed an HR professional to enter a username and password for a user then create their account in AD, Google Apps and a few other solutions, this would make for the first step, piping that account name and password into each.
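As a sketch of that first step, here is an added example (not code from the original post) that wraps both cmdlets in one function a provisioning front end could call. The function name New-HrAdUser, the deny list of privileged groups and the group name Staff are assumptions made for illustration.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical wrapper (not from the original post) for the HR scenario.
function New-HrAdUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Limit the logon name to 2-20 safe characters before it reaches AD.
        [Parameter(Mandatory)][ValidatePattern('^[a-z][a-z0-9._-]{1,19}$')]
        [string]$SamAccountName,
        [Parameter(Mandatory)][string]$FullName,
        # SecureString keeps the password out of the command line and history.
        [Parameter(Mandatory)][securestring]$Password,
        # Group sAMAccountNames or DNs supplied by the calling system.
        [string[]]$Group = @()
    )

    # Groups an HR-driven script should never grant (assumed deny list).
    $denied = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'

    # Resolve every group first, so a typo or a denied group stops the run
    # before any account exists.
    $targets = foreach ($g in $Group) {
        $obj = Get-ADGroup -Identity $g -ErrorAction Stop
        if ($denied -contains $obj.Name) {
            throw "Refusing to add $SamAccountName to privileged group '$($obj.Name)'."
        }
        $obj
    }

    if (-not $PSCmdlet.ShouldProcess($SamAccountName, 'Create AD user')) { return }

    # -PassThru returns the new object, so its DN never has to be guessed.
    $user = New-ADUser -SamAccountName $SamAccountName -Name $FullName `
        -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $false -ChangePasswordAtLogon $true `
        -PassThru -ErrorAction Stop

    if ($targets) {
        Add-ADPrincipalGroupMembership -Identity $user.DistinguishedName `
            -MemberOf $targets -ErrorAction Stop
    }
    $user
}

# Usage (constructed values): prompt for the password instead of passing text.
# New-HrAdUser -SamAccountName cedge -FullName 'Charles Edge' `
#     -Password (Read-Host 'Set user password' -AsSecureString) -Group 'Staff'
```

Running it with -WhatIf resolves and checks the groups but stops before creating the account.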