Creating Users with Windows PowerShell

Windows PowerShell is a powerful tool for performing and automating administrative tasks in Windows Server 2008. Windows PowerShell is both a command-line shell and a scripting language including more than 130 command-line tools called cmdlets (pronounced, “command-lets”) that follow extremely consistent syntax and naming conventions and can be extended with custom cmdlets.


Unlike traditional command shells such as Cmd.exe in Windows, which operate by sending a text command to a separate process or utility and then returning the results of that command as text, Windows PowerShell performs direct manipulation of Microsoft .NET Framework objects at the command line.

Windows PowerShell is installed as a feature of Windows Server 2008. Open Server Manager and click the Add Features link to install Windows PowerShell. After you have installed Windows PowerShell, you can open it from the Start menu. It is likely that you will use Windows PowerShell often enough to warrant creating a shortcut in a more accessible location. Right-click Windows PowerShell in the Windows PowerShell program group and choose Pin To Start Menu. The Windows PowerShell command shell looks very similar to the command prompt of Cmd.exe except that the default background colour is dark blue, and the prompt includes PS.

Open the Server Manager console. Right-click Features. Select Windows PowerShell, then click Next. Click Install. When the installation has completed, click Close.

To access Windows PowerShell, select Start > All Programs and expand Windows PowerShell 1.0. Right-click Windows PowerShell and select Pin to Start Menu. To launch it, click Start > Windows PowerShell.

Windows PowerShell

You are now ready to learn how to apply Windows PowerShell to create a user in Active Directory. The most basic Windows PowerShell script to create a user will look similar to the following:
$objADSI = [ADSI]"LDAP://OU=Managers,DC=es-net,DC=co,DC=uk"   # bind to the container (the Managers OU)
$objUser = $objADSI.Create("User","CN=John Doe")                # create the user object with its RDN
$objUser.Put("sAMAccountName", "jdoe")                          # set the mandatory pre-Windows 2000 logon name
$objUser.SetInfo()                                              # commit the new object to Active Directory

This code exemplifies the four basic steps to creating an object in Active Directory with Windows PowerShell:

  1. Connect to the container—for example, the OU—in which the object will be created.
  2. Invoke the Create method of the container with the object class and relative distinguished name (RDN) of the new object.
  3. Populate attributes of the object with its Put method.
  4. Commit changes to Active Directory with the object’s SetInfo method.

The first step, then, is to connect to the container. Windows PowerShell uses the Active Directory Services Interface (ADSI) type adapter to tap into Active Directory objects. To connect to an Active Directory object, you submit an LDAP query string, which is simply the LDAP:// protocol moniker followed by the DN of the object. So the first line of code is as follows:
$objADSI = [ADSI]"LDAP://OU=Managers,DC=es-net,DC=co,DC=uk"
Then press Enter.

At this point, the variable $objADSI is a reference to the Managers OU. You can now ask the container to create the object, using the container’s Create method.
The Create method requires two parameters, passed as arguments: the object class and the RDN of the object. An object’s RDN is the portion of its name beneath its parent container. Most object classes use the format CN=object name as their RDNs.

The RDN of an OU, however, is OU=organizational unit name, and the RDN of a domain is DC=domain name. The following line, then, creates a user object with the RDN specified as CN=John Doe.
$objUser = $objADSI.Create("User","CN=John Doe")
The resulting object is assigned to the variable $objUser, which will represent the object and enables you to manipulate it.
Then press Enter.

It’s important to remember that the new object and the changes you make are not saved until you commit the changes, and you cannot commit the changes successfully until all required attributes are populated.
The required attribute for user objects is the pre-Windows 2000 logon name. The LDAP name for this attribute is sAMAccountName. Therefore, the next line of code assigns the sAMAccountName to the object, using the Put method. Put is a standard method for writing a property of an object. The resulting code is: $objUser.Put("sAMAccountName", "jdoe")
Then press Enter.

To commit the changes, use the Active Directory object’s SetInfo method, as in the following line of code:
$objUser.SetInfo()
Then press Enter.

Although nothing appears to have happened, if you check Active Directory Users and Computers, the user has been created. If you check the properties of the account, the sAMAccountName has been set. Note that no other user attributes have been populated.

Populating Additional User Attributes

The preceding commands created a user with only the mandatory sAMAccountName attribute configured. You should populate other user attributes when creating a user object. You just learned to use the Put method of a user object to write a property. All you have to do is use the same method repeatedly, specifying each attribute you want to add.

Each of these commands populates an attribute of a user with the value stored in a variable. Don’t forget to use the SetInfo() method of the user object to commit the changes to Active Directory! Until you use SetInfo(), the changes you make are occurring only in your local copy of the object. The SetInfo() method evaluates your object’s properties for validity. If you configured an invalid value for an attribute, you will receive an error on the SetInfo() line. Using the GetInfo() method of the user object reloads the original object, effectively undoing all your changes.

Open Windows PowerShell. At the prompt, type get-childitem and press Enter.
The Get-ChildItem cmdlet enumerates all child objects of the object currently in the pipe. At the Windows PowerShell prompt, the current directory is in the pipe. Type cd documents and press Enter. By default, Windows PowerShell prevents the execution of scripts as a security measure. Enable script execution by typing the following command: Set-ExecutionPolicy RemoteSigned. Execute the script by typing .\usermod.ps1 and pressing Enter. The .\ notation provides the current path as the path to the script. Without .\, an error is thrown. The script completes with no errors. Confirm that the user's attributes have been successfully modified in Active Directory. All the attributes have been modified.
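The following script is an added example, not the lesson's own usermod.ps1 (whose contents are not shown on this page). It carries the four-step creation procedure above through to a user with several attributes populated, commits with SetInfo(), verifies the result by re-binding to the new object, and then modifies that object the way a usermod-style script would. The OU is the one used in the lesson; the RDN "CN=Jane Roe", the logon name and the attribute values are constructed sample data. The attribute names (givenName, sn, displayName, userPrincipalName, description) are standard user-class LDAP attributes. The script uses try/catch, so it needs PowerShell 2.0 or later rather than the 1.0 release installed above.

```powershell
# Added example: create an AD user with ADSI, populate several attributes,
# commit with SetInfo(), verify, then modify the object. Not the lesson's
# usermod.ps1. Run on a domain-joined machine as an account that may create
# users in the target OU.

$ouDn = "OU=Managers,DC=es-net,DC=co,DC=uk"   # container used in the lesson
$rdn  = "CN=Jane Roe"                         # constructed sample RDN

# Attribute values are constructed for this example; the names are standard
# LDAP display names of the user class.
$attributes = @{
    sAMAccountName    = "jroe"                # mandatory: pre-Windows 2000 logon name
    givenName         = "Jane"
    sn                = "Roe"
    displayName       = "Jane Roe"
    userPrincipalName = "jroe@es-net.co.uk"
    description       = "Created with the ADSI example script"
}

# Writes every name/value pair in $Values to $Object with Put(). Nothing
# reaches Active Directory until the caller invokes SetInfo().
function Set-AdsiAttributes($Object, [hashtable]$Values) {
    foreach ($name in $Values.Keys) {
        $Object.Put($name, $Values[$name])
    }
}

# Step 1: connect to the container.
$objADSI = [ADSI]"LDAP://$ouDn"

# Step 2: ask the container to create the user object.
$objUser = $objADSI.Create("User", $rdn)

# Step 3: populate attributes in the local copy of the object.
Set-AdsiAttributes $objUser $attributes

# Step 4: commit. SetInfo() validates the values; an invalid value raises the
# error on this line and nothing is written to the directory.
try {
    $objUser.SetInfo()
}
catch {
    Write-Error ("SetInfo() failed: " + $_.Exception.Message)
    return
}

# Verify by binding afresh to the new object and reading the attributes back.
$check = [ADSI]"LDAP://$rdn,$ouDn"
foreach ($name in $attributes.Keys) {
    "{0,-18} {1}" -f $name, $check.Get($name)
}

# A user created this way has no password yet: Active Directory stores it
# disabled, with PASSWD_NOTREQD set in userAccountControl (documented flag
# values: ACCOUNTDISABLE = 0x2, PASSWD_NOTREQD = 0x20). Report that state so
# the account is not enabled before a password has been assigned.
$uac = [int]$check.Get("userAccountControl")
if ($uac -band 0x2)  { "Account is disabled (expected for a newly created user)." }
if ($uac -band 0x20) { "PASSWD_NOTREQD is set: assign a password and clear this flag before enabling." }

# Modifying an existing user (what a usermod-style script does): bind to the
# object, change attributes with Put(), commit with SetInfo(). If the commit
# fails, GetInfo() reloads the object from the directory and discards the
# uncommitted local edits.
$existing = [ADSI]"LDAP://$rdn,$ouDn"
$existing.Put("description", "Updated by the ADSI example script")
try {
    $existing.SetInfo()
}
catch {
    Write-Error ("Update failed: " + $_.Exception.Message)
    $existing.GetInfo()
}
```

Save the script in your Documents folder under a name of your choosing, set the execution policy to RemoteSigned as described above, and run it with the .\ prefix from that folder. The verification step binds to the object a second time rather than reading from $objUser, so it shows what the directory actually stored, not what remained in the local copy.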