Powershell Script – Create AD OUs/Groups/Users

Active Directory, Automation, Script 5 Minutes

When planning a build of any kind of environment it is good practice to pre plan all user/service/application accounts that you will need. Now you could manually create each user but you’ve probably got better things to do (Beer anyone?!) so a script to do it all helps right?!

I searched the web and couldn’t find a script that would do everything that i wanted so i decided to create one using bits i found along with my customizations!

I wanted to do the following:

  1. Check for AD Powershell Module & install if not present
  2. Import csv (and validate csv path)
  3. Check for existing OU – Create if not present
  4. Check for existing Group – Create if not present
  5. Add Group to Group
  6. Check for existing Users – Create if not present
  7. Check if users are members of groups
  8. Add Users to groups

Simple right?!  Dr Google was not able to produce what i wanted so enter some manual labour!  Time to build the monster. I found bits n pieces of what i needed on TechNet etc… Compiled those pieces with some of my own customizations mainly around validation of paths to OU’s and pre checking for groups before adding users etc The resulting script will read from a csv and do all of the above.

The biggest issue i had was getting the script to ignore blank cells as not all cells may be populated (Certain users may not be added to any groups). The easiest solution i found was using the Where-Object cmdlet to verify if a cell has an entry.

The format of the CSV is important. Here is a sample of what it should look like. (There is also a sample CSV with the script on GitHub.)

csv1 csv2

 

The link to the script is below. I commented the code as much as i thought was relevant. If you have any questions please let me know..comment here or contact me on twitter @LifeOfBrianOC

I have absolutely no doubt that this can be done more efficiently and will welcome any and all suggestions for improvement!

It also needs a little more error checking so i will update it in the coming weeks but if you are working with clean csv data it should be ok!!!

 

Script & sample csv can be found here and the raw code is below

Beer_in_the_Coconut

 

#####################################################
# AUTHOR : Brian O'Connell @LifeOfBrianOC
# https://lifeofbrianoc.wordpress.com/
# It will do the following:
# Check for Active Directory Powershell Module and install if not Present
# Create OU's based on csv Input - Checks for existing OU first
# Create Groups based on csv input - Checks for existing Groups first
# Adds Groups to other Groups based on csv input
# Create Users based on csv Input - Checks for existing Users first
# Add Users to specific Groups based on csv Input
#####################################################
Write-host "This script will create all required AD users & groups in Active Directory
" -ForegroundColor Yellow

#####################################################
# AD Powershell Module #
#####################################################

# Checking for Required AD Powershell Module. Importing if not available
Write-host "Checking for Required AD Powershell Module
" -ForegroundColor Green

$name="ActiveDirectory"
if(-not(Get-Module -name $name))
{
if(Get-Module -ListAvailable | Where-Object { $_.name -eq $name })
{
# Module is installed so import it
Import-Module -Name $name
}
else
{
# If Module is not installed
$false
}
# Install Module
write-host "Active Directory powershell Module Not Installed - Installing
" -ForegroundColor Red
{
}
Import-Module servermanager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature | Out-Null
}
# End if module is not installed
else
{
# If Module is already installed
write-host "Active Directory Module Already Installed - Continuing
" -ForegroundColor Green
}

#####################################################
# OU Creation #
#####################################################

# Set Console ForegroundColor to Yellow for Read-Host as -ForegroundColor doesn't work with Read-Host
[console]::ForegroundColor = "yellow"

# Ask user for csv path
$CSVPath = Read-Host "Please enter the full path to your csv with user details"

# Reset Console ForegroundColor back to default
[console]::ResetColor()

# Verify CSV Path
$testCSVPath = Test-Path $CSVPath
if ($testCSVPath -eq $False) {Write-Host "CSV File Not Found. Please verify the path and retry
" -ForegroundColor Red
Exit
}
else
{

# Continue if CSV is found
Write-host "
Creating Required OU's
" -ForegroundColor Yellow

# Import CSV and only read lines that have an entry in createOUName column
$csv = @()
$csv = Import-Csv -Path $CSVPath |
Where-Object {$_.createOUName}

# Loop through all items in the CSV
ForEach ($item in $csv)
# Check if the OU exists
{
$ouName = "OU=" + $item.createOUName
$ouExists = [ADSI]::Exists("LDAP://$($ouName),$($item.createOUPath)")

If ($ouExists -eq $true)
{
Write-Host "OU $($item.createOUName) already exists! OU creation skipped!
" -ForegroundColor Red
}
Else
{
# Create The OU
$createOU = New-ADOrganizationalUnit -Name $item.createOUName -Path $item.createOUPath
Write-Host "OU $($item.createOUName) created!
" -ForegroundColor Green
}
}
}

Write-Host "OU Creation Complete
" -ForegroundColor Green

#####################################################
# Group Creation #
#####################################################
Write-host "
Creating Required Groups
" -ForegroundColor Yellow

# Get Domain Base Path
$searchbase = Get-ADDomainController | ForEach {  $_.DefaultPartition }

# Import CSV and only read lines that have an entry in createGroup column
$csv = @()
$csv = Import-Csv -Path $CSVPath |
Where-Object {$_.createGroup}

# Loop through all items in the CSV
ForEach ($item In $csv)
{
# Check if the Group already exists
$groupName = "CN=" + $item.createGroup + "," + $item.groupOU
$groupExists = [ADSI]::Exists("LDAP://$($groupName),$($searchbase)")

if ($groupExists -eq $true)
{
Write-Host "Group $($item.createGroup) already exists! Group creation skipped!
" -ForegroundColor Red
}
else
{
# Create the group if it doesn't exist
$createGroup = New-ADGroup -Name $item.createGroup -GroupScope $item.GroupType -Path ($($item.groupOU) + "," + $($searchbase))
Write-Host "Group $($item.createGroup) created!
" -ForegroundColor Green
}

# Setup Nested Groups
# Split comma separated groups and only read lines that have an entry in addToGroup column
$groupNameSplit = $item.addGroupToGroup.Split(',') |
Where-Object {$item.addGroupToGroup}
ForEach ($group In $groupNameSplit)
{
# Check if the Group is already a member of the group
$groupIsMember = (Get-ADGroupMember -Identity $group).name -contains "$($item.createGroup)"
If ($groupIsMember -eq $true)
{
Write-Host "Group $($item.createGroup) is already a member of $($group). Add to Group skipped!
" -ForegroundColor Red
}
else
{
Add-ADGroupMember -Identity $group -Member $item.createGroup;
Write-Host "Group $($item.createGroup) added to group $($group)!
" -ForegroundColor Green
}
}
}

Write-Host "Group Creation Complete
" -ForegroundColor Green

#####################################################
# User Creation #
#####################################################
# Creating Users from csv
Write-Host "Creating EHC Users and Adding to Security Groups
" -ForegroundColor Yellow

# Import CSV
$csv = @()
$csv = Import-Csv -Path $CSVPath

# Loop through all items in the CSV
ForEach ($item In $csv)
{
#Check if the User exists
$samAccountName = "CN=" + $item.samAccountName
$userExists = [ADSI]::Exists("LDAP://$($samAccountName),$($item.ouPath),$($searchbase)")

If ($userExists -eq $true)
{
Write-Host "User $($item.samAccountName) Already Exists. User creation skipped!
" -ForegroundColor Red
}
else
{
# Create The User
$userPrincinpal = $item.samAccountName + "@" + $item.domain
New-ADUser -Name $item.Name `
-Path ($($item.ouPath) + "," + $($searchbase)) `
-SamAccountName $item.samAccountName `
-UserPrincipalName $userPrincinpal `
-AccountPassword (ConvertTo-SecureString $item.accountPassword -AsPlainText -Force) `
-ChangePasswordAtLogon $false `
-PasswordNeverExpires $true `
-Enabled $true
Write-Host "User $($item.samAccountName) created!
" -ForegroundColor Green
}
# Split comma separated groups and only read lines that have an entry in addToGroup column
$userGroupNameSplit = $item.addToGroup.Split(',') |
Where-Object {$item.addToGroup}
ForEach ($group In $userGroupNameSplit)
{
# Check if the User is already a member of the group
$userIsMember = (Get-ADGroupMember -Identity $group).name -contains "$($item.samAccountName)"
If ($userIsMember -eq $true)
{
Write-Host "User $($item.samAccountName) is already a member of $($group). Add to Group skipped!
" -ForegroundColor Red
}
else
{
Add-ADGroupMember -Identity $group -Member $item.samAccountName;
Write-Host "User $($item.samAccountName) added to group $($group)!
" -ForegroundColor Green
}

}
}
Write-host "Creating EHC Users and Adding to Security Groups Complete
" -ForegroundColor Green
Published

10 thoughts on “Powershell Script – Create AD OUs/Groups/Users

  1. Pingback: Powershell Script – Validate AD Users Credentials | LifeOfBrianOC

Leave a Reply to Rafail Cancel reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s