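# ---------------------------------------------------------------------------------------------------
# Microsoft PowerShell Source File
# NAME: New-Account.ps1
#
# AUTHOR: Adam Bell, www.leadfollowmove.com
# DATE  : 12/03/2007
#
# PURPOSE: Create an account in Active Directory
#
# COMMENT: Best viewed in Notepad2
#          Sample code only. Educational purposes only.
#
# SECURITY NOTES (review):
#  - The original sample fell back to a hard-coded default password ("LetM3In") whenever no
#    password was supplied, so every account created that way shared one publicly known
#    credential. The fallback has been removed: create-account now throws without a password.
#  - The original sample unconditionally set ADS_UF_DONT_EXPIRE_PASSWORD. Per the documented
#    semantics of pwdLastSet, a value of 0 only forces a change at next logon when that bit is
#    clear, so the account ended up with a never-expiring initial password and the "must change"
#    intent was silently cancelled. Never-expire is now opt-in via -PasswordNeverExpires.
#  - The password is passed as a plain [string], which lands in the command line, transcripts
#    and history. That is tolerable for a lab sample; for real use read it with
#    Read-Host -AsSecureString and convert only at the SetPassword call.
#  - The caller-supplied user name is now DN-escaped before being placed in "cn=..." so that
#    characters such as "," cannot add extra RDNs to the LDAP path. $Location is taken as-is
#    and must come from a trusted source.
# ---------------------------------------------------------------------------------------------------

# Constants from: http://msdn2.microsoft.com/en-us/library/aa772300.aspx
Set-Variable -Name ADS_UF_ACCOUNT_DISABLE      -Value 0x2      -Option Constant
Set-Variable -Name ADS_UF_DONT_EXPIRE_PASSWORD -Value 0x10000  -Option Constant
Set-Variable -Name ADS_UF_PASSWORD_EXPIRED     -Value 0x800000 -Option Constant

# Default naming context of the domain this session is bound to, e.g. "DC=contoso,DC=com".
$rootdn = ([adsi]"").distinguishedName

# ---------------------------------------------------------------------------------------------------
function Convert-DNtoFQDN
# ---------------------------------------------------------------------------------------------------
{
    # Inputs:    1) A distinguished name made of "attr=value" RDNs separated by commas
    # Objective: 1) Join the RDN values with dots, e.g. "DC=contoso,DC=com" -> "contoso.com"
    # Returns:   1) The dotted name, or $null for a null/empty input (the original threw from
    #               Substring(0,-1) on an empty string)
    # Caveat:    A plain split on "," does not honour backslash-escaped commas inside an RDN
    #            value (RFC 4514); this helper is only intended for the DC-only $rootdn value.
    Param ( $DNname )

    if ($DNname -eq $null -or $DNname.ToString().Length -eq 0) { return $null }

    $labels = @()
    foreach ($rdn in $DNname.ToString().Split(",")) {
        # Keep everything after the first "=" ("attr=value" -> "value"); an RDN without "=" is
        # used as-is rather than producing an empty label.
        $eq = $rdn.IndexOf("=")
        if ($eq -ge 0) { $labels += $rdn.Substring($eq + 1) } else { $labels += $rdn }
    }
    # Join inserts the separators, so there is no trailing dot to trim.
    return [string]::Join(".", $labels)
}

# ---------------------------------------------------------------------------------------------------
function ConvertTo-EscapedRdnValue
# ---------------------------------------------------------------------------------------------------
{
    # Inputs:    1) A raw attribute value destined for a relative DN such as "cn=<value>"
    # Objective: 1) Backslash-escape the characters that are special in a DN (RFC 4514) so a
    #               caller-supplied name cannot alter the structure of the LDAP path
    # Returns:   1) The escaped value
    Param ( [string]$Value )

    # Backslash first, so the escapes added below are not themselves re-escaped.
    $escaped = $Value.Replace("\", "\\")
    foreach ($ch in @(",", "+", '"', "<", ">", ";", "=")) {
        $escaped = $escaped.Replace($ch, "\" + $ch)
    }
    # A leading "#" or space and a trailing space are also significant in an RDN value.
    if ($escaped.StartsWith("#") -or $escaped.StartsWith(" ")) { $escaped = "\" + $escaped }
    if ($escaped.EndsWith(" ")) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + "\ " }
    return $escaped
}

# ---------------------------------------------------------------------------------------------------
function create-account
# ---------------------------------------------------------------------------------------------------
{
    # Inputs:    1) OU / Container to create the account in, relative to $rootdn (e.g. "ou=Test OU").
    #               Trusted input: it is concatenated into the LDAP path unescaped.
    #            2) Account username - used for cn, sAMAccountName and the UPN prefix
    #            3) Description attribute of the account (optional)
    #            4) Password to set on the account - MUST comply with Password Policy Restrictions
    #               to work! Mandatory: there is no built-in default password any more.
    #            5) -PasswordNeverExpires: opt in to ADS_UF_DONT_EXPIRE_PASSWORD. Off by default,
    #               because that flag cancels the "must change password at next logon" state set
    #               below and the account would otherwise keep its initial password indefinitely.
    # Objective: 1) Create an account in Active Directory
    # Returns:   1) Nothing.
    # Throws:    On a missing Location/User/Password, or a User that is not a valid sAMAccountName.
    Param (
        $Location,
        $User,
        $Desc = $null,
        $Password = $null,
        [switch]$PasswordNeverExpires
    )

    if ($Location -eq $null -or $Location.ToString().Length -eq 0) {
        throw "create-account: Location is required"
    }
    if ($User -eq $null -or $User.ToString().Length -eq 0) {
        throw "create-account: User is required"
    }
    # Refuse to create an account without a caller-supplied password. The previous fallback to a
    # shared, hard-coded password gave every such account the same well-known credential.
    if ($Password -eq $null -or $Password.ToString().Length -eq 0) {
        throw "create-account: Password is required; no default password is provided"
    }

    # sAMAccountName rules: at most 20 characters and none of  " / \ [ ] : ; | = , + * ? < >
    $samName = [string]$User
    if ($samName.Length -gt 20 -or $samName -match '[\"/\\\[\]:;|=,+*?<>]') {
        throw ("create-account: '" + $samName + "' is not a valid sAMAccountName (max 20 characters, no " + '"/\[]:;|=,+*?<>' + " characters)")
    }

    $ou = [adsi]("LDAP://" + $Location + "," + $rootdn)

    # Escape the name so DN-special characters cannot inject extra RDNs into the object path.
    $newuser = $ou.Create("user", "cn=" + (ConvertTo-EscapedRdnValue $samName))
    $newuser.Put("sAMAccountName", $samName)
    if ($Desc -ne $null -and $Desc.ToString().Length -gt 0) {
        $newuser.Put("Description", $Desc)
    }
    # Build the UPN from the domain's naming context, e.g. user@contoso.com.
    $newuser.Put("userPrincipalName", $samName + "@" + (Convert-DNtoFQDN $rootdn.ToString()))
    # The object has to exist in the directory before a password can be set on it.
    $newuser.SetInfo()

    # Set the password while the account is still in its initial disabled state, so there is no
    # window in which an enabled account carries an unknown or empty password.
    $newuser.psbase.Invoke("SetPassword", $Password)
    $newuser.SetInfo()

    # Enable the account
    $newuser.psbase.InvokeSet("AccountDisabled", $false)

    # pwdLastSet = 0 ticks the "User must change password at next logon" box; -1 clears it.
    $newuser.PwdLastSet = 0
    $newuser.SetInfo()

    if ($PasswordNeverExpires) {
        # userAccountControl is a bit field: OR a flag in to set it, AND with the complement to
        # clear it. Deliberately opt-in - with this bit set, pwdLastSet = 0 no longer forces a
        # password change at next logon.
        $uacFlag = $newuser.userAccountControl
        $newuser.userAccountControl = $uacFlag[0] -bor $ADS_UF_DONT_EXPIRE_PASSWORD
        $newuser.SetInfo()
    }
}

# ---------------------------------------------------------------------------------------------------
# Sample calling statement (the password must satisfy the domain's password policy):
create-account "ou=Test OU" "BellA" "Adam's Test Account" "Password12"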