Create Active Directory accounts using PowerShell

This how-to guide gives an example of how a PowerShell script can be used to create accounts in Active Directory. The information fed to the script would typically come from an account activation service, for example eduID or antagning.se for students, or an account portal.

Consider a student who needs to create their account. The activation process uses eduID or antagning.se to authenticate the user, and antagning.se or eduID returns a personal identity number (personnummer) to the web portal. The portal then uses the personnummer to query Ladok to see whether the person is eligible for an account, and based on that information decides which actions need to be performed on the university's systems. One possible outcome is the creation of a new account in Active Directory.

The following function shows the commands used to create the user's home directory, create the user object, add the user to a group, and set permissions and ownership on the home directory. The input source is a CSV file whose header row is replaced with a known set of column names before it is imported, so the first line of the source file must be a header and not a data row.

function create_ADusers {
    Param(
        # CSV written by the account activation service (its header row is replaced below)
        [Parameter(Mandatory = $true)][string]$orgfile,
        # Working copy of the CSV with a known header row
        [Parameter(Mandatory = $true)][string]$newfile
    )

    Import-Module ActiveDirectory

    # Read in the CSV file containing the user data and give it a known header row
    $errorsInCreation = @()
    $x = Get-Content $orgfile
    $x[0] = "Username,Fullname,Password,Desc,X,Y,Z,B"
    $x | Out-File $newfile
    $i = 0    # users created without any error
    $nf = 0   # number of failed steps
    $importlist = Import-Csv $newfile

    # Loop over each user
    foreach ($newuser in $importlist) {
        if ($newuser.Username.Length -gt 5) {
            $f = 0
            $userhomepath = '\\Fileserver\home$\' + $newuser.Username

            # Create the home directory on the file server. -ErrorAction Stop turns the
            # cmdlet's non-terminating errors into exceptions so that the catch block runs.
            try {
                New-Item -ItemType Directory -Path $userhomepath -ErrorAction Stop | Out-Null
            }
            catch {
                $f = 1
                $nf = $nf + 1
                $errorsInCreation += ($newuser.Username + " " + $_ + "`r`n")
            }

            # Create the user object. The home directory attribute points at the
            # directory created above. Note that the password is carried in clear
            # text in the CSV, so the file must be protected and deleted after use.
            try {
                New-ADUser -Name $newuser.Username `
                    -DisplayName $newuser.Fullname `
                    -Description $newuser.Desc `
                    -Path "OU=Users,OU=Student,DC=Student,DC=example,DC=se" `
                    -SamAccountName $newuser.Username `
                    -UserPrincipalName ($newuser.Username + "@student.example.se") `
                    -HomeDrive "H" `
                    -HomeDirectory $userhomepath `
                    -ProfilePath ('\\nas-s1\profiles$\' + $newuser.Username) `
                    -AccountPassword (ConvertTo-SecureString $newuser.Password -AsPlainText -Force) `
                    -Enabled $true `
                    -ErrorAction Stop
            }
            catch {
                $f = 1
                $nf = $nf + 1
                $errorsInCreation += ($newuser.Username + " " + $_ + "`r`n")
            }
            # Give the new object time to replicate before it is referenced
            Start-Sleep -Seconds 10

            # Add the user to the student group
            try {
                Add-ADGroupMember -Identity IAS_Student_Users -Members $newuser.Username -ErrorAction Stop
            }
            catch {
                $f = 1
                $nf = $nf + 1
                $errorsInCreation += ($newuser.Username + " " + $_ + "`r`n")
            }
            Start-Sleep -Seconds 3

            # Grant full control and set ownership on the home directory.
            # icacls is called directly with separate arguments rather than through
            # "cmd.exe /C" with a concatenated command string, so a username containing
            # shell metacharacters (for example "&") cannot inject further commands.
            # icacls reports "Failed processing 0 files" when everything succeeded.
            [string]$cmderror = (& icacls $userhomepath /grant ('student\' + $newuser.Username + ':(OI)(CI)F') 2>&1)
            if (-not $cmderror.Contains("Failed processing 0 files")) {
                $f = 1
                $nf = $nf + 1
            }
            $errorsInCreation += ($cmderror + "`r`n")

            Start-Sleep -Seconds 3

            [string]$cmderror = (& icacls $userhomepath /setowner ('student\' + $newuser.Username) 2>&1)
            if (-not $cmderror.Contains("Failed processing 0 files")) {
                $f = 1
                $nf = $nf + 1
            }
            $errorsInCreation += ($cmderror + "`r`n")

            if ($f -eq 0) { $i = $i + 1 }
        }
        else {
            Write-Host ("Error in the input file: username too short, row skipped (" + $newuser.Username + ")")
            $errorsInCreation += ("Username too short: " + $newuser.Username + "`r`n")
        }
    }

    # Report the outcome. Do something with the information contained in
    # $errorsInCreation (for example send it as an email to the helpdesk).
    Write-Host ("Created " + $i + " accounts without errors; " + $nf + " failed steps")
    return $errorsInCreation
}
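The function above trusts every field it reads from the CSV: the username ends up in a UNC path, in sAMAccountName and UPN attributes, in an icacls principal, and the initial password is carried in clear text through the file. As an added example, not part of the original guide, the script below shows the checks a reviewer would want in front of New-ADUser: a strict username pattern (which also rules out path tricks such as `..\` and shell metacharacters), an existence check so a re-run of the activation service does not reset an existing student's password, an initial password drawn from the OS CSPRNG with change-at-first-logon, and the home directory ACL set through the .NET ACL API instead of a shell string. It assumes the OU path, group name, share and domain names from the function above, that the account running it has rights to create the directory and set its owner (as icacls /setowner needs too), and the CSV rows are constructed sample input.

```powershell
# Added example: validate each CSV row before touching AD or the file server.
# Assumed names (OU, group, share, domain) follow the guide above.

function Test-StudentUsername {
    param([string]$Username)
    # sAMAccountName is limited to 20 characters and must not contain
    # " / \ [ ] : ; | = , + * ? < >. The stricter pattern below (lower-case
    # letters and digits only, 5 to 20 characters) also rejects "..", "&" and
    # quotes, so the name is safe in a UNC path, an AD filter and an icacls call.
    return ($Username -match '^[a-z][a-z0-9]{4,19}$')
}

function New-InitialPassword {
    param([int]$Length = 16)
    # 64-character alphabet so that "byte % 64" is unbiased; Get-Random is not
    # a cryptographic generator, so bytes come from the OS CSPRNG instead.
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+-=?'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return (-join ($bytes | ForEach-Object { $alphabet[$_ % 64] }))
}

function Test-StudentRow {
    param($Row)
    # Returns the list of problems found; an empty list means the row may be processed.
    $problems = @()
    if (-not (Test-StudentUsername $Row.Username)) {
        $problems += "username '$($Row.Username)' is not an acceptable sAMAccountName"
    }
    if ([string]::IsNullOrWhiteSpace($Row.Fullname)) {
        $problems += "missing full name"
    }
    return $problems
}

function New-StudentAccount {
    param($Row)
    $path  = "OU=Users,OU=Student,DC=Student,DC=example,DC=se"   # assumed, as in the guide
    $group = "IAS_Student_Users"                                 # assumed, as in the guide
    $name  = $Row.Username
    $home  = Join-Path '\\Fileserver\home$' $name

    # Idempotency: a second run for the same student must not fail or reset the password.
    # The script-block filter passes $name as a value, not as text spliced into a filter string.
    if (Get-ADUser -Filter { SamAccountName -eq $name } -ErrorAction Stop) {
        return [pscustomobject]@{ Username = $name; Status = "already exists"; InitialPassword = $null }
    }

    $password = New-InitialPassword
    New-ADUser -Name $name -DisplayName $Row.Fullname -Description $Row.Desc `
        -Path $path -SamAccountName $name -UserPrincipalName ($name + "@student.example.se") `
        -HomeDrive "H" -HomeDirectory $home `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
    Add-ADGroupMember -Identity $group -Members $name -ErrorAction Stop

    # Home directory: create it, stop ACL inheritance from home$, and grant only the
    # student, SYSTEM and the local Administrators group. Setting the owner to another
    # principal needs SeRestorePrivilege, i.e. an administrative session on the share.
    New-Item -ItemType Directory -Path $home -ErrorAction Stop | Out-Null
    $acl = Get-Acl -Path $home
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    foreach ($principal in @(('student\' + $name), 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, "FullControl", $inherit, "None", "Allow")
        $acl.AddAccessRule($rule)
    }
    $acl.SetOwner([System.Security.Principal.NTAccount]('student\' + $name))
    Set-Acl -Path $home -AclObject $acl

    return [pscustomobject]@{ Username = $name; Status = "created"; InitialPassword = $password }
}

# Constructed sample input standing in for the file written by the activation portal.
# Row 2 is too short, row 3 carries a cmd.exe command separator in the username.
$sampleCsv = @'
Username,Fullname,Password,Desc,X,Y,Z,B
abcd01,Anna Andersson,,Student,,,,
ab,Too Short,,Student,,,,
abcd02 & net user hacker /add,Bad Row,,Student,,,,
'@

$report = foreach ($row in ($sampleCsv | ConvertFrom-Csv)) {
    $problems = Test-StudentRow $row
    if ($problems.Count -gt 0) {
        [pscustomobject]@{ Username = $row.Username; Status = "rejected: " + ($problems -join "; "); InitialPassword = $null }
        continue
    }
    try   { New-StudentAccount $row }
    catch { [pscustomobject]@{ Username = $row.Username; Status = "failed: $_"; InitialPassword = $null } }
}

# Only the status column goes to the helpdesk; the initial password is handed to the
# student by the portal and must not be mailed around.
$report | Select-Object Username, Status | Format-Table -AutoSize
```

With the constructed input, only the first row reaches New-StudentAccount; the second is rejected for length and the third for the `&` and spaces in the username, before any AD or file-system call is made. Keeping the validation in its own function lets the activation portal run the same check on the personnummer-derived username before it ever writes the CSV.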