Hybrid environments are still common in enterprises, even as cloud services expand into every sector of business. Although Active Directory Domain Services was introduced over 20 years ago in Windows 2000 Server, it is still the primary method of identity management for nearly 90% of companies globally, according to Mickey Bresman of Forbes Business Council. Even as companies move away from on-premise infrastructure toward hybrid or cloud-only deployments, learning the fundamentals of Active Directory Domain Services is invaluable, and the skills learned managing accounts, groups and organizational units transfer to Microsoft cloud identity and access management services such as Entra ID.
In this post I will show you how to loop through the users in specific on-premise organizational units and filter disabled accounts or set certain user properties such as a job title. This is useful in hybrid environments because changes to an Active Directory user object replicate to Entra ID when Entra ID Connect is used to synchronize data. This works when an on-premise domain controller runs the Microsoft Entra Connect Sync service, which propagates changes made on-premise to the Entra ID tenant.
For this lab you will need a Windows Server with the AD DS server role installed, and optionally an Azure tenant with Active Directory synchronized to Entra ID. You can use this straightforward tutorial on how to set up a domain controller on Windows Server 2019. You can use Hyper-V Manager to spin up a virtual machine, or repurpose an old workstation. You can even buy some decently priced servers on Amazon.
Let’s get started.
Creating Active Directory Users
Open PowerShell ISE or a text editor on your domain controller. Download or add the ActiveDirectory module if it is not already present, then import it. Now you’re ready to rock!
# Make sure you have the ActiveDirectory PowerShell module installed (it ships with AD DS or RSAT).
if (-not (Get-Module -Name ActiveDirectory -ListAvailable)) {
    Write-Error "ActiveDirectory module is not available."
    exit 1
}
Import-Module ActiveDirectory
The snippet above tests whether the ActiveDirectory PowerShell module is available; if it is not, you get it by installing RSAT. This tutorial covers that task comprehensively.
function gr { return Get-Random -Maximum 10 }
$errors = @()
$testUsers = @("Hugh Jass", "Rita Book", "Anita Shyt", "Al Koholic")
$testUsers | ForEach-Object {
    # Capture the pipeline variable: inside a catch block, $_ is the error record, not the user name.
    $name = $_
    # Using splat syntax we can assign a hashtable of Active Directory user object properties to the newly created user.
    try {
        $splatParams = @{
            Title               = "Tutorial Helper"
            Name                = $name
            OfficePhone         = "302-932-$(gr)$(gr)$(gr)$(gr)"
            UserPrincipalName   = "$($name -replace " ", ".")@$((Get-ADDomain).DNSRoot)"
            AccountPassword     = (ConvertTo-SecureString -AsPlainText "MySecretPass$((Get-Date).Millisecond)" -Force)
            Enabled             = $true
            PasswordNotRequired = $false
        }
        # Create the user. -ErrorAction Stop turns a non-terminating cmdlet error into one the catch block sees.
        New-ADUser @splatParams -ErrorAction Stop
        # Verbose check: make sure the user was created and we can retrieve it with the Get-ADUser cmdlet.
        if (-not (Get-ADUser -Filter "Name -eq '$name'")) {
            $errors += "$name was not created"
        }
    } catch {
        # If an error occurs during user creation, append the error message to the $errors array.
        $errors += "Error creating $name : $($_.Exception.Message)"
    }
}
# Output the errors or let the admin know the users were created.
if ($errors.Count -ge 1) {
    $errors | ForEach-Object { Write-Host $_ -ForegroundColor Red }
} else {
    Write-Host "All users were successfully added :-)" -ForegroundColor Green
}
We create an array of test users that will be created. We declare an empty errors array; any time creating a new user fails, it adds a new array element with the username that failed. I put a bit of sugar in here, like a function that returns random integers for phone numbers and passing in a secure string, but ideally you would use another data structure or a CSV file, with each row containing one user's information, then pass each field in the row to a specific AD user object property. The ActiveDirectory PowerShell documentation is certainly helpful, but so is having another use-case example to reference. Leave a comment for any advice or improvements!
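The two things the post promises but the snippet above does not show are the CSV-driven approach just mentioned and the OU loop described in the introduction (enumerate the users in one organizational unit, report the disabled ones, set a job title). The following is an added example, not code from the original post; it assumes the ActiveDirectory module is imported, that you run it with rights to create and modify objects in the OU, and that the OU distinguished name in $targetOu exists. The OU path and the CSV rows are constructed placeholders, and the initial password is prompted for at run time rather than hard-coded.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is imported and $targetOu below is replaced with a real OU in your domain.
Import-Module ActiveDirectory

$targetOu = "OU=Tutorial Users,DC=corp,DC=example"   # placeholder OU, replace with yours

# Constructed sample rows standing in for a real CSV file. With a real file use:
#   $rows = Import-Csv -Path .\users.csv
$csvText = @"
GivenName,Surname,Title,Department
Hugh,Jass,Tutorial Helper,IT
Rita,Book,Tutorial Helper,Library
Anita,Shyt,Help Desk Analyst,IT
"@
$rows = $csvText | ConvertFrom-Csv

$domain = (Get-ADDomain).DNSRoot
# Prompt once so the initial password never sits in the script or in shell history.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for the new accounts"
$errors = @()

foreach ($row in $rows) {
    $sam = ("{0}.{1}" -f $row.GivenName, $row.Surname).ToLower()
    # Each CSV column maps onto a New-ADUser parameter through a splatted hashtable.
    $params = @{
        Name                  = "$($row.GivenName) $($row.Surname)"
        GivenName             = $row.GivenName
        Surname               = $row.Surname
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$domain"
        Title                 = $row.Title
        Department            = $row.Department
        Path                  = $targetOu
        AccountPassword       = $initialPassword
        ChangePasswordAtLogon = $true      # force a reset on first sign-in
        Enabled               = $true
    }
    try {
        # -ErrorAction Stop makes a failed create reach the catch block instead of just warning.
        New-ADUser @params -ErrorAction Stop
    } catch {
        $errors += "Error creating $sam : $($_.Exception.Message)"
    }
}
$errors | ForEach-Object { Write-Host $_ -ForegroundColor Red }

# Now loop through the users directly in that OU. SearchScope OneLevel skips child OUs;
# Title is not returned by default, so it must be requested with -Properties.
$users = Get-ADUser -SearchBase $targetOu -SearchScope OneLevel -Filter * -Properties Title

# Report disabled accounts in the OU rather than touching them.
$users | Where-Object { -not $_.Enabled } | ForEach-Object {
    Write-Host "Disabled account: $($_.SamAccountName)" -ForegroundColor Yellow
}

# Set a job title only on enabled accounts that have none. -WhatIf previews each change;
# remove it once the preview output looks right.
$users |
    Where-Object { $_.Enabled -and [string]::IsNullOrEmpty($_.Title) } |
    ForEach-Object {
        Set-ADUser -Identity $_ -Title "Tutorial Helper" -WhatIf
    }
```

Because Entra Connect Sync picks up attribute changes on the next sync cycle, the title set here shows up in the tenant the same way it would if you had edited the user in Active Directory Users and Computers; previewing with -WhatIf first keeps a typo in the filter from rewriting every account in the OU.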