Inside Webster’s Lab: Creating Active Directory Organizational Units, Users, Groups and Computers Using PowerShell

    January 1, 2015

    Active Directory, PowerShell

    OK, I heard from enough of you that wanted me to do this in PowerShell instead of my batch file. Here is the original article using built-in Windows utilities.  This article will show the original batch file converted to PowerShell.

    I created four variables.  One for the domain name, one for the top level domain identifier, one to determine if you want the OUs protected from accidental deletion and the last to hold the initial password as a secure string.

    The structure of the script is exactly the same as the original batch file:

    • Creates the OUs
    • Creates the security groups
    • Creates the user accounts
    • Adds the user accounts into the security groups
    • Creates the computer accounts

    $ADDomain = "labaddomain"
    $TLD = "com"
    $Protect = $False
    $CryptoPwd = (ConvertTo-SecureString -AsPlainText "FakePwd" -Force)
    
    #Create OUs
    New-ADOrganizationalUnit -Name "Lab" `
    -Path "dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "Accounts" `
    -Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "Admin" `
    -Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "Service" `
    -Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "User" `
    -Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "Desktops" `
    -Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "Admin" `
    -Path "ou=Desktops,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "XD76" `
    -Path "ou=Desktops,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "Groups" `
    -Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "Admin" `
    -Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "Desktops" `
    -Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "User" `
    -Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "Servers" `
    -Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "PVS" `
    -Path "ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    New-ADOrganizationalUnit -Name "XD76" `
    -Path "ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    #Create AD security groups
    New-ADGroup -Name "LocalAdmins" -SamAccountName LocalAdmins `
    -GroupCategory Security -GroupScope Global `
    -DisplayName "Group for users who need local admin rights" `
    -Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -Description "Group for users who need local admin rights" -verbose
    
    New-ADGroup -Name "XDUsers" -SamAccountName XDUsers `
    -GroupCategory Security -GroupScope Global `
    -DisplayName "Group for users who need XenDesktop desktop access" `
    -Path "ou=User,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -Description "Group for users who need XenDesktop desktop access" -verbose
    
    #Create user accounts
    New-ADUser -Name svc_ctxpvs -AccountPassword $CryptoPwd `
    -CannotChangePassword $True -ChangePasswordAtLogon $False `
    -Description "Citrix PVS Service Account" `
    -DisplayName "Citrix PVS Service Account" -Enabled $True `
    -PasswordNeverExpires $True `
    -Path "ou=Service,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -SamAccountName "svc_ctxpvs" -UserPrincipalName "svc_ctxpvs@$ADDomain.$TLD" `
    -verbose
    
    New-ADUser -Name svc_ctxsqldb -AccountPassword $CryptoPwd `
    -CannotChangePassword $True -ChangePasswordAtLogon $False `
    -Description "Citrix SQL DBA Service Account" `
    -DisplayName "Citrix SQL DBA Service Account" -Enabled $True `
    -PasswordNeverExpires $True `
    -Path "ou=Service,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -SamAccountName "svc_ctxsqldb" -UserPrincipalName "svc_ctxsqldb@$ADDomain.$TLD" `
    -verbose
    
    New-ADUser -Name User1 -AccountPassword $CryptoPwd `
    -CannotChangePassword $True -ChangePasswordAtLogon $False `
    -Description "User1 PvD" `
    -DisplayName "User1" -Enabled $True `
    -PasswordNeverExpires $True `
    -Path "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -SamAccountName "User1" -UserPrincipalName "User1@$ADDomain.$TLD" `
    -verbose
    
    New-ADUser -Name User2 -AccountPassword $CryptoPwd `
    -CannotChangePassword $True -ChangePasswordAtLogon $False `
    -Description "User2 PvD" `
    -DisplayName "User2" -Enabled $True `
    -PasswordNeverExpires $True `
    -Path "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -SamAccountName "User2" -UserPrincipalName "User2@$ADDomain.$TLD" `
    -verbose
    
    New-ADUser -Name User3 -AccountPassword $CryptoPwd `
    -CannotChangePassword $True -ChangePasswordAtLogon $False `
    -Description "User3 PvD" `
    -DisplayName "User3" -Enabled $True `
    -PasswordNeverExpires $True `
    -Path "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -SamAccountName "User3" -UserPrincipalName "User3@$ADDomain.$TLD" `
    -verbose
    
    #all users in the Lab/Accounts/User OU get added to the XDUsers security group
    $Users = get-aduser `
    -searchbase "ou=user,ou=accounts,ou=lab,dc=$ADDomain,dc=$tld" `
    -filter *
    Add-ADGroupMember -Identity XDUsers -Members $Users
    
    #any user in the Lab/Accounts/User OU that has PvD in the description
    #gets added to the LocalAdmins security group
    $Users = get-aduser `
    -searchbase "ou=user,ou=accounts,ou=lab,dc=$ADDomain,dc=$tld" `
    -filter 'Description -like "*PvD*"'
    Add-ADGroupMember -Identity LocalAdmins -Members $Users
    
    #Create AD computer accounts
    New-ADComputer -Name PVS76 -SamAccountName PVS76 -Description "PVS76" `
    -Path "ou=PVS,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose
    
    New-ADComputer -Name XD76 -SamAccountName XD76 -Description "XD76" `
    -Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose
    
    New-ADComputer -Name Director -SamAccountName Director -Description "Director" `
    -Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose
    
    New-ADComputer -Name StoreFront -SamAccountName StoreFront -Description "StoreFront" `
    -Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose
    
    New-ADComputer -Name SQL -SamAccountName SQL -Description "SQL" `
    -Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose
    

    I named the script CreateLab.ps1.
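    CreateLab.ps1 as posted creates every object unconditionally, so a second run fails on each OU, group and user that already exists, and the initial password sits in the script file as the literal "FakePwd". The following is an added example, not part of Carl Webster's script: the same OUs, groups and user accounts (computer accounts are left out) created through small helpers that skip objects which already exist, with the initial password prompted for as a SecureString. It assumes the ActiveDirectory module is loaded and reuses the $ADDomain and $TLD values from the post; the helper names New-LabOU, New-LabGroup and New-LabUser are this example's own.

```powershell
# Added example, not part of CreateLab.ps1: idempotent helpers for the lab
# OUs, groups and users, with the initial password prompted for instead of
# written into the script as a literal. Assumes the ActiveDirectory module
# and the $ADDomain/$TLD values from the post.
Import-Module ActiveDirectory

$ADDomain = "labaddomain"
$TLD      = "com"
$Protect  = $False
$DomainDN = "dc=$ADDomain,dc=$TLD"

# Read-Host -AsSecureString returns a SecureString directly, so the
# plaintext is never stored in the script file or the command history.
$CryptoPwd = Read-Host -Prompt "Initial password for lab accounts" -AsSecureString

function New-LabOU {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Path)
    # Get-ADOrganizationalUnit -Identity throws on a missing DN, so search the
    # parent for the name instead; an empty result means "create it".
    $existing = Get-ADOrganizationalUnit -SearchBase $Path -SearchScope OneLevel `
        -LDAPFilter "(ou=$Name)"
    if ($existing) { Write-Verbose "OU exists: ou=$Name,$Path" -Verbose; return }
    New-ADOrganizationalUnit -Name $Name -Path $Path `
        -ProtectedFromAccidentalDeletion $Protect -Verbose
}

function New-LabGroup {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Description)
    # Get-ADGroup -Filter returns nothing (no error) when the group is absent.
    if (Get-ADGroup -Filter "SamAccountName -eq '$Name'") {
        Write-Verbose "Group exists: $Name" -Verbose; return
    }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security `
        -GroupScope Global -Path $Path -Description $Description -Verbose
}

function New-LabUser {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Description)
    if (Get-ADUser -Filter "SamAccountName -eq '$Name'") {
        Write-Verbose "User exists: $Name" -Verbose; return
    }
    # Password options are left at domain-policy defaults here.
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $CryptoPwd `
        -UserPrincipalName "$Name@$ADDomain.$TLD" -Path $Path `
        -Description $Description -Enabled $True -Verbose
}

# The OU tree from the post as name/parent pairs, parents first, so the
# script can be re-run without errors.
$ous = @(
    @{ Name = "Lab";      Path = $DomainDN }
    @{ Name = "Accounts"; Path = "ou=Lab,$DomainDN" }
    @{ Name = "Admin";    Path = "ou=Accounts,ou=Lab,$DomainDN" }
    @{ Name = "Service";  Path = "ou=Accounts,ou=Lab,$DomainDN" }
    @{ Name = "User";     Path = "ou=Accounts,ou=Lab,$DomainDN" }
    @{ Name = "Desktops"; Path = "ou=Lab,$DomainDN" }
    @{ Name = "Admin";    Path = "ou=Desktops,ou=Lab,$DomainDN" }
    @{ Name = "XD76";     Path = "ou=Desktops,ou=Lab,$DomainDN" }
    @{ Name = "Groups";   Path = "ou=Lab,$DomainDN" }
    @{ Name = "Admin";    Path = "ou=Groups,ou=Lab,$DomainDN" }
    @{ Name = "Desktops"; Path = "ou=Groups,ou=Lab,$DomainDN" }
    @{ Name = "User";     Path = "ou=Groups,ou=Lab,$DomainDN" }
    @{ Name = "Servers";  Path = "ou=Lab,$DomainDN" }
    @{ Name = "PVS";      Path = "ou=Servers,ou=Lab,$DomainDN" }
    @{ Name = "XD76";     Path = "ou=Servers,ou=Lab,$DomainDN" }
)
foreach ($ou in $ous) { New-LabOU @ou }

New-LabGroup -Name LocalAdmins -Path "ou=Admin,ou=Groups,ou=Lab,$DomainDN" `
    -Description "Group for users who need local admin rights"
New-LabGroup -Name XDUsers -Path "ou=User,ou=Groups,ou=Lab,$DomainDN" `
    -Description "Group for users who need XenDesktop desktop access"

New-LabUser -Name svc_ctxpvs -Path "ou=Service,ou=Accounts,ou=Lab,$DomainDN" `
    -Description "Citrix PVS Service Account"
New-LabUser -Name svc_ctxsqldb -Path "ou=Service,ou=Accounts,ou=Lab,$DomainDN" `
    -Description "Citrix SQL DBA Service Account"
1..3 | ForEach-Object {
    New-LabUser -Name "User$_" -Path "ou=User,ou=Accounts,ou=Lab,$DomainDN" `
        -Description "User$_ PvD"
}
```

    The helpers deliberately leave out the -CannotChangePassword and -PasswordNeverExpires switches from the posted script, so the accounts follow whatever password policy the lab domain applies; add them back on the New-ADUser line if the lab needs the original behaviour.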

    Figure 1 shows my Active Directory structure before running the script.

    Figure 1

    Figure 2 shows the results of running the PowerShell script.

    Figure 2

    Figures 3 through 13 show the AD structure after running the script (which matches the results of running the batch file).

    Figures 3 through 13
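    The screenshots confirm the result by eye. As an added check that is not part of the original post, the script below compares the directory against what CreateLab.ps1 is supposed to produce: it lists any expected OU that is missing, any OU left unprotected from accidental deletion (the post runs with $Protect = $False), any LocalAdmins member that is not a user from the Lab/Accounts/User OU (the description filter in the post is scoped to that OU, so a service account showing up here would mean the membership step did not run as written), and every account with a non-expiring password. It assumes the ActiveDirectory module and the same $ADDomain and $TLD values as the post.

```powershell
# Added example, not part of CreateLab.ps1: post-run checks comparing the
# directory with the structure the script is meant to create. Assumes the
# ActiveDirectory module and the $ADDomain/$TLD values from the post.
Import-Module ActiveDirectory

$ADDomain = "labaddomain"
$TLD      = "com"
$LabDN    = "ou=Lab,dc=$ADDomain,dc=$TLD"
$UserOU   = "ou=User,ou=Accounts,$LabDN"

# 1. Every OU the script creates should exist.
$expectedOUs = @(
    $LabDN
    "ou=Accounts,$LabDN"; "ou=Admin,ou=Accounts,$LabDN"
    "ou=Service,ou=Accounts,$LabDN"; "ou=User,ou=Accounts,$LabDN"
    "ou=Desktops,$LabDN"; "ou=Admin,ou=Desktops,$LabDN"; "ou=XD76,ou=Desktops,$LabDN"
    "ou=Groups,$LabDN"; "ou=Admin,ou=Groups,$LabDN"
    "ou=Desktops,ou=Groups,$LabDN"; "ou=User,ou=Groups,$LabDN"
    "ou=Servers,$LabDN"; "ou=PVS,ou=Servers,$LabDN"; "ou=XD76,ou=Servers,$LabDN"
)
$labOUs = Get-ADOrganizationalUnit -SearchBase $LabDN -Filter * `
    -Properties ProtectedFromAccidentalDeletion
$actualDNs = $labOUs | Select-Object -ExpandProperty DistinguishedName
# -notcontains is case-insensitive, so the lowercase DNs above match AD's
# uppercase "OU=...,DC=..." form.
$missingOUs = $expectedOUs | Where-Object { $actualDNs -notcontains $_ }

# 2. OUs that can be deleted by accident ($Protect = $False in the post).
$unprotectedOUs = $labOUs | Where-Object { -not $_.ProtectedFromAccidentalDeletion }

# 3. LocalAdmins grants local administrator rights on the lab machines, so its
#    membership should contain only user objects from the User OU.
$unexpectedAdmins = Get-ADGroupMember -Identity LocalAdmins -Recursive | Where-Object {
    $_.objectClass -ne 'user' -or $_.distinguishedName -notlike "*,$UserOU"
}

# 4. Accounts whose password never expires; the post sets this on every user.
$neverExpires = Get-ADUser -SearchBase $LabDN -Filter 'PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires

[pscustomobject]@{
    MissingOUs            = @($missingOUs)
    UnprotectedOUs        = @($unprotectedOUs.DistinguishedName)
    UnexpectedLocalAdmins = @($unexpectedAdmins.distinguishedName)
    PasswordNeverExpires  = @($neverExpires.SamAccountName)
} | Format-List
```

    After a clean run of CreateLab.ps1, MissingOUs and UnexpectedLocalAdmins come back empty, UnprotectedOUs lists all fifteen OUs because of $Protect = $False, and PasswordNeverExpires lists the five accounts the script creates; anything else points at a step that did not run as written.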

    There you go, a PowerShell version of the batch file I use to create my lab’s AD structure.

    You can get a PS1 version here and a TXT version here.

    Thanks

    Webster

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    2 Responses to “Inside Webster’s Lab: Creating Active Directory Organizational Units, Users, Groups and Computers Using PowerShell”

    1. robert jaudon Says:

      Carl,

      I didn’t mean for you to burn your free time to convert the batch file to PS!!! Cool that you provided the PS script to accomplish the same as the batch file. I intend to test this sucker out.

      Thanks for providing your knowledge…always a great resource.

      Rob

