Inside Webster's Lab: Creating Active Directory Organizational Units, Users, Groups and Computers Using PowerShell | Carl Webster

Inside Webster’s Lab: Creating Active Directory Organizational Units, Users, Groups and Computers Using PowerShell

January 1, 2015

Active Directory, PowerShell
OK, I heard from enough of you that wanted me to do this in PowerShell instead of my batch file. Here is the original article using built-in Windows utilities. This article will show the original batch file converted to PowerShell.

I created four variables. One for the domain name, one for the top level domain identifier, one to determine if you want the OUs protected from accidental deletion and the last to hold the initial password as a secure string.

The structure of the script is exactly the same as the original batch file:
- Creates the OUs
- Creates the security groups
- Creates the user accounts
- Adds the user accounts into the security groups
- Creates the computer accounts
```
$ADDomain = "labaddomain"
$TLD = "com"
$Protect = $False
$CryptoPwd = (ConvertTo-SecureString -AsPlainText "FakePwd" -Force)

#Create OUs
New-ADOrganizationalUnit -Name "Lab" `
-Path "dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Accounts" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Service" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "User" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Desktops" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Desktops,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "XD76" `
-Path "ou=Desktops,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Groups" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Desktops" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "User" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Servers" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "PVS" `
-Path "ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "XD76" `
-Path "ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Create AD security groups
New-ADGroup -Name "LocalAdmins" -SamAccountName LocalAdmins `
-GroupCategory Security -GroupScope Global `
-DisplayName "Group for users who need local admin rights" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Description "Group for users who need local admin rights" -verbose

New-ADGroup -Name "XDUsers" -SamAccountName XDUsers `
-GroupCategory Security -GroupScope Global `
-DisplayName "Group for users who need XenDesktop desktop access" `
-Path "ou=User,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Description "Group for users who need XenDesktop desktop access" -verbose

#Create user accounts
New-ADUser -Name svc_ctxpvs -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "Citrix PVS Service Account" `
-DisplayName "Citrix PVS Service Account" -Enabled $True `
-PasswordNeverExpires $True `
–Path "ou=Service,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "svc_ctxpvs" –UserPrincipalName "svc_ctxpvs@$ADDomain.$TLD" `
-verbose

New-ADUser -Name svc_ctxsqldb -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "Citrix SQL DBA Service Account" `
-DisplayName "Citrix SQL DBA Service Account" -Enabled $True `
-PasswordNeverExpires $True `
–Path "ou=Service,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "svc_ctxsqldb" –UserPrincipalName "svc_ctxsqldb@$ADDomain.$TLD" `
-verbose

New-ADUser -Name User1 -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "User1 PvD" `
-DisplayName "User1" -Enabled $True `
-PasswordNeverExpires $True `
–Path "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "User1" –UserPrincipalName "User1@$ADDomain.$TLD" `
-verbose

New-ADUser -Name User2 -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "User2 PvD" `
-DisplayName "User2" -Enabled $True `
-PasswordNeverExpires $True `
–Path "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "User2" –UserPrincipalName "User2@$ADDomain.$TLD" `
-verbose

New-ADUser -Name User3 -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "User3 PvD" `
-DisplayName "User3" -Enabled $True `
-PasswordNeverExpires $True `
–Path "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "User3" –UserPrincipalName "User3@$ADDomain.$TLD" `
-verbose

#all users in the Lab/Accounts/User OU get added to the XDUsers security group
$Users = get-aduser `
-searchbase "ou=user,ou=accounts,ou=lab,dc=$ADDomain,dc=$tld" `
-filter *
Add-ADGroupMember -Identity XDUsers -Members $Users

#any user in the Lab/Accounts/User OU that has PvD in the description
#gets added to the LocalAdmins security group
$Users = get-aduser `
-searchbase "ou=user,ou=accounts,ou=lab,dc=$ADDomain,dc=$tld" `
-filter 'Description -like "*PvD*"'
Add-ADGroupMember -Identity LocalAdmins -Members $Users

#Create AD computer accounts
New-ADComputer -Name PVS76 -SamAccountName PVS76 -Description "PVS76" `
-Path "ou=PVS,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose

New-ADComputer -Name XD76 -SamAccountName XD76 -Description "XD76" `
-Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose

New-ADComputer -Name Director -SamAccountName Director -Description "Director" `
-Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose

New-ADComputer -Name StoreFront -SamAccountName StoreFront -Description "StoreFront" `
-Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose

New-ADComputer -Name SQL -SamAccountName SQL -Description "SQL" `
-Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -verbose
```
I named the script CreateLab.ps1.

Figure 1 shows my Active Directory structure before running the script.

Figure 1

Figure 2 shows the results of running the PowerShell script.

Figure 2

Figures 3 through 13 show the AD structure after running the script (which matches the results of running the batch file).

Figure 3

Figure 4

Figure 5

Figure 6

Figure 7

Figure 8

Figure 9

Figure 10

Figure 11

Figure 12

Figure 13

There you go, a PowerShell version of the batch file I use to create my lab’s AD structure.

You can get a PS1 version here and a TXT version here.

Thanks

Webster
About Carl Webster

Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.
View all posts by Carl Webster →
Subscribe
Subscribe to our e-mail newsletter to receive updates.
Related Posts:

Microsoft Active Directory Documentation Script V3.00

Update Active Directory DNS Reverse Lookup Zones from Sites and Services Subnets (Update-ReverseZonesFromSubnets.ps1 V1.10)

Find Services Using a Domain Account on Specified Computers in Microsoft Active Directory (Get-ServiceAccounts V1.10)

Microsoft Active Directory Documentation Script Update Version 2.26

Microsoft Active Directory Health Check PowerShell Script Version 2.08
Post navigation

← Inside Webster’s Lab: Installing a Domain Controller Using PowerShell
Documenting VMware vCenter with Microsoft PowerShell and Word Version 1.2 →
2 Responses to “Inside Webster’s Lab: Creating Active Directory Organizational Units, Users, Groups and Computers Using PowerShell”
1. robert jaudon Says:
  January 7, 2015 at 9:39 pm
  Carl,
  
  I didn’t mean for you to burn your free time to convert the batch file to PS!!! Cool that you provided the PS script to accomplish the same as the batch file. I intend to test this sucker out.
  
  Thanks for providiing your knowledge…always a great resource.
  
  Rob
  
  Reply
  - Carl Webster Says:
    January 8, 2015 at 7:34 am
    Only took an hour to do it.
    
    Webster
    
    Reply
Leave a Reply

Click here to cancel reply.

Name (required)

Mail (will not be published) (required)

Website

Current ye@r *

Leave this field empty