Powershell New-ADUser Password Complexity Exception - powershell

I'm trying to mass import AD users from a CSV file. But I keep getting the following error:
The password does not meet the length, complexity, or history requirement of the domain
But the password that's created with $InitialPassword has uppercase, lowercase, numbers and special characters so I don't get what it's not meeting.
ForEach($user in $CSV){
$FirstName = $user.Voornaam
$LastName = $user.Familienaam
$DayOfBirth = $user.geboortedatum
$Enrollment = $user.inschrijvingsjaar
$Classroom = $user.Klas
$PhoneNumber = $user.contactnummer
# create and sanatize username
$UserName = "$($FirstName.ToLower()).$($LastName.ToLower())"
$Username = $UserName.Replace(" ", "")
# generate password
$InitialPassword = (ConvertTo-SecureString "$($FirstName[0])$($LastName.ToLower())$($Enrollment)!" -AsPlainText -Force)
New-ADUser -Name "$FirstName $LastName" `
-GivenName "$FirstName" `
-Surname "$LastName" `
-UserPrincipalName ("{0}#{1}" -f $UserName, "arrow.local") `
-SamAccountName $UserName `
-Initials "$($FirstName[0])$($LastName[0])" `
-DisplayName "$FirstName $LastName" `
-HomePhone $PhoneNumber `
-Description $Classroom `
-Office $Enrollment `
-AccountPassword $InitialPassword `
-Enabled $true
Write-Host "$UserName"
Write-Host "$InitialPassword"
}

The default password complexity rules disallow the account's name or username in the password - so when you compose the password of strings that also go into the Display Name, you're in violation of the complexity requirement!
If you're also seeing errors due to invalid user names, be aware that sAMAccountName attributes must be:
Unique at the forest-level
No more than 20 characters long

Related

Powershell Instance Parameter

I am automating the creation of user accounts in our Windows AD. I am trying to copy the permissions from one account to another,(like you would if you right click and copied a user inside of the "Active Directory Users and Computers" application) but when using the cmdlet 'New AD-User' and passing in a variable to the 'instance' parameter, it does nothing different than if I do not pass the variable at all.
This is what I am using to obtain the $userInstance variable:
$userInstance = Get-ADUser -Identity $department User
This is the code I am using to create a new user:
New-ADUser `
-SamAccountName $userName `
-UserPrincipalName "$userName#123.COM" `
-Name "$firstName $lastName" `
-GivenName $firstName `
-Surname $lastName `
-Enabled $true `
-DisplayName "$firstName $lastName" `
-City $city `
-PostalCode $zip `
-Company $company `
-State $state `
-EmailAddress $email `
-Department $department `
-Instance $userInstance `
-AccountPassword (ConvertTo-SecureString "1234" -AsPlainText -Force)
When I run this command, it does the same exact thing as if I ran this command without the instance parameter.
New-ADUser `
-SamAccountName $userName `
-UserPrincipalName "$userName#123.COM" `
-Name "$firstName $lastName" `
-GivenName $firstName `
-Surname $lastName `
-Enabled $true `
-DisplayName "$firstName $lastName" `
-City $city `
-PostalCode $zip `
-Company $company `
-State $state `
-EmailAddress $email `
-Department $department `
-AccountPassword (ConvertTo-SecureString "1234" -AsPlainText -Force)
Am I missing something? I do not understand what the 'instance' parameter is supposed to be doing if it only copies certain attributes that are easily obtainable(state, company, city). Is there something out there that actually copies a template account or do I need to write a loop that goes through every single attribute, permission, and group in the template account that provides some sort of meaning to my organization and assign them manually?
What exactly do you mean by "permission"?
Permissions on resources are set based on the objectSid of a user. Since this is unique to every user you can never "copy" them (and related permissions) to a new user.
Group memberships are stored on groups not on users. The memberOf attribute is just a "backLink" so this won't be copied neither.
Group membership needs to be added in a separate step, e.g. by using
Add-ADGroupMember
cmdlet in PowerShell...
"Permissions" might not have been the word I was looking for necessarily. I wanted to create the user and assign them the same groups and directory location as a previous User. I was able to add group membership to my new users by using the method stated by #Oliver Hauck earlier
Add-ADGroupMember
This aided me in my findings, but what I desired was to not have to write long, repetitive switch code for each new employee type, along with their groups, we could onboard. In hopes that someone sees this and doesn't feel intrigued in writing super long, boring switch code, I wanted to share how I achieved this if it helps anyone else in the future. I still obtained the $userInstance variable in the same way, but adding the -Property parameter defined to MemberOf
$userInstance = Get-ADUser -Identity $department User -Properties MemberOf
I then used the $userInstance variable to obtain the properties I needed from it (Groups to copy, Directory Path)
//Obtains the Path from the copied User, without their common name (CN) attached
$path = $userInstance.DistinguishedName.split(",",2)[-1]
I still created the new user with the same command as above but added the -Path parameter to assign the directory path to the New-ADUser cmd
New-ADUser `
-SamAccountName $userName `
-UserPrincipalName "$userName#123.COM" `
-Name "$firstName $lastName" `
-GivenName $firstName `
-Surname $lastName `
-Enabled $true `
-DisplayName "$firstName $lastName" `
-City $city `
-PostalCode $zip `
-Company $company `
-State $state `
-Path $path `
-EmailAddress $email `
-Department $department `
-AccountPassword (ConvertTo-SecureString "1234" -AsPlainText -Force)
And here is how I obtained and assigned the Group Membership to the New User
//Obtains the groups to be copied from the existing User
$refGroups = $userInstance.MemberOf
//Adds AD Group Membership to User
$refGroups | Add-ADGroupMember -Members $userName

can't create userS via powershell

I can't import users in powershell with a script via an csv file, but If I print the parameters on the screen,it shows them as it should.
what I am doing wrong? in my life plenty with that mustache, but plis focus on the script.
is running windows server 2016 on the powershell ise, on virtualbox
The Script:
If(-Not(Get-ADOrganizationalUnit -Filter {Name -eq "991-5D"}))
{New-ADOrganizationalUnit "991-5D" -Path (Get-ADDomain).DistinguishedName}
If(-Not(Get-ADOrganizationalUnit -Filter {Name -eq "911-5V"}))
{New-ADOrganizationalUnit "911-5V" -Path (Get-ADDomain).DistinguishedName}
$domain=(Get-ADDomain).DNSRoot
Import-Csv -Path "C:\Alumnos.csv" | foreach-object {
[int]$number= $_.X
If($number -ge 10 -and $number -le 26)
{
$UO="991-5D"
}
//there are many others O.U.
$ou= "UO="+$UO+","+$domain
$UPN = $_.LETRA+$_.PATERNO+$_.X+"#"+ "$domain"
$CUENTA= $_.LETRA+$_.PATERNO+$_.X
New-ADUser -SamAccountName $CUENTA -UserPrincipalName $CUENTA -Name $_.NOMBRE
-SurName $_.PATERNO -GivenName $_.NOMBRE -EmailAddress $UPN -AccountPassword
(ConvertTo-SecureString "Leica666" -AsPlainText -force) -Path $ou
-Enabled $true -ChangePasswordAtLogon $true -Verbose}
the data:
X,PATERNO,MATERNO,NOMBRE,SEGUNDO,LETRA
10,ARÉVALO,CORNEJO,NICOLÁS,ALEJANDRO,N
11,BARRIOS,MONTERO,BENJAMÍN,IGNACIO,B
12,BUSTAMANTE,LOYOLA,IGNACIO,HERNANDO,I
13,BUSTOS,GARRIDO,ARTURO,IGNACIO,A
this are the results on each line:
+ New-ADUser -SamAccountName $CUENTA -UserPrincipalName $CUENTA -Name $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo:NotSpecified: (CN=IGNACIO,UO=9...da.com:String)
[New-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8335,
Microsoft.ActiveDirectory.Management.Commands.NewADUser
the head:
X,PATERNO,MATERNO,NOMBRE,SEGUNDO,LETRA
echo:
#{X=42; PATERNO=PAYACÁN; MATERNO=ZAPATA; NOMBRE=NICOLÁS; SEGUNDO=N; LETRA=}.NOMBRE
I know that reads the file and instead of reading just the column reads all the line($_), and then prints whatever I wrote next to it(".name", ".section", etc).
I've made some variable and format changes to make this code more successful.
$domain=Get-ADDomain
Import-Csv -Path "C:\Alumnos.csv" |
Foreach-Object {
[int]$number= $_.X
If($number -ge 10 -and $number -le 26)
{
$UO="991-5D"
}
$ou = "OU={0},{1}" -f $UO,$domain.DistinguishedName
$UPN = "{0}{1}{2}#{3}" -f $_.LETRA,$_.PATERNO,$_.X,$domain.DNSRoot
$CUENTA= "{0}{1}{2}" -f $_.LETRA,$_.PATERNO,$_.X
New-ADUser -SamAccountName $CUENTA -UserPrincipalName $UPN -Name $_.NOMBRE `
-SurName $_.PATERNO -GivenName $_.NOMBRE -EmailAddress $UPN `
-AccountPassword (ConvertTo-SecureString "Leica666" -AsPlainText -force) -Path $ou `
-Enabled $true -ChangePasswordAtLogon $true -Verbose
}
Explanation:
$domain: I've made this an ADDomain object. This allows the DistinguishedName and DNSRoot properties to be accessed where appropriate.
-f operator: I used the format operator to make it easier to read the string concatenation attempts.
$ou: This is constructed using the DistinguishedName of the domain. This is the proper format for the OU path.
$UPN: This is constructed using the DNSRoot of the domain. It can obviously be different than your domain, but must be in an email address or FQDN format.
Additional Comments:
You are setting -Name to be $_.NOMBRE. This could be problematic because Name must be unique in each OU. Name is used to build the CN, which is where uniqueness is required. If you have NICOLAS in OU 991-5D, you are going to get an error if you try to create another NICOLAS in the same place. IMHO, I would do something different. You could also implement the use of splatting for building the properties of your New-ADUser command, but that is only for readability purposes. Below is an example of splatting:
$NewUserProperties = #{
SamAccountName = $CUENTA
UserPrincipalName = $UPN
Name = $_.NOMBRE
Surname = $_.PATERNO
GivenName = $_.NOMBRE
EmailAddress = $UPN
AccountPassword = (ConvertTo-SecureString "Leica666" -AsPlainText -force)
Path = $ou
Enabled = $true
ChangePasswordAtLogon = $true
}
New-ADUser #NewUserProperties -Verbose

Encoding limit exceeded

I have a pretty lengthy script that takes either user input or data from a .csv file to create AD accounts. Not all the time, but sometimes I receive the following error while running it:
New-ADUser : The server has returned the following error: encoding limit exceeded.
Is there a limit on the amount of variables I can use? Because I do have quite a few.. here's what the sample code looks like where it sometimes get stuck:
If($GuardAccount){
If($Clone){
If($Attribute6){
$newuser = New-ADUser -SamAccountName $Username -Enabled $true -Name $DisplayName -Path $Path -AccountPassword $Password `
-GivenName $FirstName -Surname $LastName -Initials $Initials -DisplayName $DisplayName -City $City `
-Company $Company -Department $Department -Country $Country -State $State `
-StreetAddress $Street -PostalCode $Postal -OfficePhone $Telephone -Fax $Fax -Description $Description `
-Title $Title -Office $Office -Instance $Cloneuser -UserPrincipalName "$Username#business.com" -PassThru `
-OtherAttributes #{
'extensionattribute6'=$Attribute6;
}
...
So what does encoding limit exceeded mean? Is there any way around it?
I've tried googling for answers but there doesn't seem to be much info on this error.

Take two variables and put them on the same line

I have a script (thanks in largely to this site) that takes names of people from a text file and splits them into FullName, FirstName, LastName and FirstLetter.
I now plan on importing these into AD and largely, I know what I am doing.
However, I am struggling with the following section
New-ADUser -Name
I would like to do something like this
$result.ForEach({
New-ADUser -Name $_.FirstName + $_.LastName -GivenName $_.FirstName -Surname
$_.LastName -AccountPassword
(ConvertTo-SecureString -AsPlainText "APassword!" -Force)
-PasswordNeverExpires $True -UserPrincipalName
"$_.FirstLetter+$_.LastName#vennershipley.co.uk"
-SamAccountName "$_.FirstLetter $_.LastName"
-Path 'OU=Users,OU=London,OU=Sites,DC=MyCompany,DC=local'
})
This returns a error stating 'The name provided is not a properly formed account name'. Now I presume this is because, if I do this
$result.FirstName + $result.LastName
It returns the 3 first names and the 3 last names on seperate lines, so I would presume it is trying to name each person with a name on two seperate lines like
FirstName
LastName
So how would I make the result display on one line, presuming this is the issue?
Also, if there are better ways of doing the AD Creation then please advise, I am still learning!
Enclose the two variables in parentheses to get the results of the addition just like you did in the ConvertTo-SecureString part:
$result.ForEach({
New-ADUser -Name ($_.FirstName + "" + $_.LastName) -GivenName $_.FirstName -Surname
$_.LastName -AccountPassword
(ConvertTo-SecureString -AsPlainText "APassword!" -Force)
-PasswordNeverExpires $True -UserPrincipalName
"$_.FirstLetter+$_.LastName#vennershipley.co.uk"
-SamAccountName "$_.FirstLetter $_.LastName"
-Path 'OU=Users,OU=London,OU=Sites,DC=MyCompany,DC=local'
})
Now, as you asked for better ways, see few possibilities including Splatting parameters and string.format (-f) Also notice the differents between the string formatting in the Name and SamAccountName Parameters:
foreach ($user in $result)
{
$Params = #{
Name = "$($user.FirstName) $($user.LastName)"
GivenName = $user.FirstName
Surname = $user.LastName
AccountPassword = (ConvertTo-SecureString -AsPlainText "APassword!" -Force)
PasswordNeverExpires = $true
UserPrincipalName = "{0}{1}#vennershipley.co.uk" -f $user.FirstName.Chars(0),$_.Lastname
SamAccountName = "{0}{1}" -f $user.FirstName.Chars(0),$_.Lastname
Path = 'OU=Users,OU=London,OU=Sites,DC=MyCompany,DC=local'
}
New-ADUser #Params
}
One more thing: to check everything is good just before executing this in production, i suggest you to add the -WhatIf parameter to the New-ADUser cmdlet, it will demonstrate the operation but will not run it

New-Aduser : The object name has bad syntax

I have a script which i use to create bulk users from a csv file which works fine.
Import-Csv e:\temp\newemps.csv | %{
$ou = $_.ou
$firstname = $_.first
$lastName = $_.last
$accountName = $("{0}{1}" -f $firstname.Substring(0,1),$lastName).ToLower()
$description = $_.desc
$password = "Welcome1"
$name = "$firstName $lastName"
New-AdUser -SamAccountName $accountName -GivenName $firstName -UserPrincipalName "$accountName#ba.net" -Surname $lastName -DisplayName $name -Name $name -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -Path $ou -Description $description -ChangePasswordAtLogon:$False
If ($_.Group -ne ""){
Add-adgroupmember -identity $_.group -members $accountName
}
If ($_.email -eq "y"){
Enable-Mailbox -Identity $accountName -Alias $accountName
Set-Mailbox $accountName -MaxSendSize 10mb -MaxReceiveSize 10mb
Get-CasMailbox $accountName -OwaEnabled:$false -ActiveSyncEnabled:$false
}
}
I was trying modify this script so that i could create some generic accounts that would not follow our typical convention. The input is a here-string as supposed to a csv as the only unique item is an Airport code. I have shortened the here-string for brevity.
$bases = #"
YAB
YEK
YYH
YHI
"#
$bases.Split("`n") | %{
$ou = "CN=Users,DC=BA,DC=NET"
$firstname = "$_".ToString()
$lastName = "Counter"
$accountName = "$_" + "Counter"
$description = "Base Front Counter"
$password = "Welcome1"
$name = "$firstName $lastName"
New-AdUser -SamAccountName $accountName -GivenName $firstName -UserPrincipalName "$accountName#ba.net" -Surname $lastName -DisplayName $name -Name $name -AccountPassword (ConvertTo-SecureString -AsPlainText $password -Force) -Enabled $true -Path $ou -Description $description -ChangePasswordAtLogon:$False
}
There is something about using a here-string that I am not accounting for. The only account it successfully creates is the one for YHI (The last one of the here-string). For all others it gives New-AdUser : The object name has bad syntax. Internet research shows many errors for csv-imports where the data has whitespace and other issues there but im not sure what the issue is here.
In the end I just made a csv file instead of using the here-string but I would like to know what i was doing wrong.
This worked for me. got rid of the null values and the new line values and just gave me each string value from each line. Seams there may have been some white space or some other characters that interfere if you just do split "`n"
$test = #"
user1
user2
user3
"#
$test.split(“`r`n”) | ForEach-Object {if($_){get-aduser $_}}