I need to migrate from AD Windows2003Forest to AD 2016. I have below script to create users in bulk. My requirement is to map the same SID of older AD to new AD. For example in older AD SID='xyz' then it should be the same in newAD too as SID='xyz'
I am having all the users data along with SID in CSV format & am using below PowerShell script which is somehow not working. As of advice or suggestions.
powershell code snippent:
#Enter a path to your import CSV file
$ADUsers = Import-csv C:\scripts\newusers.csv
foreach ($User in $ADUsers)
{
$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$Department = $User.department
$OU = $User.ou
$sid = $User.sid
$UserPrincipalName = $User.UserPrincipalName
$DistinguishedName = $User.DistinguishedName
#Check if the user account already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
#If user does exist, output a warning message
Write-Warning "A user account $Username has already exist in Active Directory."
}
else
{
#If a user does not exist then create a new user account
#Account will be created in the OU listed in the $OU variable in the CSV file; don’t forget to change the domain name in the"-UserPrincipalName" variable
New-ADUser `
-SamAccountName $Username `
-UserPrincipalName $UserPrincipalName `
-Name "$Firstname $Lastname" `
-GivenName $Firstname `
-Surname $Lastname `
-Enabled $True `
-ChangePasswordAtLogon $True `
-DisplayName "$Lastname, $Firstname" `
-Department $Department `
-DistinguishedName $DistinguishedName `
-SID $sid `
-Path $OU `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force)
}
}
You won't be able to assign a SID as that's generated by the domain controller based on a RID. If trying to migrate to a new forest then you'll need to perform a proper AD migration. The old SIDs will be copied onto the migrated users' SID history attributes to allow permissions based on the old SID to still work.
If you simply want to upgrade to a newer version of AD then you're better off joining a newer domain controller to your existing Active Directory forest / domain. The forest functional level mush be 2003 or higher.
As a side note, I'd recommend then getting rid of the 2003 servers as soon as possible as these are no longer supported by Microsoft.
Related
I have a script that creates a new user in the Active Directory. I want to be able to include a groups value into my csv template and have these split into individual values to be added with the user.
I currently run a second script to assign groups to users by outlining the group name.
# Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from ADUsers.csv in the $ADUsers variable
$ADUsers = Import-csv C:\upload\batman.csv
#Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$OU = $User.ou #This field refers to the OU the user account is to be created in
$email = $User.email
$Password = $User.Password
$groups = $User.groups
#Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
#If user does exist, give a warning
Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
#User does not exist then proceed to create the new user account
#Account will be created in the OU provided by the $OU variable read from the CSV file
New-ADUser `
-SamAccountName $username `
-UserPrincipalName "$username#lon.deloitterisk.cloud" `
-Name "$Firstname $Lastname" `
-GivenName $Firstname `
-Surname $Lastname `
-Enabled $True `
-DisplayName "$Lastname, $Firstname" `
-Path $OU `
-AccountPassword (convertto-securestring $Password -AsPlainText -
Force) -ChangePasswordAtLogon $False -PasswordNeverExpires:$True `
-group
{
foreach($groups in $ADUsers)
{
$Username = $User.username
$groups = $User.groups -split ","
foreach ($group in $groups)
}
}
}
}
This is the code that I currently have (I have added in the groups clause I am trying to add in however this section is producing errors. The column name in my template is "groups")
Disclaimer: This is untested
I would utilize what you already have and add in the Add-ADPrincipalGroupMembership command. I changed some of the formatting to use splatting with the New-ADUser command for readability purposes only.
# Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from ADUsers.csv in the $ADUsers variable
$ADUsers = Import-csv C:\upload\batman.csv
#Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$NewUser = #{
'SamAccountName' = $User.username
'UserPrincipalName' = "{0}#domain.com" -f $User.username
'Name' = "{0} {1}" -f $user.firstname,$user.lastname
'Enabled' = $true
'DisplayName' = "{1}, {0}" -f $user.firstname,$user.lastname
'AccountPassword' = ConvertTo-SecureString $User.password -AsPlainText -Force
'ChangePasswordAtLogon' = $false
'PasswordNeverExpires' = $true
'GivenName' = $User.firstname
'Surname' = $User.lastname
'Path' = $User.ou #This field refers to the OU the user account is to be created in
'Password' = $User.Password
}
$groups = $User.groups -split ","
$email = $User.email
#Check to see if the user already exists in AD
if (Get-ADUser -Filter "SamAccountName -eq '$($NewUser.SamAccountName)'")
{
#If user does exist, give a warning
Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
#User does not exist then proceed to create the new user account
#Account will be created in the OU provided by the $OU variable read from the CSV file
New-ADUser #NewUser
Add-ADPrincipalGroupMembership -Identity $NewUser.SamAccountName -MemberOf $groups
}
}
I want to add/update data of Active Directory located on another server. I have server details but I don't know how to do it. However, I know how to add/update data if I run PowerShell Script from same server.
Here is my code which work if I add/update data by PowerShell Script located to same server. Can anybody please suggest me how can I add/update data to Active Directory located on another server?
Code
# Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from ADUsers.csv in the $ADUsers variable
$ADUsers = Import-csv C:\it\powershell_create_bulk_users\bulk_users1_quote.csv
foreach ($User in $ADUsers)
{
$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$OU = $User.ou #This field refers to the OU the user account is to be created in
$Password = $User.Password
if (Get-ADUser -F {SamAccountName -eq $Username})
{
Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
New-ADUser `
-SamAccountName $Username `
-UserPrincipalName "$Username" `
-Name "$Firstname $Lastname" `
-Path $OU `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force) -ChangePasswordAtLogon $True
}
}
You need to include the -Server <string> parameter for connecting to another server before creating / validating the user.
Also, I think you meant -Filter as the parameter with Get-ADUser cmdlet, and not -F.
-Server
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a
corresponding domain name or directory server. The service may be any
of the following: Active Directory Lightweight Domain Services, Active
Directory Domain Services or Active Directory Snapshot instance. ...
Get-ADUser -Filter {SamAccountName -eq $Username} -Server a.b.c.d ...
# reference from https://learn.microsoft.com/en-us/powershell/module/addsadministration/get-aduser?view=win10-ps
New-ADUser ... -Server a.b.c.d ...
# reference from https://technet.microsoft.com/fr-fr/library/hh852238(v=wps.630).aspx
I'm using a script to create new users and everything is working fine. However, when I try to log in with a user created with this script, I get the following error:
A Problem has occurred and your network home directory is not available.
This may be because a network file server is offline.
You have been logged on with a temporary home drive (H:) which may be shared
with other users.
The script creates the user and applies the correct permissions as far as I can tell.
Here's the script:
# Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from ADUsers.csv in the $ADUsers variable
$ADUsers = Import-csv .\Create_Staff_Accounts.csv
#Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$OU = $User.ou #This field refers to the OU the user account is to be created in
$group = $User.group
$title = $User.title
$start = $User.start
$Homedrive = "H:"
$UserRoot = "\\servername\st$\"
$HomeDirectory = $UserRoot + $Username
#Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
#If user does exist, give a warning
Write-Warning "A user account with username $Username already exists in Active Directory."
}
else
{
#User does not exist then proceed to create the new user account
#Account will be created in the OU provided by the $OU variable read from the CSV file
New-ADUser `
-SamAccountName $Username `
-Name "$Firstname $Lastname" `
-UserPrincipalName "$($username)#domain.local" `
-GivenName $Firstname `
-Surname $Lastname `
-Enabled $True `
-DisplayName "$Firstname $Lastname" `
-Path $OU `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force) `
-Homedrive $Homedrive `
-HomeDirectory $HomeDirectory `
-ScriptPath "logonscript.bat" `
-Description "Staff Account: $($title) from: $($start)"
#-ChangePasswordAtLogon $True `
#Now create the home folder and set modify permissions
Add-ADGroupMember -Identity $group -Members $Username
Add-ADGroupMember -Identity groupname -Members $Username
Add-ADGroupMember -Identity groupname -Members $Username
New-Item -ItemType Directory -Path "\\servername\st$\$($User.username)"
$path = Get-Item -Path "\\servername\st$\$($User.username)"
$acl = (Get-Item $path).GetAccessControl('Access')
$AR = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($AR)
Set-Acl -Path $Path -AclObject $acl
}
}
Thank you for your help and support.
I am working on a Power Shell script that will create bulk users in Active Directory. As stated in a previous post, I'm fairly new to Power Shell and want to be safe before I go live with anything. Below is the script, some of it borrowed. It will be reading data from the .csv noted in the Import-CSV cmdlet. Ideally, this would create the user and define the user's full name, first name, last name, username, SAM name, e-mail, title, description and manager. It would also set a password.
I would love any feedback on how the below script looks. Please let me know if you have any questions or need any additional information.
Import-Module activedirectory
$ADUsers = Import-CSV C:\scripts\hourlyimport.csv
foreach ($User in $ADUsers)
{
#read user data from each field in each row and assign the data to a variable as below
$Username = $User.username
$Firstname = $User.firstname
$Lastname = $User.lastname
$Password = $User.password
$OU = $User.ou
$Title = $User.title
$Manager = $User.manager
#check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
#if user does exist, give a warning
Write-Warning "A user account with username $Username already exist in Active Directory. Say wha?!?"
}
else
{
#if user does not exist then proceed to create the new user account
#account will be created in the OU provided by the $OU variable read from the CSV file
New-ADUser `
-SamAccountName $Username `
-UserPrincipalName "$Username#thredup.com" `
-Email "$Username#thredup.com" `
-Name "$Firstname $Lastname" `
-GivenName $Firstname `
-Surname $Lastname `
-Enabled $True `
-DisplayName "$Lastname, $Firstname" `
-Path $OU `
-Description "$Title" `
-Title "$Title" `
-Manager "$Manager" `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force)
}
}
Looks pretty good to me. You are somewhat inconsistent with the use of ", for example you don't need to write -Title "$Title", you can leave away the " in this case.
You could probably do some fancy optimization with splatting here, reducing the assignments, but since it is a quite unknown feature among many readers I wouldn't go for it here.
One thing I'm missing is error handling. With the default settings, your script will print out errors when something goes wrong, but continue the loop. Is this intended? It is often good practice to state your intention explicitly by setting $ErrorActionPreference at the start of your script.
I know I can move an AD user using powershell. What i want to accomplish is moving a bunch of users based on their description. I have a csv file and in that csv their is a year of graduation column. I want all users that have a YOG from 2016 to 2022 moved to the High School OU.
I haven't tried writing the code yet. I was successful in powershell of grabbing user accounts based on dept but not description. Here is a some same data
"ID","FNAME","LNAME","BDATE","GRD","SCHID"
"111111","TEst","student1","19980601","2016","1480"
"222222","test","Student2","19980522","2017","1480"
"333333","test","Student3","19970813","2025","1479"
I've gone ahead and added the schoolcode to the csv file. I think this will be a lot easier to move the students to the correct ou based on this file. 1480 being elem, 1479 hs. Also here is the code I'm using toe create the AD accounts.
# Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from ADUsers.csv in the $ADUsers variable
$ADUsers = Import-csv userimport.csv
#Store report in log file in the $log variable
$log = "log.txt"
#Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$Username = $User.ID
$Password = $User.BDATE
$Firstname = $User.FNAME
$Lastname = $User.LNAME
$Department = $User.GRD
$Company = $User.SCHID #This field refers to the OU the user account is to be moved to
#Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
#If user does exist, give a warning
Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
#User does not exist then proceed to create the new user account
"Processing started (on " + $date + "): " | Out-File $log -append
"--------------------------------------------" | Out-File $log -append
#Account will be created in the OU provided by the $OU variable read from the CSV file
New-ADUser `
-SamAccountName $Username `
-UserPrincipalName "$Username#clasd.net" `
-Name "$Firstname $Lastname" `
-GivenName $Firstname `
-Department "$Department" `
-Company "$Company" `
-EmailAddress "$Username#clasd.net" `
-Surname $Lastname `
-Enabled $True `
-Scriptpath "login.vbs" `
-DisplayName "$Firstname $Lastname" `
-Path "ou=users,ou=hs,dc=clasd,dc=net" `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force) `
-ChangePasswordAtLogon $true
# Add User to Groups
#Add-ADPrincipalGroupMembership -Identity $Username -MemberOf "Elem","Elem Students"
Start-Sleep 3
# Move Users to appropiate OU based on School Code
$usr = import-csv userimport.csv
foreach ($User in $usr) {
if ($user.grd -in 2016){
Get-ADUser $User.ID | Move-ADObject -TargetPath 'OU=users,ou=hs,dc=clasd,dc=net'
}
}
}
}
As their AD Username is unique and already contained in your CSV, it's simply a case of checking if the GRD field is in the range 2016-2022 and then moving the account using the ID field:
$filepath = "C:\path\to\data.csv"
$csv = Import-CSV $filepath
foreach ($user in $csv) {
if ($user.GRD -in 2016..2022) {
Get-ADUser $user.ID | Move-ADObject -TargetPath 'OU=High School,DC=domain,Dc=com'
}
}
EDIT: Didn't see your comment that YOG is the Description field, and I've used GRD instead, let me know if this isn't correct?
EDIT2: My answer above would be run after every account is created not during your existing script, it is more efficient to put the account in the correct OU at creation like so:
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$Username = $User.ID
$Password = $User.BDATE
$Firstname = $User.FNAME
$Lastname = $User.LNAME
$Department = $User.GRD
$Company = $User.SCHID #This field refers to the OU the user account is to be moved to
# Choose OU
Switch ($Department)
{
"2016" {$OU = 'OU=users,ou=hs,dc=clasd,dc=net'}
"2017" {$OU = 'OU=2017,OU=users,ou=hs,dc=clasd,dc=net'}
}
#Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
#If user does exist, give a warning
Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
#User does not exist then proceed to create the new user account
"Processing started (on " + $date + "): " | Out-File $log -append
"--------------------------------------------" | Out-File $log -append
#Account will be created in the OU provided by the $OU variable read from the CSV file
New-ADUser `
-SamAccountName $Username `
-UserPrincipalName "$Username#clasd.net" `
-Name "$Firstname $Lastname" `
-GivenName $Firstname `
-Department "$Department" `
-Company "$Company" `
-EmailAddress "$Username#clasd.net" `
-Surname $Lastname `
-Enabled $True `
-Scriptpath "login.vbs" `
-DisplayName "$Firstname $Lastname" `
-Path $OU `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force) `
-ChangePasswordAtLogon $true
# Add User to Groups
#Add-ADPrincipalGroupMembership -Identity $Username -MemberOf "Elem","Elem Students"
Start-Sleep 3
}
}