Feeding Variables in new-aduser -path option in powershell - powershell

Here is the Command I am trying to work with:
New-ADUser -name "$firstName $lastName" -SamAccountName "$firstName.$lastName" -GivenName "$firstName" -Surname "$lastName" -DisplayName "$firstName $lastName" -Path "OU=Employees,OU=$Dpart,DC=OPR,DC=Local" -Enabled $true -AccountPassword $PWD -ChangePasswordAtLogon $true -EmailAddress "$firstName.$lastName@opr.org"
The Error Message I get:
ObjectNotFound: (CN=FIRST LAST...DC=OPR,DC=Local:String)
Once I remove the $Dpart from the -Path the command fires off correctly, but does not place the person into the correct OU. The command is filtered beforehand and matches the name of the sub-OU inside AD.
How can I use a variable inside the path command? I know it's simple, but I am just starting off with powershell.

New-ADUser -name "$firstName $lastName" -SamAccountName "$firstName.$lastName" -GivenName "$firstName" -Surname "$lastName" -DisplayName "$firstName $lastName" -Path "OU=$Dpart,OU=Employees,DC=OPR,DC=Local" -Enabled $true -AccountPassword $PWD -ChangePasswordAtLogon $true -EmailAddress "$firstName.$lastName@opr.org"
It was so obvious that a snake would have bit me...
Lowest level OU first, then each level up after that. So, OU=$Dpart, OU=Employees
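As an added example (not code from the question or the answer above): the same account creation with the OU path built from a department variable, the value escaped for DN special characters, and the target OU confirmed to exist before New-ADUser runs. The wrapper and helper names are assumed; the cmdlet parameters are those of the question.

```powershell
# Added example, not from the original posts. Builds the -Path value from a
# department variable (the question's $Dpart), escapes DN special characters
# and verifies the OU exists so a bad value fails before any object is created.
Import-Module ActiveDirectory

function ConvertTo-EscapedRdnValue {
    # Escapes the characters RFC 4514 reserves inside a DN attribute value
    # (a department name containing a comma would otherwise split the DN)
    param([Parameter(Mandatory)][string]$Value)
    return ($Value -replace '([,\\#+<>;"=])', '\$1')
}

function New-EmployeeInOu {
    # Hypothetical wrapper name; the parameters mirror the question's command
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$Department,      # the question's $Dpart
        [Parameter(Mandatory)][securestring]$Password
    )
    # Most specific RDN first, then each level up (the fix from the answer)
    $ou = "OU=$(ConvertTo-EscapedRdnValue $Department),OU=Employees,DC=OPR,DC=Local"
    try {
        $null = Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop
    } catch {
        throw "Target OU '$ou' was not found; not creating '$FirstName $LastName'."
    }
    $sam = "$FirstName.$LastName"
    if ($sam.Length -gt 20) {
        # sAMAccountName for user accounts is limited to 20 characters
        throw "sAMAccountName '$sam' exceeds 20 characters."
    }
    New-ADUser -Name "$FirstName $LastName" -SamAccountName $sam `
        -GivenName $FirstName -Surname $LastName -DisplayName "$FirstName $LastName" `
        -Path $ou -Enabled $true -AccountPassword $Password `
        -ChangePasswordAtLogon $true -EmailAddress "$sam@opr.org" -PassThru
}

# Usage: the initial password is prompted for rather than stored in the script
$pw = Read-Host -AsSecureString 'Initial password'
New-EmployeeInOu -FirstName 'Jane' -LastName 'Doe' -Department 'Finance' -Password $pw
```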

Related

Powershell Instance Parameter

I am automating the creation of user accounts in our Windows AD. I am trying to copy the permissions from one account to another (like you would if you right-clicked and copied a user inside the "Active Directory Users and Computers" application), but when using the cmdlet 'New-ADUser' and passing in a variable to the 'Instance' parameter, it does nothing different than if I do not pass the variable at all.
This is what I am using to obtain the $userInstance variable:
$userInstance = Get-ADUser -Identity $department User
This is the code I am using to create a new user:
New-ADUser `
-SamAccountName $userName `
-UserPrincipalName "$userName@123.COM" `
-Name "$firstName $lastName" `
-GivenName $firstName `
-Surname $lastName `
-Enabled $true `
-DisplayName "$firstName $lastName" `
-City $city `
-PostalCode $zip `
-Company $company `
-State $state `
-EmailAddress $email `
-Department $department `
-Instance $userInstance `
-AccountPassword (ConvertTo-SecureString "1234" -AsPlainText -Force)
When I run this command, it does the same exact thing as if I ran this command without the instance parameter.
New-ADUser `
-SamAccountName $userName `
-UserPrincipalName "$userName@123.COM" `
-Name "$firstName $lastName" `
-GivenName $firstName `
-Surname $lastName `
-Enabled $true `
-DisplayName "$firstName $lastName" `
-City $city `
-PostalCode $zip `
-Company $company `
-State $state `
-EmailAddress $email `
-Department $department `
-AccountPassword (ConvertTo-SecureString "1234" -AsPlainText -Force)
Am I missing something? I do not understand what the 'instance' parameter is supposed to be doing if it only copies certain attributes that are easily obtainable(state, company, city). Is there something out there that actually copies a template account or do I need to write a loop that goes through every single attribute, permission, and group in the template account that provides some sort of meaning to my organization and assign them manually?
What exactly do you mean by "permission"?
Permissions on resources are set based on the objectSid of a user. Since this is unique to every user you can never "copy" them (and related permissions) to a new user.
Group memberships are stored on groups, not on users. The memberOf attribute is just a "backlink", so this won't be copied either.
Group membership needs to be added in a separate step, e.g. by using
Add-ADGroupMember
cmdlet in PowerShell...
"Permissions" might not have been the word I was looking for necessarily. I wanted to create the user and assign them the same groups and directory location as a previous User. I was able to add group membership to my new users by using the method stated by @Oliver Hauck earlier
Add-ADGroupMember
This aided me in my findings, but what I desired was to not have to write long, repetitive switch code for each new employee type, along with their groups, we could onboard. In hopes that someone sees this and doesn't feel intrigued in writing super long, boring switch code, I wanted to share how I achieved this if it helps anyone else in the future. I still obtained the $userInstance variable in the same way, but adding the -Property parameter defined to MemberOf
$userInstance = Get-ADUser -Identity $department User -Properties MemberOf
I then used the $userInstance variable to obtain the properties I needed from it (Groups to copy, Directory Path)
# Obtains the path of the copied user, without their common name (CN) attached
$path = $userInstance.DistinguishedName.split(",",2)[-1]
I still created the new user with the same command as above but added the -Path parameter to assign the directory path to the New-ADUser cmd
New-ADUser `
-SamAccountName $userName `
-UserPrincipalName "$userName@123.COM" `
-Name "$firstName $lastName" `
-GivenName $firstName `
-Surname $lastName `
-Enabled $true `
-DisplayName "$firstName $lastName" `
-City $city `
-PostalCode $zip `
-Company $company `
-State $state `
-Path $path `
-EmailAddress $email `
-Department $department `
-AccountPassword (ConvertTo-SecureString "1234" -AsPlainText -Force)
And here is how I obtained and assigned the Group Membership to the New User
# Obtains the groups to be copied from the existing user
$refGroups = $userInstance.MemberOf
# Adds the new user to each of those groups
$refGroups | Add-ADGroupMember -Members $userName

add AD account with custom attribute using powershell

I am trying to add an account using PowerShell along with a custom attribute. The schema extension is done, and from Attribute Editor I can see that the value of the custom attribute "test" is not set.
$pw = "jakdakjdJAKJKA123";
$spw = ConvertTo-SecureString $pw -AsPlainText -force;
$accountname = "mytest";
$des = "Description";
$otherAttributes = @{'test' = "testval"};
New-AdUser -UserPrincipalName "$accountname@testdomain.local" -path "OU=Services,OU=Users,OU=OrgA,DC=testdomain,DC=local" -Name "$accountname" -SamAccountName "$accountname" -GivenName "$accountname" -Description $des -CannotChangePassword $true -DisplayName "$accountname" -PasswordNeverExpires $true -AccountPassword $spw -Enabled $true -otherAttributes $otherAttributes
When I run the above code I get an error.
New-AdUser : The parameter is incorrect
At line:6 char:1
+ New-AdUser -UserPrincipalName "$accountname@testdomain.local" -path "OU=S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=mytest...testdomain,DC=local:String) [New-ADUser], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:87,Microsoft.ActiveDirectory.Management.Commands.NewADUser
If I remove "-otherAttributes $otherAttributes", the account is added successfully.
The question is: how can I add an account with a custom attribute?
Take the email out of the UserPrincipalName
New-AdUser -UserPrincipalName "$accountname" -path "OU=Services,OU=Users,OU=OrgA,DC=testdomain,DC=local" -Name "$accountname" -SamAccountName "$accountname" -GivenName "$accountname" -Description $des -CannotChangePassword $true -DisplayName "$accountname" -PasswordNeverExpires $true -AccountPassword $spw -Enabled $true -otherAttributes $otherAttributes

Encoding limit exceeded

I have a pretty lengthy script that takes either user input or data from a .csv file to create AD accounts. Not all the time, but sometimes I receive the following error while running it:
New-ADUser : The server has returned the following error: encoding limit exceeded.
Is there a limit on the amount of variables I can use? Because I do have quite a few. Here's what the sample code looks like where it sometimes gets stuck:
If($GuardAccount){
If($Clone){
If($Attribute6){
$newuser = New-ADUser -SamAccountName $Username -Enabled $true -Name $DisplayName -Path $Path -AccountPassword $Password `
-GivenName $FirstName -Surname $LastName -Initials $Initials -DisplayName $DisplayName -City $City `
-Company $Company -Department $Department -Country $Country -State $State `
-StreetAddress $Street -PostalCode $Postal -OfficePhone $Telephone -Fax $Fax -Description $Description `
-Title $Title -Office $Office -Instance $Cloneuser -UserPrincipalName "$Username@business.com" -PassThru `
-OtherAttributes @{
'extensionattribute6'=$Attribute6;
}
...
So what does encoding limit exceeded mean? Is there any way around it?
I've tried googling for answers but there doesn't seem to be much info on this error.

PowerShell New-ADUser : Cannot bind parameter because parameter 'OtherAttributes' is specified more than once

I'm trying to automate AD user creation with PowerShell.
This is the code:
# Create AD User
New-ADUser -Name $DisplayName `
-SamAccountName $SamAccountName `
-GivenName $FirstName `
-Surname $LastName `
-DisplayName $DisplayName `
-AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
-Enabled $true `
-PasswordNeverExpires $False `
-ChangePasswordAtLogon $True `
-UserPrincipalName $UserPrincipalName `
-EmailAddress $PrimaryEmailAddress `
-OtherAttributes @{'proxyAddresses' = $proxyAddressesEmailMandatory} `
-OtherAttributes @{'ipPhone' = $UserExtension} `
Attribute "proxyAddress" is necessary so we can have Azure AD Sync between on-premise AD and Azure AD.
But now, we are trying to connect FreePBX with on-premise AD. In order to achieve that, we need to have "ipPhone" attribute.
Before I added the last line, the script was working fine.
I can see where the problem is, but I don't know how to fix it. Help with an example would be appreciated.
New-ADUser -Name $DisplayName `
-SamAccountName $SamAccountName `
-GivenName $FirstName `
-Surname $LastName `
-DisplayName $DisplayName `
-AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
-Enabled $true `
-PasswordNeverExpires $False `
-ChangePasswordAtLogon $True `
-UserPrincipalName $UserPrincipalName `
-EmailAddress $PrimaryEmailAddress `
-OtherAttributes @{
'proxyAddresses' = $proxyAddressesEmailMandatory
'ipPhone' = $UserExtension
}
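An added example (not from this question or its answer, and serving the custom-attribute question above as well): one helper builds the single -OtherAttributes hashtable New-ADUser accepts, leaves out empty values, and the result is splatted together with the ordinary parameters. The helper name, the sample addresses and the user values are constructed.

```powershell
# Added example, not from the original posts. Builds the one -OtherAttributes
# hashtable that New-ADUser accepts, dropping empty values, then splats it.
Import-Module ActiveDirectory

function New-OtherAttributeTable {
    # Hypothetical helper name
    param(
        [string[]]$ProxyAddresses,   # multi-valued LDAP attribute
        [string]$IpPhone,
        [hashtable]$Custom = @{}     # e.g. a schema-extended attribute such as 'test'
    )
    $other = @{}
    if ($ProxyAddresses -and $ProxyAddresses.Count -gt 0) {
        # keep it an array so each address becomes a separate value of proxyAddresses
        $other['proxyAddresses'] = [string[]]$ProxyAddresses
    }
    if (-not [string]::IsNullOrWhiteSpace($IpPhone)) {
        $other['ipPhone'] = $IpPhone
    }
    foreach ($name in $Custom.Keys) {
        # the directory rejects empty attribute values, so omit the key instead
        $value = $Custom[$name]
        if ($null -ne $value -and "$value".Trim() -ne '') { $other[$name] = $value }
    }
    return $other
}

# Constructed sample values; a real script takes these from its own variables
$other = New-OtherAttributeTable `
    -ProxyAddresses @('SMTP:jane.doe@example.com', 'smtp:jdoe@example.com') `
    -IpPhone '2041' -Custom @{ test = 'testval' }

$params = @{
    Name                  = 'Jane Doe'
    SamAccountName        = 'jdoe'
    GivenName             = 'Jane'
    Surname               = 'Doe'
    DisplayName           = 'Jane Doe'
    UserPrincipalName     = 'jdoe@example.com'
    EmailAddress          = 'jane.doe@example.com'
    AccountPassword       = (Read-Host -AsSecureString 'Initial password')
    Enabled               = $true
    ChangePasswordAtLogon = $true
}
# OtherAttributes is passed once, and only when there is something to send
if ($other.Count -gt 0) { $params['OtherAttributes'] = $other }
New-ADUser @params -PassThru
```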

Powershell new-aduser attribute was not in the acceptable range

I'm having an issue with the following PowerShell script. The error it gives is:
a value for the attribute was not in the acceptable range of values Line 1 char 59
Import-Csv .\tableofusers.csv | foreach-object {New-ADUser -Path "ou=ou,dc=dc" -SamAccountName $_.SamAccountName -Name $_.name -DisplayName $_.name -GivenName $_.gn -SurName $_.sn -StreetAddress $_.SA -city $_.city -state $_.state -PostalCode $_.PostalCode -Country $_.Country -officephone $_.officephone -emailaddress $_.emailaddress -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -force) -enabled $true -PasswordNeverExpires $false -Passthru}
I have been over it many times and I cannot see the issue in or around character 59.
Any help would be welcome.
it was country that was the problem, it took a bit but I was able to comment out most of the block until I found that $_.Country did not work
Your piped variable token is wrong, it should be $_ rather than $ ie:
Import-Csv .\tableofusers.csv | foreach-object {New-ADUser -Path "ou=ou,dc=dc" -SamAccountName $_.SamAccountName -Name $_.name -DisplayName $_.name -GivenName $_.gn -SurName $_.sn -StreetAddress $_.SA -city $_.city -state $_.state -PostalCode $_.PostalCode -Country $_.Country -officephone $_.officephone -emailaddress $_.emailaddress -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -force) -enabled $true -PasswordNeverExpires $false -Passthru}
This should do the trick.
At a guess the value given to -country in the CSV file was something like United Kingdom instead of the code for the country which is GB.
You can look up a country code by setting the country/region in AD on the Address page using the drop-down list. Then, with Advanced Features turned on (View > Advanced Features), open the user and on the Attribute Editor tab look for the value of attribute c to see the code for the country you've set. Put that country code into the CSV file and it should work.
In my case it was using initials with more than 6 characters. Using dots between the initials means that > 6 is already reached when the initials are "A.B.C."
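An added example (not code from the question or the answers): each CSV row is checked for the two causes the answers identified, a Country value that is not the two-letter code stored in attribute c and Initials longer than 6 characters, and rows that fail are skipped with a reason instead of letting New-ADUser stop on "not in the acceptable range". The helper names, the OU path and the sample rows are constructed.

```powershell
# Added example, not from the original posts. Validates rows before New-ADUser
# so one bad value in the CSV is reported by name rather than as a range error.
Import-Module ActiveDirectory

function Test-AdUserRow {
    # Hypothetical helper; returns the list of problems, empty when the row is fine
    param([Parameter(Mandatory)]$Row)
    $problems = @()
    if ($Row.Country -notmatch '^[A-Za-z]{2}$') {
        $problems += "Country '$($Row.Country)' must be a two-letter code such as GB"
    }
    if ($Row.Initials -and $Row.Initials.Length -gt 6) {
        $problems += "Initials '$($Row.Initials)' exceed 6 characters (dots count)"
    }
    if ([string]::IsNullOrWhiteSpace($Row.SamAccountName)) {
        $problems += 'SamAccountName is empty'
    }
    return $problems
}

function Import-AdUsersFromRows {
    # Hypothetical helper; $Path is a constructed placeholder for the real OU
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [Parameter(Mandatory)][securestring]$InitialPassword,
        [string]$Path = 'OU=ou,DC=dc'
    )
    foreach ($r in $Rows) {
        $problems = Test-AdUserRow $r
        if ($problems.Count -gt 0) {
            Write-Warning "Skipping '$($r.SamAccountName)': $($problems -join '; ')"
            continue
        }
        New-ADUser -Path $Path -SamAccountName $r.SamAccountName -Name $r.name `
            -DisplayName $r.name -GivenName $r.gn -Surname $r.sn -Initials $r.Initials `
            -Country $r.Country -EmailAddress $r.emailaddress `
            -AccountPassword $InitialPassword -Enabled $true -ChangePasswordAtLogon $true -PassThru
    }
}

# Constructed sample rows; a real run would use Import-Csv .\tableofusers.csv
$rows = @'
SamAccountName,name,gn,sn,Initials,Country,emailaddress
jdoe,Jane Doe,Jane,Doe,J.D.,GB,jane.doe@example.com
bsmith,Bob Smith,Bob,Smith,B.A.C.D.,United Kingdom,bob.smith@example.com
'@ | ConvertFrom-Csv

Import-AdUsersFromRows -Rows $rows -InitialPassword (Read-Host -AsSecureString 'Initial password')
```

The second sample row is skipped with both reasons listed, while the first is created.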