PowerShell allows you to read, write and update Active Directory objects. In conjunction with PowerShell's many other advanced features, this provides a great environment to manage your AD and to automate tasks.

To create a user object:

First we need to set a variable to hold the domain object, and link the instance to the domain.

    PS C:\> $domain = [ADSI] "LDAP://main:389/dc=domain,dc=local"

This will allow you to interact with AD using the $domain variable. You can list the root of your domain by typing:

    PS C:\> $domain.psbase.Get_children()

This will list the root containers in your Active Directory by Distinguished Name.
To get more information about a specific branch in the directory we can associate that branch to a new variable.

    $usersOU = [ADSI] "LDAP://CN=Users,DC=domain,DC=local"

and then again using the "psbase.Get_children()"

    $usersOU.psbase.Get_children()

This will list all the AD objects (users and computers) in the OU.
Let's finish off by creating a user.

    PS C:\> $newUser = $usersOU.Create("user","cn=MyNewUser")
    PS C:\> $newUser.put("title", "PowerShell Test Account")
    PS C:\> $newUser.put("employeeID", 123)
    PS C:\> $newUser.put("description", "Test User Account for LazyAdmin Demo")
    PS C:\> $newUser.SetInfo()

Now, if you enter this into your command prompt you may get an access denied error.
This is usually because you're not logged into the domain with an account that has sufficient privileges to create a user account. Launch a PowerShell window with an account that has the correct permissions:

    runas /env /user:administrator@domain.local "powershell.exe"

You'll have to bind to the OU again, and re-enter the information for the user object.
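The same procedure as one function, as an added example that is not part of the original article: it binds to the container with explicit credentials for this single operation instead of relaunching the whole shell as administrator, reports an access-denied failure clearly, and reads back the new account's state. The function name New-DemoAdUser, the combined server and container path, and the sAMAccountName assignment are assumptions made for this example; the other values are the demo values used above.

```powershell
# Added example. Server, domain and attribute values are the page's demo values;
# New-DemoAdUser and the sAMAccountName assignment are assumptions made here.
function New-DemoAdUser {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$ContainerPath = 'LDAP://main:389/CN=Users,DC=domain,DC=local',
        [string]$Name = 'MyNewUser'
    )

    # Bind as the delegated account only for this operation. Secure selects
    # Kerberos/NTLM, so the password is not sent as a simple bind.
    $auth      = [System.DirectoryServices.AuthenticationTypes]::Secure
    $plain     = $Credential.GetNetworkCredential().Password
    $container = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $ContainerPath, $Credential.UserName, $plain, $auth
    try {
        $user = $container.Children.Add("CN=$Name", 'user')
        $user.Properties['sAMAccountName'].Value = $Name
        $user.Properties['title'].Value          = 'PowerShell Test Account'
        $user.Properties['employeeID'].Value     = '123'
        $user.Properties['description'].Value    = 'Test User Account for LazyAdmin Demo'
        $user.CommitChanges()      # same role as SetInfo() in the ADSI calls above

        # Read back what the directory actually stored.
        $user.RefreshCache()
        $uac = [int]$user.Properties['userAccountControl'].Value
        [pscustomobject]@{
            DistinguishedName   = [string]$user.Properties['distinguishedName'].Value
            Disabled            = [bool]($uac -band 0x2)    # ACCOUNTDISABLE
            PasswordNotRequired = [bool]($uac -band 0x20)   # PASSWD_NOTREQD
        }
    }
    catch {
        # Method-call failures arrive wrapped; inspect the underlying exception.
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.UnauthorizedAccessException]) {
            throw "Access denied: $($Credential.UserName) cannot create user objects in $ContainerPath"
        }
        throw
    }
    finally {
        $container.Dispose()
    }
}

# Usage: prompts for the account, nothing is stored in the script.
# New-DemoAdUser -Credential (Get-Credential)
```

An account created without a password is normally left disabled with the password-not-required flag set, so check both returned flags and set a password before enabling it.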
Looking at the DC we can see that the user has been created.

News Source: TheLazyAdmin.com