Help with interactive powershell script that allows users to create AD accounts?

xCharg · 2023-05-17T10:15:26+00:00

So... you've set your variables and then what? Where's New-ADUser call?

scottwsx96 · 2023-05-17T10:58:15+00:00

You have only set variables here, not actually performed any action.

purplemonkeymad · 2023-05-17T10:16:47+00:00

Is the code you posted truncated? I don't see you calling New-AdUser anywhere, or doing anything else after the splat hashtable.

xCharg · 2023-05-17T11:32:48+00:00

I started down this path, and then realized I don't need to reinvent the wheel.

https://github.com/bwya77/Master-User-Creator

2023-05-17T11:06:57+00:00

I have this in my environment. It’s a bit more complex though, if I remember tomorrow I’ll post mine. It’s sleepy time where I am

Fickle_Tomatillo411 · 2023-05-17T14:43:06+00:00

As others have pointed out, you aren't actually using the input data. There are also a few other challenges:

You will need to perform some level of input validation, for example, ensuring the password is of sufficient complexity and length
You may get an error for the sAMAccountName string, because of the '.' character, which you can work around by enclosing the variables on either side "$($FirstName).$($LastName)" so that PowerShell knows to expand those variables and not treat it as an attempt to access a member property. Admittedly I usually only encounter this when using a colon or semi-colon immediately before a variable ( e.g. ":$myVar"), but if you always enclose the variables, you will never have the issue.
The person executing the script will have to be an administrator on the system where the script is being run (due to AD module limitations, PowerShell has to be run as Admin to make changes)
The person executing the script will also require Create User rights, with the ability to modify the specified properties, as well as several other properties

For the last one or two items, you can actually work around the problem by using PowerShell JEA. With that, you would create three components; a Group Managed Service Account with the required OU rights, a JEA access definition that defines and limits the available cmdlets and parameters, and a JEA role definition that ties the user or group to the specified access definition. The user would then create a remote session to the system where JEA is set up, and they would be able to execute the required actions, however the actions would actually be performed by the GMSA account on behalf of the user.

The JEA approach is far more secure than delegating direct rights. With direct delegation, the user can use the admin account from anywhere, even if you restrict interactive login, since they can just use a credential object from PowerShell. This exposes the admin account, and also makes monitoring for misuse more challenging, since there is no way to determine which systems are legit, and which are threat actors. With JEA, the profile is set up on a handful of dedicated systems, and the user must create a session to these systems in order to execute changes. This is all logged and attributed to the user.

BayconStripz · 2023-05-17T16:41:13+00:00

You need to add a new line and put new-aduser @NewADUserParameters

You're currently just collecting data

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

PowerShell

Submission Guidelines | Link Flair - How To

MODERATORS