How to easily create bulk accounts in Active Directory

Rich
5 min read, Jun 10, 2021


I had been meaning to test out and save a script that creates bulk accounts in AD. I finally got around to it after someone asked about such a thing on Facebook.

Creating bulk computer accounts; what did not work and why:

This was one of the rare cases where CW6 Google was wrong, or only half right. I found the following script on a couple different sites (http://www.kuskaya.info/2013/09/06/how-to-create-bulk-of-computer-objects-with-powershell/):

Import-Module ActiveDirectory
$CSV="C:\Temp\List.csv"
$OU="OU=Clients,DC=test,DC=local"
# Import-Csv expects a header row; each row is exposed as $_ and the
# ComputerAccount column must exist for $_.ComputerAccount to hold a name.
Import-Csv -Path $CSV | ForEach-Object {New-ADComputer -Name $_.ComputerAccount -Path $OU -Enabled $True}

However, this script did not work at all in the lab. I checked a script I hobbled together a while back and the issue seems to be the '$CSV="C:\Temp\List.csv"' line. PowerShell provides an easy way to sanity check a variable, though: simply type the variable name and hit Enter. PowerShell will even autocomplete the variable once you start typing it.

My prior script used '$variable = Get-Content X.csv'. Run a sanity check on that method of pulling the contents of the CSV file and we see:

Creating bulk computer accounts; what did work:

In the lab the domain is test.local. The workstation OU is called Clients. I created a Distributed File System share and mapped it to the I Drive via GPO. This makes a handy place to put scripts, installers, etc.

The working script is:

Import-Module ActiveDirectory
# Get-Content returns one string per line, so the file is a bare list of
# computer names with no header row.
$systems = Get-Content "I:\PS scripts\List.csv"
$OU="OU=Clients,DC=test,DC=local"
ForEach ($system in $systems)
{
    # New-ADComputer creates the object enabled by default.
    New-ADComputer -Name "$system" -Path "$OU"
}

The script looks much better in PowerShell_ISE:

The CSV that the script pulls from is very simple:

Just change the "$systems = <path>" and "$OU = <path>" variables to suit your domain and where you saved the list of computer names in a CSV file.

This script is quite simple as we are not setting anything other than the OU and simply pulling the computer names from the CSV. If we wanted to set more attributes by pulling from additional fields in the CSV file then we would set it up much like the script below for creating bulk user accounts.
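One way to pull extra attributes per computer from CSV columns, as an added example that is not from the original post or any of the linked scripts. It assumes a CSV with the header row Name,Description,Location (constructed), the lab OU from the post, and a placeholder I: drive path; it also validates each name before using it in an AD filter and skips objects that already exist, so a partial run can be repeated.

```powershell
# Added example (not the original post's script). Expects a CSV with the
# header row Name,Description,Location; the path and OU are assumptions.
Import-Module ActiveDirectory

function New-BulkComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$CsvPath = "I:\PS scripts\ComputerList.csv",   # assumed path
        [string]$OU      = "OU=Clients,DC=test,DC=local"       # lab OU from the post
    )

    # Import-Csv needs a header row; every column becomes a property on $_.
    # (Get-Content, as in the post's working script, reads bare names instead.)
    Import-Csv -Path $CsvPath | ForEach-Object {
        $name = "$($_.Name)".Trim()

        # Letters, digits and hyphens only, max 15 characters (NetBIOS limit).
        # This also keeps quotes and wildcards out of the -Filter string below.
        if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') {
            Write-Warning "Skipping invalid computer name '$name'"
            return
        }

        # New-ADComputer throws on a duplicate; checking first makes the run
        # safe to repeat after a partial failure.
        if (Get-ADComputer -Filter "Name -eq '$name'") {
            Write-Verbose "Already exists, skipping: $name"
            return
        }

        # Only pass the optional attributes that are actually filled in.
        $params = @{ Name = $name; Path = $OU }
        foreach ($attr in 'Description', 'Location') {
            if ($_.$attr) { $params[$attr] = $_.$attr }
        }

        # -WhatIf on the function flows down to New-ADComputer.
        New-ADComputer @params
    }
}

# Dry run first, then for real:
# New-BulkComputer -WhatIf -Verbose
# New-BulkComputer
```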

Creating bulk user accounts:

I had more success finding a good template for creating bulk user accounts. Once I filtered through all the Google results from vendors trying to sell a third-party product I found Adam the Automator's handy script. I just tweaked the path to the CSV, the domain name, created a sample CSV, and tested it out in the lab.

# https://adamtheautomator.com/new-aduser/
# Each CSV row becomes $_; the column headers must match the property names used below.
# Note that the initial password is read in plaintext from the CSV's Password column.
$import_users = Import-Csv -Path "I:\PS scripts\UserList.csv"
$import_users | ForEach-Object {
    New-ADUser `
        -Name $($_.FirstName + " " + $_.LastName) `
        -Path "OU=User accounts,DC=test,DC=local" `
        -GivenName $_.FirstName `
        -Surname $_.LastName `
        -Department $_.Department `
        -State $_.State `
        -EmployeeID $_.EmployeeID `
        -DisplayName $($_.FirstName + " " + $_.LastName) `
        -Office $_.Office `
        -UserPrincipalName $_.UserPrincipalName `
        -SamAccountName $_.SamAccountName `
        -AccountPassword $(ConvertTo-SecureString $_.Password -AsPlainText -Force) `
        -Enabled $True
}

The script looks much better in PowerShell_ISE:

The CSV file that the script pulls from is formatted like this:

Of course, if one wanted to set more attributes via the CSV file and the script, they would simply add the corresponding field to the CSV and tweak the script. For example, to add a description to each account one would add a column to the CSV titled 'Description' and add the following parameter line to the New-ADUser call in the script:

-Description $_.Description `

A sidenote on security:

Obviously, save the CSV somewhere that only trusted people can access, or an attacker or insider will find it and happily start checking which accounts have not yet logged in and changed the initial password. I have heard plenty of horror stories about how attackers simply found the login credentials that got them their initial access from a sticky note on a desk. They moved laterally or escalated privileges after finding more credentials in a text file or an Excel spreadsheet on someone's Desktop or on a share drive accessible to Authenticated Users.
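One way to take the initial password out of the CSV entirely, plus a check for accounts that are still sitting on that initial password, as an added example that is not from the original post or Adam the Automator's script. It assumes the post's UserList.csv columns minus Password, the post's OU, and a placeholder I: drive path; the password is generated per user here and the user is forced to change it at first logon.

```powershell
# Added example (not the original post's script). Uses the post's UserList.csv
# columns except Password, which is generated here instead of read from disk.
Import-Module ActiveDirectory

function New-InitialPassword {
    param([int]$Length = 16)
    # 64 symbols (I, O and l left out): one random byte maps to one symbol
    # with no modulo bias, and the RNG is the crypto one, not Get-Random.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+@'
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function New-BulkUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$CsvPath = "I:\PS scripts\UserList.csv",        # assumed path
        [string]$OU      = "OU=User accounts,DC=test,DC=local"  # OU from the post
    )
    Import-Csv -Path $CsvPath | ForEach-Object {
        $password = New-InitialPassword
        New-ADUser -Name ($_.FirstName + " " + $_.LastName) `
            -GivenName $_.FirstName -Surname $_.LastName `
            -SamAccountName $_.SamAccountName `
            -UserPrincipalName $_.UserPrincipalName `
            -Path $OU `
            -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
            -ChangePasswordAtLogon $true `
            -Enabled $true
        # Returned to the admin's session only; deliver it out of band rather
        # than writing it back to a CSV on the share.
        [pscustomobject]@{ SamAccountName = $_.SamAccountName; InitialPassword = $password }
    }
}

# Enabled accounts created since $Since that have never logged on still carry
# their initial password; these are the ones to disable or expire.
function Get-UnclaimedAccount {
    param([datetime]$Since)
    Get-ADUser -Filter { Enabled -eq $true -and whenCreated -ge $Since } `
        -Properties whenCreated, LastLogonDate |
        Where-Object { -not $_.LastLogonDate }
}

# New-BulkUser -WhatIf                                                            # dry run
# Get-UnclaimedAccount -Since (Get-Date).AddDays(-14) | Disable-ADAccount -WhatIf
```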

Conclusion:

Hopefully this was helpful and maybe saves someone some time and hassle. I had to poke around on Google a bit, tweak some stuff, and validate the scripts. In the case of the computer accounts I had to almost completely rewrite the script from Google. Luckily I had an existing project to borrow from. A while back someone who shall remain nameless sent us a completely unsorted list of computer names in Excel with no column to show where they physically were or what section they belonged to. I had to hobble together a script that pulled the unsorted list from a CSV, queried the OU of each computer name, then output to another CSV that showed who each computer belonged to. At least it was an excellent training opportunity.

Always remember that as much as everyone loves the ADUC GUI tool, PowerShell is much more, well, PowerFull.

References:

https://www.risual.com/2015/07/bulk-create-computer-accounts-with-powershell/

https://activedirectorypro.com/create-bulk-users-active-directory/

https://adamtheautomator.com/new-aduser/

https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adcomputer?view=windowsserver2019-ps

https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-aduser?view=windowsserver2019-ps

https://attack.mitre.org/techniques/T1552/001/

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.