Cloning Users in Active Directory

A popular function in the Windows operating system tool “Active Directory Users and Computers” (ADUC) is to “copy” a user.  At Web Active Directory we have found cloning users in Active Directory is a common need.  Administrators want to use an object in their directory as a template to create others.

If you want to delegate user provisioning to others within your organization, giving access to ADUC via remote desktop to organizations outside of IT is dangerous.  Even with service accounts that restrict what users can do, having others remote into your servers for simple data entry tasks isn’t great.  Delegation to non-technical users should also be possible.  Using ADUC isn’t for the faint of heart.

When you use ADUC to make a copy of a user, it takes several inputs, including the new user’s name and the new user’s account name.  In IT you probably also don’t want your HR department naming your new accounts.  It would be better if they only had to enter the new user’s name, and the account name were then generated according to your business rules.

Using PowerShell to Copy Users in Active Directory

If you try to write a script to do this, it’s not as straightforward as it might seem at first glance.  Consider these PowerShell commands:

# Naive approach: read every attribute of the template user...
$clone = Get-ADUser -Identity $user_to_clone.sid -Properties *

# ...and hand the whole object to New-ADUser as the instance to copy from
$cloned_user = New-ADUser -Credential $BindUserCredentials -SAMAccountName $sAMAccountName -Instance $clone -PassThru

(Remember that if we’re using the Active Directory PowerShell cmdlets, this isn’t good for portability with other directories.  This example is very Active Directory-centric.  Other solutions involve more complex technologies that can work generically across different directory products.)

Using PowerShell to Clone Active Directory Users isn’t Straightforward

These commands are going to fail on a few fronts.  First, “-Properties *” is just going to grab too many properties to pass on to the cloned user.  The script is going to fail with a cryptic error due to this.  You’re going to have to pick and choose.  See:  http://support.microsoft.com/kb/276382 for more detail as to why.  “-Properties *” isn’t the worst thing in the world if you’re querying your directory for a single object (it’s really bad on large queries) but it’s better to be more selective.  In this case, you need to discriminate but you also don’t want to leave out key properties.  When you want to create a clone you want a complete copy.

Second, you’re going to have to account for other properties:  userprincipalname, name, displayname, firstname, lastname, initials, etc.  These need to be gathered into your script from another source or constructed in your script from data that comes from somewhere else.

Third, when you pass those hurdles, the new (cloned) user isn’t going to be created in the same OU as your old one.  (Bummer!)  This requires more work to get the existing user’s container.  This isn’t a property on the user object.

Finally, the new (cloned) user won’t have the same group memberships your original user did.  You can use Add-ADPrincipalGroupMembership, but this can lead to permission errors even if you’re using a service account that has domain admin privileges.  It might be better to get the group objects themselves and use them to add the user to each group individually.  Filter out groups like “Domain Users” when you use your existing user as a template; your cloned user won’t need to be added to that one.
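The following is an added example, not code from the original post or from Web Active Directory, that works through all four hurdles above in one script: selective properties instead of “-Properties *”, name and UPN construction from a business rule, deriving the OU from the template’s distinguished name, and copying group memberships one group at a time while skipping the primary group.  The function name, parameter names, the naming rule (first initial plus surname, lower-cased, at most 20 characters) and the TEMPLATE_USER placeholder are assumptions for illustration; it requires the RSAT ActiveDirectory module and rights to create users in the target OU.

```powershell
# Added example (not from the original post): clone an AD user from a template account.
# Function name, parameter names and the naming rule are assumptions for illustration.
Import-Module ActiveDirectory

function Copy-ADUserFromTemplate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $TemplateSamAccountName,
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [string[]] $ExcludeGroups = @('Domain Users'),   # groups never copied from the template
        [pscredential] $Credential                       # optional service account, as in the post
    )

    $ad = @{}
    if ($Credential) { $ad.Credential = $Credential }

    # Hurdle 1: be selective. Request only the attributes a clone should inherit rather than
    # "-Properties *", which drags in system-owned attributes that New-ADUser rejects.
    $inheritable = 'Department', 'Title', 'Company', 'Office', 'Description', 'ScriptPath', 'HomeDrive'
    $template = Get-ADUser @ad -Identity $TemplateSamAccountName -Properties ($inheritable + 'MemberOf', 'PrimaryGroup')

    # Only pass attributes the template actually has a value for.
    $inherit = @{}
    foreach ($attr in $inheritable) {
        if ($template.$attr) { $inherit[$attr] = $template.$attr }
    }

    # Hurdle 2: construct account name, UPN and display name from the person's name
    # according to a business rule instead of accepting them as free-form input.
    $sam = ("{0}{1}" -f $GivenName.Substring(0, 1), $Surname).ToLower() -replace '[^a-z0-9]', ''
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName is limited to 20 chars
    $upn = "{0}@{1}" -f $sam, (Get-ADDomain @ad).DNSRoot
    $displayName = "$GivenName $Surname"

    if (Get-ADUser @ad -Filter "sAMAccountName -eq '$sam'") {
        throw "Account name '$sam' already exists; apply your collision rule (for example, append a digit)."
    }

    # Hurdle 3: the container is not an attribute of the user. Derive it by stripping the
    # RDN from the template's distinguished name (escaped commas inside the CN are preserved).
    $ou = $template.DistinguishedName -replace '^CN=(?:\\,|[^,])+,', ''

    # Initial password: random and never written anywhere; the account is created disabled and
    # must change password at first logon, so the clone cannot be used before onboarding finishes.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    if (-not $PSCmdlet.ShouldProcess($sam, "Create user in $ou from template $TemplateSamAccountName")) {
        return
    }

    $newUser = New-ADUser @ad @inherit -PassThru `
        -Name $displayName -DisplayName $displayName `
        -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName $upn `
        -Path $ou `
        -AccountPassword $password -Enabled $false -ChangePasswordAtLogon $true

    # Hurdle 4: copy group membership using the group objects, one group at a time,
    # skipping the template's primary group (normally Domain Users) and the exclusion list.
    foreach ($groupDn in $template.MemberOf) {
        if ($groupDn -eq $template.PrimaryGroup) { continue }
        $group = Get-ADGroup @ad -Identity $groupDn
        if ($ExcludeGroups -contains $group.Name) { continue }
        Add-ADGroupMember @ad -Identity $group -Members $newUser
    }

    return $newUser
}

# Usage (TEMPLATE_USER is a placeholder; -WhatIf shows what would be created without creating it):
# Copy-ADUserFromTemplate -TemplateSamAccountName 'TEMPLATE_USER' -GivenName 'Jane' -Surname 'Doe' -WhatIf
```

Two design points worth noting.  Copying memberships reproduces whatever access the template has, so template accounts should stay disabled and carry only the groups a new hire in that role genuinely needs; the -ExcludeGroups list is there to keep privileged groups out of the copy regardless of what the template holds.  Creating the account disabled with a random, forced-change password means a provisioning mistake yields an account nobody can log on with, rather than a live one.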

PeoplePlatform, an Extensible Web Solution

Using Web Active Directory’s PeoplePlatform, you can delegate the copy user or clone user functionality in Active Directory to your department or others via a user-friendly web interface.  Present your end-users with a search form out of the box, create the one you want, or copy and customize what we give you.  You can make it so that the user only has to fill in a name, and all of the other items (account name, user principal name, etc.) are constructed the way you want from that name.  The software comes with smart defaults.

You can restrict which users your end-users can clone by their role in the company.  A power user might have the ability to clone anyone in your directory.  Others you might want to restrict to their department.  It’s easy to configure to do that.  There isn’t a worry about the complications of cloning the user’s OU or groups; all of this is done for you.