Bulk provisioning users in Active Directory is an important task for new employee onboarding. It’s also a common practice if you have a system of record that has to stay in sync with your directory. This practice is common for schools. Students have their own inherent turnover as they progress through the system. Most schools have a Student Information System as their system of record.
Provisioning isn’t always about creating new users. A good provisioning solution should give options if a duplicate is found. It’s common, for example, to allow for updates if a user already exists.
Bulk Provisioning Users in Active Directory Using PowerShell
The following is an example of a user import script in PowerShell. It shows how such a script can create a new user if they do not exist in your directory and update them if they do.
Import-Module ActiveDirectory
$users = Import-Csv -Path "C:\userimport.csv"
foreach ($u in $users) {
$OU = $u.'OU'
$Password = $u.'Password'
$dispname = $u.'Firstname' + " " + $u.'Lastname'
$existing = Get-AdUser -LDAPFilter "(Samaccountname=$($u.SAM))"
$splat = @{ "DisplayName" = $dispname; "GivenName" = $u.'Firstname'; "Surname" = $u.'Lastname'; "Description" = $u.'Description'}
if (!$existing) {
$splat.Add( "SamAccountName",$u.SAM)
$splat.Add("UserPrincipalName", $u.'Firstname' + "." + $u.'Lastname' + "@" + $u.'Maildomain')
$splat.Add("Name",$dispname)
New-ADUser @splat -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path "$OU" -ChangePasswordAtLogon $false –PasswordNeverExpires $true
Write-Output "Created user $($u.SAM)."
}
else {
Set-AdUser -Identity $existing.SamAccountName @splat
Write-Output "Updated user $($existing.SamAccountName)."
}
}
This script is meant to process a file that looks like this:
Firstname,Lastname,Maildomain,SAM,OU,Password,Description
“Bobby”,”Gilkey”,”vrad.org”,”bgilkey”,”OU=Elementary,OU=StudentOU,DC=vrad,DC=org”,”Passw0rd1″,”Description here”
You can enhance the script in many ways. More comprehensive output indicating what attributes have changed, notifications, a less fixed file format would all be good first enhancements to try. In addition, this doesn’t start to tackle the concept of business rules where differing input data could affect the users OU, group membership, etc.
Web Active Directory’s PeopleNexus
Perform bulk provisioning actions in a scheduled fashion or on demand with Web Active Directory’s PeopleNexus. PeopleNexus is part of PeoplePlatform, a comprehensive identity management solution which works across multiple directory platforms. Define multiple data sources and completely control how users are created in Active Directory. Preconfigure business rules to dynamically determine group membership, the user’s OU, and much more based on your input data. You can control how duplicates are handled and what constitutes duplicate records.
Safely and securely specify the service account to use to perform the user creation tasks. Customize the import process without scripting or coding. You can also simultaneously provision users in other systems like Azure Active Directory or G Suite in real-time without the burden of a sync. This simultaneous provisioning insures good experiences for your users across platforms.
Configure notifications that are different depending on the recipient. For example, when a new user is created, administrators might receive one email while the new user might receive a welcome email with their new password. You can also have notifications to administrators be completely exception based– to only be notified if there is a problem or anomaly in the data.