3 Ways to Create New Active Directory Users
So you’ve installed Windows Server, the Active Directory Domain Services (AD DS) bits, and promoted the server to a domain controller (DC), but now what? The first step is to create some Active Directory (AD) user accounts.
In this Ask the Admin, I’m going to show you how to create new Active Directory users with three different tools: Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC), and a command-line tool called dsadd. For more information on creating AD users with PowerShell, see Create New Active Directory Users with Excel and PowerShell on the Petri IT Knowledgebase.
If you haven’t already installed Windows Server and the Active Directory Domain Services (AD DS) server role, make sure you check out How to Install Windows Server 2012 R2 and Install Active Directory on Windows Server 2012 with Server Manager.
Option #1: Creating new users with Active Directory Administrative Center
If you’ve never used Windows Server or Active Directory before, then the Active Directory Administrative Center is the easiest management tool to get to grips with. You’ll need to log in to Windows Server 2012 R2 with a domain administrator account, or a domain-connected PC where the Remote Server Administration Tools (RSAT) are installed. For more information on RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install.
- To run ADAC, start Server Manager by clicking the blue icon next to the Start button on the desktop taskbar, or the Server Manager tile on the Start screen.
- In Server Manager, select Active Directory Administrative Center from the Tools menu.
- In the Active Directory Administrative Center, click Users below ad (local) in the left pane.
- In the Tasks pane on the right, click New under Users, and select User from the menu.
- In the Create User dialog box, all required fields are marked by an asterisk. Start by filling out the First name and Last name fields, and the Full name field will be automatically populated.
- All new users must have a SamAccountName, which is the user’s AD logon name, but I recommend filling out the User UPN logon field, and SamAccountName will be filled in automatically.
- Enter and confirm a password, and then click OK.
Click the refresh icon at the top of ADAC, and the new user object will appear in the central pane, from where you can edit it at a later stage if required. The user will be required to change the password the first time they log on, and don’t forget that the password you set must meet the password complexity requirements set in domain policy. Note that domain users don’t have the necessary rights to log in locally on domain controllers, so test new user logins from a domain-joined PC.
Option #2: Creating new users with Active Directory Users and Computers
Creating new users with the Active Directory Users and Computers tool is almost as easy.
- Open Server Manager and select Active Directory Users and Computers from the Tools menu.
- In the left pane of ADUC, expand your domain and click the Users container.
- In the right pane, right click some empty space and select New > User from the menu.
- In the New Object – User dialog, enter a First name, Last name, User logon name and then click Next.
- Type and confirm a password, then click Next.
- Check the information for the new user on the confirmation screen and click Finish.
The new user account will appear in the Users container in ADUC.
Option #3: Creating new users with the dsadd command
Adding a new user with the dsadd command is a little easier than with PowerShell, as we don’t need to convert the password to a secure string. Open a PowerShell prompt or command prompt, type the command below and press ENTER. To open a PowerShell prompt, click the blue PowerShell icon on the desktop taskbar, or click the Windows PowerShell tile on the Start screen. It doesn’t matter that dsadd is not a PowerShell cmdlet; it can still be run from a PowerShell window.
dsadd user "cn=Russell Smith,cn=Users,dc=ad,dc=contoso,dc=com" -samid russellsmith -upn [email protected] -fn Russell -ln Smith -display "Russell Smith" -disabled no -pwd "PassW0rd!" -mustchpwd yes
The first parameter is the distinguished name (DN) for the new AD object, and is required. For more information about the available parameters for the dsadd user command, type dsadd user -? and press ENTER in the command prompt.
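The command above carries the initial password in plain text on the command line, where console history and process command-line auditing can record it. The following is an added example, not code from the original article: it runs the same dsadd call with -pwd * so that dsadd prompts for the password, then reads the account back with dsquery and dsget. The function name New-DsaddUser and the UPN suffix ad.contoso.com are assumptions made for illustration.

```powershell
# Added example, not part of the original article.
# New-DsaddUser is a hypothetical helper name; run it from an elevated prompt
# on a DC or on a domain-joined PC with RSAT installed.
function New-DsaddUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        # Conservative allow-list; user SamAccountName values are limited to 20 characters.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')][string]$SamId,
        # Assumed to be the domain's DNS name; adjust to your UPN suffix.
        [Parameter(Mandatory)][string]$UpnSuffix,
        [string]$Container = 'cn=Users,dc=ad,dc=contoso,dc=com'
    )

    $display = "$FirstName $LastName"

    # Characters such as , + " \ < > ; = # change how a DN is parsed unless escaped.
    # Reject them here rather than build a DN that points at the wrong object.
    if ($display -match '[,+"\\<>;=#]') {
        throw "Name contains characters that must be escaped in a DN: $display"
    }
    $dn = "cn=$display,$Container"

    # Stop if the logon name is already taken.
    if (dsquery user -samid $SamId) {
        throw "An account with samid '$SamId' already exists."
    }

    # '-pwd *' makes dsadd prompt for the password, so it is never an argument.
    # '-mustchpwd yes' forces a change at first logon, as in the article's command.
    dsadd user $dn -samid $SamId -upn "$SamId@$UpnSuffix" -fn $FirstName -ln $LastName `
        -display $display -disabled no -pwd * -mustchpwd yes

    # Confirm the object exists and show the security-relevant attributes.
    $created = dsquery user -samid $SamId
    if (-not $created) {
        throw "dsadd did not create '$SamId'."
    }
    $created | dsget user -samid -upn -disabled -mustchpwd
}

# Constructed values that mirror the article's example user.
New-DsaddUser -FirstName Russell -LastName Smith -SamId russellsmith -UpnSuffix 'ad.contoso.com'
```

The dsget output should show the account as not disabled and mustchpwd set to yes; the password still has to meet the domain's complexity policy.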