Last Update: Sep 04, 2024 | Published: Oct 27, 2014
So you’ve installed Windows Server, the Directory Service (AD DS) bits, and promoted the server to a domain controller (DC), but now what? The first step is to create some Active Directory (AD) user accounts.
In this Ask the Admin, I’m going to show you how to create new Active Directory users with three different tools: Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC), and a command-line tool called dsadd. For more information on creating AD users with PowerShell, see Create New Active Directory Users with Excel and PowerShell on the Petri IT Knowledgebase.
If you haven’t already installed Windows Server and the AD Directory Service server role, make sure you check out How to Install Windows Server 2012 R2 and Install Active Directory on Windows Server 2012 with Server Manager.
If you’ve never used Windows Server or Active Directory before, then the Active Directory Administrative Center is the easiest management tool to get to grips with. You’ll need to log in to Windows Server 2012 R2 with a domain administrator account, or a domain-connected PC where the Remote Server Administration Tools (RSAT) are installed. For more information on RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install.
Click the refresh icon at the top of ADAC, and the new user object will appear in the central pane, from where you can edit it at a later stage if required. The user will be required to change the password the first time they log on, and don’t forget that the password you set must meet the password complexity requirements set in domain policy. Note that domain users don’t have the necessary rights to log in locally on domain controllers, so test new user logins from a domain-joined PC.
Creating new users with the Active Directory Users and Computers tool is almost as easy.
The new user account will appear in the Users container in ADUC.
Adding a new user with the dsadd command is a little easier than with PowerShell, as we don’t need to convert the password to a secure string. Open a PowerShell prompt or command prompt, type the command below and press ENTER. To open a PowerShell prompt, click the blue PowerShell icon on the desktop taskbar, or click the Windows PowerShell tile on the Start screen. Although dsadd is not a PowerShell cmdlet, it can still be run from a PowerShell window.
dsadd user "cn=Russell Smith,cn=Users,dc=ad,dc=contoso,dc=com" -samid russellsmith -upn [email protected] -fn Russell -ln Smith -display "Russell Smith" -disabled no -pwd "PassW0rd!" -mustchpwd yes
The first parameter is the distinguished name (DN) for the new AD object, and is required. For more information about the available parameters for the dsadd user command, type dsadd user -? and press ENTER in the command prompt.
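The dsadd command above puts the initial password on the command line in plain text; the sketch below creates the same account with the New-ADUser cmdlet and prompts for the password as a secure string instead. It is an added example, not part of the original article: the function name New-DemoAdUser and the -UpnSuffix parameter are assumptions, and the UPN suffix is left as a placeholder because the article's command does not show it in full.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module from RSAT and rights to create users in the target container.
Import-Module ActiveDirectory

function New-DemoAdUser {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        # sAMAccountName is limited to 20 characters for user objects; the
        # pattern also keeps quotes out of the -Filter string below.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
        [string] $SamAccountName,
        # Assumption: the UPN suffix is supplied by the caller
        [Parameter(Mandatory)] [string] $UpnSuffix,
        # Container DN as used in the dsadd command in the article
        [string] $Path = 'CN=Users,DC=ad,DC=contoso,DC=com'
    )

    # Stop if the logon name is already in use
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        throw "sAMAccountName '$SamAccountName' already exists."
    }

    # Prompt for the initial password; input is masked and held as a SecureString
    $password = Read-Host -AsSecureString -Prompt "Initial password for $SamAccountName"

    $newUser = @{
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        DisplayName           = "$GivenName $Surname"
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "${SamAccountName}@${UpnSuffix}"
        Path                  = $Path
        AccountPassword       = $password
        Enabled               = $true    # same as -disabled no
        ChangePasswordAtLogon = $true    # same as -mustchpwd yes
    }
    New-ADUser @newUser -PassThru
}

# Usage (the suffix is a placeholder; replace it with your own):
# New-DemoAdUser -GivenName Russell -Surname Smith -SamAccountName russellsmith -UpnSuffix '<your-upn-suffix>'
```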