This article was originally posted on the ConnectWise blog.

Employee onboarding is one of those tasks that is ripe for automation. It's a task that's performed hundreds of times and rarely changes. When hired, every employee needs an Active Directory user account, an email mailbox, access to this and that system, a home folder with permissions specific to them and so on. A task that's performed the same way multiple times is a perfect candidate for automation.

It seems like nearly every organization has Active Directory (AD). AD is a big part of employee onboarding that a lot of organizations may still be doing manually. The helpdesk is still opening Active Directory Users & Computers, right-clicking and creating a new user. They're then manually adding that user to a specific set of groups and will ultimately screw it up due to all of their other responsibilities. Again, something automation can alleviate!

So you're convinced automation is the way to go when onboarding new employees in AD, right? If so, how do you do it?

One of the easiest ways to automate Active Directory tasks is with PowerShell. By using a freely available PowerShell module, you can create scripts to do just about anything with AD. For our purposes, we need to create a script to create a new user account for an employee and perhaps add her to a few common groups. To do this, grab a copy of Remote Server Administration Tools. This will give you the ActiveDirectory PowerShell module. Once you do this, ensure you're on a domain-joined computer and you have the appropriate rights to create new users.

In the ActiveDirectory PowerShell module, you have a command called New-AdUser. There are lots of ways to use this command but below is a common way. In this PowerShell code, I'm generating a random password and then using it along with a first name, last name and username to create a new AD user. That's it! No mouse clicking involved.

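# Load the assembly that provides [System.Web.Security.Membership] (Windows PowerShell)
Add-Type -AssemblyName System.Web

# Random password, 20 to 31 characters long, with at least 3 non-alphanumeric characters
$password = [System.Web.Security.Membership]::GeneratePassword((Get-Random -Minimum 20 -Maximum 32), 3)
$secPw = ConvertTo-SecureString -String $password -AsPlainText -Force

$NewUserParameters = @{
	GivenName = 'Adam'
	Surname = 'Bertram'
	Name = 'abertram'
	AccountPassword = $secPw
}
New-AdUser @NewUserParameters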

We also have a command called Add-AdGroupMember. This will add the user that was just created to a few groups in a single line.

# -Identity accepts a single group, so pipe each group name in turn
'Accounting','Access to App1' | ForEach-Object { Add-AdGroupMember -Identity $_ -Members 'abertram' }

One of the great things about automating employee onboarding with PowerShell is that once the code is built, it can be run for one, ten or a hundred employees with no extra effort. For example, perhaps I have a ton of new employees I need to provision in AD. By using the Import-Csv command, I can read each row in that CSV file and run the code we just went over.

This example is assuming you have a CSV with the columns FirstName and LastName.

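# Load the assembly that provides [System.Web.Security.Membership] (Windows PowerShell)
Add-Type -AssemblyName System.Web

Import-Csv -Path C:\Employees.csv | ForEach-Object {
	# A fresh random password for every account
	$password = [System.Web.Security.Membership]::GeneratePassword((Get-Random -Minimum 20 -Maximum 32), 3)
	$secPw = ConvertTo-SecureString -String $password -AsPlainText -Force

	# Username is the first initial followed by the last name
	$userName = '{0}{1}' -f $_.FirstName.Substring(0,1),$_.LastName
	$NewUserParameters = @{
		GivenName = $_.FirstName
		Surname = $_.LastName
		Name = $userName
		AccountPassword = $secPw
	}
	New-AdUser @NewUserParameters
	# -Identity accepts a single group, so pipe each group name in turn
	'Accounting','Access to App1' | ForEach-Object { Add-AdGroupMember -Identity $_ -Members $userName }
}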
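
A hardened variant of the CSV loop, as an added example that is not part of the original article: it sanitizes the name fields, skips usernames that already exist, forces a password change at first logon and reports a status for each row. It assumes Windows PowerShell 5.1 (where System.Web is available) and the same C:\Employees.csv layout; Get-SafeUserName is a hypothetical helper introduced here, and group membership is left out to keep the focus on account creation.

```powershell
# Added example, not from the original article.
Add-Type -AssemblyName System.Web
Import-Module ActiveDirectory

function Get-SafeUserName {   # hypothetical helper, not part of the AD module
    param([string]$FirstName, [string]$LastName)
    # Keep only letters and digits so a malformed CSV cell cannot put quotes,
    # spaces or wildcard characters into the account name or the AD filter.
    $first = $FirstName -replace '[^A-Za-z0-9]', ''
    $last  = $LastName -replace '[^A-Za-z0-9]', ''
    if (-not $first -or -not $last) { return $null }
    $name = $first.Substring(0, 1) + $last
    # sAMAccountName is limited to 20 characters.
    $name.Substring(0, [Math]::Min(20, $name.Length))
}

$report = foreach ($row in Import-Csv -Path C:\Employees.csv) {
    $userName = Get-SafeUserName -FirstName $row.FirstName -LastName $row.LastName
    $status = 'Created'
    try {
        if (-not $userName) { throw 'FirstName or LastName is empty or invalid' }
        # Two employees can map to the same initial + last name.
        if (Get-ADUser -Filter "SamAccountName -eq '$userName'") {
            throw "Account '$userName' already exists"
        }
        $password = [System.Web.Security.Membership]::GeneratePassword(24, 3)
        $params = @{
            GivenName             = $row.FirstName
            Surname               = $row.LastName
            Name                  = $userName
            SamAccountName        = $userName
            AccountPassword       = (ConvertTo-SecureString -String $password -AsPlainText -Force)
            ChangePasswordAtLogon = $true   # the generated password is single use
            ErrorAction           = 'Stop'  # make failures reach the catch block
        }
        New-ADUser @params
    } catch {
        $status = "Skipped: $($_.Exception.Message)"
    }
    # One status row per CSV line, so skipped accounts are visible afterwards.
    [pscustomobject]@{ UserName = $userName; Status = $status }
}
$report | Format-Table -AutoSize
```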

We just scratched the surface here of what's possible when automating employee onboarding in Active Directory. If your organization has a predefined process with specific rules that have to be followed, this code could be just the beginning of a much larger employee onboarding process that can be 100% automated!
