Employee onboarding is one of those tasks that is ripe for automation. A PowerShell onboarding script is a perfect tool for the job.
Onboarding is a task that's performed hundreds of times and rarely changes. When hired, every employee needs an Active Directory user account, an email mailbox, access to this and that system, a home folder with permissions only for them, and so on. A task that's performed the same way many times is a perfect candidate for automation.
It seems like nearly every organization has Active Directory (AD), and AD is a big part of employee onboarding that a lot of organizations may still be doing manually. The helpdesk is still opening Active Directory Users & Computers, right-clicking and creating a new user. They then manually add that user to a specific set of groups and, with all of their other responsibilities, will eventually get it wrong. Again, something automation can alleviate!
So you're convinced automation is the way to go when onboarding new employees in AD, right? If so, how do you do it?
One of the easiest ways to automate Active Directory tasks is with a PowerShell onboarding script. By using a freely available PowerShell module, you can create scripts to do just about anything with AD. For our purposes, we need a script that creates a new user account for an employee and perhaps adds her to a few common groups. To do this, install Remote Server Administration Tools (RSAT), which provides the ActiveDirectory PowerShell module. Then make sure you're on a domain-joined computer and that the account you run the script under has the rights to create users and modify group membership in the target OU (delegated rights on that OU are preferable to running as a Domain Admin).
In the ActiveDirectory PowerShell module, you have a command called New-AdUser. There are lots of ways to use this command, but below is a common one. In this PowerShell code, I'm generating a random password and then using it along with a first name, last name and username to create a new AD user. That's it! No mouse clicking involved. Two things to keep in mind: New-AdUser creates the account disabled unless you pass Enabled, and the System.Web Membership class used for GeneratePassword is only available in Windows PowerShell 5.1, not in PowerShell 7 (.NET Core).
# Load System.Web for Membership.GeneratePassword (Windows PowerShell 5.1 only)
Add-Type -AssemblyName System.Web
# Random password of 20-31 characters, at least 3 of them non-alphanumeric
$password = [System.Web.Security.Membership]::GeneratePassword((Get-Random -Minimum 20 -Maximum 32), 3)
$secPw = ConvertTo-SecureString -String $password -AsPlainText -Force
$NewUserParameters = @{
    GivenName       = 'Adam'
    Surname         = 'Bertram'
    Name            = 'abertram'
    SamAccountName  = 'abertram'   # set explicitly rather than relying on the default derived from Name
    AccountPassword = $secPw
    Enabled         = $true        # New-AdUser creates a disabled account unless told otherwise
}
New-AdUser @NewUserParameters
We also have a command called Add-AdGroupMember. This adds the user that was just created to a group; the -Members parameter accepts a SamAccountName, distinguished name, GUID or SID.
Add-AdGroupMember -Identity 'Accounting' -Members 'abertram'
One of the great things about automating employee onboarding with PowerShell is that once the code is built, it can be run for one, ten or a hundred employees with no extra effort. For example, perhaps I have a ton of new employees I need to provision in AD. By using the Import-Csv command, I can read each row of a CSV file and run the code we just went over for every row.
This example assumes you have a CSV with the columns FirstName and LastName. Note that the username is derived from the first initial and surname, so two employees with the same initial and surname would collide; a production script should check for an existing account (Get-AdUser -Filter) before calling New-AdUser.
Add-Type -AssemblyName System.Web
Import-Csv -Path C:\Employees.csv | ForEach-Object {
    $password = [System.Web.Security.Membership]::GeneratePassword((Get-Random -Minimum 20 -Maximum 32), 3)
    $secPw = ConvertTo-SecureString -String $password -AsPlainText -Force
    # Username is first initial + surname, e.g. Adam Bertram -> ABertram
    $userName = '{0}{1}' -f $_.FirstName.Substring(0,1), $_.LastName
    $NewUserParameters = @{
        GivenName       = $_.FirstName
        Surname         = $_.LastName
        Name            = $userName
        SamAccountName  = $userName
        AccountPassword = $secPw
        Enabled         = $true    # otherwise every account is created disabled
    }
    New-AdUser @NewUserParameters
    Add-AdGroupMember -Identity 'Accounting' -Members $userName
}
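Putting the single-user and CSV pieces together, here is a hardened version of the loop. This is an added example, not code from the original post. It assumes a CSV with FirstName, LastName and Group columns, and a target OU and UPN suffix that you would replace with your own (all three are assumptions). It generates passwords with the .NET CSPRNG so it runs on PowerShell 7 as well as Windows PowerShell 5.1, checks for username collisions before calling New-AdUser, enables the account, forces a password change at first logon, and keeps the initial password out of the console output.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original post. Assumptions: the CSV has FirstName,
# LastName and Group columns, accounts go in $OuPath, and the UPN suffix is $UpnSuffix.

function New-RandomPassword {
    # Cryptographically random password drawn with rejection sampling (no modulo bias).
    # Unlike System.Web's GeneratePassword this works on both Windows PowerShell 5.1 and PowerShell 7.
    param([int]$Length = 24)
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size below 256
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = [byte[]]::new(1)
    try {
        do {
            $sb = [System.Text.StringBuilder]::new()
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buf)
                if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
            }
            $pw = $sb.ToString()
            # Retry until all four character classes are present so the domain complexity policy is met
        } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    }
    finally { $rng.Dispose() }
    return $pw
}

function Get-UniqueSamAccountName {
    # First initial + surname, lowercased and restricted to [a-z0-9], which also keeps the
    # value safe to embed in the -Filter string below. A counter is appended on collision.
    param([Parameter(Mandatory)][string]$FirstName, [Parameter(Mandatory)][string]$LastName)
    $base = ('{0}{1}' -f $FirstName.Substring(0, 1), $LastName).ToLowerInvariant() -replace '[^a-z0-9]', ''
    if (-not $base) { throw "Cannot derive a username from '$FirstName $LastName'" }
    $base = $base.Substring(0, [Math]::Min(20, $base.Length))   # sAMAccountName is limited to 20 characters
    $candidate = $base
    $n = 1
    while (Get-ADUser -Filter "SamAccountName -eq '$candidate'") {
        $n++
        $suffix    = [string]$n
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
    }
    return $candidate
}

$OuPath    = 'OU=Staff,DC=corp,DC=example'   # assumption: replace with your target OU
$UpnSuffix = 'corp.example'                  # assumption: replace with your UPN suffix

$results = Import-Csv -Path C:\Employees.csv | ForEach-Object {
    $row      = $_                           # keep the CSV row; inside catch, $_ is the error record
    $sam      = Get-UniqueSamAccountName -FirstName $row.FirstName -LastName $row.LastName
    $password = New-RandomPassword
    $newUser = @{
        Name                  = $sam         # CN must be unique within the OU, so use the username
        DisplayName           = ('{0} {1}' -f $row.FirstName, $row.LastName)
        GivenName             = $row.FirstName
        Surname               = $row.LastName
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$UpnSuffix"
        Path                  = $OuPath
        AccountPassword       = (ConvertTo-SecureString -String $password -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true        # the generated password is single-use
        ErrorAction           = 'Stop'
    }
    try {
        New-ADUser @newUser
        Add-ADGroupMember -Identity $row.Group -Members $sam -ErrorAction Stop
        [pscustomobject]@{ SamAccountName = $sam; Group = $row.Group; InitialPassword = $password; Status = 'Created' }
    }
    catch {
        [pscustomobject]@{ SamAccountName = $sam; Group = $row.Group; InitialPassword = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Report status without the passwords. Hand InitialPassword to each new hire through the
# organisation's out-of-band channel; never write it to a transcript, log or shared file.
$results | Select-Object SamAccountName, Group, Status | Format-Table -AutoSize
```

Because the derived username is reduced to [a-z0-9] before it is interpolated into the Get-ADUser filter, a surname such as O'Brien cannot break the filter syntax, and the 20-character limit is enforced both for the base name and after the collision counter is appended. If a run fails part-way, the Status column tells you which accounts exist but never made it into their group, so the loop can be re-run safely for the failed rows.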
We just scratched the surface here of what's possible when automating employee onboarding in Active Directory. If your organization has a predefined process with specific rules that have to be followed, this code could be just the beginning of a much larger employee onboarding process that can be 100% automated!