Copying Existing AD User to Create New User in Forest

This topic contains 5 replies, has 5 voices, and was last updated by Ron 1 month ago.

  • #48946
    Jason Colotario
    Participant

    Hello,

    I have a new AD User that I want to create from an existing User. We have several domains in our forest where his account already exists in one of those domains. I want to create his AD account individually in each domain, but I'm getting an error. Thanks for any help on this!

    Here is my PS Script:

    $userInstance = Get-ADUser -Identity "saraDavis"
    New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance -DisplayName "EllenAdams"

    Here is the error:

    8648 21C8 ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST The operation failed because UPN value provided for addition/modification is not unique forest-wide.

  • #48956
    Richard Siddaway
    Moderator

    Yep. That'll always happen because the UPN has to be unique in the forest.

    What you have to do is define the UPN for the new user, so your second line becomes something like:

    New-ADUser -samaccountname blah -name 'blah blah' -userprincipalname 'blah@blah' -instance $userinstance

    You might want to set the password for the new user and enable the account as well.

  • #48964
    Richard Siddaway
    Moderator

    You don't actually need to recreate the user in each domain in the forest. You can grant rights across any or all domains in the forest – it's what Universal groups are for.

  • #56707
    ken vanden branden
    Participant

    I'm just amazed at how many blogs just copy-paste the original code from the get-help and claim it works (I've seen it on this website as well), while it doesn't.
    This piece of code:

    $userInstance = Get-ADUser -Identity "saraDavis"
    New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance -DisplayName "EllenAdams"

    So is everyone just faking the hell out of it?

    • #56734
      Peter Jurgens
      Participant

      I'm not 100% certain, but my understanding is that creating a new user in AD doesn't set the user object's UPN. But of course, if you use an instance of another user object that does have a UPN set, it will try to create the new user object with the same UPN, hence why you would need to override the UPN value of the reference instance with the userprincipalname parameter. I'm sure this is true for any other user object attribute that must be unique in AD but that you may be able to set yourself.

  • #56786
    Ron
    Participant

    Here's what I do to copy a user. I use a form for the info and it generates the commands I need. I only filled in the basic fields; you'll have to add the ones you need to define.

    # Read the template user, including its group memberships
    $m = Get-ADUser "olduser" -Properties memberof
    # Create the new account in the same container as the template: the -replace strips the leading RDN from the DN.
    # "password1" is a placeholder; read the real value with Read-Host -AsSecureString instead of writing it in the script.
    # The UPN is rebuilt from the new logon name plus the template's UPN suffix, so it stays unique in the forest.
    New-ADUser -Path ($m.distinguishedname -replace '.+?,((?:DC|OU)=.+)','$1') `
        -Name "newuser1" -SamAccountName "newuser1" `
        -AccountPassword (ConvertTo-SecureString "password1" -AsPlainText -Force) `
        -ChangePasswordAtLogon $True -Enabled $True -CannotChangePassword $False `
        -UserPrincipalName ("newuser1@" + (($m.userPrincipalName -split "@")[1])) `
        -GivenName "New" -Surname "User" -DisplayName "New User"
    # Add the new user to every group the template is a member of
    $m.memberof | Add-ADGroupMember -Members "newuser1"
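    Putting Richard's point (set the UPN yourself) and Ron's approach (derive the container and group list from the template) together, here is an added PowerShell example that is not code from anyone in this thread. It copies a user within one domain and checks the new UPN against a global catalog before calling New-ADUser, so the forest-wide uniqueness error from the first post is caught up front; the GC host name, account names and password prompt are assumptions.

```powershell
# Added example, not code from any poster in this thread. Host name, user names
# and OU are placeholders. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Copy-ADUserTemplate {
    param(
        [Parameter(Mandatory)] [string] $ReferenceSam,   # template account, e.g. "saraDavis"
        [Parameter(Mandatory)] [string] $NewSam,         # new sAMAccountName, e.g. "ellenAdams"
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [securestring] $Password, # read with Read-Host -AsSecureString; never hard-code
        [string] $GlobalCatalog = 'gc.example.com:3268'  # placeholder GC host; 3268 is the GC LDAP port
    )

    # Default property set only: this object is the template passed to -Instance.
    $ref = Get-ADUser -Identity $ReferenceSam
    # memberOf is fetched separately so it is not part of the template object.
    $groups = (Get-ADUser -Identity $ReferenceSam -Properties memberOf).MemberOf

    # New UPN = new logon name + the template's UPN suffix ("sara@corp.example" -> "corp.example").
    $suffix = ($ref.UserPrincipalName -split '@')[1]
    $newUpn = "$NewSam@$suffix"

    # UPNs must be unique forest-wide, so check against a global catalog, not just
    # the local domain. This is the check that would have caught the error in the thread.
    $clash = Get-ADUser -LDAPFilter "(userPrincipalName=$newUpn)" -Server $GlobalCatalog
    if ($clash) {
        throw "UPN '$newUpn' already exists in the forest on $($clash.DistinguishedName)"
    }

    # Parent container = the template's DN with its leading RDN removed.
    $parent = $ref.DistinguishedName -replace '^.+?,((?:OU|CN|DC)=.+)$', '$1'

    # -Instance copies the template's attributes; every attribute that must be unique
    # (Name, sAMAccountName, UPN) is overridden explicitly.
    New-ADUser -Instance $ref -Path $parent -Name $NewSam -SamAccountName $NewSam `
        -UserPrincipalName $newUpn -GivenName $GivenName -Surname $Surname `
        -DisplayName "$GivenName $Surname" -AccountPassword $Password `
        -ChangePasswordAtLogon $true -Enabled $true

    # Copying group membership copies the template's privileges too: review $groups first.
    foreach ($groupDn in $groups) {
        Add-ADGroupMember -Identity $groupDn -Members $NewSam
    }
    return Get-ADUser -Identity $NewSam -Properties userPrincipalName, memberOf
}
# Usage:
#   $pw = Read-Host -AsSecureString -Prompt 'Initial password'
#   Copy-ADUserTemplate -ReferenceSam 'saraDavis' -NewSam 'ellenAdams' -GivenName 'Ellen' -Surname 'Adams' -Password $pw
```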
    
