SIDDAWAY: AD ADmin MOL New-ADUser (template)

This topic contains 5 replies, has 3 voices, and was last updated by  Richard Siddaway 7 months, 3 weeks ago.

  • #80942

    Jeff Taylor

    On page 21 of AD Admin in a Month of Lunches, Mr. Siddaway suggests code that uses an AD user as a template for the creation of another new AD user:

    $secpass = Read-Host "Password" -AsSecureString
    $user = Get-ADUser -Identity Fcsr -Properties memberOf
    New-ADUser -Name "FirstLevel2 CSR" -SamAccountName 'Fcsr2' `
     -UserPrincipalName "" -AccountPassword $secpass -Path "OU=Users,OU=Contractors,DC=MY,DC=foo,DC=com" `
     -Enabled:$true -Instance $user

    ...why would the administrator bother to retrieve the memberOf property of the template user if in the next paragraph Siddaway reminds the reader that "This technique doesn't copy group memberships or other multi valued attributes, which is put into the -Instance parameter"?

  • #80987

    Richard Siddaway

    If you're going to quote me please quote in full.

    In the Tip on page 21 I state

    This technique doesn't copy group memberships or other multivalue attributes. I recommend using ADUC for copying accounts

    The technique was included for completeness and, as the Tip shows, I recommended that the PowerShell approach, IN THIS INSTANCE, wasn't the best option to adopt.

    • #80993

      Jeff Taylor

      I see, OK, thanks for explaining, Mr. Siddaway.

      I think what I had read earlier in your book led me to believe that this (-Properties memberOf) might have been a typo.

      pg 08 "There are no trick questions"
      pg 18 Which of the three methods to use? 1) What tools I have in my environment 2) What I feel comfortable using
      pg 19 Your recommendations for creating a single user 1) "Powershell by preference and is a viable option. Compared to the GUI Tools, it's a little more difficult to use when you're creating users from a template account..."

      ...I read that last point as "a little more difficult" but not impossible.

      So this seems a bit of a red herring then, as I couldn't reconcile why it (-Properties memberOf) was there in the first place... for completeness as you put it.

      At any rate, the exercise got me to try it on my own to see the (lack of) intended results and was most instructive!

      It might have been useful to put in a caveat somewhere like "NOTE: Not all examples of PowerShell code will actually work to create all intended results but are included for the sake of completeness". (My particular environment is not "really weird", FYI.) Maybe you did, but I can't find it.

      Anyway, thanks for taking my feedback, I love the book.


  • #80990


    Another approach may be to use a separate command to pull the group memberships of the template user account, then pipe it to Add-ADGroupMember.

    Get-ADPrincipalGroupMembership Fcsr |
        Where-Object -Property Name -NotMatch 'Domain Users' |
        Select-Object -ExpandProperty SamAccountName |
        ForEach-Object { Add-ADGroupMember -Identity $PSItem -Members Fcsr2 }
    • #80996

      Jeff Taylor

      Thanks Juan, I will try this approach


  • #81004

    Richard Siddaway

    Also remember that the book is a tutorial. The code as it stands shows that the attribute isn't populated, which, if you remember the Tip, is part of the point of the section...
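
The template copy from the first post combined with the group-copy idea from reply #80990, as an added example that is not from the book or from any poster in this thread. It reuses the memberOf value the template query already returns and holds back well-known privileged groups so a template account cannot silently pass them on. The function name, the deny list and the placeholder UPN in the sample call are assumptions.

```powershell
#Requires -Modules ActiveDirectory

function Copy-ADUserWithGroups {   # hypothetical helper name, not from the book or the thread
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TemplateSam,
        [Parameter(Mandatory)] [string] $NewSam,
        [Parameter(Mandatory)] [string] $NewName,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        # Groups never inherited from a template (assumed list; adjust per environment)
        [string[]] $DenyGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    # memberOf holds the DNs of the template's groups; the primary group is not listed in it
    $template = Get-ADUser -Identity $TemplateSam -Properties memberOf

    # -Instance does not carry group memberships over, so they are handled separately below
    if ($PSCmdlet.ShouldProcess($NewSam, 'Create user from template')) {
        New-ADUser -Name $NewName -SamAccountName $NewSam -UserPrincipalName $UserPrincipalName `
            -AccountPassword $Password -Path $Path -Enabled $true -Instance $template
    }

    # Resolve each DN to a group object, then split into groups to copy and groups to hold back
    $groups  = @($template.memberOf | ForEach-Object { Get-ADGroup -Identity $_ })
    $skipped = @($groups | Where-Object { $DenyGroups -contains $_.Name })
    $toCopy  = @($groups | Where-Object { $DenyGroups -notcontains $_.Name })

    foreach ($g in $skipped) { Write-Warning "Not copying privileged group: $($g.Name)" }

    if ($toCopy -and $PSCmdlet.ShouldProcess($NewSam, "Add to $($toCopy.Count) group(s)")) {
        Add-ADPrincipalGroupMembership -Identity $NewSam -MemberOf $toCopy
    }

    # Return what was copied and what was held back so the change can be reviewed or logged
    [pscustomobject]@{ User = $NewSam; Copied = $toCopy.Name; Skipped = $skipped.Name }
}

# Sample call with the account names from the thread; the UPN is a constructed placeholder.
# -WhatIf previews both the account creation and the group additions without changing AD.
# $secpass = Read-Host 'Password' -AsSecureString
# Copy-ADUserWithGroups -TemplateSam Fcsr -NewSam Fcsr2 -NewName 'FirstLevel2 CSR' `
#     -UserPrincipalName 'fcsr2@example.invalid' -Path 'OU=Users,OU=Contractors,DC=MY,DC=foo,DC=com' `
#     -Password $secpass -WhatIf
```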
