This is the guide, I’ll show you two options on how to bulk create users in Active Directory. Both options allow you to create AD users from a csv file. By using a PowerShell script or a tool you can streamline the user creation process and save yourself lots of time.
In this article.
- Option 1. Bulk Create AD Users with the AD Pro Toolkit
- Option 2. Bulk Create AD Users with PowerShell
- Verify AD User Import
- Bulk Modify Users After Import
Option 1. Bulk Create AD Users with the AD Pro Toolkit
In this first example, I’ll use the AD User Creation Tool that is included with the AD Pro Toolkit. This tool makes it very easy to bulk import users and is a great alternative if you don’t want to deal with PowerShell scripts. Also, there are certain user fields that PowerShell does not support and a 3rd party import tool is needed.
You can download a free trial of the toolkit and try it for yourself.
Below is a summary of how to bulk create Active Directory users with the AD Pro Toolkit.
- Open the “Import Users” Tool.
- Click the “Download CSV Template” button.
- Fill out the CSV file and save it. Use the provided template as a reference.
- Select the “Import Options” button and change any options you need.
- Click “Browse” to select your csv template and click “Run” to start the import.
In the example below, I created 98 AD user accounts, added them to multiple groups, set the users manager and multiple other attributes.
If any accounts from the CSV fail to import it will provide an error in the logs. You can see below I had six accounts that did not create because the logon name already exists.
Requirements
I recommend the follow CSV headers and settings when creating new user accounts. You can remove any column in the CSV that you do not need.
- SamAccountName (required) = This will be the users logon name.
- password (required) = users password. Make sure it meets your password requirements.
- givenName (required) = First name
- sn (required) = Last name
- OU = The organizational unit to add the user accounts into. This is the distinguished name of the OU. If you leave it blank it will import into the default users container.
- DisplayName = This is the users display name.
- Groups = Groups to add the users to. Separate each group with a comma.
- Force Password Change at Next Logon = Click the import options button to enable this for each user.
Download the included CSV template as a reference or starter template.
Here is a screenshot of my CSV file (click to enlarge).
You can download my CSV template here.
Import Options
Under import options you can change the follow settings.
- Enable Users = This will enable the accounts when they are created (on by default).
- Force Password Change = Select this to enable force password change at next logon
- Name = Select this to change the name format to LastName, FirstName.
The GUI tool is a huge time saver and makes importing user accounts into Active Directory super easy. Plus you don’t have to modify any scripts or need PowerShell experience.
The AD Pro Toolkit also includes a Bulk User Update Tool to modify multiple user accounts at once. This is a huge time saver for when you need to mass update user information such as department, telephone number, email addresses, and so on.
Try the AD Pro Toolkit for FREE, download your copy here.
Option 2: Bulk Create AD Users with PowerShell
What you will need:
- PowerShell Active Directory Module loaded – The script I provide will load the module you just need to run it from a computer that has RSAT tools installed or the AD role.
- Rights to create user accounts in Active Directory
- CSV File (See below)
- PowerShell Script (See below)
Step 1: Setup the CSV file
A basic CSV file should have the following headers. Technically you can import new accounts with just the SamAccountName, Name, and the password column but that is not recommended.
- SamAccountName = this will be the users logon name
- password = users password. Make sure it meets your password requirements.
- path = OU where you want to import users to. This is the distinguished name of the OU. If you leave it blank it will import into the default users container.
- GivenName = First name
- Surname = Last name
- Name = Name
- DisplayName = Display Name
Above is an example of my CSV file.
How do you find the OU path?
The OU path is the distinguishedName attribute, to find this open up Active Directory Users and Computers and browse to the OU you want to import to, then right click and select properties then select attribute editor.
Copy the path into the path column in the CSV file.
At this point the CSV file has the required fields, you can jump to step 2 (setting up the PowerShell script) or keep reading to configure optional fields for user accounts.
Add additional user fields to the CSV file.
You may want to include some additional user fields in the CSV. Just know that whatever columns you add to the CSV you will also need to include them in the PowerShell script.
I’ve included several common user fields in the CSV template and PowerShell script.
- UserPrincipalName
- Department
- Description
- Office
- OfficePhone
- EmailAddress
- StreetAddress
- POBox
- City
- State
- PostalCode
- Title
- Company
To add more I recommend looking at the PowerShell new-aduser cmdlet to see which parameters are supported.
I like to keep the name of the headers the same as the new-aduser parameters, it makes it easier to troubleshoot.
At this point, you should have a CSV file configured, and save the file to your local computer.
Step 2: Configure the PowerShell Script
Copy the script below and modify it as needed.
#Import active directory module for running AD cmdlets
#Author: Robert Allen
#Website: activedirectrypro.com
Import-Module activedirectory
#Store the data from ADUsers.csv in the $ADUsers variable
$Users = Import-csv c:\it\users.csv
#Loop through each row containing user details in the CSV file
foreach ($User in $Users) {
# Read user data from each field in each row
# the username is used more often, so to prevent typing, save that in a variable
$Username = $User.SamAccountName
# Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username}) {
#If user does exist, give a warning
Write-Warning "A user account with username $Username already exist in Active Directory."
}
else {
# User does not exist then proceed to create the new user account
# create a hashtable for splatting the parameters
$userProps = @{
SamAccountName = $User.SamAccountName
Path = $User.Path
GivenName = $User.GivenName
Surname = $User.Surname
Initials = $User.Initials
Name = $User.Name
DisplayName = $User.DisplayName
UserPrincipalName = $user.UserPrincipalName
Department = $User.Department
Description = $User.Description
Office = $User.Office
OfficePhone = $User.OfficePhone
StreetAddress = $User.StreetAddress
POBox = $User.POBox
City = $User.City
State = $User.State
PostalCode = $User.PostalCode
Title = $User.Title
Company = $User.Company
Country = $User.Country
EmailAddress = $User.Email
AccountPassword = (ConvertTo-SecureString $User.Password -AsPlainText -Force)
Enabled = $true
ChangePasswordAtLogon = $true
} #end userprops
New-ADUser @userProps
# Write-Host "The user account $User is created." -ForegroundColor Cyan
} #end else
}
You will need to modify the path to the CSV file you saved from step 1 (unless it matches what I have in the script).
$ADUsers = Import-csv C:\it\bulk_import.csv
By default, the script sets the accounts to enable. You can change this by setting Enabled to false
Enabled = $false
By default, the script sets the accounts to change password at the next logon. To change this set “ChangePasswordAtlogon to false.
ChangePasswordAtLogon = $false
That should do it for configuring the script. It’s pretty much ready to go as is.
Step 3: Run the PowerShell Script to import the accounts
At this point, the CSV file should be setup with the user’s information and the Powershell script should be modified (if needed)
Now it’s time to execute the script.
In PowerShell ISE just click the green button to run the script. If you saved the script to a ps1 file just run the script instead of running directly from ISE.
It will return the prompt when completed. Any errors will be displayed in the console.
Now check Active Directory to verify the accounts imported.
Verify AD User Import
This step is optional but I like to list all accounts from the domain or OU I imported to as a way to verify the import. It’s also useful for getting a list of user accounts and exporting it to csv.
Below is the PowerShell command to get all domain users. The results are sent to a gridview to make it easier to read.
You can add or remove whatever user attributes you need.
Get-ADUser -filter * -properties * | select-object samaccountname, givenname, surname,streetaddress,st,physicalDeliveryOfficeName,manager,mail,title,company,whenCreated
Another option is to use the user export tool that is included in the AD Pro Toolkit. You can select to list all domain users, users from an OU or from a group. You can also easily add or remove columns to the report.
Bulk Modify Users After Import
What if you made an error during the import or forgot to include user details in the CSV?
No worries, you can bulk modify user accounts after the import completes. You can use PowerShell and the GUI tool to bulk update existing AD users. Check out the guides and resources below.
The AD Pro Toolkit includes the Bulk Updater Tool. It also works by using a CSV file, just fill it out and run the tool to bulk modify user attributes.
Additional Resources
- LDAP Mapping – Shows a mapping of the user fields in the Active Directory User and Computer console to their LDAP attribute names.
- Active Directory Pro Documentation – Guides and examples on how to use the AD Pro Toolkit.
Manager = $User.Manager
how to add those fields without error
Hi, I get this error on every line:
New-ADUser : Directory object not found
At line:33 char:10
+ New-ADUser @userProps
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (CN=Tom Jones…domain,DC=com:String) [New-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.NewADUser
Every csv line is typically like this (except for the header which appears only once):
SamAccountName,password,path,GivenName,Surname,Name,DisplayName
Tom,password,”CN=Tom Jones,CN=Users,DC=domain,DC=com”,Tom,Jones,Tom Jones,Tom Jones
I would double check the -path value.
Country = $User.Country
MobilePhone = $User.MobilePhone
Manager = $User.Manager
how to add those fields without error
New-ADUser : Identity info provided in the extended attribute: ‘Manager’ could not be resolved. Reason: ‘Cannot find an object with identity:
anyone can help ?
Figured it out… There were blank rows with commas in my CSV. This post pointed me some-what in the right direction: https://stackoverflow.com/questions/69985192/powershell-automation-script-update-ad-error-the-search-filter-is-not-recognized
Hi,
Seeing the below error multiple times:
Get-ADUser : The search filter cannot be recognized
At C:\path\to\ps\file:14 char:9
+ if (Get-ADUser -Filter {SamAccountName -eq $Username}) {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADUser
Doesn’t appear to be preventing the creation of the user account and am getting the warning message that the user exists so it does seem like the filter is doing something. Any ideas how to get it from popping up? Thank you!
Getting the following error on all lines:
Get-ADUser : Variable: ‘Username’ found in expression: $Username is not defined.
At C:\bulk_import_script.ps1:14 char:9
+ if (Get-ADUser -F {Username -eq $Username}) {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
Hi Robert Allen,
Thank you sharing. This script is work but I found a result issue e.g. In the CSV file, I input mark1@mydomain.com but my result is mark@yourdomain.com
How to fix the result to mydomain.com?
Note: In my servers, there are more than one authoritative domains.
Can we skip adding an attribute to @userProps if that attribute has blank value in Csv file?
Yes
Error–UserPrincipalName: The term “-userPrincipalname” is not recognized as the name of a cmdlet.
-UserPrincipalName “$Username@domain.com” `
Hi.
Is anyone find how to update also the Country?
Thanks,
Rafael Almeida
User Ranjan Sahoo: Error while saving user. Access is denied.
I got this error, anyone help pls
New-ADUser : The server is unwilling to process the request
At line:43 char:9
+ New-ADUser `
+ ~~~~~~~~~~~~
hi
Is there a way to add home directory and home drive from this script
Previusly it was working perfectly, But now last 2 week i’m getting this error could you please look into this.
WARNING: Error initializing default drive: ‘Unable to find a default server with Active Directory Web Services running.’.
Get-ADUser : Unable to find a default server with Active Directory Web Services running.
At line:23 char:6
+ if (Get-ADUser -F {SamAccountName -eq $Username})
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADUser
Server is down. Restart server.
THank for Sharing
But if i want add group in the csv file . so How can i do
can you sharing with powershell ???
Bulk tool throws error, no matter what csv is used:
2021-04-29 14:18:05.9174|FATAL|Bulk_User_Creator.Form1|You can ignore bad data by setting BadDataFound to null.
2021-04-29 14:18:05.9174|FATAL|Bulk_User_Creator.Form1|You can ignore bad data by setting BadDataFound to null.
2021-04-29 14:18:05.9327|FATAL|Bulk_User_Creator.Form1| at CsvHelper.CsvParser.Read()
at CsvHelper.CsvReader.Read()
at CsvHelper.CsvReader.d__63`1.MoveNext()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at Bulk_User_Creator.Form1.BeginUserCreation()
Ivan, send me an email with the csv.
Good script.
Modified some little stuff :
Adding -Encoding UTF8 to the Import-CSV.
No funky char for non-english
Adding $SAMAccountName = try { $Username.substring(0, 20) } catch [ArgumentOutOfRangeException] { $Username }
Add Flexibility for long username but prevent errors by trunking it for the SAMAccountName.
Good stuff. Thanks for sharing.
Hello,
What if I want to add in the attribute „adminDescription”
What should it look like?
{‘adminDescription’=noemail} ?
Thanks,
I know this isn’t the best way to do this but this is what they want us to do.
We have about 1200 accounts we need to create from a company we are merging with.
These folks will not be logging into our domain, and they want them to have their company email address.
Firstname Lastname Email Address EmployeeID
John Smith Jsmith@othercompany.com 12345
I wanted to just create contacts for these user, but they are insisting that we include the employee ID.
Will your script allow me to do this?
If it will All of these users will go into the same OU. Can I change this line:
-Path $OU `
to read
-Path “OU=Users,OU=Parent OU,OU=Grandparent OU,DC=WGI,DC=local
Thanks for your help on this, and this script. It has been very helpful in the past.
Hi
Yes, you just need to put that path in the CSV OU column.
Hello,
On a AWS AD Server, and receiving this error :
-AccountPassword : The term ‘-AccountPassword’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or
if a path was included, verify that the path is correct and try again.
Thanks
Get-ADUser : Zmienna: „Username” znaleziona w wyrażeniu $Username nie jest zdefiniowana.
At line:31 char:6
+ if (Get-ADUser -Filter {SamAccountName -eq $Username})
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
PS C:\Users\Administrator>
Will this work for creating local users?
This is just for creating users in Active Directory.
when i run you script i get this error can you assist.
-Description : The term ‘-Description’ is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:52 char:13
+ -Description $description
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (-Description:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
ConvertTo-SecureString : Cannot bind argument to parameter ‘String’ because it is null.
At line:54 char:54
+ … -AccountPassword (convertto-securestring $Password8 -AsPlai …
+ ~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertToSecureS
tringCommand
New-ADUser : The password does not meet the length, complexity, or history requirement of the domain.
At line:35 char:3
+ New-ADUser `
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (CN=Sam smith,CN…=hra,DC=nycnet :String) [New-ADUser], ADPasswordComplexityExc
eption
+ FullyQualifiedErrorId : ActiveDirectoryServer:1325,Microsoft.ActiveDirectory.Management.Commands.NewADUser
-Description : The term ‘-Description’ is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:52 char:13
+ -Description $description
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (-Description:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
ConvertTo-SecureString : Cannot bind argument to parameter ‘String’ because it is null.
At line:54 char:54
+ … -AccountPassword (convertto-securestring $Password8 -AsPlai …
+ ~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertToSecureS
tringCommand
Thank you! works
hey ,
you have any video or document from that i can learn how to make a script for adding bulk user in AD with .bat file ?
Why do you want to use .bat file? The best option for creating bulk users is to use PowerShell or the GUI tool I created.
Is there any script available that creates bulk ad-users and copies the properties from a template user?