Automating employee onboarding in Active Directory

| By:
Guest Author

Employee onboarding is a task that is ripe for automation. Spend any time in the tech industry and you know that Active Directory (AD) helps improve workflow and operational services. In other words, it’s critical to an IT organization. When hired, every employee should be given an Active Directory user account, an email mailbox, access to various operating systems, a home folder with specific permissions available only to them, and so on.

However, AD is a big part of employee onboarding that many organizations are still doing manually. In many companies, the helpdesk is still manually opening Active Directory Users & Computers, creating a new user, and adding that user to a specific set of groups. This ultimately increases the risk of messing up that person’s other responsibilities within their account. Again, this is something automation can alleviate!

Because staff onboarding is one of those tasks that’s performed hundreds of times and rarely changes, it’s a perfect candidate for automation.

So, how do you go about automating onboarding in AD?

One of the easiest ways to automate AD tasks is with PowerShell – an automating management structure. By using a freely available PowerShell module, you can create scripts to do just about anything with AD.

For our purposes, we need to create a script to make a new user account for an employee and potentially add it to a few common groups. To do this, download a copy of Remote Server Administration Tools (RSAT) which will give you the Active Directory PowerShell module. Once you do this, ensure you're on a company domain-joined computer and that you have the appropriate rights to create new users.

In the Active Directory PowerShell module, there is a command called “New-AdUser.” There are lots of ways to use this command but below is one of the most common ways. In this PowerShell code, we’ll generate a random password and then use it along with a first name, last name and username to create a new AD user.

Here’s an example of what this code looks like:

  • $password = [System.Web.Security.Membership]::GeneratePassword((Get-Random -Minimum 20 -Maximum 32), 3)
  • $secPw = ConvertTo-SecureString -String $password -AsPlainText -Force
  • $NewUserParameters = @{
  • GivenName = 'Adam'
  • Surname = 'Bertram'
  • Name = 'abertram'
  • Name = 'abertram'
  • }
  • New-AdUser @NewUserParameters

That's it! No mouse clicking involved.

Once the above actions have been completed, we can move on to another useful AD onboarding command called “Add-AdGroupMember.” This will add the user that was just created to a few groups in a single line:

  • Add-AdGroupMember -Identity 'Accounting','Access to App1' -Members 'abertram'

One of the great things about automating employee onboarding with PowerShell is that once the code is built, it can be used for one – or even one hundred – employees with no extra effort.

For example, perhaps you have a ton of new employees you need provision for in AD. By using the “Import-CSV” command, you can read each row in that CSV file and run the code we just went over.

This example assumes you have a CSV with the columns “FirstName” and “LastName.”

Here it is exemplified below:

  • Import-Csv -Path C:\Employees.csv | foreach {
  • $password = [System.Web.Security.Membership]::GeneratePassword((Get-Random -Minimum 20 -Maximum 32), 3)
  • $secPw = ConvertTo-SecureString -String $password -AsPlainText -Force
  • $userName = '{0}{1}' -f $_.FirstName.Substring(0,1),$_.LastName
  • $NewUserParameters = @{
  • GivenName = $_.FirstName
  • Surname = $_.LastName
  • Name = $userName
  • AccountPassword = $secPw
  • }
  • New-AdUser @NewUserParameters
  • Add-AdGroupMember -Identity 'Accounting','Access to App1' -Members $userName
  • }

These are only a few of the many user onboarding tools available when you automate employee onboarding in Active Directory. If your organization has a predefined process with specific rules that must be followed, this could be just the beginning of a much larger employee onboarding process that can be 100% automated. For further information and best practices for securing active directory, download Remote Server Administration Tools and sign up for a free trial of ConnectWise Automate®.

Adam Bertram is an independent thinker, consultant, and entrepreneur. He’s passionate about solving technical problems through automation and sharing his knowledge with the world.