Thursday, September 15, 2011

Adding local users (and to a group) via PowerShell

After researching numerous sites over a two-day period, I've finally figured out how to use PowerShell, write a PS script, and complete the transition of users from one local server to another, and add those users to a group on the new server. Here are the steps necessary to complete the task:

1. Ensure PowerShell is allowed to run scripts, either by running the PS command set-executionpolicy unrestricted or by setting the registry value directly. (RemoteSigned is enough for a script you wrote on the server itself; Unrestricted additionally lets downloaded scripts run after a prompt, which this task doesn't need.) I found out that the UAC stops this regkey from being created, so I manually added the string value of Unrestricted in the HKLM\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell key (the value is named ExecutionPolicy).

2. No matter what security privileges your account has on the computer, ALWAYS run PowerShell as Administrator (right-click, Run as Administrator). Even if you are in the Administrators group, UAC gives a normally started shell a filtered token, so writing to HKLM and creating local accounts will fail until you elevate.

3. All PowerShell scripts have the extension .PS1. Ensure you name your script file accordingly. Also, when running the script, prefix its name with the current folder . and a backslash \, because PowerShell does not look in the current directory for commands. For instance, I created a folder off the root called PowerShell. To run a script from that folder, cd into it and type .\scriptname.ps1.

4. Create a CSV from your old server by going to the Computer Management MMC, clicking on Local Users and Groups, right-clicking on the Users folder, and selecting Export List. The resulting file is tab-delimited and will need to be converted to a comma-delimited one. Use Excel to do this conversion (open the exported file and save it as CSV).

5. Once you have a comma separated list of users, make the first line of the file a header with three column names: Users, FullName, and Description, separated by commas. The script below reads the columns by these names. Your CSV file should look something like this:

Users,FullName,Description
Bob,Bob Smith,Accountant
Jane,Jane Thomas,HR Lead
etc...

6. Create a script similar to this:

$target = [adsi]"WinNT://ComputerName"          # the local account database of the server
$group = [adsi]"WinNT://ComputerName/Group1"    # the existing group the new users will join
Import-CSV users.csv|foreach {
# $_ is the current CSV row; the column heading is "Users", so the property is $_.Users
$newuser = $target.Create("user",$_.Users)
# NOTE: every account gets the same hard-coded initial password; change it per user
$newuser.SetPassword("P@ssW0rd")
$newuser.SetInfo()
$newuser.InvokeSet("FullName",$_.FullName)
$newuser.SetInfo()
$newuser.InvokeSet("Description",$_.Description)
$newuser.SetInfo()
$user = "WinNT://ComputerName/" + $_.Users     # ADsPath of the account just created
$group.Add($user)
}

Change ComputerName to your server's name. You can abbreviate your server name with . (i.e. WinNT://.), but I found the add-user-to-group section didn't work unless I explicitly named the server.

Inside the foreach loop, $_ is the current row of the CSV file, and $_.FullName (for example) pulls the value from the column whose heading is FullName.

7. Ensure you've already created the group you want all the new users to be a part of; the script does not create it. If you don't want them in any special group, you can edit the script and place # in front of each line that pertains to the group addition. # is the comment character, and PS ignores the rest of that line.

8. Run the script, ensuring you've pointed it to the correct location of your CSV file. If you've done everything right, you'll simply see PS run the commands and return to the prompt. If something is wrong, you'll see the errors in red text.

9. As a precaution, once you've run your script, run set-executionpolicy restricted again so scripts are not run on the server by accident. Keep in mind that the execution policy is a safety catch, not a security boundary: anyone who can start powershell.exe can pass -ExecutionPolicy Bypass or paste the script contents into the console. On PowerShell 2.0 and later you can avoid changing the machine-wide setting at all with Set-ExecutionPolicy -Scope Process RemoteSigned, which only lasts for the current window.
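As an added example (not the script from this post), here is the same procedure written with the checks an administrator would want before running it on a production server: it refuses to run without an elevated token, refuses to run if the group does not exist, skips accounts that already exist so the script can be re-run safely, gives each user a different random initial password that must be changed at first logon instead of one shared password stored in the script, and verifies group membership at the end. It assumes the CSV columns Users, FullName and Description from step 5; the defaults for $CsvPath, $Computer and $GroupName are placeholders, not values from the post.

```powershell
# Added example, not the original post's script. Creates the users listed in a
# CSV on a local server, gives each a unique random initial password that must
# be changed at first logon, adds them to a group, and verifies membership.
# Assumed: CSV columns Users,FullName,Description (as in the post); the
# parameter defaults below are placeholders to change for your server.
param(
    [string]$CsvPath   = ".\users.csv",
    [string]$Computer  = $env:COMPUTERNAME,   # use the real name; "." breaks $group.Add
    [string]$GroupName = "Group1"
)

# Creating local accounts needs an elevated token. Under UAC a normally started
# shell runs with a filtered token, so fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Start PowerShell with 'Run as Administrator' before running this script."
}

# Refuse to run against a group that does not exist rather than failing per user.
$groupPath = "WinNT://$Computer/$GroupName,group"
if (-not [ADSI]::Exists($groupPath)) {
    throw "Group '$GroupName' does not exist on $Computer; create it first."
}
$target = [adsi]"WinNT://$Computer"
$group  = [adsi]$groupPath

Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword

function Get-GroupMemberNames {
    # Enumerate member names through the COM interface; works on PowerShell 2.0
    @($group.psbase.Invoke("Members") |
        ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) })
}

$results = foreach ($row in Import-Csv $CsvPath) {
    $name = "$($row.Users)".Trim()
    if (-not $name) { continue }            # skip blank rows
    $userPath = "WinNT://$Computer/$name,user"
    $password = $null

    if ([ADSI]::Exists($userPath)) {
        # Re-runs must not reset passwords or clobber existing accounts
        Write-Warning "$name already exists on $Computer; leaving the account unchanged."
    } else {
        # 16 chars, at least 4 non-alphanumeric, different for every user and
        # never written into the script itself
        $password = [System.Web.Security.Membership]::GeneratePassword(16, 4)
        $newUser  = $target.Create("User", $name)
        $newUser.SetPassword($password)
        $newUser.SetInfo()
        $newUser.psbase.InvokeSet("FullName",    $row.FullName)
        $newUser.psbase.InvokeSet("Description", $row.Description)
        $newUser.psbase.InvokeSet("PasswordExpired", 1)   # must change at first logon
        $newUser.SetInfo()
    }

    # Add to the group only if not already a member (keeps re-runs quiet)
    if ((Get-GroupMemberNames) -notcontains $name) {
        $group.Add($userPath)
    }

    New-Object PSObject -Property @{
        User            = $name
        Created         = [bool]$password
        InitialPassword = $password
    }
}

# Verify: every user from the CSV should now be a member of the group.
$members = Get-GroupMemberNames
$missing = @($results | Where-Object { $members -notcontains $_.User })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.User }) -join ", "
    Write-Error "Not added to ${GroupName}: $names"
}

# Hand the initial passwords to the users out of band; do not leave this
# output sitting in a console transcript.
$results | Format-Table User, Created, InitialPassword -AutoSize
```

Save it as, for example, Add-LocalUsers.ps1 (the file name is an assumption), then from an elevated PowerShell run Set-ExecutionPolicy -Scope Process RemoteSigned followed by .\Add-LocalUsers.ps1 -CsvPath .\users.csv -Computer SERVER01 -GroupName Group1 with your own server and group names. The per-user random password plus PasswordExpired goes beyond the original script on purpose: a single password shared by every migrated account and visible in a script on disk is the kind of thing that turns up in a later incident, and forcing a change at first logon means the value you hand out is never the long-term credential.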

Hope this helps you save time. Enjoy PowerShell; it's very powerful.