PowerShell allows you to read, write and update Active Directory Objects. In conjunction with PowerShell's many other advanced features this provides a great environment to manage your AD, and to automate tasks.

To Create a user object:

First we need to set a variable to hold the domain object, and link the instance to the domain.

PS C:\> $domain = [ADSI] "LDAP://main:389/dc=domain,dc=local"

This will allow you to interact with AD from using this $domain variable.

You can list the root of your domain by typing:

PS C:\> $domain.psbase.Get_children()

This will list the root containers in your active directory by Distinguished Name.

To get more information about a specific branch in the directory we can associate that branch to a new variable.

$usersOU = [ADSI] "LDAP://CN=Users,DC=domain,DC=local"

and then again using the "psbase.Get_children()"

$usersOU.psbase.Get_children()

This will list all the AD objects (users and computers) in the OU.

Lets finish off by creating a user.

PS C:\> $newUser = $usersOU.Create("user","cn=MyNewUser")
PS C:\> $newUser.put("title", "PowerShell Test Account")
PS C:\> $newUser.put("employeeID", 123)
PS C:\> $newUser.put("description", "Test User Account for LazyAdmin Demo")
PS C:\> $newUser.SetInfo()

Now If you enter this into your command prompt you may get an access denied error:

This is usually because you're not logged into the domain with an account that has sufficient privileges to create a computer account.

Launch a PowerShell window with an account that has the correct permissions:

runas /env /user:administrator@domain.local "powershell.exe"

You'll have to bind to the OU again, and re-enter the information for the user object.

Looking at the DC we can see that the user has been created: