PowerShell create AD group in specific OU

In PowerShell, it is relatively easy to create user accounts and groups, add users to groups or remove users from groups. In order for the cmdlets to be available, the corresponding PowerShell module must be installed on the client or server.

Installing the PowerShell module for Active Directory administration

On domain controllers, the PowerShell module is automatically installed with the other management tools. On Windows 10 and Windows 11 machines, the installation is done through the Features on Demand feature. The settings for this can be found in the Settings apps of Windows 10 and Windows 11. These optional features are available via Settings\Apps. Via this, the RSAT: Tools for Active Directory Domain Services and Lightweight Directory Services are available as part of the RSAT Tools. With Windows 11, you also have to click on Show features.

With the Install button, the integration of the module takes place. By installing this feature, the PowerShell module for Active Directory is also available.

Installing the Active Directory module for PowerShell in Windows 10

On servers, installation is done by adding the Remote Administration Tools for Active Directory in Server Manager. Alternatively, the Windows Admin Center can be used to add the Active Directory Extension. 

On Windows servers, the Active Directory management tools can also be installed using PowerShell. For this purpose the command Install-WindowsFeature RSAT-AD-PowerShell is used.

The Add-AdGroupMember takes for its -Member parameter an (array of) values. These must be either the users DistinguishedName, ObjectGUID, ObjectSID, SamAccountName or a Microsoft.ActiveDirectory.Management.ADUser object.

You are feeding it the $user object from your CSV, which has none of these properties. The way to go there is to capture the result of the New-ADUser cmdlet in a variable and use that (or one of the above mentioned properties from that) object for the -Member parameter.

Also, I would strongly advise to use Splatting the parameters so you don't have to create those horrible long lines of code where mistakes can be made quite easily.

Try:

$userParams = @{ # you forgot this one SamAccountName = $user.Achternaam # and UserPrincipalName must have format: username@domain name (UPN suffix) UserPrincipalName = '{0}@asgard.com' -f $user.Achternaam Name = '{0} {1}' -f $user.Voornaam, $user.Achternaam GivenName = $user.Voornaam Surname = $user.Achternaam AccountPassword = $password ProfilePath = '\\Thor\UserProfiles\{0}' -f $user.Achternaam Path = 'OU={0},OU={1},OU=Asgard,DC=Asgard,DC=com' -f $user.Locatie, $user.Afdeling Homedrive = 'D' Homedirectory = '\\Thor\UserData\{0}' -f $user.Achternaam OfficePhone = '+31{0}'-f $user.Telefoon Office = $user.Locatie Department = $user.Afdeling Title = $user.Functie PasswordNeverExpires = $True ChangePasswordAtLogon = $False Enabled = $True } $ADUser = New-ADUser @userParams -PassThru # use PassThru to capture the newly created user

Now that you have an ADUser object, you can use that on the Add-ADGroupMember line:

Add-ADGroupMember -Identity $globalgroup -Members $ADUser

P.S. It is also advisable to first check if a user with that SamAccountName already exists in the domain, and if so output a warning and skip that user. For that use:

foreach ($user in $users) { $ADUSer = Get-ADUser -Filter "SamAccountName -eq '$($user.Achternaam)'" -ErrorAction SilentlyContinue if ($ADUser) { Write-Warning "A user '$($user.Achternaam)' already exists in the domain" continue # skip this user and proceed with the next one } # here the rest of the code }

---

O yes, the reason why New-ADUser failed was:

• You didn't specify the (required) SamAccountName
• The UserPrincipalName was syntactically wrong (see inline comment)

How do I add an AD to a specific OU?

How do I create AD group in PowerShell?

How do I create an OU in Active Directory using PowerShell?

How do you get a list of all groups from a specific OU?