Native Bulk User Creation vs Netwrix GroupID
95% of Fortune 500 companies rely on Active Directory (AD). Launched in 1999, AD is a foundational component of all business – you’ll find it in government, at schools, and in IT environments of every type. Of course, it’s also in the cloud with Azure AD.
Creating users in AD and Azure AD is easy. It becomes tedious and a notable security risk when hundreds, thousands, and tens of thousands of users are created – which happens all the time. Add to that the groups that are stood up every day and the crisis is real.
One easy fix is creating bulk users with PowerShell.
Create Bulk Users in Active Directory via PowerShell
A common way to reduce the security risk posed by manual user creation is bulk user creation in Active Directory via PowerShell. To do that, you need Windows PowerShell ISE and the Active Directory module for PowerShell installed on your system, plus administrative rights to create user accounts in Active Directory.
Step 1: Create a CSV file
To create users via PowerShell, you need to create a CSV file featuring your users’ data. The data fields in the file are the following:
- SAMAccount
- FirstName
- LastName
- Password
- OU (Organizational Unit)
You can add more fields if you want to. Your CSV file should have one header row with these field names, followed by one row per user.
Once the file is updated, you need to save it to a location of your choice. Note down the pathway of this file as it will be required in the next step.
Step 2: Modify PowerShell Script
The Active Directory module for PowerShell provides the New-ADUser cmdlet; the script below loops over the rows of your CSV file and calls it once per user. All you need to do is modify that script according to your data and run it in Windows PowerShell ISE.
Copy the following command and paste it into Windows PowerShell ISE:
```powershell
# Import Active Directory module for running AD cmdlets
Import-Module ActiveDirectory

# Store the data from your file in the $ADUsers variable
$ADUsers = Import-Csv <fileandpath>

# Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers) {
    # Read user data from each field in each row and assign the data to a variable as below
    $Username      = $User.username
    $Password      = $User.password
    $Firstname     = $User.firstname
    $Lastname      = $User.lastname
    $OU            = $User.ou
    $email         = $User.email
    $streetaddress = $User.streetaddress
    $city          = $User.city
    $zipcode       = $User.zipcode      # read but not passed to New-ADUser below
    $state         = $User.state
    $country       = $User.country      # read but not passed to New-ADUser below
    $telephone     = $User.telephone
    $jobtitle      = $User.jobtitle
    $company       = $User.company
    $department    = $User.department

    # Check to see if the user already exists in AD
    if (Get-ADUser -Filter "SamAccountName -eq '$Username'") {
        # If the user does exist, give a warning
        Write-Warning "A user account with username $Username already exists in Active Directory."
    }
    else {
        # User does not exist, so proceed to create the new user account.
        # The account is created in the OU provided by the $OU variable read from the CSV file.
        New-ADUser `
            -SamAccountName $Username `
            -UserPrincipalName "$Username@<domain>" `
            -Name "$Firstname $Lastname" `
            -GivenName $Firstname `
            -Surname $Lastname `
            -Enabled $True `
            -DisplayName "$Lastname, $Firstname" `
            -Path $OU `
            -City $city `
            -Company $company `
            -State $state `
            -StreetAddress $streetaddress `
            -OfficePhone $telephone `
            -EmailAddress $email `
            -Title $jobtitle `
            -Department $department `
            -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
            -ChangePasswordAtLogon $True
    }
}
```
The following fields need to have your file details.
- <fileandpath> – Add the file path where you have saved your csv file.
- <domain> – Enter the domain name of your Active Directory server.
You also need to modify the field names according to your data source so that PowerShell can read your data. For example, if the username column in your data source is named “LoginName”, change this line:
$Username = $User.username
to:
$Username = $User.LoginName
Step 3: Run the Script
Now that you have modified the script, you can run the command by clicking the green play button on the top.
If an account is already present in the directory, you will receive a warning message about that user and it will not be created. Once the import is complete, you can launch ADUC, go to the specified OU and domain, and verify that the users have been created successfully.
Creating users through PowerShell is straightforward and gives you more flexibility. But if you do not have good scripting skills, you might find it complicated.
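As an added example (not code from the original post or from Netwrix), the following is a hardened variant of the Step 2 script, written from the defender's side. It assumes a CSV whose header is SamAccountName,FirstName,LastName,OU (the fields listed in Step 1, with the password column dropped), a placeholder UPN suffix such as corp.example.com, and the ActiveDirectory module; the function names New-BulkADUser and New-RandomInitialPassword are the example's own. It differs from the page's script in the three ways that matter most in practice: the CSV carries no passwords, every row is validated before anything is written to the directory, and -WhatIf gives a read-only dry run whose outcome per row is logged.

```powershell
# Added example, not the original post's script. Assumes the ActiveDirectory module
# and a CSV with header: SamAccountName,FirstName,LastName,OU
#Requires -Modules ActiveDirectory

function New-RandomInitialPassword {
    param([int]$Length = 16)
    # 64 symbols, so "byte % 64" maps uniformly (no modulo bias)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # retry until the default AD complexity rule (3 of 4 classes) is guaranteed
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]')
    }
    finally { $rng.Dispose() }
    return $pw
}

function New-BulkADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [Parameter(Mandatory = $true)][string]$UpnSuffix,   # e.g. 'corp.example.com' (placeholder)
        [string]$LogPath = '.\bulk-user-results.csv'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }
    $columns = $rows[0].PSObject.Properties.Name
    $missing = @('SamAccountName', 'FirstName', 'LastName', 'OU') | Where-Object { $columns -notcontains $_ }
    if ($missing) { throw "CSV is missing required column(s): $($missing -join ', ')" }

    $results = foreach ($row in $rows) {
        $sam = "$($row.SamAccountName)".Trim()
        $status = 'Created'; $detail = ''; $plain = $null
        try {
            # sAMAccountName is at most 20 characters; the strict character set also keeps
            # the value safe to interpolate into the -Filter string below
            if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') { throw "invalid SamAccountName '$sam'" }

            if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction Stop) {
                $status = 'Skipped'; $detail = 'already exists'
            }
            else {
                # fail this row early if the OU named in the CSV does not exist (typo or stale DN)
                $null = Get-ADOrganizationalUnit -Identity $row.OU -ErrorAction Stop

                if ($PSCmdlet.ShouldProcess($sam, "Create user in $($row.OU)")) {
                    $plain  = New-RandomInitialPassword
                    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
                    New-ADUser -SamAccountName $sam `
                        -UserPrincipalName "$sam@$UpnSuffix" `
                        -Name "$($row.FirstName) $($row.LastName)" `
                        -GivenName $row.FirstName -Surname $row.LastName `
                        -DisplayName "$($row.LastName), $($row.FirstName)" `
                        -Path $row.OU -AccountPassword $secure `
                        -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
                }
                else { $status = 'WhatIf' }
            }
        }
        catch { $status = 'Failed'; $detail = $_.Exception.Message }

        [pscustomobject]@{ SamAccountName = $sam; Status = $status; Detail = $detail; InitialPassword = $plain }
    }

    # The on-disk log never contains passwords; they exist only in the returned objects.
    $results | Select-Object -Property SamAccountName, Status, Detail |
        Export-Csv -Path $LogPath -NoTypeInformation
    return $results
}

# Dry run against a constructed sample CSV (placeholder OU DN and UPN suffix);
# the second row is deliberately malformed to show the validation path.
@'
SamAccountName,FirstName,LastName,OU
jdoe,Jane,Doe,"OU=Staff,DC=corp,DC=example,DC=com"
bad name!,Bad,Name,"OU=Staff,DC=corp,DC=example,DC=com"
'@ | Set-Content -Path .\sample-users.csv
New-BulkADUser -CsvPath .\sample-users.csv -UpnSuffix 'corp.example.com' -WhatIf | Format-Table
```

Run it first with -WhatIf: the directory is only read, and the results show which rows would be created, skipped or rejected. Without -WhatIf, the returned objects carry each new account's initial password; hand those over through a separate channel rather than persisting them, and -ChangePasswordAtLogon ensures they are rotated on first use.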
Create Bulk Users in Azure AD
Similarly, Azure provides an option for bulk user creation in Azure Active Directory. The entire process requires no complicated scripting. You need to sign in as a User Administrator or Global Administrator to execute a bulk operation.
Following are the steps for creating users in bulk in Azure AD:
- Sign into the Azure portal, navigate to Users, and you will see the Bulk Operations option on the top.
- Click Bulk Operations.
- Select Bulk Create.
Step 1: Prepare the CSV file
You will get a bulk user creation wizard where you need to download the CSV template and fill in your data into that template. The CSV template contains most of the common attributes that are required to create a user, such as:
- SAMAccountName
- Password
- OU (Organizational Unit)
- First Name
- Last Name
- Description
- Country
- Postal Code
You can update that template and add new attributes, add users’ information, and save the file. Once it’s updated, you can rename and save it anywhere.
Step 2: Upload CSV file
Once the file is updated, upload it to the “Upload your File” option.
Azure will immediately start creating users from the data source and within a few seconds, you can view the logs from the notification bar on the top. The logs will display successful and unsuccessful outcomes, presenting a statistical overview of the user accounts created. All the users will also be listed in the Users tab for you to verify.
Synchronize – A Better Alternative for Bulk User Creation
Bulk user creation has relieved organizations from the huge manual work to create one user at a time. What if there is a tool that provides a solution for bulk user creation but with much more advanced options to work with different kinds of data sources?
GroupID Synchronize answers this question easily. It is a synchronization engine with a very intuitive GUI. You can provision, edit, and deprovision users with a few simple steps.
Synchronize supports the following providers:
- 3rd Party Switchvox Provider
- Adacel View500
- Generic LDAP version 3.0
- Lotus Notes (LDAP)
- Microsoft Access Driver (.mdb, .accdb)
- Microsoft Active Directory (LDAP)
- Microsoft Excel Driver (.xls, .xlsx)
- Microsoft SQL Server
- Microsoft Text Driver (.txt, .csv)
- Novell Directory Services (LDAP)
- ODBC Data Source
- Oracle
- Sun ONE Directory Server/iPlanet (LDAP)
Bulk User Creation in AD via Synchronize
Synchronize directly connects two data sources through a job. It does not use or require a staging area or meta directory. A job defines the connection information needed to access each data source, how the data is related and how the data should flow. Following is the step-by-step process for bulk user creation in Active Directory:
- Enter connection details for the source and destination providers.
- Modify the data and connection settings of the source provider.
- Choose the object type(s) you want to create, for example, user.
- Select the required fields for bulk user creation.
- Transform data prior to saving it to the destination.
- Set notifications for the job.
- Preview the job before running it.
Let’s get into the details of each of these steps.
Enter Source & Destination Providers’ details
You start by creating a new job in Synchronize. The job wizard will ask you to provide data source and destination provider information. For example, in the case of a CSV file, you will have to enter the pathway and specify a delimiter that can be used as a separator in a CSV file.
If you have added Active Directory as your provider, you will have to enter the name of the domain controller, the credentials to use to connect to it, etc.
Modify Data or Connection Settings of Source Provider
You can also go to advanced options to modify the data and connection settings of your source and destination providers.
Schema
Schema settings allow you to modify the Display and Field names of the selected source or destination provider. You can also save your schema settings to an XML file, which you can use to import the schema for data sources in other jobs that you define.
Connections Settings
The Settings tab displays the connection settings in key-value pairs. The Key column displays the setting name and the Value column shows its current value. Double-click a value to modify it.
Create Different Object Types
Synchronize allows you to create different types of objects. You can also specify the action to take if the data or object being exported from the source does not exist at the destination.
A messaging provider must be configured so that the Synchronize job can create mail-enabled objects at the destination directory. Synchronize allows subscriptions from Office 365 and G-Suite messaging providers.
Option to Select Few Fields for Bulk User Creation
Sometimes you just need a few attributes to create users. As your destination may contain a huge number of attributes for each user, Synchronize gives you the option to select a few fields of your choice to create users.
Transform Data Prior to Saving it in Destination
Once the fields are selected, you can further manipulate the source data before saving it to the destination. You can:
- Combine the values of two source fields into one destination field.
- Extract a set of characters from field values using Substring and Left transform.
- Assign a string constant to a field regardless of source restrictions.
- Write your transformation scripts using the Visual Basic .NET editor.
Job Notifications Set-Up
While creating a job, you can specify the email addresses of the people who should receive job notifications. You can also specify the conditions under which notifications should be sent.
Preview the Job
Once you are done with all the steps, you can preview your results before executing the job. It helps in highlighting any errors and verifying the results. In case of any discrepancy, you can go back to edit the related fields and options instead of doing the job all over again.
Bulk User Update
Usually, there are multiple changes that you need to apply to multiple users. Doing this manually takes a lot of time and can introduce errors that might go unnoticed. To prevent such errors, Synchronize allows you to save the job that you use to create users as a template. The next time there is an update to the users’ fields, you can open that job and edit its synchronization and job scheduling settings.
Directory Synchronization Settings
You can specify whether you want to update all the records each time the job is run, or only those that have changed. For changed records only, you must select the attribute or field in the source that contains the time stamp value.
Job Scheduling
With job scheduling, specify a schedule for the job to run on its own. It does not require the user/administrator to run the job again and again. Instead, they simply receive a notification informing them that the job has been performed.
Conclusion
As organizations go through numerous employee changes daily, they look for options that store their information immediately without manual labor. Active Directory provides some options that may save time and effort. GroupID takes it to the next level and beyond with unparalleled automation.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.