Bulk populate an AD using a CSV file and New-ADUser, including Passwords

Problem: New-ADUser does not work as expected when the password comes from a CSV file (the account stays disabled). Here is an example and the reason.

Prerequisites: import the Active Directory module into your PowerShell session using Import-Module ActiveDirectory



Here is my BulkAddADUsers.csv file sample :



The following command creates the users with the attributes defined above, but because the Password value is not encrypted, the accounts are left disabled.

[PS] C:\users\Administrator.DOMAINA\Desktop>import-CSV .\BulkAddADUsers.csv|New-ADUser




Note that the AD accounts are not enabled: the password was not taken from the CSV file, because New-ADUser requires a SecureString for the password. Here is what you get when you try to enable it:




Solution: type a longer command line using all the New-ADUser properties plus the ConvertTo-SecureString cmdlet

[PS] C:\users\Administrator.DOMAINA\Desktop>import-csv .\BulkAddADUsers.csv | % {New-ADUser -GivenName $_.GivenName -Surname $_.Surname -Name $_.Name -SamAccountName $_.SamAccountName -Description $_.Description -Department $_.Department -EmployeeID $_.EmployeeID -Path $_.Path -Enabled $True -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force) -PasswordNeverExpires $True}




Quod erat demonstrandum.
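The one-liner above, reworked as a pipeline function (an added example, not the author's code): it skips rows whose Password cell is missing or blank instead of failing in ConvertTo-SecureString, passes optional attributes only when the cell has a value, and supports -WhatIf for a dry run. The function name New-BulkADUser is hypothetical, and -ChangePasswordAtLogon is used in place of the article's -PasswordNeverExpires because the initial passwords sit in a plain-text CSV.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
# Column names match the ones used in the article's command.
Import-Module ActiveDirectory

function New-BulkADUser {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Row
    )
    process {
        # A missing Password column yields $null and a blank cell yields '';
        # ConvertTo-SecureString rejects both, so skip the row with a clear message.
        if ([string]::IsNullOrWhiteSpace($Row.Password)) {
            Write-Warning "Skipping '$($Row.SamAccountName)': no password in CSV row."
            return
        }
        $params = @{
            Name                  = $Row.Name
            Enabled               = $true
            AccountPassword       = ConvertTo-SecureString $Row.Password -AsPlainText -Force
            ChangePasswordAtLogon = $true   # differs from the article's -PasswordNeverExpires $True
            ErrorAction           = 'Stop'  # make failures catchable per row
        }
        # Pass optional attributes only when the CSV cell is non-empty.
        $optional = 'GivenName','Surname','SamAccountName','Description',
                    'Department','EmployeeID','Path'
        foreach ($col in $optional) {
            if (-not [string]::IsNullOrWhiteSpace($Row.$col)) { $params[$col] = $Row.$col }
        }
        try {
            if ($PSCmdlet.ShouldProcess($Row.Name, 'Create AD user')) {
                New-ADUser @params
            }
        }
        catch {
            Write-Warning "Failed for '$($Row.Name)': $($_.Exception.Message)"
        }
    }
}

# Dry run first; remove -WhatIf to create the accounts.
Import-Csv .\BulkAddADUsers.csv | New-BulkADUser -WhatIf
```

Once the import succeeds, delete the CSV or restrict access to it, since it still holds every initial password in clear text.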


Comments (13)

  1. Anonymous says:

    @Mahesh (example followup of my answer)

    – So first add a column (or field) on your CSV file named "DisplayName"

    Then populate this column with the displayname you would like for your users

    – Then take the article's code line with the import-csv / New-ADUser cmdlets, and add the "-DisplayName $_.DisplayName" at the very end (you can add it anywhere after the "New-ADUser" commandlet, but it's easier to add it at the end), before the last curly bracket. You will have something like this:

    import-csv .\BulkAddADUsers.csv | % {New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName -Description $_.Description -Department $_.Department -EmployeeID $_.EmployeeID -Path $_.Path -Enabled $True -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force) -PasswordNeverExpires $True -DisplayName $_.DisplayName}

  2. Anonymous says:

    @Mahesh: Hi Mahesh, to add the display name, you must have an additional column in your CSV file, which I recommend naming "DisplayName". Populate the value for each of your users (or you can use a formula in Excel to auto-populate the "DisplayName" column with, for example, a concatenation of FirstName and LastName that you would have added as new columns).

    Then take the above New-ADUser command, and with all the properties already there, add the "-DisplayName $_.DisplayName" property set, without the double quotes. Pay attention to put the above stuff before the final curly bracket.

    That should work; if not, give me the error you get.



  3. Anonymous says:

    Unfortunately there is no fix for that. The only workaround is to type the New-ADUser commandlet using all the commandlet properties like this :

    import-csv .\BulkAddADUsers.csv | % {New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName -Description $_.Description -Department $_.Department -EmployeeID $_.EmployeeID -Path $_.Path -Enabled $True -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force) -PasswordNeverExpires $True}

  4. Latham says:

    So how do you fix it?

  5. Fernando says:

    Thanks a lot for this, helped a lot!

  6. Mahesh says:

    What's the command for adding display name? I tried, but ended up with some errors.

  7. Tom says:

    I wanted to point out that it seems the only "required" field is Description.  I say "required" because it should really not be required at all.  The only way we were able to get accounts to work was to include description.

    new-aduser -name test -SamAccountName "test" -Description "test of description" -AccountPassword (read-host -AsSecureString)

    Further, you don't seem to need "SamAccountName" either.


  8. jimil says:

    Hey SammyKrosoft
    Is the -PassThru parameter required?

  9. Me says:

    Little help? I’m getting an error as follows.

    ConvertTo-SecureString : Cannot bind argument to parameter ‘String’ because it
    is null.
    At line:1 char:139
    + … o-SecureString $_.Password -AsPlainText -force) -ChangePasswordAtLogon
    $False -C …
    + ~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], Param
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M

  10. Me says:

    Never mind. Figured it out. Thanks for this blog!

  11. SammyKrosoft says:

    Hey guys, sorry for answering late, I just figured how to be notified when I receive comments … my bad !

    @Jimil: Nope, the -PassThru parameter is usually used to tell the PowerShell commandlet to "pass" the returned objects over the next pipe – if there is no next pipe, then it’s usually printed on the console

    @Me: cool :) I think the $_.Password might have been blank or a number … welcome, appreciate your comments !

  12. bluuf says:

    What I do to circumvent this is create a function, set parameters that accept pipeline input, script the password part in there (I usually call system.web to create a random password actually, but by using a switch parameter you can have both) and then I just pipe the csv to the function

  13. SammyKrosoft says:

    @bluuf: that’s another good idea to work around this encrypted string requirement, thanks bluuf !