7,023 questions
Hi @Marc
Please try to elevate PowerShell by running as Administrator:
----------------------------
If this is helpful please accept answer.
New-ADUser : Access is denied
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 41%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Marc
631
Reputation points
I am trying to create a new AD users in Powershell from an Existing User.
I am using the command below:
$newuserattributes = Get-ADUser -Identity 111111 -Properties StreetAddress,City,Title,PostalCode,Office,Department,Manager
New-ADUser -UserPrincipalName "101010" -GivenName Jon -Surname Ford -SAMAccount Name "101010" -Instance $newuserattributes -DisplayName "Jon Ford" -AccountPassword (ConvertTo-SecureString Pas$W0rd!!12 -AsPlainText -Force) -ChangePasswordAtLogon $true -Enabled $false -EmployeeID 101010
Although I am part of the admin group I am getting the error " Access is denied" :
New-ADUser : Access is denied
At line:2 char:1
- New-ADUser -SAMAccountName "101010" -Instance $userInstance -Name " ...
What elevate credentials do i need to run this command? How can I double check them?
Thanks
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | PowerShell
4 answers
Sort by: Most helpful
-
Dillon Silzer 57,831 Reputation points Volunteer Moderator2022-10-15T21:53:41.497+00:00 -
Andreas Baumgarten 123.7K Reputation points MVP Volunteer Moderator2022-10-15T23:23:03.723+00:00 Hi @Marc ,
if you use
New-AdUserthe user will be created in Active Directory (AD). For this the user who is executing the script needs the permissions in AD to create the user object.
For instance, the user needs the membership in theDomain AdminorAccount Operatorsgroup.
Delegating the permission to create users in AD is an option as well.----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten -
Marc 631 Reputation points
2022-10-16T10:16:07.74+00:00 I have realised (Get-ADPrincipalGroupMembership username) I am part of "user operators" and not "account operators".
-
Marc 631 Reputation points
2022-10-17T15:54:03.333+00:00 It seems the problem is related with the code: "$newuserattributes = Get-ADUser" because if I create a simple new user (below) the command works. So I have the permissions.
New-ADUser -Name "User Test" -GivenName User -Surname Test -SamAccountName usertest -UserPrincipalName usertest@test .it -path "OU=Users, DC=test, DC=it"
I am doing something wrong with the code this is why I am receiving the error " Access is denied".
How can I create a New AD Users from an Existing User?-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 39%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Robert Secord 0 Reputation points2023-10-11T22:22:20.14+00:00 Did you Ever get a resolution to this? I've created an elevated user's script to create users from template users that folks can right click and copy. However, with automation coming in we want to launch as soon as the final approval is sent on the admin accounts in multiple domains and sneaker netting is not going to cut it anymore. (Yes I Am a god of the domain...)
Thanks,
Sign in to comment -