Get-ADUser + New-ADUser : Access denied error

Marc 631 Reputation points
2022-10-18T06:54:49.937+00:00

If I create a new user in Active Directory using New-ADUser, as in the example below, everything works fine.

New-ADUser -Name "User Test" -GivenName User -Surname Test -SamAccountName usertest -UserPrincipalName usertest@test.it -path "OU=Users, DC=test, DC=it"

When instead I have to create a new user by copying the profile of another user, I receive the error "Access is denied".

New-ADUser : Access is denied
At line:2 char:1
+ New-ADUser -Name "User test " -GivenName User " ...

As I am able to create a new user, I should also have permission to run the script that creates a new user by copying the profile of an existing one.

# Read the attributes to copy from the existing (template) user
$newuserattributes = Get-ADUser -Identity 111111 -Properties StreetAddress,City,Title,PostalCode,Office,Department,Manager
# Create the new user from that template; single quotes keep $W0rd in the password literal
New-ADUser -Name "User test " -GivenName User -Surname test -SamAccountName usertest -UserPrincipalName usertest@domain.it -Instance $newuserattributes -AccountPassword (ConvertTo-SecureString 'Pas$W0rd!!12' -AsPlainText -Force) -ChangePasswordAtLogon $true -Enabled $false -EmployeeID 101010

Why am I receiving this error then?


7 answers

  1. SChalakov 10,371 Reputation points MVP
    2022-10-18T08:21:02.163+00:00

    Hi @Marc,

    Can you please post the full (verbose) error message? There should be an additional error string, something like:

    [New-ADUser], UnauthorizedAccessException  
    

    Can you please do me a favor and test the same without:

    -ChangePasswordAtLogon $true  
    

    Do you still get the Access Denied error?

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
    Regards
    Stoyan Chalakov


  2. Gary Reynolds 9,396 Reputation points
    2022-10-18T08:24:40.73+00:00

    Hi @Marc

    In your script you haven't specified the -path parameter in the New-ADUser cmdlet, and it will default to the CN=Users container. Check that you have permissions on the CN=Users container.

    Gary.


  3. Marc 631 Reputation points
    2022-10-18T08:47:29.907+00:00

    I am receiving the error below even without -ChangePasswordAtLogon $true

    New-ADUser : Access is denied
    At line:2 char:1
    + New-ADUser -Name "User test " -GivenName User " ... ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (CN=user tes...,DC=domain,DC=it:String) [New-ADUser], UnauthorizedAccessException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.NewADUser

    I haven't specified the -path parameter because I would like the new user to be part of the OU that the existing (copied) user is part of.

    As I am able to create a new user, I believe I have permission. However, how can I check if I have the permissions on the CN=Users container?


  4. Gary Reynolds 9,396 Reputation points
    2022-10-18T09:29:59.33+00:00

    Have a look at this post on how to determine your effective rights in AD - https://nettools.net/how-to-find-active-directory-effective-rights/

    Gary.

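Added example, not part of any post in this thread: one way to compare create-user ACEs on the domain's default users container (where the answers above say the user is created when -Path is omitted) and on the OU holding the template user. `Get-ParentContainer` and `Get-UserCreateAce` are hypothetical helper names; the script assumes the ActiveDirectory module with its AD: drive and reuses identity 111111 from the question.

```powershell
Import-Module ActiveDirectory   # provides Get-ADUser, Get-ADDomain and the AD: drive

# schemaIDGUID of the 'user' class; an ACE carrying it applies to user objects only.
$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-ParentContainer {          # hypothetical helper
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Strip the leading RDN: cut at the first comma not escaped with a backslash.
    $DistinguishedName -replace '^.+?(?<!\\),', ''
}

function Get-UserCreateAce {            # hypothetical helper
    param([Parameter(Mandatory)][string]$ContainerDN)
    # SIDs in the caller's logon token: the account itself plus every group.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    $acl = Get-Acl -Path "AD:\$ContainerDN"
    # Request SIDs rather than names so that same-named groups stay distinct.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            ($sids -contains $_.IdentityReference.Value) -and
            $_.ActiveDirectoryRights.HasFlag($createChild) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $UserClassGuid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Container = $ContainerDN
                Sid       = $_.IdentityReference.Value
                Type      = $_.AccessControlType      # Allow or Deny
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
            }
        }
}

$template   = Get-ADUser -Identity 111111             # template user from the question
$defaultDN  = (Get-ADDomain).UsersContainer           # default container for new users
$templateOU = Get-ParentContainer $template.DistinguishedName

# Compare both containers; no rows for a container means no matching ACE was found.
$defaultDN, $templateOU | ForEach-Object { Get-UserCreateAce -ContainerDN $_ } |
    Format-Table -AutoSize
```

This lists matching ACEs only; it does not evaluate inheritance flags or attribute-level write rights, so it is a first check and not a full effective-rights calculation.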

  5. Marc 631 Reputation points
    2022-10-18T10:35:57.427+00:00

    According to nettools, there are 2 groups with the same name that I belong to.
    One has full access; the other has only this enabled: create and delete users