Users are one of the most common object types in AD. They are used for authentication and authorization on workstations and in many services that are integrated with AD. User management is the main routine task for sysadmins and helpdesk specialists. This guide shows several ways to manage such objects. To manage users, you need to install the RSAT tools or work from your DC. You have to be signed in as a domain admin or an Account Operators user, or have delegated rights to create objects in the current OU.
Creating a User Account
There are many ways to create a user account in AD; let's consider several of them.
Creating User Account Using Active Directory Users and Computers (ADUC)
Run ADUC (dsa.msc).
Go to the OU where the new user should be located. In the taskbar, click the "New User" icon, or right-click on white space in the main window and then click "New -> User". Another way is to right-click the needed Org Unit and select "New -> User".
The "New Object - User" dialog appears. Specify the parameters for your user:
- Full name, by either typing the full name into Full Name field or typing it in the First and Last name fields.
- User logon name, this field creates the userPrincipalName and the sAMAccountName attributes.
Click Next, specify a strong password, retype it in the next field, and check the needed options. For a regular user you should usually check “User must change password at next logon”.
Click Next and Finish. Congratulations, the new user was successfully created!
Creating User Account Using Command Prompt
To do the same thing in cmd, use the dsadd.exe utility. The following parameters create a user in the “Users” container in AD and set a default password for it:
Creating User Account Using Windows PowerShell
Run the following PowerShell code under Administrator privileges:
New-ADUser -Name FRobinson -Path "CN=Users,DC=office,DC=local" -GivenName "Frank" -Surname "Robinson" -sAMAccountName FRobinson
How to Delete a User Account
Let's delete a user from the AD environment using one of these methods. Note that if the AD Recycle Bin is enabled, this action will not completely delete the user account; it will change its token attributes and move it to the Deleted Objects container.
Deleting User Account in Active Directory Users and Computers (ADUC)
To delete a single user, open Active Directory Users and Computers (dsa.msc).
Go to the OU or container where the user that you need to delete resides. Click on the Action menu or right-click the OU and select Find.
Type the name or last name of the user you want to delete into the name field and click “Find Now”. In the results, select the object you need to delete, right-click it, click Delete and confirm your decision.
Deleting User Account Using Command Prompt
The following cmd string will delete the user “GSoul” from the office.local domain:
Deleting User Account Using PowerShell
Execute the following PowerShell code to delete the user GSoul from AD:
Remove-ADUser -Identity "CN=GSoul,CN=Users,DC=office,DC=local"
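The create and delete steps from the two PowerShell sections above, combined into one added example (not code from the original guide). It reuses the page's FRobinson and GSoul names and the office.local domain; the UPN suffix, the password prompt, the Recycle Bin check and the dry run are assumptions added here, and the ActiveDirectory module from RSAT must be installed.

```powershell
Import-Module ActiveDirectory

# --- Create (names from the page; the UPN suffix office.local is assumed) ---
$sam = 'FRobinson'

# Prompt for the initial password so it is never stored in the script,
# the console history or a process command line.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $sam"

# Stop early with a clear message if the logon name is already taken.
if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
    throw "User $sam already exists."
}

$newUser = @{
    Name                  = $sam
    GivenName             = 'Frank'
    Surname               = 'Robinson'
    SamAccountName        = $sam
    UserPrincipalName     = "$sam@office.local"
    Path                  = 'CN=Users,DC=office,DC=local'
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true   # same effect as the ADUC checkbox
    Enabled               = $true   # with no password set, the account is created disabled
}
New-ADUser @newUser

# Verify what was actually written to the directory.
Get-ADUser -Identity $sam -Properties PasswordLastSet |
    Select-Object DistinguishedName, Enabled, PasswordLastSet

# --- Delete (DN from the page) ---
# Check first whether the delete will be recoverable.
$recycleBin = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if (-not $recycleBin.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is not enabled; deleted users cannot be fully restored.'
}

$target = 'CN=GSoul,CN=Users,DC=office,DC=local'
Remove-ADUser -Identity $target -WhatIf    # dry run: shows the action, changes nothing
Remove-ADUser -Identity $target -Confirm   # asks for confirmation, then deletes

# With the Recycle Bin enabled, the object is now in Deleted Objects.
Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "GSoul"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object DistinguishedName, lastKnownParent, whenChanged
```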
Conclusion
User account management is a fundamental task for system administrators and helpdesk professionals working with Active Directory. This guide has covered multiple methods to create and delete user accounts using graphical tools like Active Directory Users and Computers (ADUC), as well as command-line utilities such as dsadd and PowerShell cmdlets. Proper permissions and appropriate tools, like RSAT, are essential to efficiently manage user objects in your domain. Mastering these techniques helps maintain a secure and well-organized directory environment.
FAQ
- Q: What permissions do I need to create or delete user accounts in AD?
A: You must be signed in as a Domain Admin, Account Operators user, or have delegated permissions for the specific Organizational Unit (OU) where the user object resides.
- Q: What tools can I use to manage user accounts in Active Directory?
A: User accounts can be managed via the Active Directory Users and Computers (ADUC) console, command-line tools like dsadd and dsrm, or PowerShell cmdlets such as New-ADUser and Remove-ADUser.
- Q: Does deleting a user in AD permanently remove their account?
A: If the AD Recycle Bin feature is enabled, deleting a user moves the account to the Deleted Objects container instead of permanently removing it immediately, allowing for recovery if needed.
- Q: Can I create and delete user accounts remotely?
A: Yes, by installing Remote Server Administration Tools (RSAT) on your workstation, you can manage AD user accounts remotely.
- Q: How do I ensure password security when creating user accounts?
A: Use strong, complex passwords and enable options like “User must change password at next logon” to enforce password updates.