Powershell Script: Import-CSV | New-ADUser Users unable to log onto domain

My goal is to add approximately 80 users to an AD 2008 OU using a powershell script (attached).
The script successfully adds all the users contained within a CSV file, however the users are unable to log onto the domain due to bad username and password.
I want to emphasize that the script does work for adding the user accounts.
It's just that the users are denied access until I perform a Reset Password... in ADUC.
After that, they can log on.
Any assistance would be greatly appreciated.
The password in the code is not "*****..." It is a password which does meet the complexity requirements for the domain.
Import-Module ActiveDirectory
Import-CSV  C:\scripts\newusers.csv | foreach { New-ADUser -SamAccountName $_.samaccountname -UserPrincipalName $_.userprincipalname -GivenName $_.givenname -SurName $_.surname -Name $_.name -Path $_.path -DisplayName $_.displayname -AccountPassword (ConvertTo-SecureString -AsPlainText "************" -Force) -ChangePasswordAtLogon $True -Enabled $True }

codefisher Asked:
Jason Watkins, IT Project Leader, Commented:
Are the accounts disabled, or have their passwords expired? Change the script to require the user to change the password upon first login.
0
GusGallows Commented:
Have you considered setting the password to a variable outside of the import statement? I think it is having an issue with your command running between the parentheses. Try the following:
 
Import-Module ActiveDirectory
$pswd = ConvertTo-SecureString -AsPlainText "************" -force
Import-CSV  C:\scripts\newusers.csv | foreach { New-ADUser -SamAccountName $_.samaccountname -UserPrincipalName $_.userprincipalname -GivenName $_.givenname -SurName $_.surname -Name $_.name -Path $_.path -DisplayName $_.displayname -AccountPassword $pswd -ChangePasswordAtLogon $True -Enabled $True }

0
codefisher (Author) Commented:
Answer to Firebar: Accounts are not disabled. Don't know if the passwords are expired or not. There is no indication either way, from the behavior of Windows. As for requiring the user to change password at first login, that is supposed to be handled by the -ChangePasswordAtLogon $True parameter (I think).

Answer to GusGallows: I like your method. I will try it first thing when I get into the office. I'll post the result.

I'm immensely thankful to both of you for taking the time out of your schedules to help me out! Thanks.
0
codefisher (Author) Commented:
I used the suggestion of placing the password variable outside of the import statement. It worked identically to the previous method. All users were imported. User must change password was set appropriately. Accounts were all enabled. However, logon was still denied. For some reason, it's not bringing in the password I'm defining.
0
GusGallows Commented:
I used the following code to test your logic and it looks good:
 
New-ADUser -SamAccountName "test1234user" -UserPrincipalName "test1234user@domain.com" -Path "CN=Users,DC=domain,DC=com" -name "test1234user" -AccountPassword (ConvertTo-SecureString -AsPlainText "New1User" -force) -ChangePasswordAtLogon $True -Enabled $True

Naturally I replaced the UPN and Domain names to the actual ones in my environment, but it worked. That leaves me thinking the issue may be a permissions issue on your account. What account are you using to create the new users? Is it a domain admin? If not, does it have enough delegated rights to create and reset passwords?

If your permissions are working, then perhaps it is the password itself that is a problem. Does it have any special characters in it which might not be meshing well with the code? Sometimes CSV files, if there is a comma in the field, will either break the field up, or append quotes around the text which would in turn make the password 2 characters longer than expected. So instead of New,User as the password, it would be 'New,User'.

Try using a different password that does not have any special characters in it. Most strict password policies require the password to only have 3 of the four different types of characters:
Upper Case
Lower Case
Number
Symbol

So if your password has to be 8 characters long, you could use something like New1User which would meet the requirement without putting a code breaking symbol in it. Give that a try.
0
codefisher (Author) Commented:
Thank you Mr. Gallows. I will try that.
0
codefisher (Author) Commented:
I've tried everything suggested. In addition, the account I'm using is a Domain Admin. I've removed commas from inside all quotes, to eliminate parsing errors, modified the password to prevent complexity errors, and run the script several times. Each time, the AD accounts are created in the correct OU, they are enabled, but attempts to log onto a workstation using these accounts yields, "The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case."
0
codefisher (Author) Commented:
Eureka. New1User worked. However, when it prompted me to change the password, the originally programmed password was accepted. Is there a different set of complexity rules for running powershell scripts than for entering in passwords at the winlogon box?
0

GusGallows Commented:
None that I am aware of. It should error if you violate the complexity requirements in PowerShell. If you aren't getting an error, then it comes down to Powershell not setting the password to the phrase you are trying to set. Unfortunately, because of the purpose of encrypted strings, there is no way to see what the actual value is being saved as (without hacking AD). I would find a password that works since you will be changing them at initial logon and stick with that.
0
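
Added example, not part of the thread or any poster's code: one way to check which string a script actually hands to -AccountPassword before the accounts are created (it reads nothing back from AD). The sample password, the helper names ConvertFrom-SecureStringToPlain and Test-PasswordLiteral, and the premise that the original password contained a $ character are assumptions; the thread never shows the real password.

```powershell
# Added example. The password below is constructed; the thread never shows the real one.
# Assumption: the real password contained '$', which double quotes treat as a variable.
# Assumes Set-StrictMode is off (the default), so an undefined variable expands to nothing.

function ConvertFrom-SecureStringToPlain {
    # Decode a SecureString created in this session so it can be compared
    # with what was intended. The unmanaged copy is zeroed afterwards.
    param([Parameter(Mandatory=$true)][System.Security.SecureString]$Secure)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Test-PasswordLiteral {
    # Compare the string the script actually built with the one the admin meant.
    param([string]$Intended, [string]$Actual)
    $secure   = ConvertTo-SecureString -AsPlainText $Actual -Force
    $inSecure = ConvertFrom-SecureStringToPlain $secure
    New-Object PSObject -Property @{
        IntendedLength = $Intended.Length
        ActualLength   = $inSecure.Length
        Match          = ($Intended -ceq $inSecure)   # case-sensitive comparison
    }
}

$intended = 'Winter$torm9!'   # single quotes: every character is literal
$dq       = "Winter$torm9!"   # double quotes: $torm9 is expanded as a variable

# $torm9 is undefined, so the double-quoted string loses those characters and
# the account gets a different password from the one typed at the logon box.
Test-PasswordLiteral -Intended $intended -Actual $dq
Test-PasswordLiteral -Intended $intended -Actual 'Winter$torm9!'

# Pattern for the bulk import: build the SecureString once from a single-quoted
# literal (or prompt with Read-Host -AsSecureString), then pass it as
# -AccountPassword $pswd to New-ADUser inside the Import-CSV loop.
$pswd = ConvertTo-SecureString -AsPlainText 'Winter$torm9!' -Force
```

The same expansion applies to a backtick inside double quotes, which PowerShell reads as an escape character.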
Windows Server 2008

Question has a verified solution.