Active Directory: Creating a New User with MSP Standards
Master the basics of MSP-standard user onboarding in Active Directory. This guide covers OU placement, naming conventions, and the security importance of the "Change Password at Next Logon" flag.
The Ticket: The New Hire Onboarding
As always... a client just realized they have a new employee starting in twenty minutes, and they haven't provisioned an account yet. In the MSP world, consistency is everything. If you just dump users into the default container, you break GPO application and make a mess of the directory. We need to get this user created, secured, and placed in the correct OU immediately.
Pre-Flight Check
- Permissions: Domain Admin or Account Operator rights.
- Tools: Active Directory Users and Computers (ADUC) or AD Administrative Center.
- Impact: Low - New object creation. No impact on existing users.
The Solution
1. Access Administrative Tools: Log in to your Domain Controller or a management jump-box with RSAT (Remote Server Administration Tools) installed.
2. Navigate to ADUC: Open Active Directory Users and Computers.
3. Choose the Correct Location: Right-click the specific Organizational Unit (OU) where the user belongs (e.g., Clients > [ClientName] > Users > Staff).
[!IMPORTANT] Avoid the default "Users" container. Objects in the "Users" container cannot have Group Policy Objects (GPOs) linked directly to them.
4. Create the User: Click the Create User icon in the toolbar (or Right-click > New > User).
5. Enter Details
- Name: Enter First and Last name.
- User Logon Name (UPN): Ensure this matches the client's specific naming convention (e.g., first.last vs. flast). Verify the suffix matches their primary email domain.
6. Security Standards
- Set a complex temporary password.
- Check "User must change password at next logon." This ensures the technician never knows the user's permanent password, maintaining a clean chain of custody.
7. Finalize: Click Next, verify the summary, and click Finish.
The "Why" (Root Cause)
Why do we care so much about the OU location? Active Directory uses a hierarchy for Group Policy Processing. If you create a user in the default CN=Users container, they will only receive policies applied at the Domain level. They will miss out on your MSP-standard drive mappings, printer deployments, and security restrictions that are linked to the Staff or Standard Users OU.
Furthermore, enforcing the "Change password at next logon" flag is a non-negotiable security standard. It fulfills the Principle of Least Knowledge. By forcing the user to set their own secret immediately, the MSP is shielded from liability if that account is ever used for unauthorized internal access.
Under the Hood (Technical Deep Dive)
When you click Finish, the ADUC console sends an LDAP (Lightweight Directory Access Protocol) request to the Domain Controller. The DC creates a new object of the user class in the NTDS.DIT database.
Crucially, every user is assigned a unique SID (Security Identifier), which is a long string starting with S-1-5-21-.... This SID is what Windows uses to grant permissions, not the username. If you delete a user and recreate them with the exact same name, the SID changes, and they will lose access to every folder and file they previously owned. This is why we Disable accounts for offboarding instead of deleting them immediately.
RMM & Automation Tips
- PowerShell Onboarding: If you have to create 50 users for a new office, don't use the GUI. Use a CSV and a PowerShell loop:
```powershell
New-ADUser -Name "John Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@company.com" -Path "OU=Staff,OU=Users,DC=company,DC=com" -AccountPassword (Read-Host -AsSecureString) -ChangePasswordAtLogon $true -Enabled $true
```
- AD Audit: Set your RMM to alert you if any new user objects appear in the default CN=Users container. This allows you to catch Tier 1 techs who are skipping the OU placement step.
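The CSV-driven loop mentioned above, written out as an added example that is not code from the original article. It assumes the ActiveDirectory RSAT module, a CSV with the columns FirstName,LastName,SamAccountName,UPN,OU (a constructed one-row sample is embedded in place of Import-Csv), and an OU layout like the article's Clients > [ClientName] > Users > Staff; it refuses the CN=Users container, checks the UPN suffix against the forest (Edge Case 1 below), sizes the temporary password to the domain policy (Edge Case 2), and always sets the change-at-next-logon flag.

```powershell
Import-Module ActiveDirectory

# Constructed sample input; in practice: $NewHires = Import-Csv .\newhires.csv
$NewHires = @"
FirstName,LastName,SamAccountName,UPN,OU
John,Doe,jdoe,jdoe@company.com,"OU=Staff,OU=Users,OU=ClientName,OU=Clients,DC=company,DC=com"
"@ | ConvertFrom-Csv

# Suffixes registered in AD Domains and Trusts, plus the domain's own DNS name.
$ValidSuffixes = @((Get-ADForest).UPNSuffixes) + (Get-ADDomain).DNSRoot
$Policy        = Get-ADDefaultDomainPasswordPolicy

foreach ($Hire in $NewHires) {
    # Guardrail 1: never provision into the default CN=Users container (no GPO links).
    if ($Hire.OU -match '^CN=Users,') {
        Write-Warning "$($Hire.SamAccountName): refusing to create in CN=Users; fix the OU column."
        continue
    }
    if (-not (Test-Path "AD:\$($Hire.OU)")) {
        Write-Warning "$($Hire.SamAccountName): OU '$($Hire.OU)' does not exist."
        continue
    }
    # Guardrail 2: the UPN suffix must exist in the forest, or New-ADUser fails later.
    $Suffix = $Hire.UPN.Split('@')[1]
    if ($ValidSuffixes -notcontains $Suffix) {
        Write-Warning "$($Hire.SamAccountName): UPN suffix '$Suffix' is not registered in the forest."
        continue
    }
    # Guardrail 3: temporary password at least as long as the domain policy demands
    # (16 minimum here). Get-Random is fine for a one-time secret that is replaced
    # at first logon; do not reuse this for permanent credentials.
    $Length   = [Math]::Max(16, $Policy.MinPasswordLength)
    $Chars    = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $TempPass = -join ((1..$Length) | ForEach-Object { $Chars | Get-Random })

    # Guardrail 4: -ChangePasswordAtLogon keeps the technician out of the permanent secret.
    New-ADUser -Name "$($Hire.FirstName) $($Hire.LastName)" `
        -GivenName $Hire.FirstName -Surname $Hire.LastName `
        -SamAccountName $Hire.SamAccountName -UserPrincipalName $Hire.UPN `
        -Path $Hire.OU `
        -AccountPassword (ConvertTo-SecureString $TempPass -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true

    # Hand the temporary password to the user out of band; nothing is written to disk here.
    Write-Output "$($Hire.SamAccountName): created in $($Hire.OU); temporary password: $TempPass"
}
```

Run it from a jump-box with RSAT as an account holding Account Operator or Domain Admin rights, and keep the CSV in a location only technicians can read.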
Troubleshooting & Edge Cases
- Edge Case 1: UPN Suffix Missing: If the dropdown only shows .local instead of the client's .com domain, you need to add the UPN Suffix in AD Domains and Trusts.
- Edge Case 2: "Password does not meet requirements": This means your temporary password failed the Domain Password Policy. Ensure you are using at least 12 characters with three of the four standard categories (Uppercase, Lowercase, Numbers, Symbols).
Found this useful? Check out the video version on the 404 & More YouTube channel.