
I'm receiving the following error in my create user script.

ConvertTo-SecureString : Cannot bind argument to parameter 'String' because it is an empty string.
At C:\AD_Scripts\psscripts\user_create.ps1:59 char:54
+ -AccountPassword (convertto-securestring "$Password" -AsPlainText -F ...
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

# Import active directory module for running AD cmdlets
Import-Module activedirectory

#Store the data from ADUsers.csv in the $ADUsers variable
$ADUsers = Import-csv userimport.csv
#Store report in log file in the $log variable
$log = "log.txt"

#Loop through each row containing user details in the CSV file 

foreach ($User in $ADUsers)
{
 #Read user data from each field in each row and assign the data to a  variable as below

$Username   = $User.ID
$Password   = $User.BDATE
$Firstname  = $User.FNAME
$Lastname   = $User.LNAME
$Department = $User.GRD
$Company    = $User.SCHID #This field refers to the OU the user account is to be moved to

# Choose OU
Switch ($Company)
{
    "1480" {$OU = 'OU=students,OU=users,ou=hs,dc=clasd,dc=net'}
    "1479" {$OU = 'OU=students,OU=users,ou=elem,dc=clasd,dc=net'}
    "1480" {$Folder = '\\hs-ss\students\hs'}
    "1479" {$Folder = '\\hs-ss\students\elem'}
}

#Check to see if the user already exists in AD
if (Get-ADUser -LDAPFilter {$Username=$user.$SamAccountName})
{
     #If user does exist, give a warning
     Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
    #User does not exist then proceed to create the new user account
    "Processing started (on " + $date + "): " | Out-File $log -append
    "--------------------------------------------" | Out-File $log -append

    #Account will be created in the OU provided by the $OU variable read from the CSV file
    New-ADUser `
        -SamAccountName $Username `
        -UserPrincipalName "[email protected]" `
        -Name "$Firstname $Lastname" `
        -GivenName $Firstname `
        -Department "$Department" `
        -Company "$Company" `
        -EmailAddress "[email protected]" `
        -Surname $Lastname `
        -Enabled $True `
        -Scriptpath "login.vbs" `
        -DisplayName "$Firstname $Lastname" `
        -Path $OU `
        -Homedrive "Z" `
        -homedirectory "$Folder\$username" `
        -AccountPassword (convertto-securestring "$Password" -AsPlainText -Force) `
        -ChangePasswordAtLogon $true   

}

}

I never received the error before I changed this line from

if (Get-ADUser -F {SamAccountName -eq $Username})

to

if (Get-ADUser -LDAPFilter {$Username=$user.$SamAccountName})

The CSV file I'm importing looks like this:

"ID","FNAME","LNAME","BDATE","GRD","SCHID"
"111111","Test","student1","20001225","2016","1480"
"333333","test","Student3","2001225","2025","1479"

I'm using the BDATE as the user's password.

2
  • Suggestion to debug this. Move the $Username=$user.$SamAccountName assignment to above the if and you can verify values in the ISE. Also, use splatting for your parameters to New-ADUser, then you can set a breakpoint in the ISE and inspect $Password and/or put in an if with a breakpoint when it is blank. Then you can also put the convertto-securestring call outside of the splatting for the params and assign to another variable like $securePassword, etc. Commented Nov 16, 2016 at 19:42
  • Being that I'm new to PowerShell I'll have to look up what you're talking about :-). You're the second person that says to use splatting. Commented Nov 16, 2016 at 19:58

1 Answer 1


So there are two problems here. First, you never declare $Password, which explains the error you're getting, since you're passing a null value to convertto-securestring. You also want to drop the quotes around the variable; they won't break anything but they do not meet convention. So change

-AccountPassword (convertto-securestring "$Password" -AsPlainText -Force)

to

-AccountPassword (convertto-securestring $User.BDATE -AsPlainText -Force)

You should also take a look at your If statement designed to prevent your script from trying to create a user which already exists. Your LDAP filter {$Username=$user.$SamAccountName} will always return false since it is not in a valid format; you should really not have a variable on both sides of the comparison operator, and $user.$SamAccountName does not exist in your script. Not that any of that really matters, as new-aduser will error out on its own anyway if a user already exists.


6 Comments

So do you even need the script to look to see if the user exists first? If not then I could just remove that entire if else statement.
@JustinMerwin, Sometimes it is better to ask for forgiveness than permission. You could see if it throws an error (Try) and handle it (Catch), by doing nothing (Or giving an error).
So as it sits right now (assuming you fix the if statement to work correctly) if the user exists you'll get a warning about them existing and the script will continue. You could do it with a try catch as Nick suggests and you would get pretty much the same effect, with the added benefit of handling any error rather than just the user already existing. Oh and if you keep the if statement you can drop the LDAP filter and replace it with get-aduser -identity $Username
So I'm thinking I don't even need to see if the user exists. Just run the script.
Correct, but if you don't catch the error somehow your loop will stop when it hits an error unless you change your $ErrorActionPreference
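
The suggestions from the answer and comments combined into one loop (reject rows with an empty password field, convert the password outside the parameter list, splat the parameters, and wrap New-ADUser in try/catch), as an added example that is not part of the original thread. The log file name and warning texts are assumptions, and the UPN and e-mail parameters are left out because their values are not recoverable from the page.

```powershell
# Added example; not the original poster's script.
Import-Module ActiveDirectory

# SCHID -> target OU and home-folder root (values taken from the question).
$Sites = @{
    '1480' = @{ OU = 'OU=students,OU=users,ou=hs,dc=clasd,dc=net';   Folder = '\\hs-ss\students\hs' }
    '1479' = @{ OU = 'OU=students,OU=users,ou=elem,dc=clasd,dc=net'; Folder = '\\hs-ss\students\elem' }
}

foreach ($User in Import-Csv userimport.csv) {
    $Username = $User.ID
    $Site     = $Sites["$($User.SCHID)"]   # string cast avoids a null-index error

    # Reject incomplete rows before any AD call. An empty BDATE is what makes
    # ConvertTo-SecureString fail with "Cannot bind argument to parameter 'String'".
    if ([string]::IsNullOrWhiteSpace($Username) -or
        [string]::IsNullOrWhiteSpace($User.BDATE) -or -not $Site) {
        Write-Warning "Skipping row with missing ID, BDATE or unknown SCHID: '$Username'"
        continue
    }

    # Convert outside the parameter list so the value can be inspected at a breakpoint.
    $SecurePassword = ConvertTo-SecureString -String $User.BDATE -AsPlainText -Force

    # Splatting: one hashtable instead of backtick line continuations.
    $NewUser = @{
        SamAccountName        = $Username
        Name                  = "$($User.FNAME) $($User.LNAME)"
        GivenName             = $User.FNAME
        Surname               = $User.LNAME
        Department            = $User.GRD
        Company               = $User.SCHID
        Path                  = $Site.OU
        HomeDrive             = 'Z'
        HomeDirectory         = "$($Site.Folder)\$Username"
        AccountPassword       = $SecurePassword
        ChangePasswordAtLogon = $true    # birth date is guessable; force rotation at first logon
        Enabled               = $true
        ErrorAction           = 'Stop'   # make failures terminating so catch sees them
    }
    try {
        New-ADUser @NewUser
        "Created $Username" | Out-File log.txt -Append
    }
    catch {
        # Covers "already exists" and any other failure; the loop moves on to the next row.
        Write-Warning "Could not create ${Username}: $($_.Exception.Message)"
    }
}
```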