Create a new AD computer. (use Add-Computer to join a computer to a domain.)
Syntax
      New-ADComputer [-Name] string [-AccountExpirationDate [System.DateTime]]
         [-AccountNotDelegated [bool]] [-AccountPassword SecureString]
         [-AllowReversiblePasswordEncryption [bool]] [-AuthType {Negotiate | Basic}]
         [-CannotChangePassword [bool]] [-Certificates X509Certificate[]]
         [-ChangePasswordAtLogon [bool]] [-Credential PSCredential]
         [-Description string] [-DisplayName string] [-DNSHostName string]
         [-Enabled [bool]] [-HomePage string] [-Instance ADComputer]
         [-Location string] [-ManagedBy ADPrincipal] [-OperatingSystem string]
         [-OperatingSystemHotfix string] [-OperatingSystemServicePack string]
         [-OperatingSystemVersion string] [-OtherAttributes hashtable]
         [-PassThru] [-PasswordNeverExpires [bool]] [-PasswordNotRequired [bool]]
         [-Path string] [-SAMAccountName string] [-Server string]
         [-ServicePrincipalNames string[]] [-TrustedForDelegation [bool]]
         [-UserPrincipalName string] [-Confirm] [-WhatIf] [CommonParameters]

Key
   -AccountExpirationDate [System.DateTime]
       The expiry date for the account. (0=never expires)
       Use PowerShell DateTime syntax. Time is assumed to be local time unless
       otherwise specified. The default time is 12:00 (Midday) local time.
       The default date is the current date.
       Examples using GMT, UTC and local time:
          -AccountExpirationDate "Mon, 17 Apr 2011 21:22:48 GMT"
          -AccountExpirationDate "2011-04-17T14:22:48.0000000"
          -AccountExpirationDate "04/17/2011 2:22:48 PM"
       The LDAP Display name (ldapDisplayName) for this property is accountExpires.

   -AccountNotDelegated bool
       Security delegation. When True, the security context of the account is not
       delegated to a service even when the service account is set as trusted for
       Kerberos delegation.
       Sets the AccountNotDelegated property for an AD account. This parameter also
       sets the ADS_UF_NOT_DELEGATED flag of the AD User Account Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -AccountPassword SecureString
       A new password value for an account. This value is stored as an encrypted string.
       If an empty or $null password is specified a random password will be set.
       If the password does not meet password policy the account will be disabled.
       Computer accounts, by default, are created with a 240-character random password.
       A valid computer account password may also be specified manually.
       Computer accounts will never be enabled unless a valid password is set (either
       randomly-generated or user-provided) or 'PasswordNotRequired' is True.
       The following example will prompt for a password:
          -AccountPassword (Read-Host -AsSecureString "AccountPassword")

   -AllowReversiblePasswordEncryption bool
       Whether reversible password encryption is allowed for the account.
       This parameter sets the AllowReversiblePasswordEncryption property of the account.
       This also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the AD User
       Account Control (UAC) attribute.
       A reversibly stored password can be recovered as cleartext by anyone able to read
       the attribute, so leave this at $false unless a protocol that needs the cleartext
       (such as CHAP or Digest authentication) requires it.
       Values for this parameter: $false or 0, $true or 1

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -CannotChangePassword bool
       Whether the account password can be changed.
       Sets the 'CannotChangePassword' property of an account.
       Values for this parameter: $false or 0, $true or 1

   -Certificates X509Certificate[]
       Modifies the DER-encoded X.509v3 certificates of the account. These certificates
       include the public key certificates issued to this account by the Microsoft
       Certificate Service. Sets the Certificates property of the account object.
       The LDAP Display Name for this property is "userCertificate".
       Syntax to add/remove/replace/clear:
          -Certificates @{Add=value1,value2,...}
          -Certificates @{Remove=value3,value4,...}
          -Certificates @{Replace=value1,value2,...}
          -Certificates $null
       Multiple operations may be specified by using a list separated by semicolons.
          -Certificates @{Add=value1,value2,...};@{Remove=value3,value4,...}
       Example - loading a certificate from a file (with its password) and adding it:
          $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate -ArgumentList "cert1.cer", "certPassword"
          Set-ADUser saradavis -Certificates @{Add=$cert}

   -ChangePasswordAtLogon bool
       Whether a password must be changed during the next logon attempt.
       Values for this parameter: $false or 0, $true or 1
       This cannot be set to $true for an account that also has PasswordNeverExpires set.

   -Credential PSCredential
       A user account that has permission to perform this action. The default is the
       current user unless the cmdlet is run from an AD PowerShell provider drive, in
       which case the account associated with the drive is the default.
       "User64" or "Domain01\User64" or a PSCredential object.

   -Description string
       A description of the object.

   -DisplayName string
       The display name of the object.

   -DNSHostName string
       The fully qualified domain name (FQDN) of the computer.
       This parameter sets the DNSHostName property for a computer object.
       The LDAP Display Name for this property is "dNSHostName".

   -Enabled bool
       Is the account enabled. An enabled account requires a password.
       This parameter sets the Enabled property for an account object.
       Also sets the ADS_UF_ACCOUNTDISABLE flag of the AD User Account Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -HomePage string
       The URL of the home page of the object.

   -Instance ADComputer
       An instance of a computer object to use as a template for a new computer object.

       Method 1: Use an existing computer object as a template for a new object.
       Retrieve an instance of an existing computer object with Get-ADComputer, then
       provide this object to the -Instance parameter of New-ADComputer to create a new
       computer object. Property values may also be overridden for the new object by
       setting the appropriate parameters. (-AccountPassword takes a SecureString, so a
       literal password has to be converted first.)
          $computerInstance = Get-ADComputer -Identity PC001
          New-ADComputer -Name "PC002" -Instance $computerInstance -AccountPassword (ConvertTo-SecureString "ChangeMe2" -AsPlainText -Force) -SAMAccountName "PC002"

       Method 2: Create a new ADComputer object and pass this object to the -Instance
       parameter of the New-ADComputer cmdlet to create the new AD computer object.
          $computerInstance = New-Object Microsoft.ActiveDirectory.Management.ADComputer
          New-ADComputer -Name "PC003" -Instance $computerInstance

   -Location string
       The location of the computer, such as an office number.

   -ManagedBy ADPrincipal
       The user or group that manages the object.
       Set this by providing one of the following property values. Examples:
          Distinguished Name: CN=JohnDoe,OU=Europe,CN=Users,DC=corp,DC=ss64,DC=com
          GUID (objectGUID) : 599c3d2e-f72d-4d20-8a88-030d99495f20
          Security Identifier (objectSid) : S-1-5-21-3165297888-301567370-576410423-1103
          SAM Account Name (sAMAccountName): JDoe
       This parameter sets the AD attribute with an LDAP Display Name of "managedBy".

   -Name string
       The name of the object.

   -OperatingSystem string
       An operating system name. e.g. "Windows Server 2008 Enterprise"

   -OperatingSystemHotfix string
       An operating system hotfix name.

   -OperatingSystemServicePack string
       The name of an operating system service pack.

   -OperatingSystemVersion string
       An operating system version.

   -OtherAttributes hashtable
       Specifies object attribute values for attributes that are not represented by
       cmdlet parameters.
       Syntax:
       To specify a single value:
          -OtherAttributes @{'AttributeLDAPDisplayName'=value}
       To specify multiple values:
          -OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...}
       e.g.:
          -OtherAttributes @{'ItemPrice'=123; 'favColors'="red","blue"}

   -PassThru
       Returns the new or modified object. By default (i.e. if -PassThru is not
       specified), this cmdlet does not generate any output.

   -PasswordNeverExpires bool
       Whether the password of an account can expire.
       This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the AD UAC attribute.
       Values for this parameter: $false or 0, $true or 1
       Note: This parameter cannot be set to $true for an account that also has the
       ChangePasswordAtLogon property set.

   -PasswordNotRequired bool
       Whether the account requires a password.
       This parameter also sets the ADS_UF_PASSWD_NOTREQD flag of the AD UAC attribute.
       Values for this parameter: $false or 0, $true or 1

   -Path string
       The X.500 path of the OU or container where the new object is created.
       In many cases, a default value will be used for -Path.
       Example:
          -Path "ou=test1,dc=demo,dc=ss64,dc=com"
       Note: PowerShell cmdlets, such as New-Item, Remove-Item, Remove-ItemProperty,
       Rename-Item and Set-ItemProperty also contain a -Path property. However, for the
       AD provider cmdlets, -Path identifies the path of the actual object and not the container.

   -SAMAccountName string
       The Security Account Manager (SAM) account name of the user, group, computer, or
       service account. The maximum length is 256 characters. To be compatible with
       older operating systems use 20 characters or less.
       Note: If the SAMAccountName string provided does not end with a '$', one will be
       appended if needed.

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified
       domain name, NetBIOS name, fully qualified directory server name (with or without
       port number) or AD Snapshot instance.
       Examples:
          demo.SS64.com
          demo
          demoDC02.demo.ss64.com
          demoDC02.demo.ss64.com:3268

   -ServicePrincipalNames string[]
       The service principal names for the account.
       Use the following syntax to add, remove, replace or clear service principal name values:
          -ServicePrincipalNames @{Add=value1,value2,...}
          -ServicePrincipalNames @{Remove=value3,value4,...}
          -ServicePrincipalNames @{Replace=value1,value2,...}
          -ServicePrincipalNames $null
       Multiple operations may be specified by using a list separated by semicolons.
          -ServicePrincipalNames @{Add=value1,value2,...};@{Remove=value3,value4,...}
       Example (an SPN has the form serviceclass/host:port):
          -ServicePrincipalNames @{Add="SQLservice/NewService.ss64.com:1456"};@{Remove="SQLservice/demo.ss64.com:1456"}

   -TrustedForDelegation bool
       Whether an account is trusted for Kerberos delegation. A service that runs under
       an account that is trusted for Kerberos delegation can assume the identity of a
       client requesting the service.
       This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the AD UAC attribute.
       This is unconstrained delegation: the account can use a connecting client's
       forwarded credentials against any service, so set it only where genuinely needed
       and prefer constrained or resource-based constrained delegation instead.
       Values for this parameter: $false or 0, $true or 1

   -UserPrincipalName string
       Each user account has a user principal name (UPN) in the format user@DNS-domain-name.
       A UPN is a friendly name assigned by an administrator that is shorter than the
       LDAP distinguished name used by the system and easier to remember. The UPN is
       independent of the user object's DN, so a user object can be moved or renamed
       without affecting the user logon name. When logging on using a UPN, users no
       longer have to choose a domain from a list on the logon dialog box.

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command, without actually
       executing the command.

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer -OutVariable.
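Several of the parameters above are described in terms of the ADS_UF_* flags they set in userAccountControl. The following added example (not from the SS64 page or the AD module) decodes a userAccountControl value into those flag names and then reuses the same table to audit computer objects for the flags that relax authentication or permit delegation. The flag values are the documented ADS_USER_FLAG_ENUM constants; the OU searched is an assumption.

```powershell
# Added example: decode userAccountControl into ADS_UF_* names and audit computers.
# Flag values are the documented ADS_USER_FLAG_ENUM constants.
$AdsUserFlags = [ordered]@{
    ADS_UF_ACCOUNTDISABLE                  = 0x00002
    ADS_UF_PASSWD_NOTREQD                  = 0x00020
    ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00080
    ADS_UF_WORKSTATION_TRUST_ACCOUNT       = 0x01000
    ADS_UF_SERVER_TRUST_ACCOUNT            = 0x02000
    ADS_UF_DONT_EXPIRE_PASSWD              = 0x10000
    ADS_UF_TRUSTED_FOR_DELEGATION          = 0x80000
    ADS_UF_NOT_DELEGATED                   = 0x100000
}

function ConvertFrom-UserAccountControl {
    # Return the names of the ADS_UF_* flags set in a userAccountControl value.
    param([Parameter(Mandatory)][int]$Value)
    $AdsUserFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Offline check on a constructed value: 0x1002 is a disabled workstation
# trust account, which is what New-ADComputer creates by default.
ConvertFrom-UserAccountControl -Value 0x1002

# Audit against a live domain (OU is a hypothetical example). The matching rule
# 1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR, so the filter returns
# any computer that has at least one of the flags in $reviewMask set.
$reviewMask = $AdsUserFlags.ADS_UF_PASSWD_NOTREQD -bor
              $AdsUserFlags.ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED -bor
              $AdsUserFlags.ADS_UF_TRUSTED_FOR_DELEGATION
$filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.804:=$reviewMask))"

Get-ADComputer -LDAPFilter $filter -SearchBase "OU=AppServers,DC=ss64,DC=com" -Properties userAccountControl |
    Select-Object Name, @{ n = 'Flags'; e = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ',' } }
```

The decoding function runs without a domain; only the final query needs the ActiveDirectory module and a reachable domain controller. Domain controllers show ADS_UF_SERVER_TRUST_ACCOUNT together with ADS_UF_TRUSTED_FOR_DELEGATION by design, so exclude them when reviewing the delegation results.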
New-ADComputer creates a new AD computer object. This cmdlet does not join a computer to a domain. Set commonly used computer property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the -OtherAttributes parameter.
Use this cmdlet to provision a computer account before the computer is added to the domain. These pre-created computer objects can be used with offline domain join, unsecure domain join and RODC domain join scenarios.
The -Path parameter specifies the container or organizational unit (OU) for the new computer. If you do not specify the -Path parameter, the cmdlet creates a computer account in the default container for computer objects in the domain.
Three ways to create an object using this cmdlet:

Method 1: Use New-ADComputer, specify the required parameters, and set any additional property values by using the cmdlet parameters.

Method 2: Use a template to create the new object. To do this, create or retrieve an existing computer object and set the -Instance parameter to this object. The object provided to the -Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters.

Method 3: Use Import-CSV with New-ADComputer to create multiple AD computer objects. To do this, use the Import-CSV cmdlet to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to New-ADComputer to create the computer objects.
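Method 3 carried through end to end, as an added example that is not part of the SS64 page or the AD module. The CSV rows are constructed inline so the parsing step runs offline (Import-Csv -Path reads the same shape from a file); the OU, computer names and the choice to set -AccountNotDelegated on every pre-created account are assumptions for the example.

```powershell
# Added example: bulk pre-creation of computer accounts from CSV, then a post-check.
# Constructed CSV content; in practice this comes from Import-Csv -Path computers.csv.
$csv = @'
Name,Path,Location,OperatingSystem,Description
SRV301,"OU=AppServers,DC=ss64,DC=com","Stavanger, Norway",Windows Server 2008 Enterprise,Pre-created for offline domain join
SRV302,"OU=AppServers,DC=ss64,DC=com","Stavanger, Norway",Windows Server 2008 Enterprise,Pre-created for offline domain join
'@
$records = $csv | ConvertFrom-Csv

function New-ProvisionedComputer {
    # Hypothetical wrapper: maps one CSV record onto New-ADComputer parameters.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Record,
        [switch]$WhatIf
    )
    process {
        $params = @{
            Name                = $Record.Name
            SAMAccountName      = $Record.Name   # the cmdlet appends the trailing '$'
            Path                = $Record.Path
            AccountNotDelegated = $true          # keep the account out of delegation chains
            PassThru            = $true
        }
        # Optional columns are only passed when the row actually has a value.
        foreach ($col in 'Location', 'OperatingSystem', 'Description') {
            if ($Record.$col) { $params[$col] = $Record.$col }
        }
        New-ADComputer @params -WhatIf:$WhatIf
    }
}

# Dry run first; flip -WhatIf off to create the objects.
$created = $records | New-ProvisionedComputer -WhatIf

# Post-provisioning check: with no password supplied the accounts stay disabled,
# and none of the flags that relax authentication should be set.
$created | Get-ADComputer -Properties PasswordNotRequired, TrustedForDelegation, AccountNotDelegated |
    Select-Object Name, Enabled, PasswordNotRequired, TrustedForDelegation, AccountNotDelegated
```

Splatting from a hashtable keeps the column-to-parameter mapping explicit, which is easier to review than relying on pipeline binding by property name, and -WhatIf on the wrapper lets the whole CSV be validated against the directory before any object is written.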
Examples
Create a new computer account:
PS C:\> New-ADComputer -Name "SRV251" -SamAccountName "SRV251" -Path "OU=AppServers,DC=ss64,DC=com"
Create a new computer account, which is enabled and located in "Stavanger, Norway":
PS C:\> New-ADComputer -Name "SRV252" -SamAccountName "SRV252" -Path "OU=AppServers,DC=ss64,DC=com" -Enabled $true -Location "Stavanger, Norway"
Create a new computer account from a template object:
PS C:\> $templateComp = get-adcomputer "SRV001" -properties "Location", "OperatingSystem", "OperatingSystemHotfix", "OperatingSystemServicePack", "OperatingSystemVersion"
PS C:\> New-ADComputer -Instance $templateComp -Name "SRV253"
“The really efficient laborer will be found not to crowd his day with work, but will saunter to his task surrounded by a wide halo of ease and leisure” ~ Henry David Thoreau
Related PowerShell Cmdlets:
Get-ADComputer - Get one or more AD computers.
Set-ADComputer - Modify an AD computer.
Remove-ADComputer - Remove an AD computer.
Add-Computer - Add a computer to the domain.