Copying Existing AD User to Create New User in Forest


I have a new AD user that I want to create from an existing user. We have several domains in our forest, and his account already exists in one of those domains. I want to create his AD account individually in each domain, but I'm getting an error. Thanks for any help on this!

Here is my PS Script:

$userInstance = Get-ADUser -Identity "saraDavis"
New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance -DisplayName "EllenAdams"

Here is the error:

8648 21C8 ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST The operation failed because UPN value provided for addition/modification is not unique forest-wide.

Yep, that'll always happen, because the UPN has to be unique in the forest.

What you have to do is define the UPN for the new user, so your second line becomes something like:

New-ADUser -SamAccountName blah -Name 'blah blah' -UserPrincipalName 'blah@blah' -Instance $userInstance

You might want to set the password for the new user and enable the account as well.

You don't actually need to recreate the user in each domain in the forest. You can grant rights across any or all domains in the forest; that's what Universal groups are for.

I'm just amazed at how many blogs just copy-paste the original code from Get-Help and claim it works (I've seen it on this website as well), while it doesn't.
This piece of code:

$userInstance = Get-ADUser -Identity "saraDavis"
New-ADUser -SAMAccountName "ellenAdams" -Instance $userInstance -DisplayName "EllenAdams"

So is everyone just faking the hell out of it?

I'm not 100% certain, but my understanding is that creating a new user in AD doesn't set the user object's UPN. Of course, if you use an instance of another user object that does have a UPN set, it will try to create the new user object with the same UPN, which is why you would need to override the UPN value of the reference instance with the -UserPrincipalName parameter. I'm sure this is true for any other user object attribute that must be unique in AD but that you may be able to set yourself.
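The following is an added example of my own, not code posted by anyone in this thread. It does what the two replies above describe: it creates the new account with -Instance, overrides every attribute the template carries that must be unique (sAMAccountName, Name, the DN via -Path, and the UPN), sets a password and enables the account. Because the error in the question is raised forest-wide, it also checks the candidate UPN against a global catalog (port 3268) before calling New-ADUser, escaping the LDAP filter value so an odd account name cannot change the query. The function names, the choice of which template properties to load, the global catalog discovery and the usage line with the thread's saraDavis/ellenAdams names are all my assumptions.

```powershell
# Added example, not code from the thread: copy an AD user from a template
# with -Instance while overriding every attribute that must be unique and
# checking the new UPN forest-wide first. Function names are my own.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a name containing ( ) * \ cannot alter the filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

function Test-UpnUniqueInForest {
    # ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST is a forest-wide check, so ask a
    # global catalog (port 3268), not just the local domain.
    param([Parameter(Mandatory)][string]$Upn, [string]$GlobalCatalog)
    if (-not $GlobalCatalog) {
        # Assumption: discover any GC in the forest when none is given.
        $GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
            Select-Object -First 1
    }
    $filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $Upn))"
    $hit = Get-ADObject -LDAPFilter $filter -Server "${GlobalCatalog}:3268" -ResultSetSize 1
    return ($null -eq $hit)
}

function Copy-ADUserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateSam,
        [Parameter(Mandatory)][string]$NewSam,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$GlobalCatalog
    )

    # -Instance copies only the properties loaded on the object, so request
    # the ones worth copying and deliberately leave out mail, proxyAddresses,
    # sIDHistory and the like, which must never be shared between accounts.
    $template = Get-ADUser -Identity $TemplateSam `
        -Properties MemberOf, Department, Title, Company, Office, Description

    # Reuse the template's OU and UPN suffix, never its whole DN or UPN.
    $parentOu = $template.DistinguishedName -replace '^.+?,((?:OU|DC)=.+)$', '$1'
    if ($template.UserPrincipalName) {
        $upnSuffix = ($template.UserPrincipalName -split '@')[-1]
    } else {
        $upnSuffix = (Get-ADDomain).DNSRoot   # template has no UPN: use the domain's
    }
    $newUpn = "$NewSam@$upnSuffix"

    if (-not (Test-UpnUniqueInForest -Upn $newUpn -GlobalCatalog $GlobalCatalog)) {
        throw "UPN $newUpn already exists somewhere in the forest; choose another."
    }

    $newParams = @{
        Instance              = $template             # copies the loaded attributes
        Name                  = "$GivenName $Surname"
        SamAccountName        = $NewSam
        GivenName             = $GivenName
        Surname               = $Surname
        DisplayName           = "$GivenName $Surname"
        UserPrincipalName     = $newUpn               # overrides the template's UPN
        Path                  = $parentOu
        AccountPassword       = $Password
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    $newUser = New-ADUser @newParams -PassThru

    # Group membership is held on the groups, not the user, so copy it
    # explicitly. Groups in another domain need -Server pointed at that domain.
    foreach ($groupDn in $template.MemberOf) {
        try   { Add-ADGroupMember -Identity $groupDn -Members $newUser -ErrorAction Stop }
        catch { Write-Warning "Could not add $NewSam to ${groupDn}: $_" }
    }
    return $newUser
}

# Usage, with the names from the question (assumed to exist in your domain):
# Copy-ADUserFromTemplate -TemplateSam saraDavis -NewSam ellenAdams -GivenName Ellen `
#     -Surname Adams -Password (Read-Host -AsSecureString 'Initial password')
```

Keeping the property list explicit is the security-relevant part: whatever Get-ADUser loads is what -Instance copies, so loading mail or proxyAddresses from the template would silently duplicate them onto the new account. The uniqueness check is advisory, since another admin can still create the same UPN between the query and New-ADUser; the directory's own forest-wide check remains the authority.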

Here's what I do to copy a user. I use a form for the info, and it generates the commands I need. I only filled in the basic fields; you'll have to add the ones you need to define.

$m = Get-ADUser "olduser" -Properties MemberOf   # MemberOf is not returned by default
# Create the new user in the template's OU, with its own UPN built from the template's UPN suffix
New-ADUser -Path ($m.DistinguishedName -replace '.+?,((?:DC|OU)=.+)','$1') -Name "newuser1" -SamAccountName "newuser1" `
    -AccountPassword (ConvertTo-SecureString "password1" -AsPlainText -Force) -ChangePasswordAtLogon $True -Enabled $True -CannotChangePassword $False `
    -UserPrincipalName ("newuser1@" + (($m.UserPrincipalName -split "@")[1])) -GivenName "New" -Surname "User" -DisplayName "New User"
$m.MemberOf | Add-ADGroupMember -Members "newuser1"   # each group DN is piped in as the group identity