New-ADUser : The server is unwilling to process the request

  • Question

  • Thank you in advance for your assistance.

    I have been working on this test code for work. Some of the values (The IP address and the OU setup) have been changed in the script but the formatting is the same as my original script. When I run this as Admin through ISE and straight Powershell I get the following error.  

    New-ADUser : The server is unwilling to process the request
    At line:1 char:13
    +             New-ADUser -Name "TestLogan" -AccountPassword (ConvertTo-SecureStrin ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CN=TestLogan,OU...DC=Company,DC=com:String) [New-ADUser], ADException
        + FullyQualifiedErrorId : The server is unwilling to process the request,Microsoft.ActiveDirectory.Management.Commands.NewADUser

    Below is the test PS1, let me know if you see anything I haven't that could be causing the issue.

    [CmdletBinding()]
    Param(
        [parameter(mandatory=$true)]
        [String]$Password
    )

    $User = Import-csv C:\BulkUser.csv

    foreach ($UserName in $User)
    {
        [string]$Name = $User.LastName + $User.FirstName
        [String]$DisplayName = $User.LastName + " " + $User.FirstName
        [String]$Email = $User.UserName + "@Domain.com"
        [String]$Surname = $User.LastName

        New-ADUser -Name $Name -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -City Wichita -Company "ABC Company" -Confirm -Country US -Department "Sales" -DisplayName $DisplayName -EmailAddress $Email -PassThru -Path "OU=New Hire,OU=Users,DC=Company,DC=Com" -ScriptPath "kix32 \\1.5.1.3\kix$\Test.kix" -Surname $Surname
    }

    I have also reviewed "New-ADUser with Import-Csv..." and followed their recommendations to no avail. The link is https://social.technet.microsoft.com/Forums/scriptcenter/en-US/81b3b2d8-b73f-4232-82cd-c383e171274b/newaduser-with-importcsv

    Please bear in mind this is my first time for public review of my code. I am also open to any constructive feedback on formatting and whatnot.

    Best regards,

    Logan

    Tuesday, December 22, 2015 8:41 PM

All replies

  • Look closely at these  lines:

    $User = Import-csv C:\BulkUser.csv
    foreach ($UserName in $User) {
         [string]$Name = $User.LastName + $User.FirstName


    \_(ツ)_/

    Tuesday, December 22, 2015 9:38 PM
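
The mismatch in those lines, shown on constructed data as an added example (not code from the thread): the loop variable is `$UserName`, but the body reads `$User`, which is still the whole imported collection. The sample rows and the `$Row` variable name are assumptions.

```powershell
# Constructed sample rows standing in for C:\BulkUser.csv (not from the thread).
$Users = @'
FirstName,LastName,UserName
Ada,Lovelace,alovelace
Alan,Turing,aturing
'@ | ConvertFrom-Csv

# Original pattern: iterate with $UserName but read from $User.
# $User is the full collection, so member enumeration (PowerShell 3.0+)
# makes $User.LastName an array holding every LastName in the file.
# Adding the two arrays and casting to [string] joins all values with spaces.
$User = $Users
foreach ($UserName in $User) {
    [string]$Name = $User.LastName + $User.FirstName
    "original pattern : '$Name' (length $($Name.Length))"
}

# Corrected pattern: read each property from the per-row loop variable.
foreach ($Row in $Users) {
    [string]$Name = $Row.LastName + $Row.FirstName
    "per-row variable : '$Name' (length $($Name.Length))"
}

# With a single data row Import-Csv returns one object rather than a
# collection, so the original pattern appears to work and the mismatch
# only shows up once the file has two or more rows.
$One = @'
FirstName,LastName,UserName
Ada,Lovelace,alovelace
'@ | ConvertFrom-Csv
foreach ($UserName in $One) {
    [string]$Name = $One.LastName + $One.FirstName
    "single-row file  : '$Name' (length $($Name.Length))"
}
```
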
  • Try this. Remove arguments until you find the bad arg. You cannot pass nulls.

    Param (
        [parameter(mandatory = $true)]
        [String]$Password
    )

    # Convert the plain-text parameter once, outside the loop
    $pswrd = ConvertTo-SecureString $Password -AsPlainText -Force
    $Users = Import-csv C:\BulkUser.csv

    foreach ($User in $Users) {

        # Splat table: each key is a New-ADUser parameter name
        $props = @{
            Name            = $User.LastName + $User.FirstName
            DisplayName     = $User.LastName + ' ' + $User.FirstName
            EmailAddress    = $User.UserName + '@Domain.com'
            Surname         = $User.LastName
            AccountPassword = $pswrd    # New-ADUser takes -AccountPassword
            City            = 'Wichita'
            Company         = 'ABC Company'
            Country         = 'US'
            Department      = 'Sales'
            Path            = 'OU=New Hire,OU=Users,DC=Company,DC=Com'
            ScriptPath      = '\\1.5.1.3\kix$\Test.kix'
        }

        New-ADUser @props -PassThru
    }
    

    You can easily block sections of the splat using comments

    <#
       some args
       some args
    #>

    That comments what is in the middle.


    \_(ツ)_/

    Tuesday, December 22, 2015 9:49 PM
  • You cannot use Kix32 in the scriptpath

    ScriptPath

    Specifies a path to the user's log on script. This value can be a local absolute path or a Universal Naming Convention (UNC) path. This parameter sets the ScriptPath property of the user. The LDAP display name (ldapDisplayName) for this property is "scriptPath".

    The following example shows how to set this parameter.
    -ScriptPath "\\logonScripts\saradavisLogin"


    \_(ツ)_/

    Tuesday, December 22, 2015 9:52 PM
  • Thank you for the assistance. I have done the requested edits (I love the $Props options it makes it so much easier to read).

    I have commented out everything except for the Name = and the Path =. I need to keep the path as I am not allowed access to other sites' AD OUs.

    I still get the same error. Is it possible that the server settings are preventing me from running new-aduser on our DC? It seems unlikely as I am able to move users across OUs, and I am able to disable users through Powershell. It is obvious that PS commands are allowed.

    Tuesday, December 22, 2015 10:14 PM
  • You need to comment lines out one at a time.  Be sure you do not have any nulls.

    \_(ツ)_/

    Tuesday, December 22, 2015 10:53 PM
  • Per the help for New-ADUser, the -sAMAccountName is required. The -Name specifies the Relative Distinguished Name, which is the common name.

    Richard Mueller - MVP Enterprise Mobility (Directory Services)

    Tuesday, December 22, 2015 11:02 PM
    Moderator
  • Technically the pre-w2k name is not required and is supposed to be copied from the name when not supplied.  I always supply it so I have not tested  to see if that is the same with New-AdUser.


    \_(ツ)_/

    Tuesday, December 22, 2015 11:15 PM
  • Nope.  We don't need samaccountname

    See:

    PS C:\scripts> new-aduser -name testme3
    PS C:\scripts> get-aduser testme3
    
    
    DistinguishedName : CN=testme3,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=TESTNET,DC=local
    Enabled           : False
    GivenName         :
    Name              : testme3
    ObjectClass       : user
    ObjectGUID        : 99b828f8-0456-45db-9e74-a7bbb2df1461
    SamAccountName    : testme3
    SID               : S-1-5-21-1997746983-321388823-153608166-2226
    Surname           :
    UserPrincipalName :
    
    
    
    PS C:\scripts>
    

    Notice how it is automatically copied from "name"


    \_(ツ)_/


    • Edited by jrv Tuesday, December 22, 2015 11:19 PM
    Tuesday, December 22, 2015 11:18 PM
  • The help for New-ADUser does not explain that, but it makes sense. I wonder if it assigns just the first 20 characters of Name (which can be 64 characters) and strips out characters not allowed in sAMAccountName, like the comma.

    Richard Mueller - MVP Enterprise Mobility (Directory Services)

    Tuesday, December 22, 2015 11:49 PM
    Moderator
  • The help for New-ADUser does not explain that, but it makes sense. I wonder if it assigns just the first 20 characters of Name (which can be 64 characters) and strips out characters not allowed in sAMAccountName, like the comma.

    Richard Mueller - MVP Enterprise Mobility (Directory Services)

    Here's some random tests:

    PS C:\> New-ADUser -Name 'Some Really Long Name, With Stuff In IT!'
    New-ADUser : The name provided is not a properly formed account name
    At line:1 char:1
    + New-ADUser -Name 'Some Really Long Name, With Stuff In IT!'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CN=Some Really ...dymion,DC=local:String) [New-ADUser], ADException
        + FullyQualifiedErrorId : The name provided is not a properly formed account name,Microsoft.ActiveDirectory.Management.Commands.NewADUser
     
    
    PS C:\> New-ADUser -Name 'Some Really Long Name, With Stuff In IT'
    New-ADUser : The name provided is not a properly formed account name
    At line:1 char:1
    + New-ADUser -Name 'Some Really Long Name, With Stuff In IT'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CN=Some Really ...dymion,DC=local:String) [New-ADUser], ADException
        + FullyQualifiedErrorId : The name provided is not a properly formed account name,Microsoft.ActiveDirectory.Management.Commands.NewADUser
     
    
    PS C:\> New-ADUser -Name 'Some Really Long Name'
    New-ADUser : The name provided is not a properly formed account name
    At line:1 char:1
    + New-ADUser -Name 'Some Really Long Name'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CN=Some Really ...dymion,DC=local:String) [New-ADUser], ADException
        + FullyQualifiedErrorId : The name provided is not a properly formed account name,Microsoft.ActiveDirectory.Management.Commands.NewADUser
     
    
    PS C:\> New-ADUser -Name 'SomeReallyLongName,GoesHere'
    New-ADUser : The name provided is not a properly formed account name
    At line:1 char:1
    + New-ADUser -Name 'SomeReallyLongName,GoesHere'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CN=SomeReallyLo...dymion,DC=local:String) [New-ADUser], ADException
        + FullyQualifiedErrorId : The name provided is not a properly formed account name,Microsoft.ActiveDirectory.Management.Commands.NewADUser
     
    
    PS C:\> New-ADUser -Name 'SomeReallyLongNameGoesHere'
    New-ADUser : The name provided is not a properly formed account name
    At line:1 char:1
    + New-ADUser -Name 'SomeReallyLongNameGoesHere'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CN=SomeReallyLo...dymion,DC=local:String) [New-ADUser], ADException
        + FullyQualifiedErrorId : The name provided is not a properly formed account name,Microsoft.ActiveDirectory.Management.Commands.NewADUser
     
    
    PS C:\> New-ADUser -Name 'testac9'

    Only the last one succeeded.


    Tuesday, December 22, 2015 11:56 PM
  • But the error is explicit.


    \_(ツ)_/

    Wednesday, December 23, 2015 12:15 AM
  • What is interesting to me, is that in all cases the -Name is valid as the RDN of a user (the Name property), just not valid as the sAMAccountName.

    I just tried the following and it worked fine:

    New-ADUser -Name "SomeReallyReallyLongName, Goes Here" -sAMAccountName "ShortName"


    Richard Mueller - MVP Enterprise Mobility (Directory Services)


    Wednesday, December 23, 2015 12:23 AM
    Moderator
  • It is the old NetBIOS "rule of fours"

    PS C:\scripts> new-aduser -Name 12345678901234567890 # 20 chars
    PS C:\scripts> new-aduser -Name 123456789012345678901 # 21 chars
    new-aduser : The name provided is not a properly formed account name
    At line:1 char:1
    + new-aduser -Name 123456789012345678901

    What a difference a one makes.

    That is why it is called the "Pre-Windows 2000" compatible name.  "SAM" is the "Security Accounts Manager" in Windows NT.  Local accounts use SAM.  AD uses the CN or "Common Name" place the path to isolate and identify.  The fundamental that doesn't change is the GUID and to some degree the SID although SIDs can change.

    I always generate a SamAccountName from the user name (f)lastnnn.  In large networks a different scheme may be needed.  It is always a pain.


    \_(ツ)_/

    Wednesday, December 23, 2015 12:35 AM
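
One way to generate a name in the (f)lastnnn style mentioned above while staying inside the 20-character limit seen in the tests, as an added example that is not code from the thread. `New-SamAccountName`, its parameters, the whitespace stripping and the sample values are assumptions of this example; the result would be passed to `-SamAccountName`.

```powershell
function New-SamAccountName {   # hypothetical helper, not part of the AD module
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        # Names already in use. Constructed here; in practice this list
        # would come from a directory query.
        [string[]]$Taken = @()
    )

    # Characters not allowed in sAMAccountName: " / \ [ ] : ; | = , + * ? < >
    # Whitespace is stripped too, as a choice made by this example.
    $invalid = '["/\\\[\]:;|=,+*?<>\s]'
    $first = $FirstName -replace $invalid, ''
    $last  = $LastName  -replace $invalid, ''
    if (-not $first -or -not $last) {
        throw "Nothing left after sanitising: '$FirstName' '$LastName'"
    }

    # (f)last: first initial plus last name, lower-cased.
    $base = ($first.Substring(0, 1) + $last).ToLower()

    # Try the bare name first, then 001..999, truncating the stem so that
    # stem + suffix never exceeds 20 characters.
    for ($n = 0; $n -lt 1000; $n++) {
        $suffix = if ($n -eq 0) { '' } else { '{0:d3}' -f $n }
        $stem = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length))
        $candidate = $stem + $suffix
        if ($Taken -notcontains $candidate) { return $candidate }
    }
    throw "No free sAMAccountName for '$FirstName $LastName'"
}

# Constructed inputs: 'jsmith' is already taken, so a numeric suffix is needed;
# the second name carries a comma and spaces and is longer than 20 characters.
$taken = @('jsmith')
New-SamAccountName -FirstName 'John' -LastName 'Smith' -Taken $taken
New-SamAccountName -FirstName 'Some' -LastName 'Really Long Name, With Stuff In IT' -Taken $taken
```
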
  • Thank you again for the assistance.

    My new code reads as follows:

    Param (
        [parameter(mandatory = $true)]
        [String]$Password
    )

    $pswrd = ConvertTo-SecureString $Password -AsPlainText -Force
    $Users = Import-csv C:\BulkUser.csv

    foreach ($User in $Users) {

        $props = @{
            Name = $User.LastName + $User.FirstName
            Path = 'OU=New Hire,OU=Users,DC=Company,DC=Com'
            <#DisplayName = $User.LastName + ' ' + $User.FirstName
            EmailAddress = $User.UserName+'@Domain.com'
            Surname = $User.LastName
            AccountPassword = $pswrd
            City = 'Wichita'
            Company = 'ABC Company'
            Country = 'US'
            Department = 'Sales'
            ScriptPath = '\\1.5.1.3\kix$\Test.kix'#>
        }

        New-ADUser @props -PassThru
    }

    I did comment out each line one by one and ended with just the Path and the Name values. Again I know Path is not required but due to my access in AD I need to specify it or the server will kick it back as access denied.

    Any additional thoughts before I turn to server side support and see why the command might be blocked?

    Thursday, December 24, 2015 4:57 PM
  • A side note - I am able to move things to and from the OU so I know the pathing is correct and it does accept Powershell commands. I am not sure if that helps at all.
    Thursday, December 24, 2015 4:58 PM
  • Have you tried just one new user?

    New-ADUser -Name 'someusername' -Path 'OU=New Hire,OU=Users,DC=Company,DC=Com'

    If this does not work then you have server problems.


    \_(ツ)_/

    • Marked as answer by Rumisglass Thursday, December 24, 2015 5:15 PM
    Thursday, December 24, 2015 5:09 PM
  • Just did. Same issue as before. I will check with the server team. At least my code looks good.

    Thanks for all your help. Have a wonderful Holiday!

    Thursday, December 24, 2015 5:11 PM
  • Good luck


    \_(ツ)_/

    Thursday, December 24, 2015 5:12 PM
  • Just look out, because the start of the .properties("distinguished Name") can be different than the .properties("cn"). If the user is created with a "," or ";" in the .properties("cn") the start of the .properties("distinguished Name") will be the username with "\," or "\;".

    This can give an error "The server is unwilling to process the request" if you are trying to add a user you found by use of .properties("cn") to a Group.
    Friday, June 14, 2019 12:15 PM
  • Just look out, because the start of the .properties("distinguished Name") can be different than the .properties("cn"). If the user is created with a "," or ";" in the .properties("cn") the start of the .properties("distinguished Name") will be the username with "\," or "\;".

    This can give an error "The server is unwilling to process the request" if you are trying to add a user you found by use of .properties("cn") to a Group.

    Which has absolutely nothing to do with this issue.  Please don't post in 5 year old answered topics.

    \_(ツ)_/


    • Edited by jrv Friday, June 14, 2019 12:20 PM
    Friday, June 14, 2019 12:20 PM