5 Replies to “How to Create New Service Accounts in Active Directory from a CSV with Powershell”

  1. Hi,

    I got the error message below. Would you be able to advise where the problem is?

    New-ServiceAccount : Cannot process argument transformation on parameter ‘password’. Cannot convert the “Ddgp,Bs1`![!OM’L*%i=” value of type “System.String” to type “System.Security.SecureString”.
    At C:\temp\PL_Wintel\New-Service-Accounts.ps1:33 char:98
    + … countname -description $sa.description -password $sa.password -destou …
    + ~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [New-ServiceAccount], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,New-ServiceAccount

  2. Hi Piotr,
    Thanks for your comment. It can be either an escape or a quote character or both that break/truncate the string variable. Try to avoid those and re-run the function.

    You can add some breakpoints using a debugger and see what the actual value is at runtime, or simply break the function into steps, run it line by line, and check the password (String) and SecureString value once converted.

    Please also have a look at this article about SecureString objects: https://www.scriptinglibrary.com/languages/powershell/securestring-how-to-decode-it-with-powershell/

    I hope this answered your question.

  3. Hi Paolo –
    I got the script to work as a csv, but I had to take the “$psw = convertto-securestring” out of the function and put it into the loop. Could just be my environment. Maybe that will help someone. It worked great! Thanks!

    1. Hi Gary,
      Thanks for your comment. As I’ve mentioned here, if you use special characters such as “;” or “,” in your passwords, you have a few options to work around this if you are using a CSV file.

      The only note to keep in mind, if you choose to use a SecureString format: pay attention to how you generate that SecureString object. In other words, if you pass a key, you need to use it also to convert from, or if you use the DPAPI, you should be able to convert it back just under your user context.

      If an encryption key is specified by using the Key or SecureKey parameters, the Advanced Encryption Standard (AES) encryption algorithm is used. The specified key must have a length of 128, 192, or 256 bits because those are the key lengths supported by the AES encryption algorithm. If no key is specified, the Windows Data Protection API (DPAPI) is used to encrypt the standard string representation.

      This is the official doc page as a reference

  4. Hey, just found this after trying to automate some AD credentials and had some major issues with the ConvertTo-SecureString.

    The problem was that in my test I had a simple plain-text password, but it was already defined as a SecureString in the parameters. Simply changing the parameter to “string” instead of “SecureString” allowed me to then convert the plain-text regular string of “password” to a secure-string in processing.

    Might help someone else out there running into the same problem!
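
The conversion discussed in this thread, as an added example that is not part of the original post, its comments, or the script they refer to: CSV password strings are converted explicitly before being bound to a `[SecureString]` parameter, then exported and re-imported with an AES key. `Test-SecureParam`, the CSV column names and the sample values are hypothetical and constructed for illustration.

```powershell
# Constructed sample rows (not real accounts). The password field is quoted
# so that the embedded comma and semicolon survive CSV parsing.
$csv = @'
name,description,password
svc-example1,"Constructed sample 1","Xy,7`!pl;ace-Holder1"
svc-example2,"Constructed sample 2","Another;Place,Holder2"
'@

# Hypothetical stand-in for a function whose -Password parameter is typed
# [SecureString]; it only reports what it received.
function Test-SecureParam {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    [pscustomobject]@{ Name = $Name; Length = $Password.Length }
}

# 256-bit AES key, generated here for the demo. Anyone holding the key can
# decrypt the exported string, so it has to be stored and protected separately.
$key = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

foreach ($row in ($csv | ConvertFrom-Csv)) {
    # Passing $row.password directly fails with the argument transformation
    # error: a [string] is not converted to [SecureString] during binding.
    $secure = ConvertTo-SecureString -String $row.password -AsPlainText -Force
    Test-SecureParam -Name $row.name -Password $secure

    # Export with a key (AES) and import again with the same key.
    $exported = $secure | ConvertFrom-SecureString -Key $key
    $restored = $exported | ConvertTo-SecureString -Key $key

    # Decode both only to confirm the round trip preserved every character.
    $a = [System.Net.NetworkCredential]::new('', $secure).Password
    $b = [System.Net.NetworkCredential]::new('', $restored).Password
    "{0}: round trip intact = {1}" -f $row.name, ($a -ceq $b)
}
```

Omitting `-Key` on both conversions uses DPAPI on Windows instead, in which case the exported string can only be converted back under the same user context.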
