AzureAutomation – Hybrid worker – Create AD user

In this post, I would like to share a scenario on how we can run powershell scripts on the on-prem enviorment using azure automation. Runbooks that run on a Hybrid Runbook Worker typically manage resources on the targeted local computer or against resources in the local environment where the worker is deploye

Here is an example of how to create AD user in on-prem active directory using Azure Automation Hybrid worker.

Step 1: Install the “New-OnPremiseHybridWorker” module on the targeted machine.

Install-Script -Name New-OnPremiseHybridWorker


Step 2: Deploy hybrid worker on the targeted on-prem machine. in this example I have deployed it on ADDC server.

Pre-requisite before running the below command

  • Azure Automation Account
  • Log workspace ( if not passing the value while running the command it will automatically creates one)
  • Run as account, you can create run as account under azure automation credentials and use it while running the scripts.
  • After installing the script, goto this location C:\Program Files\WindowsPowerShell\Scripts and run the below
.\New-OnPremiseHybridWorker.ps1 -AutomationAccountName "AzureAutomation" -AAResourceGroupName "AzAutomation" -OMSResourceGroupName "AzAutomation" -HybridGroupName "HYB-AzVm" -SubscriptionID "******************" -WorkspaceName "hybridWorkspace98459"


Step 3 After completing the step 2, you will see microsoft monitoring agent installed on the targeted machine.

also from the Azure portal, you will see the Hybrid worker is added like shown in the below image

Step 4: Create Run as account

Step 5: Here is the script to create new user in on-prem active directory

    [Parameter(Mandatory=$True)] $User,
    [Parameter(Mandatory=$True)] $Firstname,
    [Parameter(Mandatory=$True)] $Lastname,
    [Parameter(Mandatory=$True)] $OU,
    [Parameter(Mandatory=$True)] $city,
    [Parameter(Mandatory=$True)] $company,
    [Parameter(Mandatory=$True)] $state,
    [Parameter(Mandatory=$True)] $streetaddress,
    [Parameter(Mandatory=$True)] $telephone,
    [Parameter(Mandatory=$True)] $jobtitle,
    [Parameter(Mandatory=$True)] $department

# Import active directory module for running AD cmdlets
#Import-Module activedirectory

#Store the data from ADUsers.csv in the $ADUsers variable

# Function

function Get-RandomCharacters($length, $characters) {
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    return [String]$characters[$random]
function Scramble-String([string]$inputString){     
    $characterArray = $inputString.ToCharArray()   
    $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length     
    $outputString = -join $scrambledStringArray
    return $outputString 
# Generate Password
$password = Get-RandomCharacters -length 5 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 4 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 3 -characters '!"§$%&/()=?}][{@#*+'
$password = Scramble-String $password
$secureString = convertto-securestring $password -asplaintext -force

	#Check to see if the user already exists in AD
	if (Get-ADUser -F {SamAccountName -eq $User})
		 #If user does exist, give a warning
		 Write-Warning "A user account with username $User already exist in Active Directory."
		#User does not exist then proceed to create the new user account
        #Account will be created in the OU provided by the $OU variable read from the CSV file
	New-ADUser `
            -SamAccountName $User `
            -UserPrincipalName "$" `
            -Name "$Firstname $Lastname" `
            -GivenName $Firstname `
            -Surname $Lastname `
            -Enabled $True `
            -DisplayName "$Lastname, $Firstname" `
            -Path $OU `
            -City $city `
            -Company $company `
            -State $state `
            -StreetAddress $streetaddress `
            -OfficePhone $telephone `
            -EmailAddress "$" `
            -Title $jobtitle `
            -Department $department `
            -AccountPassword $secureString -ChangePasswordAtLogon $True
            #If user is created, show message.
            Write-Host "The user account $Username is created." -ForegroundColor Cyan
            #If user is created, show message.
            Write-Host "The user account $User is created." -ForegroundColor Cyan


Step 5: Lets check out the behavior

if there is a possibility to choose “RUNON” would have been much better so that you can create a work flow using powerautomate and forms like explained in the previous post. on the other hand, you can also schedule the runbook to run by choosing run on “Hybrid worker” as deafult. May be there is another way I may not be aware of. if you like this post please share your feedback in the comment section and i would be happy to reply.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: