1
votes

I'm receiving the following error in my create user script.

ConvertTo-SecureString : Cannot bind argument to parameter 'String' because it is an empty string.
At C:\AD_Scripts\psscripts\user_create.ps1:59 char:54
+ -AccountPassword (convertto-securestring "$Password" -AsPlainText -F ...
+ ~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

# Import active directory module for running AD cmdlets
Import-Module activedirectory

#Store the data from ADUsers.csv in the $ADUsers variable
$ADUsers = Import-csv userimport.csv
#Store report in log file in the $log variable
$log = "log.txt"

#Loop through each row containing user details in the CSV file 

foreach ($User in $ADUsers)
{
 #Read user data from each field in each row and assign the data to a  variable as below

$Username   = $User.ID
$Password   = $User.BDATE
$Firstname  = $User.FNAME
$Lastname   = $User.LNAME
$Department = $User.GRD
$Company    = $User.SCHID #This field refers to the OU the user account is to be moved to

# Choose OU
Switch ($Company)
{
    "1480" {$OU = 'OU=students,OU=users,ou=hs,dc=clasd,dc=net'}
    "1479" {$OU = 'OU=students,OU=users,ou=elem,dc=clasd,dc=net'}
    "1480" {$Folder = '\\hs-ss\students\hs'}
    "1479" {$Folder = '\\hs-ss\students\elem'}
}

#Check to see if the user already exists in AD
if (Get-ADUser -LDAPFilter {$Username=$user.$SamAccountName})
{
     #If user does exist, give a warning
     Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
    #User does not exist then proceed to create the new user account
    "Processing started (on " + $date + "): " | Out-File $log -append
    "--------------------------------------------" | Out-File $log -append

    #Account will be created in the OU provided by the $OU variable read from the CSV file
    New-ADUser `
        -SamAccountName $Username `
        -UserPrincipalName "[email protected]" `
        -Name "$Firstname $Lastname" `
        -GivenName $Firstname `
        -Department "$Department" `
        -Company "$Company" `
        -EmailAddress "[email protected]" `
        -Surname $Lastname `
        -Enabled $True `
        -Scriptpath "login.vbs" `
        -DisplayName "$Firstname $Lastname" `
        -Path $OU `
        -Homedrive "Z" `
        -homedirectory "$Folder\$username" `
        -AccountPassword (convertto-securestring "$Password" -AsPlainText -Force) `
        -ChangePasswordAtLogon $true   

}

}

I never received the error before I changed this line from

if (Get-ADUser -F {SamAccountName -eq $Username})

to

if (Get-ADUser -LDAPFilter {$Username=$user.$SamAccountName})

The CSV file I'm importing looks like this:

"ID","FNAME","LNAME","BDATE","GRD","SCHID"
"111111","Test","student1","20001225","2016","1480"
"333333","test","Student3","2001225","2025","1479"

I'm using the BDATE as the user's password.

1
Suggestion to debug this. Move the $Username=$user.$SamAccountName assignment to above the if and you can verify values in the ISE. Also, use splatting for your parameters to New-ADUser, then you can set a breakpoint in the ISE and inspect $Password and/or put in an if with a breakpoint when it is blank. Then you can also put the convertto-securestring call outside of the splatting for the params and assign to another variable like $securePassword, etc. - Kory Gill
Being that I'm new to PowerShell I'll have to look up what you're talking about :-). You're the second person that says to use splatting. - Justin Merwin

1 Answers

0
votes

So there are two problems here. First, you never declare $Password, which explains the error you're getting, since you're passing a null value to the convertto-securestring. You also want to drop the quotes around the variable; they won't break anything, but they do not meet convention. So change

-AccountPassword (convertto-securestring "$Password" -AsPlainText -Force)

to

-AccountPassword (convertto-securestring $User.BDATE -AsPlainText -Force)

You should also take a look at your If statement designed to prevent your script from trying to create a user which already exists. Your LDAP filter {$Username=$user.$SamAccountName} will always return false since it is not in a valid format; you should really not have a variable on both sides of the comparison operator, and $user.$SamAccountName does not exist in your script. Not that any of that really matters, as new-aduser will error out on its own anyway if a user already exists.
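
An added example, not code from the question or the answer. It combines a guard against empty CSV fields, an existence check using valid -LDAPFilter syntax with the CSV value escaped, and the splatting suggested in the comments. The helper name ConvertTo-LdapFilterValue and the sample rows are assumptions made for illustration; it needs the ActiveDirectory module and a reachable domain, and -WhatIf keeps it from creating anything.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: escape the RFC 4515 special characters so a value read
# from the CSV cannot change the meaning of the LDAP filter it is placed in.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash must be escaped first, otherwise later escapes get re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

# Constructed sample rows in the page's CSV layout; the second has an empty BDATE.
$ADUsers = @'
"ID","FNAME","LNAME","BDATE","GRD","SCHID"
"111111","Test","student1","20001225","2016","1480"
"222222","Test","student2","","2016","1480"
'@ | ConvertFrom-Csv

foreach ($User in $ADUsers) {
    # Reject the row before ConvertTo-SecureString ever sees an empty string.
    if ([string]::IsNullOrWhiteSpace($User.ID) -or
        [string]::IsNullOrWhiteSpace($User.BDATE)) {
        Write-Warning "Skipping row with missing ID or BDATE: '$($User.ID)'"
        continue
    }

    # -LDAPFilter takes a string in LDAP syntax: (attribute=value)
    $filter = '(sAMAccountName={0})' -f (ConvertTo-LdapFilterValue $User.ID)
    if (Get-ADUser -LDAPFilter $filter) {
        Write-Warning "A user account with username $($User.ID) already exists."
        continue
    }

    # Convert outside the parameter list so the value can be inspected at a breakpoint.
    $securePassword = ConvertTo-SecureString $User.BDATE -AsPlainText -Force

    $params = @{
        SamAccountName        = $User.ID
        Name                  = "$($User.FNAME) $($User.LNAME)"
        GivenName             = $User.FNAME
        Surname               = $User.LNAME
        AccountPassword       = $securePassword
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    New-ADUser @params -WhatIf   # remove -WhatIf to actually create the account
}
```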