I'm currently making ADUser accounts on a server, and one of the standards here is that the accounts must have a password, even if it is a default password that all new accounts share.
I'm a bit confused by the -AccountPassword parameter on New-ADUser cmdlet, and its relation to SecureString. At the moment, I managed to squeeze out a suitable script-testing-password, but I realise that it is probably nowhere near a suitable password for an account, considering the strange parameters I've put on it to get it to work:
$password = ConvertTo-SecureString "Password1" -AsPlainText -Force
I then use this with New-ADUser: -AccountPassword $password.
Could anyone advise on how to deal with a situation like this? Is my approach suitable for a default password, or am I messing up somehow here? I haven't implemented this so it is difficult to tell if it will work effectively.
In case you have the "User must change password at next logon" set when you set a default password, this approach is pretty normal. If your task is also to not make the default password visible in plaintext, you can use save/load technique on a SecureString which is readable as 100+ hex-symbols, and can be stored as a file. You write a secure string into a file once, then read it from the file and use as a valid secure string in New-ADUser. The primary restriction of a file-based approach is that the string is encrypted by the user's data, using the user that generated the string, so you can't save a SecureString as user A then read it as user B and succeed at decryption.