Create Team Admin Account in Active Directory (AD)
Task Create Team Admin Account in Active Directory
Conditions
Given a target Domain, a Domain Controller (DC), a user account with appropriate rights and privileges to modify user accounts, and a workstation with the Windows Remote Server Administration Tools (RSAT) installed.
Operator Note: Creating a temporary or team admin account is often necessary to secure the environment during incident response. This should only be done with proper approvals and logged actions.
Standards
- Team member coordinates the requirement to modify the Administrator Group on the Domain
- Team member creates User Account in Active Directory on target Domain
- Team member opens Active Directory Users and Computers (ADUC) or uses PowerShell to create the user account
- Team member assigns Domain Admins group membership to the account
- Team member resets the password and secures the credentials in accordance with incident response SOPs
Operator Note: Always consult enclave or business owner prior to creating privileged accounts during an incident.
End State
A new user account exists in Active Directory with Domain Admins membership that the Team can use to carry out protection tasks.
Notes
- Team admin accounts should be temporary and removed after incident resolution.
- Strong, complex passwords should be used.
- Account creation and group membership assignment should be logged.
Manual Steps
Create Active Directory User (GUI Method)
- Open Active Directory Users and Computers (ADUC):
  - Click Start → Administrative Tools → Active Directory Users and Computers
- Navigate to the domain node (example.com)
- Right-click the folder or OU where you want to create the user → New → User
- Fill out the user creation form:
  - First name, Initials, Last name
  - User logon name (username) → Click Next
- Enter password and select appropriate options:
  - Recommended: User must change password at next logon (can be unchecked during IR)
- Click Next → Click Finish
Assign Group Membership (GUI Method)
- Open Active Directory Users and Computers (ADUC)
- Navigate to Domain Admins group
- Right-click → Properties
- Go to Members tab → Click Add
- Enter the new user’s username → Click OK → User is now a Domain Admin
PowerShell Method (Preferred for repeatability)
Create new user:
New-ADUser -Name "IR Team Admin" -SamAccountName "iradmin" -AccountPassword (Read-Host -AsSecureString "Enter Password") -Enabled $true -Path "OU=Incident Response,DC=example,DC=com"
Add user to Domain Admins:
Add-ADGroupMember -Identity "Domain Admins" -Members "iradmin"
Operator Note: Replace “OU=Incident Response,DC=example,DC=com” with the correct OU path if needed.
Running Script
New-ADUser -Name "IR Team Admin" -SamAccountName "iradmin" -AccountPassword (Read-Host -AsSecureString "Enter Password") -Enabled $true -Path "OU=Incident Response,DC=example,DC=com"
Add-ADGroupMember -Identity "Domain Admins" -Members "iradmin"
Store these commands securely and remove or disable the account after incident remediation.
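The same two commands wrapped into a create/teardown pair, as an added example that is not part of the original runbook: it adds the controls the Notes call for (a hard account expiry, an approval reference in the description, a transcript log of every action, a verification step, and a matching removal). It assumes the RSAT ActiveDirectory module, the placeholder OU from the page, and an assumed log directory of C:\IR\logs.

```powershell
# Added example, not the runbook's own script. Assumes RSAT ActiveDirectory module,
# the placeholder OU used on the page, and an assumed log directory C:\IR\logs.
Import-Module ActiveDirectory

function New-IRAdminAccount {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,   # e.g. "iradmin" (page example)
        [Parameter(Mandatory)] [string]$TicketId,         # incident / approval reference
        [string]$Path = "OU=Incident Response,DC=example,DC=com",  # placeholder OU from the page
        [int]$LifetimeHours = 24,                         # hard expiry so the account cannot linger
        [string]$LogDir = "C:\IR\logs"                    # assumed transcript location
    )
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    Start-Transcript -Path (Join-Path $LogDir "$SamAccountName-create.log") -Append
    try {
        $expires  = (Get-Date).AddHours($LifetimeHours)
        $password = Read-Host -AsSecureString "Enter password for $SamAccountName"
        New-ADUser -Name "IR Team Admin ($TicketId)" -SamAccountName $SamAccountName `
            -AccountPassword $password -Enabled $true -Path $Path `
            -Description "Temporary IR admin, approval $TicketId, expires $expires" `
            -AccountExpirationDate $expires -ChangePasswordAtLogon $false
        Add-ADGroupMember -Identity "Domain Admins" -Members $SamAccountName
        # Verify before reporting success: the membership and expiry must actually be applied
        $user = Get-ADUser $SamAccountName -Properties AccountExpirationDate, MemberOf
        $isDA = $user.MemberOf -match '^CN=Domain Admins,'
        if (-not $isDA) { throw "Domain Admins membership not applied to $SamAccountName" }
        Write-Host "Created $SamAccountName; expires $($user.AccountExpirationDate); approval $TicketId"
    } finally {
        Stop-Transcript
    }
}

function Remove-IRAdminAccount {
    param([Parameter(Mandatory)] [string]$SamAccountName,
          [string]$LogDir = "C:\IR\logs")
    Start-Transcript -Path (Join-Path $LogDir "$SamAccountName-remove.log") -Append
    try {
        # Strip privilege first, then disable, then delete: a failure part-way still reduces exposure
        Remove-ADGroupMember -Identity "Domain Admins" -Members $SamAccountName -Confirm:$false
        Disable-ADAccount -Identity $SamAccountName
        Remove-ADUser -Identity $SamAccountName -Confirm:$false
        Write-Host "Removed $SamAccountName from Domain Admins, disabled and deleted"
    } finally {
        Stop-Transcript
    }
}
```

Run New-IRAdminAccount -SamAccountName iradmin -TicketId IR-0000 at the start of the engagement and Remove-IRAdminAccount -SamAccountName iradmin at closure; the transcripts in the log directory give the audit trail the Notes section requires.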
Dependencies
- RSAT with Active Directory Module (PowerShell)
- Domain Admin credentials or delegated permissions
- Organizational approval (business owner or enclave owner authorization)
| Tool | Platform | Use Case |
|---|---|---|
| PowerShell AD Module | Windows | Preferred scripted method |
| ADUC (dsa.msc) | Windows | GUI-based user creation |
| dsadd (legacy) | Windows | CLI-based user creation (optional) |
| LAPS / Password Vaulting Tools | Windows/Enterprise | Secure storage of credentials |
Operator Checklist
Best Practices
- Use PowerShell for speed, repeatability, and logging.
- Document all elevated account creation during incident.
- Disable and remove temporary accounts immediately after use.
- Securely share passwords (LAPS, encrypted vaults).
- Avoid generic names like “admin” or “incident” that may persist post-incident.
Revision History
| Date | Version | Description | Author |
|---|---|---|---|
| 2025-05-02 | 1.9 | Full original + enriched PowerShell method, operator checklist, alternate tooling and best practices | Leo |