1. Creating Users with Templates
Users in a domain often share many similar properties. For
example, all sales representatives can belong to the same security
groups, log on to the network during similar hours, and have home
folders and roaming profiles stored on the same server. When you
create a new user, you can simply copy an existing user account rather
than create a blank account and populate each property.
Since the days of Microsoft Windows NT 4.0, Windows has
supported the concept of user account templates. A user account
template is a generic user account prepopulated with common
properties. For example, you can create a template account for sales
representatives that is preconfigured with group memberships, logon
hours, a home folder, and a roaming profile path.
To create a user account template, simply create a user account
and prepopulate appropriate attributes. We recommend that you use a
naming standard that makes templates easy to find. For example,
configure the full name of the user with an underscore (_) as the
first character, such as _Sales User. The
underscore prefix will cause all templates to appear at the top of the
list of users in an organizational unit (OU).
Note: DISABLE TEMPLATE USER ACCOUNTS
The template account should not be used to log on to the network, so be sure to disable the account. Review the template's group memberships periodically as well: every account copied from it inherits them, so a group added to the template is granted to every user created from it afterward.
To create a user based on the template, perform the following steps:
1. Right-click the template user account, and then click Copy. The Copy Object – User Wizard appears.
2. In the First Name box, type the user’s first name.
3. In the Last Name box, type the user’s last name.
4. Modify the Full Name value if necessary.
5. In the User Logon Name box, type the user logon name, and then select the appropriate user principal name (UPN) suffix in the drop-down list.
6. In the User Logon Name (Pre-Windows 2000) box, type the user’s pre–Windows 2000 user name, and then click Next.
7. In Password and Confirm Password, type the user’s password.
8. Select the appropriate password options.
9. If the user account from which the new user account was copied was disabled, clear the Account Is Disabled check box to enable the new account.
10. Click Next, and then click Finish.
After a user is created by copying the template, you can view
and modify its attributes in the Properties dialog box of the new
account. It’s important to realize that not all attributes are copied
from the template. The list below summarizes the attributes that are
copied from the template, grouped by the tabs in the Properties dialog
box.
- General tab: No properties are copied from the General tab.
- Address tab: P.O. box, city, state or province, ZIP or postal code, and country or region are copied. Note that the street address itself is not copied.
- Account tab: Logon hours, logon workstations, account options, and account expiration are copied.
- Profile tab: Profile path, logon script, home drive, and home folder path are copied.
- Organization tab: Department, company, and manager are copied.
- Member Of tab: Group membership and primary group are copied.
Exam Tip
Memorize the list of attributes that are copied from a template.
It is not useful to configure any other attributes in the
template, as they will not be copied to new accounts.
Note: WHAT YOU SEE ISN’T ALL YOU GET
User accounts have additional properties that are not
visible on the standard tabs in the Active Directory Users And
Computers snap-in. These hidden attributes include useful properties
such as assistant, division, employee type, and employee ID. To view
these properties, click the View menu in the Active Directory Users
And Computers snap-in and select the Advanced Features option. Then
open the properties of a user account and click the Attribute Editor
tab. Several of these attributes, including assistant, division, and
employee type, are also copied from a template to a new
account.
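The copy operation described above can be scripted with the Active Directory module for Windows PowerShell (available on Windows Server 2008 R2). The following is an added example, not code from the original page: it copies exactly the attributes the wizard copies, substitutes %username% in the profile and home paths the way the wizard does, adds the new user to the template's groups, and refuses to run if the template is enabled. The OU, the template name _Sales User, the UPN suffix and the new user's details are assumed values.

```powershell
# Added example (not from the original page). Assumed values: OU, template DN, UPN suffix, new user.
Import-Module ActiveDirectory

$ou         = 'OU=User Accounts,DC=contoso,DC=com'
$templateDn = "CN=_Sales User,$ou"     # template named per the underscore convention

# The attributes the Copy Object - User Wizard copies, by LDAP name, grouped as in the dialog box.
$copiedAttributes = @(
    'postOfficeBox','l','st','postalCode','c','co',          # Address (street is NOT copied)
    'logonHours','userWorkstations','accountExpires',        # Account
    'profilePath','scriptPath','homeDrive','homeDirectory',  # Profile
    'department','company','manager'                         # Organization
)

$template = Get-ADUser -Identity $templateDn -Properties ($copiedAttributes + 'memberOf')

# A template must never be usable for logon; stop if someone has enabled it.
if ($template.Enabled) {
    throw "Template $templateDn is enabled. Disable it before copying from it."
}

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $UpnSuffix = 'contoso.com'
    )

    # Copy only the attributes the wizard copies, and only those the template actually has set.
    $other = @{}
    foreach ($attr in $copiedAttributes) {
        $value = $template.$attr
        if ($null -eq $value) { continue }
        if ($value -is [string]) {
            if ($value -eq '') { continue }
            # The wizard resolves %username% in home and profile paths to the new logon name.
            $value = $value -replace '%username%', $SamAccountName
        }
        $other[$attr] = $value
    }

    # Password is prompted, never placed on the command line; change at first logon is enforced.
    $user = New-ADUser -Name "$GivenName $Surname" `
        -GivenName $GivenName -Surname $Surname -DisplayName "$Surname, $GivenName" `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$UpnSuffix" `
        -Path $ou -OtherAttributes $other `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $SamAccountName") `
        -ChangePasswordAtLogon $true -Enabled $true -PassThru

    # Member Of tab: add the new user to every group the template belongs to.
    # The primary group is left at the default (Domain Users); it can only be changed after membership exists.
    foreach ($groupDn in $template.memberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $user
    }
    return $user
}

New-UserFromTemplate -GivenName 'Amy' -Surname 'Strande' -SamAccountName 'Amy.Strande'
```

The attribute list in the script is the one from the tabs above, so anything not on that list (the General tab, the street address) is deliberately not carried over, matching the wizard's behaviour.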
2. Using Active Directory Command-Line Tools
The DS commands are a suite of Active Directory command-line tools. The following DS commands are supported in Windows Server 2008 R2:
- DSAdd: Creates an object in the directory.
- DSGet: Returns specified attributes of an object.
- DSMod: Modifies specified attributes of an object.
- DSMove: Moves an object to a new container or OU, or renames an object.
- DSRm: Removes an object, all objects in the subtree beneath a container object, or both.
- DSQuery: Performs a query based on parameters provided at the command line and returns a list of matching objects. By default, the result set is presented as the distinguished names (DNs) of each object, but you can use the -o parameter with modifiers such as dn, rdn, upn, or samid to receive the results as DNs, relative DNs, user principal names (UPNs), or pre–Windows 2000 logon names (security accounts manager [SAM] IDs).
Most of the DS commands take two modifiers after the command
itself: the object type and the object’s DN. For example, the
following command adds a user account for Mike Fitzmaurice:
dsadd user "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com"
The object type, user, immediately
follows the command. After the object type is the object’s DN. When
the object’s DN includes a space, surround the DN with quotes. The
following command removes the same user:
dsrm "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com"
DS commands that read or manipulate attributes of
objects include Dsquery.exe, Dsget.exe, and Dsmod.exe. To specify an attribute, include it as a
parameter after the object’s DN. For example, the
following command retrieves the home folder path for Mike
Fitzmaurice:
dsget user "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com" -hmdir
The parameter of a DS command that represents an attribute, for
example, hmdir, is not always the same as the
name of the attribute in the Active Directory Users And Computers snap-in or in the schema.
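The DS commands compose well: DSQuery produces DNs and the other commands consume them. The following added example (not from the original page) uses that to audit the template convention from the first section: it lists every user whose name starts with an underscore, lists the disabled ones with DSQuery's -disabled filter, and reports (optionally disables, with DSMod) any template that can still log on. The OU and the underscore prefix are assumptions taken from the naming standard above.

```powershell
# Added example (not from the original page). Assumed values: OU and the "_" template prefix.
function Get-EnabledTemplateAccount {
    param(
        [string] $Ou          = 'ou=User Accounts,dc=contoso,dc=com',
        [string] $NamePattern = '_*'      # templates carry an underscore prefix (see section 1)
    )
    # dsquery prints one quoted DN per line; -limit 0 lifts the default cap of 100 results.
    $all = @(dsquery user $Ou -scope subtree -name $NamePattern -limit 0)
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed with exit code $LASTEXITCODE" }

    # Same query restricted to disabled accounts; the difference is the set that can still log on.
    $disabled = @(dsquery user $Ou -scope subtree -name $NamePattern -disabled -limit 0)
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed with exit code $LASTEXITCODE" }

    $all | Where-Object { $disabled -notcontains $_ } |
        ForEach-Object { $_.Trim('"') }   # strip dsquery's quotes so the DN can be passed on cleanly
}

$enabled = @(Get-EnabledTemplateAccount)
foreach ($dn in $enabled) {
    Write-Warning "Template account can still log on: $dn"
    # Remediate in place. Remove this line to report only.
    dsmod user $dn -disabled yes
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsmod could not disable $dn" }
}
"$($enabled.Count) enabled template account(s) found"
```

Comparing two DSQuery result sets avoids parsing DSGet's tabular output; the same pattern (one unfiltered query, one with -inactive or -stalepwd) finds dormant accounts.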
3. Creating Users with DSAdd
Use the DSAdd command to create objects in Active Directory. The
DSAdd User command creates a user object and accepts
parameters that specify properties of the user. The following command
shows the basic parameters required to create a user
account:
dsadd user "UserDN" -samid "pre-Windows 2000 logon name" -pwd {Password | *} -mustchpwd yes
The -pwd parameter specifies the password. If it is set to an asterisk (*), you are prompted for the password. Prefer the asterisk: a password typed directly into the command is recorded in the command history and is visible in the process's command line to other users on the same machine. The -mustchpwd parameter specifies that the user must change the password at next logon.
DSAdd User accepts several parameters that specify properties of
the user object. The following command creates a user with some of the
more important fields populated:
dsadd user "cn=Amy Strande,ou=User Accounts,dc=contoso,dc=com" -samid Amy.Strande
-fn Amy -ln Strande -display "Strande, Amy" -pwd Pa$$w0rd -desc "Vice President, IT"
Most parameter names are self-explanatory: -email,
-profile, and -company, for example.
Type dsadd user /? or search the
Windows Server 2008 R2 Help and Support Center for thorough
documentation of the DSAdd User parameters.
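The following added example (not from the original page) wraps DSAdd User in a PowerShell function so the DN quoting, the prompted password and the exit-code check are not forgotten, and reads the result back with DSGet. The server name, OU, group and user details are assumed values.

```powershell
# Added example (not from the original page). Assumed values: OU, UPN suffix, file server, group, user.
function New-DsUser {
    param(
        [Parameter(Mandatory)] [string]   $GivenName,
        [Parameter(Mandatory)] [string]   $Surname,
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [string]   $Ou        = 'ou=User Accounts,dc=contoso,dc=com',
        [string]   $UpnSuffix = 'contoso.com',
        [string[]] $MemberOf  = @()        # group DNs to join at creation time
    )
    # The DN contains spaces; PowerShell quotes it for the native command automatically.
    $dn = "cn=$GivenName $Surname,$Ou"

    # -pwd * makes dsadd prompt for the password, so it never lands in the shell history or in
    # the process command line. -mustchpwd yes forces a change at first logon.
    $dsArgs = @(
        'user', $dn,
        '-samid', $SamAccountName,
        '-upn', "$SamAccountName@$UpnSuffix",
        '-fn', $GivenName, '-ln', $Surname, '-display', "$Surname, $GivenName",
        '-hmdir', "\\server01\users\$SamAccountName", '-hmdrv', 'H:',
        '-pwd', '*', '-mustchpwd', 'yes', '-disabled', 'no'
    )
    if ($MemberOf.Count -gt 0) { $dsArgs += '-memberof'; $dsArgs += $MemberOf }

    & dsadd @dsArgs
    if ($LASTEXITCODE -ne 0) { throw "dsadd failed with exit code $LASTEXITCODE for $dn" }

    # Read back what matters. Note dsget's parameter names (-hmdir) are not the LDAP names (homeDirectory).
    & dsget user $dn -samid -upn -hmdir -mustchpwd -disabled
    return $dn
}

New-DsUser -GivenName 'Amy' -Surname 'Strande' -SamAccountName 'Amy.Strande' `
    -MemberOf 'cn=Sales,ou=Groups,dc=contoso,dc=com'
```

Because the password is prompted, this function is interactive; for bulk creation from a file, CSVDE (next section) followed by DSMod is the usual route.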
4. Exporting Users with CSVDE
CSVDE is a command-line tool that imports or exports Active
Directory objects from or to a comma-delimited text file (also known
as a comma-separated value text file, or .csv
file). Comma-delimited files can be created, modified, and opened with
tools as familiar as Notepad and Microsoft Office Excel. If you have
user information in existing Excel or Microsoft Office Access
databases, you will find that CSVDE is a powerful way to take
advantage of that information to automate user account
creation.
The basic syntax of the CSVDE command for export is:
csvde -f filename
However, that command will export all objects in your Active
Directory domain. You will want to limit the scope of the export,
which you can do with the following four parameters:
- -d RootDN: Specifies the distinguished name of the container from which the export will begin. The default is the domain itself.
- -p SearchScope: Specifies the scope of the search relative to the container specified by -d. SearchScope can be either base (this object only), onelevel (objects within this container), or subtree (this container and all subcontainers). The default is subtree.
- -r Filter: Filters the objects returned within the scope configured by -d and -p. Filter is written in Lightweight Directory Access Protocol (LDAP) query syntax.
- -l ListOfAttributes: Specifies the attributes that will be exported. Use the LDAP name for each attribute, separated by a comma, as in -l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName.
The output of a CSVDE export lists the exported LDAP attribute names on the first line. Each object follows, one per line. Here’s a sample file:
DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName
"CN=David Jones,OU=User Accounts,DC=contoso,DC=com",user,Jones,David,david.jones,david.jones@contoso.com
"CN=Lisa Andrews,OU=User Accounts,DC=contoso,DC=com",user,Andrews,Lisa,lisa.andrews,lisa.andrews@contoso.com
5. Importing Users with CSVDE
CSVDE can also create user accounts by importing a .csv file, so user information that already exists in Excel or Access can become accounts without being retyped.
The basic syntax of the CSVDE command for import is:
csvde -i -f Filename [-k]
The -i parameter specifies import mode; without it, the default mode of CSVDE is export. The -f parameter identifies the file name to import from or export to. The -k parameter instructs CSVDE to continue past errors, including Object Already Exists errors, which is convenient when an import is re-run; be aware that it suppresses every other error as well, so after an import with -k check the log file (its location is set with the -j parameter).
The import file itself is a comma-delimited text file (.csv or .txt) in which the first line defines the imported attributes by their LDAP attribute names. Each object follows, one per line, and must contain exactly the attributes listed on the first line. Here’s a sample file:
DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName
"CN=David Jones,OU=User Accounts,DC=contoso,DC=com",user,Jones,David,david.jones,david.jones@contoso.com
"CN=Lisa Andrews,OU=User Accounts,DC=contoso,DC=com",user,Andrews,Lisa,lisa.andrews,lisa.andrews@contoso.com
This file, when imported by the CSVDE command, will create user objects for David Jones and Lisa Andrews in the User Accounts OU. The file sets the logon names, last name, and first name. You cannot use CSVDE to import passwords, and without a password the user account is created disabled. After you have set a password, you can enable the account.
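The following added example (not from the original page) carries both the export of section 4 and the import of section 5 through in one script: it exports real user accounts with a filter that excludes computer objects (which are also objectClass=user), builds an import file in CSVDE's layout from a constructed HR list, imports it without -k so failures are not masked, and then does what CSVDE cannot, setting a random initial password with DSMod, forcing a change at first logon, and enabling each account. The OU, domain, file names and the two sample people are assumed values.

```powershell
# Added example (not from the original page). Assumed values: OU, domain, file names, sample people.
$ou     = 'OU=User Accounts,DC=contoso,DC=com'
$domain = 'contoso.com'

# Export (section 4). Computer objects are also objectClass=user, so require objectCategory=person.
csvde -f .\export.csv -d $ou -p subtree -r '(&(objectCategory=person)(objectClass=user))' `
      -l DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName

# Constructed sample input, as it might come out of an HR spreadsheet.
$hr = @'
GivenName,Surname
David,Jones
Lisa,Andrews
'@ | ConvertFrom-Csv

# Build the import rows (section 5): LDAP attribute names on the first line, DN first.
$rows = foreach ($p in $hr) {
    $sam = ('{0}.{1}' -f $p.GivenName, $p.Surname).ToLower()
    [pscustomobject]@{
        DN                = "CN=$($p.GivenName) $($p.Surname),$ou"
        sn                = $p.Surname
        givenName         = $p.GivenName
        sAMAccountName    = $sam
        userPrincipalName = "$sam@$domain"
    }
}
$lines = @('DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName')
$lines += foreach ($r in $rows) {
    # The DN contains commas, so it is quoted; the remaining fields must not contain commas.
    '"{0}",user,{1},{2},{3},{4}' -f $r.DN, $r.sn, $r.givenName, $r.sAMAccountName, $r.userPrincipalName
}
Set-Content -Path .\newusers.csv -Value $lines -Encoding Unicode

# Import. -u matches the Unicode file; -j writes csvde.log to the current directory.
# -k is deliberately omitted: it would hide the failures you need to see.
csvde -i -u -f .\newusers.csv -j .
if ($LASTEXITCODE -ne 0) { throw 'csvde import failed; see .\csvde.log' }

# CSVDE cannot import passwords, so every account was created disabled. Give each a random
# initial password, require a change at first logon, then enable it.
function New-InitialPassword([int] $Length = 16) {
    # 64 symbols, so byte modulo 64 is uniform (no modulo bias); look-alike glyphs I, O, l, 0, 1 left out.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?@'
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}
foreach ($r in $rows) {
    $initial = New-InitialPassword
    # The password is briefly visible in this process's command line; it is single-use because
    # -mustchpwd forces a change. If a draw fails the domain's complexity rule, dsmod reports it
    # and the account stays disabled.
    dsmod user $r.DN -pwd $initial -mustchpwd yes -disabled no
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsmod failed for $($r.DN)"; continue }
    "{0}`t{1}" -f $r.sAMAccountName, $initial     # hand over out of band, never by e-mail
}
```

The file is written with Set-Content rather than Export-Csv so that only the DN is quoted and no type-information line precedes the header, which is the layout CSVDE's own exports use.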