PowerShell Ezine, Logon Scripts

Guy's Scripting Ezine 103 - Creating Users with sAMAccountName

This Week's Secret

When you use VBScript to create major objects such as Users, Computers or Groups, your script must set a value for the LDAP property sAMAccountName.  If you were creating a user manually, sAMAccountName would equate to the 'User logon name' field.  Also keep in mind that Active Directory enforces that each sAMAccountName is unique in the domain, hence you get an error when you run the script a second time (unless you change the value of strUser).

sAMAccountName tip for username.   You can also employ sAMAccountName when you want to control the username attribute.  For example, suppose you want to map: profilePath \\server\users\username; it is often easier to use the sAMAccountName, for example: profilePath \\server\users\sAMAccountName.

This Week's Mission

Last week we modified the computer object.  This week we are going to create a user object.  My rationale for this learning sequence is that it's easier to modify than to create.  When we create an object, we must specify a minimum of three properties, whereas modify focuses only on one property.

These are the three mandatory properties needed to create a user:
a) The type of object, for example user, and not computer, group or contact.
b) CN= Set the common name. (N.B. not to be confused with CN = container.)
c) sAMAccountName, the logon name.  Often set to the same value as the CN.

In the case of Users, it's optional, but helpful, if we give them a password and then enable their account by setting userAccountControl = 512.  As a finishing touch, we will set the account so that the user must change their password at first logon (PwdLastSet = 0).

There are zillions more properties that we could configure, for example sn (Last Name), however that would get us sidetracked from the main objective, which is just to create a user object.  I say just create, but it still gives me a thrill when VBScript delivers a user to the correct container.

I have to also confess that normally, you create not one but lots of users.  To achieve this, you would persuade the script to loop through the cells of a spreadsheet extracting the relevant values.  However, opening files is a whole different lesson and I want to concentrate on one topic at a time.  Also, remember that last week we learned how to modify objects, so if the worst came to the worst, we could always run another script to add values to our users' property sheets.

Example 1 Script: To Create a Basic User Object

Pre-requisites

You need an OU called Accounts, else change my value for strContainer.

This script is designed for Windows Active Directory.  You really need to run this script on a domain controller rather than an XP workstation.

Instructions for creating the user object.

  1. Copy and paste the example script below into notepad or use a VBScript editor.

  2. One advantage of a good script editor such as OnScript is that you can see the line numbers, which helps when you have to troubleshoot error messages.

  3. Save the file with a .vbs extension, for example: NewUser.vbs

  4. Double click NewUser.vbs, then check Active Directory Users and Computers for the new user object.

  5. N.B. It may be necessary to right click the OU and select 'Refresh' from the drop down menu.  F5 only works the first time, then goes silent.

' NewUser.vbs
' Sample VBScript to create a User in Users (or strOU).
' Author Guy Thomas http://Computerperformance.co.uk/
' Version 1.2 - February 2006
' ------------------------------------------------------'
Option Explicit
Dim strUser, strOU
Dim objRoot, objContainer, objUser

'strOU = "cn=users,"
strOU = "OU=Accounts,"
strUser = "DomGuy97"

' Bind to Active Directory, note: 'Set' and 'Get'
Set objRoot = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strOU & _
objRoot.Get("defaultNamingContext"))

' Build the actual "User". Note cn=
' Observe the .Create method
Set objUser = objContainer.Create("User", "cn=" & strUser)
objUser.Put "sAMAccountName", strUser
objUser.SetInfo

WScript.Echo "Check " & strOU & " for " & strUser
WScript.Quit

' End of Sample Create Users VBScript.

Learning Points

Note 1:  Observe how the first part of the VBScript gets a handle on the OU and thus sets the location where the user will be born.  Specifically, trace the role of: Set objRoot and GetObject.

Note 2:  Examine how VBScript creates the type of object, "User" (not computer).  See how VBScript then names the new user with cn=strUser.  Finally, the script adds the mandatory sAMAccountName.

Note 3:  Remember that .SetInfo is like pressing the OK button in the Active Directory Users and Computers dialog box.

Note 4:  The WScript.Echo is not strictly necessary; however, my scripts are littered with echo commands because they a) confirm that something has happened, and b) remind us where to look for the new object.
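Because sAMAccountName must be unique in the domain, a second run of NewUser.vbs fails inside SetInfo.  The following script is an added example (not from the ezine): it runs an LDAP query for the sAMAccountName first and only calls .Create when no match exists.  It assumes the same OU=Accounts container and the constructed user name DomGuy97.

```vbscript
' CheckThenCreateUser.vbs (added example, not part of the original ezine)
' Search the whole domain for an existing sAMAccountName before .Create,
' so a repeat run reports the clash instead of failing inside SetInfo.
Option Explicit
Dim strUser, strOU, strDomainDN
Dim objRoot, objContainer, objUser
Dim objConn, objCmd, objRS

strOU = "OU=Accounts,"        ' assumption: an OU called Accounts exists
strUser = "DomGuy97"          ' constructed sample logon name

Set objRoot = GetObject("LDAP://rootDSE")
strDomainDN = objRoot.Get("defaultNamingContext")

' ADO query through the ADSI provider: any object whose sAMAccountName
' already equals strUser, searched from the domain root (subtree scope).
' strUser is a constant here; if it came from a spreadsheet or user input,
' escape the LDAP filter metacharacters ( ) * \ before building the filter.
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = "<LDAP://" & strDomainDN & ">;" & _
    "(sAMAccountName=" & strUser & ");distinguishedName;subtree"
Set objRS = objCmd.Execute

If Not objRS.EOF Then
    WScript.Echo "sAMAccountName " & strUser & " already exists at " & _
        objRS.Fields("distinguishedName").Value
    objConn.Close
    WScript.Quit 1
End If
objConn.Close

' No clash: create the user exactly as Example 1 does.
Set objContainer = GetObject("LDAP://" & strOU & strDomainDN)
Set objUser = objContainer.Create("User", "cn=" & strUser)
objUser.Put "sAMAccountName", strUser
objUser.SetInfo

WScript.Echo "Created " & strUser & " in " & strOU & strDomainDN
```

Run it with cscript from a domain-joined machine; the query searches the whole domain, so a clash in any other OU (or the Users container) is reported with its distinguishedName.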

Example 2 Script: To Create a 'Live' User

Did you notice that big red X next to the first user we created?   A red X indicates the account is disabled and cannot log on.  This script adds a password and then enables the user account.  As a final touch, objUser.Put "PwdLastSet", 0 means that the user must change the password at first logon.

' CreateUsersAdv.vbs
' Sample VBScript to create, and enable a User in strOU.
' Author Guy Thomas http://Computerperformance.co.uk/
' Version 2.4 - February 2006
' ------------------------------------------------------'
Option Explicit
Dim strUser, strOU, strPassword
Dim objRoot, objContainer, objUser, objShell, objMMC

'strOU = "cn=users,"
strOU = "OU=Accounts,"
strUser = "DomAdvGuy30"
strPassword = "P@ssw0rd"

' Bind to Active Directory.
Set objRoot = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strOU & _
objRoot.Get("defaultNamingContext"))

' Build the actual User.
Set objUser = objContainer.Create("User", "cn=" & strUser)
objUser.Put "sAMAccountName", strUser
objUser.SetInfo

' Section to set the password. Note second SetInfo
objUser.SetPassword strPassword
objUser.Put "userAccountControl", 512
objUser.Put "PwdLastSet", 0
objUser.SetInfo

' Optional Subroutine to open ADUC
Call MMC

WScript.Quit

Sub MMC()
    Set objMMC = CreateObject("WScript.Shell")
    objMMC.Run "%systemroot%\system32\dsa.msc"
End Sub

' End of Advanced Create Users VBScript.

Learning Points

Note 0:  Once a script gets to 20 lines, you really do benefit from a script editor such as OnScript.

Note 1:  While 'SetPassword' is self-evident, 'userAccountControl' is a topic in its own right.  Suffice to say that a value of 512 means enable the account, while 514 means disable.  (However, there are other values.)

Note 2:  A value of zero for PwdLastSet tells the user to reset their password at next logon.

Note 3:  You may have noticed my recent penchant for subroutines, for example Sub MMC().  Strategically, this fits with the modular design of my scripts; in this instance, 'Call MMC' launches the Active Directory Users and Computers snap-in.  My hidden agenda is that .Run dsa.msc is a change from my usual WScript.Echo.
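The following is an added example, not the ezine's own script, that goes slightly beyond Example 2: it prompts for the password instead of leaving "P@ssw0rd" in the .vbs file, checks that SetPassword was accepted by the domain password policy, and enables the account by clearing the disable bit (2) and the "password not required" bit (32) from the current userAccountControl rather than overwriting the whole value with 512.  For a freshly created user the result is still 512; the difference shows when the same logic is reused on an existing account whose other flags must survive.  It assumes OU=Accounts and the constructed name DomAdvGuy30.

```vbscript
' EnableUserSafely.vbs (added example, not part of the original ezine)
' Run with cscript so the password can be read from the console.
Option Explicit
Const ADS_UF_ACCOUNTDISABLE = 2    ' 0x002: account is disabled
Const ADS_UF_PASSWD_NOTREQD = 32   ' 0x020: set by default on new ADSI users
Dim strUser, strOU, strPassword, intUAC
Dim objRoot, objContainer, objUser

strOU = "OU=Accounts,"             ' assumption: an OU called Accounts exists
strUser = "DomAdvGuy30"            ' constructed sample logon name
WScript.StdOut.Write "Initial password for " & strUser & ": "
strPassword = WScript.StdIn.ReadLine

Set objRoot = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strOU & _
    objRoot.Get("defaultNamingContext"))

' Create the user with the three mandatory properties, as in Example 1.
Set objUser = objContainer.Create("User", "cn=" & strUser)
objUser.Put "sAMAccountName", strUser
objUser.SetInfo

' SetPassword is rejected when the value breaks the domain password policy;
' report that rather than silently leaving a disabled account behind.
On Error Resume Next
objUser.SetPassword strPassword
If Err.Number <> 0 Then
    WScript.Echo "SetPassword failed (0x" & Hex(Err.Number) & "): " & _
        Err.Description
    WScript.Echo "User " & strUser & " was created but is still disabled."
    WScript.Quit 1
End If
On Error GoTo 0

' Reload the property cache, then clear only the two flags we care about.
objUser.GetInfo
intUAC = objUser.Get("userAccountControl")
intUAC = intUAC And (Not (ADS_UF_ACCOUNTDISABLE Or ADS_UF_PASSWD_NOTREQD))
objUser.Put "userAccountControl", intUAC
objUser.Put "pwdLastSet", 0        ' user must change password at first logon
objUser.SetInfo

WScript.Echo "Enabled " & strUser & "; userAccountControl is now " & intUAC
```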

Challenges

Research other LDAP properties, for example, sn and givenName, then add extra lines of script when you create a User object.

Summary - Create Users

A basic User only requires us to script three properties: the common name (CN), the type of object ("User") and the sAMAccountName.  A more useful User object also has a password and is enabled, ready for logon.


Copyright © 1999-2010 Computer Performance LTD All rights reserved