Guy’s Scripting Ezine 103 – Creating Users with sAMAccountName

Contents for Ezine 103 – Create Users

• This Week’s Secret
• This Week’s Mission
• Example 1 Script: To Create a Basic User Object
• Example 2 Script: To Create a ‘Live’ User
• Exchange PowerShell New Mailbox
• Summary – Create User

 ♣

This Week’s Secret

When you use VBScript to create major objects such as Users, Computer or Groups, your script must set a value for the LDAP property sAMAccountName.  Imagine, if you were creating a user manually, then sAMAccountName equates to ‘User logon name’.  Also keep in mind Active Directory enforces that each sAMAccountName is unique in the domain, hence you get an error when you run the script for a second time (unless you change the value of strUser).

   You can also employ sAMAccountName when you want to control the username attribute.  For example, suppose you want to map: profilePath \\ server \ users\ username; it is often easier to use the sAMAccountName, for example: profilePath \\ server \ users\ sAMAccountName.

This Week’s Mission

Last week we modified the computer object.  This week we are going to create a user object.  My rationale for this learning sequence is that it’s easier to modify than to create.  When we create an object, we must specify a minimum of three properties, whereas modify focuses only on one property.

These are three mandatory properties needed to create a user:
a) The type of object, for example user, and not computer, group or contact.
b) CN= Set the common name. (N.B. not to be confused with CN = container.)
c) sAMAccountName, the logon name.  Often set to the same value as CN.

In the case of Users, it’s optional, but helpful, if we give them a password and then enable their account by setting userAccountControl = 512.  As a finishing touch, we will set the account so that the user must change their password at first logon (PwdLastSet = 0).

There are zillions more properties that we could configure, for example sn (Last Name), however that would get us side tracked from the main objective, which is just to create a user object.  I say just create, but it still gives me a thrill when VBScript delivers a user to the correct container.

I have to also confess that normally, you create not one but lots of users.  To achieve this, you would persuade the script to loop through the cells of a spreadsheet extracting the relevant values.  However, opening files is a whole different lesson and I want to concentrate on one topic at a time.  Also, remember that last week we learned how to modify objects, so if the worst came to the worst, we could always run another script to add values to our users’ property sheets.

Guy Recommends:  SolarWinds’ Free Bulk Import Tool

Import users from a spreadsheet.  Just provide a list of the users with their fields in the top row, and save as .csv file.  Then launch this FREE utility and match your fields with AD’s attributes, click and import the users.

Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.

If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor)

Example 1 Script: To Create a Basic User Object

Pre-requisites

You need an OU called Accounts, else change my value for strContainer.

This script is designed for Windows Active Directory.  You really need to run this script on a domain controller rather than an XP workstation.

Instructions for modifying the properties of computer objects.

1. Copy and paste the example script below into notepad or use a VBScript editor.

2. One advantage of a good script editor such as OnScript is that you can see the line numbers, which helps when you have to troubleshoot error messages.

3. Save the file with a .vbs extension, for example: NewUser.vbs 

4. Double click NewUser.vbs, the check Active Directory Users and Computers for new values for your computer’s properties.

5. N.B. It may be necessary to right-click the OU and select ‘Refresh’ from the drop down menu.  F5 is only works the first time then goes silent.

Learning Points

Note 1:  Observe how the first part of the VBScript gets a handle on the OU and thus set the location where the user will be born.  Specifically, trace the role of: Set objRoot and GetObject.

Note 2:  Examine how VBScript creates the type of object, "User" (not computer).  See how VBScript then names the new user with cn=strUser.  Finally, the script adds the mandatory, sAMAccountName.

Note 3:  Remember that .SetInfo is like pressing the OK button in the Active Directory Users and Computers dialog box.

Note 4:  The WScript.Echo is not strictly necessary, however, my scripts are littered with echo commands which add indications that, a) Something has happened!  b) To remind us where to look for the new object.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM) v11.5

SolarWinds’ Orion performance monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

Example 2 Script: To Create a ‘Live’ User

Did you notice that big red X next to the first user we created?   A red X indicates the account is disabled and could not logon. This script adds a password and then enables the user account.  As a final touch, objUser.Put "PwdLastSet", 0 means that the user must change the password at first logon.

Learning Points

Note 0:  Once a script gets to 20 lines, you really do benefit from a script editor such as OnScript.

Note 1:  While ‘SetPassword’ is self evident, ‘userAccountControl’ is a topic in its own right.  Suffice to say that a vale of 512 means enable the account, while 514 means disable.  (However there are other values.)

Note 2:  A value of zero for PwdLastSet, tells the user to reset their password at next logon.

Note 3:  You may have noticed my recent penchant for sub routines, for example sub MMC().  Strategically, this fits with the modular design of my scripts; in this instance, ‘call MMC’ launches the Active Directory Users and Computers snap-in.  My hidden agenda is that .Run dsa.msc is a change from my usual WScript.echo.

Challenges

Research other LDAP properties, for example, sn and givenName, then add extra lines of script when you create a User object.

Guy Recommends: Tools4ever’s UMRA

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

Summary – Create Users

A basic User only requires us to script three properties, the common name, (CN), the type of object, "User" and the sAMAccountName.  A more useful User object also has a password and is enabled ready for logon.

See More Active Directory VBScripts to Create Users

• User Spreadsheet  • Ezines  •LDAP Properties  • Create Users  • Solarwinds User Import Tool

• Ezine 13 Create Users  • Ezine 21 Create Users  • Ezine 23 Enable Accounts

• Ezine 42 Modify Users  •Ezine 93 ADSIEdit  • Ezine 103 SamAccountName 

• Ezine 134 Delete Users  • PowerShell 3 Workflow  •PowerShell Get Users  •PowerShell Create Users