

Recipe 5.1. Creating a User Account and Mailbox

Problem

You need to create a user account and a mailbox.

Solution

Using a graphical user interface

  1. Open the Exchange-enabled version of the Active Directory Users and Computers (ADUC) snap-in (Users and Computers.msc).

  2. Ensure that you are connected to the correct domain for the new user object.

  3. In the left pane, browse to the appropriate container for the new user account, right-click on it, and select New > User.

  4. Enter and confirm the password, set the password flags as appropriate, and click Next.

  5. Ensure the Create an Exchange Mailbox checkbox is selected and that the alias, server, and mailbox stores are correct. Click Next.

  6. Confirm the information and click Finish.

Using a command-line interface with dsadd

You can use the dsadd command to add new user accounts from the command line. Here's an example:

 > dsadd user "cn=DavidR,cn=Users,dc=robichaux,dc=net" -samid "david"  -fn "David" -mi "P" -ln "Robichaux" -display "David P. Robichaux"  -memberof "Family" -mustchpwd yes

This creates a new user account for David. The account's SAM ID is david@robichaux.net (which is also the UPN, since we didn't use the -upn switch); the other switches are self-explanatory. dsadd lets you specify a number of attribute values at creation time, including telephone and fax numbers, home directory and drive information, and password policy settings. In this case, the only significant attribute we added was to force David to change his password the first time he logs on with -mustchpwd yes.

Once the user object has been added, you can use exchmbx with the -me switch to mail-enable it, like this:

> exchmbx -b "cn=DavidR,cn=Users,dc=robichaux,dc=net" -me david@robichaux.net

Using a command-line interface with ldifde

  1. Use your favorite text editor to create an LDIF file. The file should appear as below, customized for your environment:

    # ------------------import-user.ldf---------------------
    dn: cn=<userCN>,cn=Users,<ForestRootDN>
    changetype: add
    CN: <userCN>
    objectClass: user
    samAccountName: <userAccount>
    givenName: <firstName>
    sn: <lastName>
    userAccountControl: 514
    userPrincipalName: <userAccount@domain>

  2. Save the file with a .ldf extension.

  3. Next, run the following command:

    > ldifde -i -f <fileName>.ldf -s DCname -j c:\temp

  4. Use exchmbx with the -cr switch to mail-enable the newly created user object. This requires you to know the user's DN, the address you want to assign, and the server, storage group, and mailbox database where you want to create the mailbox. For example:

    > exchmbx -b "CN=paulr,CN=Users,DC=robichaux,DC=net"     -cr "batman:First Storage Group:Mailbox01"

    This will create a new mailbox for the user named paulr in the Users container of the robichaux.net domain. The mailbox will be created in the Mailbox01 mailbox database of First Storage Group on the server named batman.

If you have a strong password policy on your domain, the LDIF import would fail because the file in the example doesn't specify a password. That's why the file specifies a userAccountControl value of 514: the account is created as disabled, so you can set a password on it.
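The userAccountControl value is a bit mask: 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2). The following check is an added example, not code from the book: it decodes that value for every user record in an LDIF file before the file goes to ldifde, and reports records that would be created enabled without a password or with flags that weaken password handling. The flag names come from MS KB 305144; the RISKY set, the sample records, and the svc-scan account are assumptions made for the illustration.

```python
# Subset of the KB 305144 bits; RISKY is this example's own choice of flags to question.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x400000: "DONT_REQ_PREAUTH"}
RISKY = set(UAC_FLAGS.values()) - {"ACCOUNTDISABLE", "NORMAL_ACCOUNT"}
# Constructed records for illustration (not from the book).
SAMPLE = """\
dn: cn=paulr,cn=Users,dc=robichaux,dc=net
changetype: add
objectClass: user
userAccountControl: 514

dn: cn=svc-scan,cn=Users,dc=robichaux,dc=net
changetype: add
objectClass: user
userAccountControl: 66080
"""

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if int(value) & bit}

def parse_ldif(text):
    """Return records as {lower-cased attribute: [values]}; '::' values stay encoded."""
    records = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, split on blank lines
        rec = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                name, _, value = line.partition(":")
                rec.setdefault(name.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def lint(text):
    """Return (dn, finding) pairs for user records to review before import."""
    findings = []
    for rec in parse_ldif(text):
        if "user" not in [c.lower() for c in rec.get("objectclass", [])]:
            continue
        dn = rec["dn"][0]
        if "useraccountcontrol" not in rec:
            findings.append((dn, "no userAccountControl; directory default applies"))
            continue
        flags = decode_uac(rec["useraccountcontrol"][0])
        if "ACCOUNTDISABLE" not in flags and "unicodepwd" not in rec:
            findings.append((dn, "enabled but no password in file"))
        findings += [(dn, "flag " + f) for f in sorted(flags & RISKY)]
    return findings
```

Calling `lint(SAMPLE)` returns nothing for the paulr record (514, as in the recipe) and three findings for the record with 66080, which is enabled and carries PASSWD_NOTREQD and DONT_EXPIRE_PASSWORD.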


Using VBScript
    ' This code creates a new user account, then mailbox-enables
    ' it by creating a mailbox in the first MDB on the server.
    ' ------ SCRIPT CONFIGURATION ------
    strDCName = "<DC>"             ' e.g., "batman"
    strUserName = "<userName>"     ' e.g., "jrandomuser"
    strFirstName = "<userFirst>"   ' e.g., "Joe"
    strLastName = "<userLast>"     ' e.g., "Blow"
    strPassword = "<password>"     ' "G0bbeldygook!#"
    ' ------ END CONFIGURATION ------

    Set oIADS = GetObject("LDAP://RootDSE")
    strDefaultNC = oIADS.Get("defaultnamingcontext")
    strConfigNC = oIADS.Get("configurationNamingContext")

    ' Create the user object in the Users container.
    strContainer = "/CN=Users," & strDefaultNC
    Set objContainer = GetObject("LDAP://" & strDCName & strContainer)
    Set NewUser = objContainer.Create("User", "cn=" & strUserName)
    With NewUser
       .firstName = strFirstName
       .lastName = strLastName
       .Put "sAMAccountName", strUserName
       .SetInfo
    End With

    ' The object must exist before a password can be set on it.
    With NewUser
       .AccountDisabled = False
       .SetPassword strPassword
       .SetInfo
    End With

    ' Open the connection.
    Set theConnection = CreateObject("ADODB.Connection")
    Set theCommand = CreateObject("ADODB.Command")
    Set theRecordSet = CreateObject("ADODB.Recordset")
    theConnection.Provider = "ADsDSOObject"
    theConnection.Open "ADs Provider"

    ' Build the query to find the private MDBs. Use the first
    ' one if any are found.
    strQuery = "<LDAP://" & strConfigNC & _
        ">;(objectCategory=msExchPrivateMDB);name,adspath;subtree"
    theCommand.ActiveConnection = theConnection
    theCommand.CommandText = strQuery
    Set theRecordSet = theCommand.Execute
    If Not theRecordSet.EOF Then
        theRecordSet.MoveFirst
        firstMDB = CStr(theRecordSet.Fields("ADsPath").Value)
    Else
        firstMDB = ""
    End If

    ' Stop if no mailbox store was found, rather than reporting success.
    If firstMDB = "" Then
        WScript.Echo "No private MDB found; mailbox not created"
        WScript.Quit 1
    End If

    ' Create the mailbox.
    With NewUser
       .CreateMailbox firstMDB
       .SetInfo
    End With
    WScript.Echo "Mailbox created successfully"

Discussion

While you can create a mailbox using ldifde, we're not going to show you how to do it, because it doesn't really work properly: the msExchMailboxSecurityDescriptor attribute can't be correctly set through ldifde. You can use the information included within this recipe to create the user object, but you then need to manually mailbox-enable the user object through ADUC. (This was determined after a painful amount of testing the creation of a mailbox; once we determined that the mailbox looked right, but wasn't working right, we did a little more research and found out that Microsoft definitely doesn't recommend the creation of mailboxes through ldifde imports.) However, the exchmbx tool fixes this problem by making it easy to mail-enable newly created mailboxes or contacts from the command line correctly, so feel free to use this method if it's appropriate for your environment.

The creation of a mailbox via a script is really a two-step process, and it's imperfect at best. Basically, what we've done is create a new user account in Active Directory, then used the script that is also used for Recipe 5.2 to mailbox-enable that user account. The discussion for Recipe 5.2 explains a lot of the process, so we're going to point you to that.

See Also

MS KB 305144 (How to Use the UserAccountControl Flags to Manipulate User Account Properties), MS KB 324353 (Users Cannot Access Public Folders or Delegate Mailboxes on a Separate Server), RFC 2849 (The LDAP Data Interchange Format (LDIF) - Technical Specification), MS KB 293339 (How to create a mailbox-enabled user with CDOEXM in Visual C++), and MS KB 237677 (Using LDIFDE to Import and Export Directory Objects to Active Directory); exchmbx documentation at joeware.net



Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
EAN: 2147483647
Year: 2006
Pages: 235
