Category list

Recipe 6.1 Creating a User

6.1.1 Problem

You want to create a user object.

6.1.2 Solution

6.1.2.1 Using a graphical user interface

Open the Active Directory Users and Computers (ADUC) snap-in.
If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name , and click OK.
In the left pane, browse to the parent container of the new user, right-click on it, and select New User.
Enter the values for the first name, last name, full name, and user logon name fields as appropriate and click Next.
Enter and confirm password, set any of the password flags, and click Next.
Click Finish.

6.1.2.2 Using a command-line interface

> dsadd user "<


UserDN


>" -upn <


UserUPN


> -fn "<


UserFirstName


>" -ln "<


UserLastName


>"

[RETURN]

-display "<


UserDisplayName


>" -pwd <


UserPasswd


>

6.1.2.3 Using VBScript

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512  

set objParent = GetObject("LDAP://<


ParentDN


>") 
set objUser   = objParent.Create("user", "cn=<


UserName


>") ' e.g. joes
objUser.Put "sAMAccountName", "<


UserName


>"   ' e.g. joes
objUser.Put "userPrincipalName", "<


UserUPN


>" ' e.g. joes@rallencorp.com
objUser.Put "givenName", "<


UserFirstName


>"   ' e.g. Joe
objUser.Put "sn", "<


UserLastName


>"           ' e.g. Smith
objUser.Put "displayName", "<


UserFirstName


> <


UserLastName


>" ' e.g. Joe Smith
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo
objUser.SetPassword("<


Password


>")
objUser.AccountDisabled = FALSE
objUser.SetInfo

6.1.3 Discussion

The only mandatory attribute that must be set when creating a user is sAMAccountName , which is the account name that is used to interoperate with down-level domains. To make the account immediately available for a user to use, you'll need to make sure the account is enabled, which is accomplished by setting userAccountControl to 512, and setting a password (see Recipe 6.17). If you allow UPN logons , you'll want to make sure the userPrincipalName attribute is set.

With Windows Server 2003, you can also create user accounts using the inetOrgPerson class, which is described in Recipe 6.3. inetOrgPerson objects can be used for user authentication and restricting access to resources in much the same way as user objects.

6.1.3.1 Using a graphical user interface

To set additional attributes, double-click on the user account after it has been created. There are several tabs to choose from that contain attributes that are grouped together based on function (e.g., Profile).

6.1.3.2 Using a command-line interface

Several additional attributes can be set with the dsadd user command. Run dsadd user /? for the complete list.

6.1.3.3 Using VBScript

Take a look at Recipe 6.24 for more information on the userAccountControl attribute and the various flags that can be set for it.

6.1.4 See Also

Recipe 6.2 for creating users in bulk, Recipe 6.3 for creating an inetOrgPerson user, and MSDN: ADS_USER_FLAG_ENUM

Recipe 6.2 Creating a Large Number of Users

6.2.1 Problem

You want to create a large number of user objects, either for testing purposes or to initially populate Active Directory with your employee, customer, or student user accounts.

6.2.2 Solution

The following examples will create 1,000 users in the rallencorp.com domain under the Bulk OU. The password is set, but no other attributes are configured. You can modify the examples to populate whatever attributes you need.

6.2.2.1 Using a command-line interface

> for /L %i in (1,1,1000) do dsadd user cn=User%i,ou=bulk,dc=rallencorp,dc=com -pwd

[RETURN]

User%i

6.2.2.2 Using VBScript

' This code creates a large number of users with incremented user names
' e.g. User1, User2, User3, ....
' ------ SCRIPT CONFIGURATION ------
intNumUsers = 1000         ' Number of users to create
strParentDN = "


<ParentDN>


" ' e.g. ou=bulk,dc=emea,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512

set objParent = GetObject("LDAP://" & strParentDN)
for i = 1 to intNumUsers
   strUser = "User" & i
   Set objUser = objParent.Create("user", "cn=" & strUser)
   objUser.Put "sAMAccountName", strUser
   objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
   objUser.SetInfo
   objUser.SetPassword(strUser)
   objUser.AccountDisabled=FALSE
   objUser.SetInfo
   WScript.Echo "Created " & strUser
next
WScript.Echo ""
WScript.Echo "Created " & intNumUsers & " users"

6.2.3 Discussion

Using ADSI and even the new DS command line utilities on Windows Server 2003, you can create hundreds and even thousands of users easily and quickly. I ran both the CLI and VBScript solutions in a test domain, which create 1,000 user objects, on a single processor machine. The VBScript solution took less than 1.5 minutes and the CLI solution took less than 5 minutes. Admittedly, they are not populating very many attributes, but it shows that you can quickly populate Active Directory with user accounts very easily. You can also modify the examples to pull from a data source, such as an employee database, and use real data.