Creating Users | MicrosoftВ® Windows PowerShell(TM) Step By Step (Step By Step (Microsoft))

One interesting technique you can use with ADSI is create users. Although using the Graphical User Interface (GUI) to create a single user is easy, using the GUI to create a dozen or more users would certainly not be. In addition, as you’ll see, because there is a lot of similarity among ADSI scripts, deleting a dozen or more users is just as simple as creating them. And because you can use the same input text file for all the scripts, ADSI makes creating temporary accounts for use in a lab or school a real snap.

Just the Steps

To create users

Use the appropriate provider for your network.
Connect to the container for your users.
Specify the domain.
Specify the User class of the object.
Bind to Active Directory.
Use the Create method to create the user.
Use the Put method to at least specify the sAMAccountName attribute.
Use SetInfo() to commit the user to Active Directory.

The CreateUser.ps1 script, which follows, is very similar to the CreateOU.ps1 script. In fact, CreateUser.ps1 was created from CreateOU.ps1, so a detailed analysis of the script is unnecessary. The only difference is that oClass is equal to the “User” class instead of to an “organizationalUnit” class.

Tip

These scripts use a Windows PowerShell trick. When using VBScript to create a user or a group, you must supply a value for the sAMAccountName attribute. When using Windows PowerShell on Windows 2000, this is also the case. With Windows PowerShell on Windows Server 2003, however, the sAMAccountName attribute will be automatically created for you. In the CreateUser.ps1 script, I have included the $objUser.Put command, which would be required for Windows 2000, but it is not required in Windows Server 2003.

CreateUser.ps1

 $strCLass = "User" $StrName = "CN=MyNewUser" $objADSI = [ADSI]"LDAP://ou=myTestOU,dc=nwtraders,dc=msft" $objUser = $objADSI.create($strCLass, $StrName) $objUser.Put("sAMAccountName", "MyNewUser") $objUser.setInfo()

Quick Check

Q. To create a user, which class must be specified?

A. You need to specify the User class to create a user.

Q. What is the Put method used for?

A. The Put method is used to write additional property data to the object that it is bound to.

Creating groups

Open the CreateUser.ps1script in Notepad, and save it as yourname CreateGroup.ps1.
Declare a variable called $intGroupType. This variable will be used to control the type of group to create. Assign the number 2 to the variable. When used as the group type, a type 2 will be a distribution group. This line of code is shown here:
```
 $intGroupType = 2
```
Change the value of $strClass from user to group. This variable will be used to control the type of object that gets created in Active Directory. This is shown here:
```
 $strGroup = "Group"
```
Change the name of the $objUser variable to $objGroup (less confusing that way). This will need to be done in two places, as shown here:
```
 $objGroup = $objADSI.create($strCLass, $StrName) $objGroup.setInfo()
```
Above the $objGroup.setInfo() line, use the Put method to create a distribution group. The distribution group is grouptype of 2, and we can use the value held in the $intGroupType variable. This line of code is shown here:
```
 $ObjGroup.put("GroupType",$intGroupType)
```
Save and run the script. It should create a group called MyNewGroup in the MyTestOU in Active Directory. If the script does not perform as expected, compare you script with the CreateGroup.ps1 script.
This concludes the creating groups procedure.

Creating a computer account

Open CreateUser.ps1 script in Notepad, and save it as yourname CreateComputer.ps1.
Change the $strClass from “user” to “Computer”. The revised command is shown here:
```
 $strCLass = "computer"
```
Change the $strName from “CN=MyNewUser” to “CN=MyComputer”. This command is shown here:
```
 $StrName = "CN=MyComputer"
```
The [ADSI] accelerator connection string is already connecting to ou=myTestOU and should not need modification.
Change the name of the $objUser variable used to hold the object that is returned from the Create method to $objComputer. This revised line of code is shown here:
```
 $objComputer = $objADSI.create($strCLass, $StrName)
```
Use the Put method from the DirectoryEntry object created in the previous line to put the value “MyComputer” in the sAMAccountName attribute. This line of code is shown here:
```
 $objComputer.put("sAMAccountName", "MyComputer")
```
Use the SetInfo() method to write the changes to Active Directory. This line of code is shown here:
```
 $objComputer.setInfo()
```
After the Computer object has been created in Active Directory, you can modify the UserAccountControl attribute. The value 4128 in UserAccountControl means the workstation is a trusted account and does not need to change the password. This line of code is shown here:
```
 $objComputer.put("UserAccountControl",4128)
```
Use the SetInfo() method to write the change back to Active Directory. This line of code is shown here:
```
 $objComputer.setinfo()
```
Save and run the script. You should see a computer account appear in Active Directory Users and Computers. If your script does not product the expected results, compare it with CreateComputer.ps1.

This concludes the creating a computer account procedure.

What Is User Account Control?

User account control is an attribute stored in Active Directory that is used to enable or disable a User Account, Computer Account, or other object defined in Active Directory. It is not a single string attribute; rather, it is a series of flags that get computed from the values listed in Table 7-3. Because of the way the UserAccountControl attribute is created, simply examining the numeric value is of little help, unless you can decipher the individual numbers that make up the large number. These flags, when added together, control the behavior of the user account on the system. In the script CreateComputer.ps1, we set two user account control flags: the ADS_UF_PASSWD_NOTREQD flag and the ADS_UF_WORKSTATION_TRUST_ACCOUNT flag. The password not required flag has a hex value of 0x20, and the the trusted workstation flag has a hex value of 0x1000. When added together, and turned into decimal value, they equal 4128, which is the value actually shown in ADSI Edit.

Table 7-3: User Account Control Values
Open table as spreadsheet
Ads Constant	Value
ADS_UF_SCRIPT	0X0001
ADS_UF_ACCOUNTDISABLE	0X0002
ADS_UF_HOMEDIR_REQUIRED	0X0008
ADS_UF_LOCKOUT	0X0010
ADS_UF_PASSWD_NOTREQD	0X0020
ADS_UF_PASSWD_CANT_CHANGE	0X0040
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED	0X0080
ADS_UF_TEMP_DUPLICATE_ACCOUNT	0X0100
ADS_UF_NORMAL_ACCOUNT	0X0200
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT	0X0800
ADS_UF_WORKSTATION_TRUST_ACCOUNT	0X1000
ADS_UF_SERVER_TRUST_ACCOUNT	0X2000
ADS_UF_DONT_EXPIRE_PASSWD	0X10000
ADS_UF_MNS_LOGON_ACCOUNT	0X20000
ADS_UF_SMARTCARD_REQUIRED	0X40000
ADS_UF_TRUSTED_FOR_DELEGATION	0X80000
ADS_UF_NOT_DELEGATED	0X100000
ADS_UF_USE_DES_KEY_ONLY	0x200000
ADS_UF_DONT_REQUIRE_PREAUTH	0x400000
ADS_UF_PASSWORD_EXPIRED	0x800000
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION	0x1000000