Creating Users


One interesting technique you can use with ADSI is creating users. Although using the graphical user interface (GUI) to create a single user is easy, using the GUI to create a dozen or more users would certainly not be. In addition, as you'll see, because ADSI scripts are so similar to one another, deleting a dozen or more users is just as simple as creating them. And because you can use the same input text file for all the scripts, ADSI makes creating temporary accounts for use in a lab or school a real snap.

Just the Steps 

To create users

  1. Use the appropriate provider for your network.

  2. Connect to the container for your users.

  3. Specify the domain.

  4. Specify the User class of the object.

  5. Bind to Active Directory.

  6. Use the Create method to create the user.

  7. Use the Put method to at least specify the sAMAccountName attribute.

  8. Use SetInfo() to commit the user to Active Directory.

The CreateUser.ps1 script, which follows, is very similar to the CreateOU.ps1 script. In fact, CreateUser.ps1 was created from CreateOU.ps1, so a detailed analysis of the script is unnecessary. The only difference is that $strClass is set to the "User" class instead of the "organizationalUnit" class.

Tip 

These scripts use a Windows PowerShell trick. When using VBScript to create a user or a group, you must supply a value for the sAMAccountName attribute. When using Windows PowerShell on Windows 2000, this is also the case. With Windows PowerShell on Windows Server 2003, however, the sAMAccountName attribute will be automatically created for you. In the CreateUser.ps1 script, I have included the $objUser.Put command, which would be required for Windows 2000, but it is not required in Windows Server 2003.

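CreateUser.ps1

     # Class of the object to create and its relative distinguished name
     $strCLass = "User"
     $StrName = "CN=MyNewUser"
     # Bind to the container (OU) that will hold the new user
     $objADSI = [ADSI]"LDAP://ou=myTestOU,dc=nwtraders,dc=msft"
     $objUser = $objADSI.create($strCLass, $StrName)
     $objUser.Put("sAMAccountName", "MyNewUser")
     # Nothing is written to Active Directory until SetInfo() is called
     $objUser.setInfo()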

Quick Check

Q. To create a user, which class must be specified?

A. You need to specify the User class to create a user.

Q. What is the Put method used for?

A. The Put method is used to write additional property data to the object that it is bound to.


Creating groups

  1. Open the CreateUser.ps1 script in Notepad, and save it as yournameCreateGroup.ps1.

  2. Declare a variable called $intGroupType. This variable will be used to control the type of group to create. Assign the number 2 to the variable. When used as the group type, a type 2 will be a distribution group. This line of code is shown here:

     $intGroupType = 2

  3. Change the value of $strClass from user to group. This variable will be used to control the type of object that gets created in Active Directory. This is shown here:

     $strCLass = "Group"

  4. Change the name of the $objUser variable to $objGroup (less confusing that way). This will need to be done in two places, as shown here:

     $objGroup = $objADSI.create($strCLass, $StrName)
     $objGroup.setInfo()

  5. Above the $objGroup.setInfo() line, use the Put method to create a distribution group. A distribution group has a group type of 2, so we can use the value held in the $intGroupType variable. This line of code is shown here:

     $ObjGroup.put("GroupType",$intGroupType)

  6. Save and run the script. It should create a group called MyNewGroup in the MyTestOU in Active Directory. If the script does not perform as expected, compare your script with the CreateGroup.ps1 script.

  7. This concludes the creating groups procedure.

Creating a computer account

  1. Open the CreateUser.ps1 script in Notepad, and save it as yournameCreateComputer.ps1.

  2. Change the $strClass from “user” to “Computer”. The revised command is shown here:

     $strCLass = "computer"

  3. Change the $strName from “CN=MyNewUser” to “CN=MyComputer”. This command is shown here:

     $StrName = "CN=MyComputer"

  4. The [ADSI] accelerator connection string is already connecting to ou=myTestOU and should not need modification.

  5. Change the name of the $objUser variable used to hold the object that is returned from the Create method to $objComputer. This revised line of code is shown here:

     $objComputer = $objADSI.create($strCLass, $StrName)

  6. Use the Put method from the DirectoryEntry object created in the previous line to put the value “MyComputer” in the sAMAccountName attribute. This line of code is shown here:

     $objComputer.put("sAMAccountName", "MyComputer")

  7. Use the SetInfo() method to write the changes to Active Directory. This line of code is shown here:

     $objComputer.setInfo()

  8. After the Computer object has been created in Active Directory, you can modify the UserAccountControl attribute. The value 4128 in UserAccountControl marks the object as a workstation trust account (0x1000) with the password-not-required flag (0x20) set. This line of code is shown here:

     $objComputer.put("UserAccountControl",4128)

  9. Use the SetInfo() method to write the change back to Active Directory. This line of code is shown here:

     $objComputer.setinfo()

  10. Save and run the script. You should see a computer account appear in Active Directory Users and Computers. If your script does not produce the expected results, compare it with CreateComputer.ps1.

  11. This concludes the creating a computer account procedure.

    What Is User Account Control? 

    User account control is an attribute stored in Active Directory that is used to enable or disable a user account, computer account, or other object defined in Active Directory. It is not a single string attribute; rather, it is a series of flags that get computed from the values listed in Table 7-3. Because of the way the UserAccountControl attribute is created, simply examining the numeric value is of little help unless you can decipher the individual numbers that make up the large number. These flags, when added together, control the behavior of the user account on the system. In the CreateComputer.ps1 script, we set two user account control flags: the ADS_UF_PASSWD_NOTREQD flag and the ADS_UF_WORKSTATION_TRUST_ACCOUNT flag. The password-not-required flag has a hex value of 0x20, and the trusted workstation flag has a hex value of 0x1000. When added together and converted to decimal, they equal 4128, which is the value actually shown in ADSI Edit.

Table 7-3: User Account Control Values

ADS Constant                                     Value
ADS_UF_SCRIPT                                    0x0001
ADS_UF_ACCOUNTDISABLE                            0x0002
ADS_UF_HOMEDIR_REQUIRED                          0x0008
ADS_UF_LOCKOUT                                   0x0010
ADS_UF_PASSWD_NOTREQD                            0x0020
ADS_UF_PASSWD_CANT_CHANGE                        0x0040
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED           0x0080
ADS_UF_TEMP_DUPLICATE_ACCOUNT                    0x0100
ADS_UF_NORMAL_ACCOUNT                            0x0200
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT                 0x0800
ADS_UF_WORKSTATION_TRUST_ACCOUNT                 0x1000
ADS_UF_SERVER_TRUST_ACCOUNT                      0x2000
ADS_UF_DONT_EXPIRE_PASSWD                        0x10000
ADS_UF_MNS_LOGON_ACCOUNT                         0x20000
ADS_UF_SMARTCARD_REQUIRED                        0x40000
ADS_UF_TRUSTED_FOR_DELEGATION                    0x80000
ADS_UF_NOT_DELEGATED                             0x100000
ADS_UF_USE_DES_KEY_ONLY                          0x200000
ADS_UF_DONT_REQUIRE_PREAUTH                      0x400000
ADS_UF_PASSWORD_EXPIRED                          0x800000
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION    0x1000000
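
The flag arithmetic described in the sidebar, as an added example that is not from the book: it decodes a UserAccountControl value into the Table 7-3 constant names with bitwise tests and lists separately the flags that relax password or Kerberos requirements. The function name ConvertFrom-UacValue, the $ReviewFlags selection, and the sample values 546 and 66048 are assumptions made for this example.

```powershell
# Added example: decode UserAccountControl with the Table 7-3 flag values.
$UacFlags = @{
    ADS_UF_SCRIPT = 0x0001; ADS_UF_ACCOUNTDISABLE = 0x0002
    ADS_UF_HOMEDIR_REQUIRED = 0x0008; ADS_UF_LOCKOUT = 0x0010
    ADS_UF_PASSWD_NOTREQD = 0x0020; ADS_UF_PASSWD_CANT_CHANGE = 0x0040
    ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080
    ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x0100; ADS_UF_NORMAL_ACCOUNT = 0x0200
    ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
    ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
    ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000; ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
    ADS_UF_MNS_LOGON_ACCOUNT = 0x20000; ADS_UF_SMARTCARD_REQUIRED = 0x40000
    ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000; ADS_UF_NOT_DELEGATED = 0x100000
    ADS_UF_USE_DES_KEY_ONLY = 0x200000; ADS_UF_DONT_REQUIRE_PREAUTH = 0x400000
    ADS_UF_PASSWORD_EXPIRED = 0x800000
    ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000
}

# Assumption of this example: flags worth a second look during an account audit.
$ReviewFlags = 'ADS_UF_PASSWD_NOTREQD', 'ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED',
    'ADS_UF_DONT_EXPIRE_PASSWD', 'ADS_UF_TRUSTED_FOR_DELEGATION',
    'ADS_UF_USE_DES_KEY_ONLY', 'ADS_UF_DONT_REQUIRE_PREAUTH',
    'ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION'

function ConvertFrom-UacValue {   # hypothetical helper name
    param([int]$Value)
    $names = @()
    $known = 0
    foreach ($flag in ($UacFlags.GetEnumerator() | Sort-Object Value)) {
        if ($Value -band $flag.Value) {      # bit test, not string matching
            $names += $flag.Key
            $known = $known -bor $flag.Value
        }
    }
    # Report bits that Table 7-3 does not name instead of silently dropping them.
    $unknown = $Value -band (-bnot $known)
    if ($unknown) { $names += ('UNKNOWN_0x{0:X}' -f $unknown) }
    return $names
}

# The two flags CreateComputer.ps1 sets, combined with -bor rather than addition.
$fromScript = $UacFlags.ADS_UF_PASSWD_NOTREQD -bor $UacFlags.ADS_UF_WORKSTATION_TRUST_ACCOUNT

# 546 and 66048 are constructed sample values.
foreach ($value in $fromScript, 546, 66048) {
    $flags  = @(ConvertFrom-UacValue $value)
    $review = @($flags | Where-Object { $ReviewFlags -contains $_ })
    '{0} (0x{0:X}): {1}' -f $value, ($flags -join ' + ')
    if ($review.Count) { '    review: ' + ($review -join ', ') }
}
```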




Microsoft Press - Microsoft Windows PowerShell Step by Step
Microsoft® Windows PowerShell(TM) Step By Step (Step By Step (Microsoft))
ISBN: 0735623953
EAN: 2147483647
Year: 2007
Pages: 128
Authors: Ed Wilson
