After the Organizational Units have been created, we populate the Active Directory with user accounts and security groups. Group membership for users is based on both the Organizational Unit (or ‘team’) they belong to and their function in the team (team leader, coordinator, clerk). Each user will be a member of 1 group only (e.g. team leader of the Production Team, clerk in the Communications team, …).
By making each global group a member of a number of domain local groups, users acquire membership of several local groups, which can then be used to manage file and directory access, group policy filtering, and so on.
The script obviously assumes a certain design in the Active Directory: an Organizational Unit logical structure, users with membership to groups, and therefore also a logical structure of domain local and global groups, etc. This is described in Active Directory Design and Implementation.
Furthermore, user profiles, user home directories and user special folders are located on the server, so we use this script to create the relevant directories and set the correct NTFS permissions. Please refer to Group Policy: Roaming User Profiles and Folder Redirection.
This script takes input from a text file (e.g. ‘users.txt’) that lists user names, the team they belong to, and their role or function in the team. The user name provides the user account name, the team name indicates the OU and part of the group names, and the function or role provides the name of the group that the user will be made a member of. Because of the repetitive structure of the groups in the Organizational Units, the script can be built around a number of FOR statements.
input file : users.txt
User Role -> Group Team
—————————————–
Christine Coordinators PT
Koen Clerks PT
Kaat Teamleiders FT
Brigitte Clerks FT
Elsk Clerks ST
Ina Teamleiders CT
Kristel Clerks CT
Anne Teamleiders ND
< ...>
This file can be made manually, or we can use scripts that generate the desired output.
batch file
@echo OFF
set theDomain=dc=kicks, dc=local
set input=users.txt
IF NOT EXIST .\%input% GOTO ERR1
REM create users and user home directory (including NTFS Permissions)
REM Profile will later be complemented with
REM group policy user configuration (Folder Redirection, Logon scripts e.a.)
REM (long dsadd commands are continued over several lines with ^)
FOR /F "tokens=1-3 skip=3" %%i in (%input%) do (
REM %%i = user name, %%j = role (group), %%k = team (OU)
REM create user home and profile directory in advance
md F:\home\%%i
md F:\users\%%i
REM create user account
dsadd user "cn=%%i, ou=%%k, ou=theOffice, %theDomain%" ^
-pwd aaaAAA111 -mustchpwd yes -canchpwd yes ^
-profile \\SRV01\users$\%%i ^
-hmdir \\SRV01\home$\%%i -hmdrv P: ^
-loscr logon.bat
REM while we're at it, set NTFS security for user home and profile folder
REM User : Read/Write Administrators : Full Control,
xcacls F:\home\%%i /c /y /t /e /g "%%i":rcd;ew Administrators:f;f
xcacls F:\users\%%i /c /y /t /e /g "%%i":rcd;ew Administrators:f;f
)
REM create groups in each OU
dsadd group "cn=lTeam, ou=theOffice, %theDomain%" -secgrp yes -scope L -samid lTeam
for %%i in (Teamleiders, Administratie, Coordinators, Stagiairs) do (
dsadd group "cn=l%%i, ou=theOffice, %theDomain%" -secgrp yes -scope L -samid l%%i
)
for %%j in (PT,CT,VT,FT,ND) do (
dsadd group "cn=lTeam, ou=%%j, ou=theOffice, %theDomain%" -secgrp yes -scope L -samid lTeam_%%j
for %%i in (Teamleiders, Administratie, Coordinators, Stagiairs) do (
dsadd group "cn=%%i, ou=%%j, ou=theOffice, %theDomain%" -secgrp yes -scope G -samid %%i_%%j
echo make GLOBAL GROUPS member of LOCAL GROUPS
dsmod group "cn=lTeam, ou=theOffice, %theDomain%" -addmbr "cn=%%i, ou=%%j, ou=theOffice, %theDomain%"
dsmod group "cn=lTeam, ou=%%j, ou=theOffice, %theDomain%" -addmbr "cn=%%i, ou=%%j, ou=theOffice, %theDomain%"
dsmod group "cn=l%%i, ou=theOffice, %theDomain%" -addmbr "cn=%%i, ou=%%j, ou=theOffice, %theDomain%"
)
)
REM make users member of group according to listing in inputfile
for /F "tokens=1-3 skip=3" %%i in (%input%) do (
dsmod group "cn=%%j, ou=%%k, ou=theOffice, %theDomain%" -addmbr "cn=%%i, ou=%%k, ou=theOffice, %theDomain%"
)
REM remove groups that we don't want (if any)
REM remove groups (Administratie, Coordinators, Stagiairs) from ou ND,
REM dsrm ObjectDN … [-subtree] -noprompt ;;removes objects
REM dsmod group GroupDN -rmmbr MemberDN ;;removes members from a group
dsrm "cn=Administratie, ou=ND, ou=theOffice, %theDomain%" -noprompt
dsrm "cn=Coordinators, ou=ND, ou=theOffice, %theDomain%" -noprompt
dsrm "cn=Stagiairs, ou=ND, ou=theOffice, %theDomain%" -noprompt
REM custom modifications : for exceptions e.g. for users in more than 1 group
REM add statements here
REM FINISH
GOTO BATCHEND
:ERR1
ECHO %0 requires input from %input%. inputfile %input% not found.
EXIT /B 1
:BATCHEND
ECHO %0 done.
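Before running a script like the one above against a live domain, it pays to dry-run the input file and see which DNs and group memberships it would produce. The following Python checker is an added example and is not code from the original post: it reads the same three-column users.txt layout, takes the team and role lists from the script's FOR statements, refuses user names containing LDAP DN special characters (the script pastes the name straight into a quoted DN), and flags rows that refer to a group the script never creates. The sample rows are constructed from the listing above plus one deliberately malformed name, and the domain string is an assumption matching `set theDomain`.

```python
"""Dry-run checker for the users.txt layout used by the batch script above.

Added example (not part of the original post). Team and role lists are the
ones in the script's FOR statements; the domain and sample rows are assumed.
"""

# Values copied from the batch script's FOR statements
TEAMS = ("PT", "CT", "VT", "FT", "ND")
ROLES = ("Teamleiders", "Administratie", "Coordinators", "Stagiairs")
# Global groups the script deletes again for ou=ND at the end
REMOVED = {("Administratie", "ND"), ("Coordinators", "ND"), ("Stagiairs", "ND")}
DOMAIN = "dc=kicks,dc=local"          # assumption: matches "set theDomain="
OFFICE_OU = "theOffice"
HOME_SHARE = r"\\SRV01\home$"          # share name taken from the script

# Characters with special meaning in an LDAP DN (RFC 4514). The batch
# script does no escaping, so a name containing one of these would change
# the meaning of the quoted DN; refuse such rows instead of escaping them.
DN_SPECIALS = set(',+"\\<>;=#')


def parse_users(text, skip=3):
    """Return (user, role, team) tuples, mimicking FOR /F "tokens=1-3 skip=3".

    The first `skip` physical lines are dropped, blank lines are ignored and
    rows with fewer than three tokens are padded with "" so they get flagged.
    """
    rows = []
    for line in text.splitlines()[skip:]:
        parts = line.split()
        if not parts:
            continue
        parts += [""] * (3 - len(parts))
        rows.append(tuple(parts[:3]))
    return rows


def check_row(user, role, team):
    """Return a list of problems for one row; an empty list means it is usable."""
    problems = []
    if not user or DN_SPECIALS & set(user):
        problems.append(f"user name {user!r} is empty or contains DN special characters")
    if team not in TEAMS:
        problems.append(f"team {team!r}: the script creates no OU groups for it")
    elif role not in ROLES or (role, team) in REMOVED:
        problems.append(f"group cn={role},ou={team} is never created (or is removed)")
    return problems


def user_dn(user, team):
    return f"cn={user},ou={team},ou={OFFICE_OU},{DOMAIN}"


def group_dn(role, team):
    return f"cn={role},ou={team},ou={OFFICE_OU},{DOMAIN}"


def plan(text):
    """Return (commands, errors): commands for clean rows, (user, problems) for bad ones.

    Only the DN-related switches are shown; the password, profile and logon
    script switches would be appended exactly as in the batch script.
    """
    commands, errors = [], []
    for user, role, team in parse_users(text):
        problems = check_row(user, role, team)
        if problems:
            errors.append((user, problems))
            continue
        dn = user_dn(user, team)
        commands.append(f'dsadd user "{dn}" -hmdir {HOME_SHARE}\\{user} -hmdrv P:')
        commands.append(f'dsmod group "{group_dn(role, team)}" -addmbr "{dn}"')
    return commands, errors


# Constructed sample: the page's header plus a blank line (three lines,
# matching skip=3), rows from the page's listing, and one made-up bad name.
SAMPLE = """User Role -> Group Team
-----------------------------

Christine Coordinators PT
Koen Clerks PT
Kaat Teamleiders FT
Elsk Clerks ST
Ina Teamleiders CT
Anne Teamleiders ND
Jan,Jr Teamleiders PT
"""

if __name__ == "__main__":
    cmds, errs = plan(SAMPLE)
    print("\n".join(cmds))
    for user, problems in errs:
        print(f"SKIPPED {user}: " + "; ".join(problems))
```

Run against the listing, the checker reports that the role Clerks and the team ST never get a group, because neither appears in the script's FOR lists; those rows would make the dsmod at the end fail with an object-not-found error, which is better discovered before the accounts exist.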
When the list of user accounts contains the user distinguished name, it makes sense to use the distinguished name to create the account. Using the distinguished name automatically puts the user in the correct Organizational Unit, as the OUs and the domain are part of the name. Distinguished names can be retrieved by scripts. The dsadd user statement used in the above script can also create accounts based on distinguished names.
(…)
CN=Leen,OU=ST,OU=kantoor,DC=KICKS,DC=LOCAL Leen
CN=Elsk,OU=ST,OU=kantoor,DC=KICKS,DC=LOCAL Elsk
CN=Ina,OU=CT,OU=kantoor,DC=KICKS,DC=LOCAL Ina
(…)
REM (line breaks added for readability; ^ continues the command on the next line)
REM %%x = distinguished name, %%y = account name (sAMAccountName)
FOR /F "tokens=1-2" %%x in (users.txt) do (
dsadd user "%%x" -samid %%y ^
-pwd aaaAAA111 ^
-mustchpwd yes ^
-canchpwd yes ^
-profile \\SRV01\users$\%%y ^
-hmdir \\SRV01\home$\%%y ^
-hmdrv P: ^
-loscr logon.bat
)
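Because the second script takes the distinguished name and the account name as two separate tokens, and derives the profile and home-directory paths from the second token, the two columns must agree. The following Python checker is an added example, not code from the original post: it parses each DN into its RDNs (honouring RFC 4514 backslash escapes, so an escaped comma inside a CN does not split the name), verifies that the DN is directly under a team OU beneath OU=kantoor of the domain shown in the listing, checks that the CN matches the sAMAccountName token, and rejects account names that Active Directory would not accept. The sample lines are constructed from the listing above plus three deliberately inconsistent ones.

```python
"""Checker for the "DN sAMAccountName" input layout of the second script.

Added example (not part of the original post). The expected DN suffix is
taken from the listing; the sample lines are constructed.
"""

EXPECTED_SUFFIX = ["OU=kantoor", "DC=KICKS", "DC=LOCAL"]   # from the listing
# Characters Active Directory does not allow in a sAMAccountName
SAMID_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
SAMID_MAX_LEN = 20                                          # limit for user accounts


def split_dn(dn):
    """Split a DN into (TYPE, value) pairs.

    A backslash escapes the next character (RFC 4514), so 'CN=Piet\\,Jr,OU=PT'
    yields [('CN', 'Piet,Jr'), ('OU', 'PT')]. Attribute types are upper-cased
    because DN matching is case-insensitive.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r}")
        typ, val = rdn.split("=", 1)
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def check_line(line):
    """Return (dn, samid, problems) for one 'DN samid' line; [] means it is usable."""
    parts = line.split()
    if len(parts) != 2:
        return None, None, ["expected exactly two tokens: DN and sAMAccountName"]
    dn, samid = parts
    try:
        pairs = split_dn(dn)
    except ValueError as err:
        return dn, samid, [str(err)]
    problems = []
    if pairs[0][0] != "CN":
        problems.append("DN must start with CN=")
    elif pairs[0][1].lower() != samid.lower():
        problems.append(f"CN {pairs[0][1]!r} does not match sAMAccountName {samid!r}")
    suffix = [f"{t}={v}".upper() for t, v in pairs[2:]]
    if len(pairs) != 5 or pairs[1][0] != "OU" or suffix != [s.upper() for s in EXPECTED_SUFFIX]:
        problems.append("DN is not CN=<user>,OU=<team>,OU=kantoor,DC=KICKS,DC=LOCAL")
    if SAMID_FORBIDDEN & set(samid) or len(samid) > SAMID_MAX_LEN:
        problems.append(f"sAMAccountName {samid!r} is too long or contains forbidden characters")
    return dn, samid, problems


def check_all(text):
    """Check every non-blank line; returns a list of (dn, samid, problems)."""
    return [check_line(line) for line in text.splitlines() if line.strip()]


# Constructed sample: three lines from the listing, then a mismatched account
# name, an escaped comma in the CN, and a DN that skips the team OU.
SAMPLE = """CN=Leen,OU=ST,OU=kantoor,DC=KICKS,DC=LOCAL Leen
CN=Elsk,OU=ST,OU=kantoor,DC=KICKS,DC=LOCAL Elsk
CN=Ina,OU=CT,OU=kantoor,DC=KICKS,DC=LOCAL Ina
CN=Ina,OU=CT,OU=kantoor,DC=KICKS,DC=LOCAL Inaa
CN=Piet\\,Jr,OU=PT,OU=kantoor,DC=KICKS,DC=LOCAL Piet
CN=Lies,OU=kantoor,DC=KICKS,DC=LOCAL Lies
"""

if __name__ == "__main__":
    for dn, samid, problems in check_all(SAMPLE):
        status = "ok" if not problems else "; ".join(problems)
        print(f"{dn} {samid}: {status}")
```

The escaped-comma case is the one that matters for the batch script: FOR /F with the default delimiters splits on whitespace only, so `CN=Piet\,Jr` survives as a single token, but the CN can never equal a sAMAccountName (commas are not allowed there), so the profile and home directories would be named after a different string than the account's CN.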
On earlier Windows systems (e.g. Windows 2000), ADSI scripts can be used to create a user in a given Organizational Unit:
' bind to the Organizational Unit that will contain the new user
Set objOU = GetObject("LDAP://ou=PT,dc=kicks,dc=local")
' create the user object and give it a logon name
Set objUser = objOU.Create("User", "cn=Lennart")
objUser.Put "sAMAccountName", "Lennart"
objUser.SetInfo
By default, there is no assigned password for this user account, and the account is disabled, so the following statements may be added to set a password and enable the account:
objUser.SetPassword "AA123456"
' AccountDisabled is True for a freshly created user; set it to False to enable the account
objUser.AccountDisabled = False
objUser.SetInfo