{"id":1269,"date":"2011-10-29T19:51:49","date_gmt":"2011-10-29T19:51:49","guid":{"rendered":"http:\/\/www.obieta.com\/?p=1269"},"modified":"2011-10-29T19:51:49","modified_gmt":"2011-10-29T19:51:49","slug":"createusers-bat","status":"publish","type":"post","link":"https:\/\/obieta.com\/?p=1269","title":{"rendered":"createUsers.bat"},"content":{"rendered":"<p>After the Organizational Units have been created, we populate the Active Directory with user accounts and security groups. Group membership for users is based on both the Organizational Unit (or &#8216;team&#8217;) they belong to, and their function in the team (team leader, coordinator, clerk). Each user will be member of 1 group only (eg: team leader of the Production Team, clerk in the Communications team, &#8230;).<\/p>\n<p>By making each global group member of a number of local groups, users acquire membership of several local groups which then can be used to manage file and directory access, group policy filtering, and so on.<\/p>\n<p>The script obviously assumes a certain design in the Active Directory : an Organizational Unit logical structure, users with membership to groups, therefore also a logical structure of somain local and global groups, etc. This is described in Active Directory Design and Implementation.<\/p>\n<p>Furthermore, user profiles, user home directory and user special folders are located on the server, so we use this script to create the relevant directorys and set the correct NTFS permissions. Please refer to and Group Policy : Roaming User Profiles and Folder Redirection<\/p>\n<p>This script takes input from a text file (eg. &#8216;users.txt&#8217;) that lists user names, the team they belong to, and their role or function in the team. The user name will provide the user account name, the team name will indicate the OU and a part of the group names, the function or role will provide the name of the group that the user will be made member of. Because of the repetitive structure of the groups in the Organizational Units, the script can be built around a number of FOR statements.<\/p>\n<p>input file : users.txt<\/p>\n<p>\tUser\t\tRole -> Group\tTeam<\/p>\n<p>\t&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\n\tChristine\tCoordinators\tPT<br \/>\n\tKoen\t\tClerks\t\tPT<br \/>\n\tKaat\t\tTeamleiders\tFT<br \/>\n\tBrigitte\tClerks\t\tFT<br \/>\n\tElsk\t\tClerks\t\tST<br \/>\n\tIna\t\tTeamleiders\tCT<br \/>\n\tKristel\t\tClerks\t\tCT<br \/>\n\tAnne\t\tTeamleiders\tND<br \/>\n\t< ...><\/p>\n<p>This file can be made manually, or we can use scripts that generate the desired output<\/p>\n<p>batch file<\/p>\n<p>@echo OFF<br \/>\n\tset theDomain=dc=kicks, dc=local<br \/>\n\tset input=users.txt<br \/>\n\tIF NOT EXIST .%input% GOTO ERR1<\/p>\n<p>REM create users and user home directory (including NTFS Permissions)<br \/>\nREM Profile will later be complemented with<br \/>\nREM group policy user configuration (Folder Redirection, Logon scripts e.a.)<\/p>\n<p>FOR \/F &#8220;tokens=1-3 skip=3&#8221; %%i in (%input%) do (<br \/>\n\tREM create user home and profile directory in advance<br \/>\n\tmd F:home%%i<br \/>\n\tmd F:users%%i<\/p>\n<p>\tREM create user account<br \/>\n\tdsadd user &#8220;cn=%%i, ou=%%k, ou=theOffice, %theDomain%&#8221;<br \/>\n\t\t\t\t-pwd aaaAAA111 -mustchpwd yes -canchpwd yes<br \/>\n\t\t\t\t-profile \\SRV01users$dsadd user &#8220;cn=%%i, ou=%%k, ou=theOffice, %theDomain%&#8221;<br \/>\n\t\t\t\t-hmdir \\SRV01home$%%i -hmdrv P:<br \/>\n\t\t\t\t-loscr logon.bat<\/p>\n<p>\tREM while we&#8217;re at it, set NTFS security for user home and profile folder<br \/>\n\tREM \t User : Read\/Write \tAdministrators : Full Control,<\/p>\n<p>\txcacls F:home%%i \/c \/y \/t \/e \/g &#8220;%%i&#8221;:rcd;ew Administrators:f;f<br \/>\n\txcacls F:users%%i \/c \/y \/t \/e \/g &#8220;%%i&#8221;:rcd;ew Administrators:f;f<\/p>\n<p>)<\/p>\n<p>REM create groups in each OU<\/p>\n<p>dsadd group &#8220;cn=lTeam, ou=theOffice, %theDomain%&#8221; -secgrp yes -scope L -samid lTeam<\/p>\n<p>for %%i in (Teamleiders, Administratie, Coordinators, Stagiairs) do (<br \/>\n\tdsadd group &#8220;cn=l%%i, ou=theOffice, %theDomain%&#8221; -secgrp yes -scope L -samid l%%i<br \/>\n)<\/p>\n<p>for %%j in (PT,CT,VT,FT,ND) do (<br \/>\n\tdsadd group &#8220;cn=lTeam, ou=%%j, ou=theOffice, %theDomain%&#8221; -secgrp yes -scope L -samid lTeam_%%j<\/p>\n<p>\tfor %%i in (Teamleiders, Administratie, Coordinators, Stagiairs) do (<\/p>\n<p>\t\tdsadd group &#8220;cn=%%i, ou=%%j, ou=theOffice, %theDomain%&#8221; -secgrp yes -scope G -samid %%i_%%j<\/p>\n<p>\t\techo \tmake GLOBAL GROUPS member of LOCAL GROUPS<br \/>\n\t\tdsmod group &#8220;cn=lTeam, ou=theOffice, %theDomain%&#8221; -addmbr &#8220;cn=%%i, ou=%%j, ou=theOffice, %theDomain%&#8221;<\/p>\n<p>\t\tdsmod group &#8220;cn=lTeam, ou=%%j, ou=theOffice, %theDomain%&#8221; -addmbr &#8220;cn=%%i, ou=%%j, ou=theOffice, %theDomain%&#8221;<\/p>\n<p>\t\tdsmod group &#8220;cn=l%%i, ou=theOffice, %theDomain%&#8221; -addmbr &#8220;cn=%%i, ou=%%j, ou=theOffice, %theDomain%&#8221;<br \/>\n\t)<br \/>\n)<\/p>\n<p>REM make users member of group according to listing in inputfile<\/p>\n<p>for \/F &#8220;tokens=1-3 skip=3&#8221; %%i in (%input%) do (<br \/>\n\tdsmod group &#8220;cn=%%j, ou=%%k, ou=theOffice, %theDomain%&#8221;  -addmbr &#8220;cn=%%i, ou=%%k, ou=theOffice, %theDomain%&#8221;<br \/>\n)<\/p>\n<p>REM remove groups that we don&#8217;t want (if any)<\/p>\n<p>REM remove groups (Administratie, Coordinators, Stagiairs) from ou ND,<br \/>\nREM dsrm ObjectDN &#8230; [-subtree] -noprompt\t;;removes objects<br \/>\nREM dsmod group GroupDN -rmmbr MemberDN\t;;removes members from a group<\/p>\n<p>dsrm &#8220;cn=Administratie, ou=ND, ou=theOffice, %theDomain%&#8221;  -noprompt<br \/>\ndsrm &#8220;cn=Coordinators, ou=ND, ou=theOffice, %theDomain%&#8221;  -noprompt<br \/>\ndsrm &#8220;cn=Stagiairs, ou=ND, ou=theOffice, %theDomain%&#8221;  -noprompt<\/p>\n<p>REM custom modifications : for exeptions eg. for users in more than 1 group<br \/>\nREM add statements here<\/p>\n<p>REM FINISH<br \/>\nGOTO BATCHEND<\/p>\n<p>:ERR1<br \/>\nECHO %0 requires input from %input%. inputfile %input% not found.<br \/>\nEXIT \/B 1<\/p>\n<p>:BATCHEND<br \/>\nECHO %0 done.<\/p>\n<p>When the list of user accounts has the user distinguished name, it makes sense to use the distinguished name to create the account. Using the distinguished name to create the account automatically puts the user in the correct Organizational unit, as OU&#8217;s and domain are part of the name. Distinghuished names can be retrieved by scripts. The dsadd user statement used in the above script can be used to create accounts based in distinguished names.<\/p>\n<p>  \t(&#8230;)<br \/>\n  \tCN=Leen,OU=ST,OU=kantoor,DC=KICKS,DC=LOCAL        Leen<br \/>\n \tCN=Elsk,OU=ST,OU=kantoor,DC=KICKS,DC=LOCAL        Elsk<br \/>\n  \tCN=Ina,OU=CT,OU=kantoor,DC=KICKS,DC=LOCAL         Ina<br \/>\n  \t(&#8230;)<\/p>\n<p>\tREM (line breaks added for readibility)<\/p>\n<p>\tFOR \/L &#8220;tokens=1-2&#8221; %%x in (users.txt) do (<\/p>\n<p>\t\tDsadd\tuser &#8220;%%x&#8221; \t-samid %%y<br \/>\n\t\t\t\t\t-pwd aaaAAA111<br \/>\n\t\t\t\t\t-mustchpwd yes<br \/>\n\t\t\t\t\t-canchpwd yes<br \/>\n\t\t\t\t\t-profile \\SRV01users$%%y<br \/>\n\t\t\t\t\t-hmdir \\SRV01home$%%y<br \/>\n\t\t\t\t\t-hmdrv P :<br \/>\n\t\t\t\t\t-loscr logon.bat<br \/>\n\t)<\/p>\n<p>On earlier Windows systems (eg. Windows 2000), ADSI scripts can be used to create a user in a given Organizational unit :<\/p>\n<p>\t\tSet objOU = GetObject(&#8220;LDAP:\/\/ou=PT,dc=kicks,dc=local&#8221;)<\/p>\n<p>\t\tSet objUser = objOU.Create(&#8220;User&#8221;, &#8220;cn=Lennart&#8221;)<br \/>\n\t\tobjUser.Put &#8220;sAMAccountName&#8221;, &#8220;Lennart&#8221;<\/p>\n<p>\t\tobjUser.SetInfo<\/p>\n<p>By default, there is no assigned password for this user account, and the account is disabled, so the following statementys may be added :<\/p>\n<p>\t\tobjUser.SetPassword &#8220;AA123456&#8221;<br \/>\n\t\tobjUser.AccountDisabled = True<\/p>\n<p>\t\tobjUser.SetInfo<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After the Organizational Units have been created, we populate the Active Directory with user accounts and security groups. Group membership for users is based on both the Organizational Unit (or &#8216;team&#8217;) they belong to, and their function in the team (team leader, coordinator, clerk). Each user will be member of 1 group only (eg: team [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,1],"tags":[],"_links":{"self":[{"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/posts\/1269"}],"collection":[{"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/obieta.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1269"}],"version-history":[{"count":0,"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/posts\/1269\/revisions"}],"wp:attachment":[{"href":"https:\/\/obieta.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/obieta.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/obieta.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}