Scripting user creation in Windows
Server is something we’ve long done using LDIF files; however, when building a
system that creates users in more of a one-off capacity it’s pretty easy to
script the creation process using PowerShell, piping information in from other
solutions. To create a user, use the New-ADUser cmdlet.
I’ve found that we usually need to
populate this with a few pieces of information, including the account name
(SamAccountName), the password (AccountPassword), the full name (Name), enabling
the account (Enabled), setting whether the password expires
(PasswordNeverExpires) and forcing the user to change their password when they
log on (ChangePasswordAtLogon). Respectively, the following example would
create user cedge with a password of mypassword, a name of Charles Edge,
enabling the account, allowing the password to expire and forcing me to change
my password the first time I log in:
# Read-Host -AsSecureString prompts for the password (type mypassword at the prompt)
# and returns the SecureString that -AccountPassword expects.
New-ADUser -SamAccountName cedge -AccountPassword (Read-Host "Set user password" -AsSecureString) `
  -Name "Charles Edge" -Enabled $true -PasswordNeverExpires $false -ChangePasswordAtLogon $true
Once created, the account likely
needs to be made a member of some groups. At this point, we’ll need to identify
the user by CN (so if the user is in a specific OU, that would need to be included
in the -Identity parameter). Because namespace collisions can happen, you’ll
need to provide the full CN (distinguished name) of both the user (using the Identity parameter) and
the group (using the MemberOf parameter). Let’s say I’m going to add that
account that I just created, which is in Users of krypted.com, to the Enterprise
Admins group of the same domain; that would look like this:
Add-ADPrincipalGroupMembership -Identity "CN=Mumbai BR,CN=Users,DC=Shanky,DC=com" `
  -MemberOf "CN=Enterprise Admins,CN=Users,DC=Shanky,DC=com","CN=Domain Admins,CN=Users,DC=Shanky,DC=com"
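Putting the two cmdlets together for the "piping information in from other solutions" case, here is an added example (not from the original post) that creates accounts from CSV rows and adds each to its groups. It uses the distinguished name that New-ADUser -PassThru returns for -Identity, so the CN path never has to be guessed; the OU, group names and CSV rows are constructed assumptions.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module is installed and that the OU and groups named in the CSV exist.
Import-Module ActiveDirectory

# Constructed sample input; in practice this would be piped in from another system.
$rows = @'
SamAccountName,Name,OU,Groups
cedge,Charles Edge,"OU=Staff,DC=krypted,DC=com","Helpdesk;VPN Users"
jdoe,Jane Doe,"OU=Staff,DC=krypted,DC=com","Helpdesk"
'@ | ConvertFrom-Csv

function New-InitialPassword {
    # 20 characters drawn from printable ASCII with a CSPRNG; the account is
    # created with ChangePasswordAtLogon so this value is only a one-time secret
    # to hand over through your normal provisioning channel.
    $chars = ([char[]](33..126)) -join ''
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

foreach ($row in $rows) {
    # Skip accounts that already exist rather than failing part-way through the run.
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
        Write-Warning "$($row.SamAccountName) already exists; skipping"
        continue
    }
    $secure = ConvertTo-SecureString (New-InitialPassword) -AsPlainText -Force
    $user = New-ADUser -SamAccountName $row.SamAccountName -Name $row.Name `
        -Path $row.OU -AccountPassword $secure -Enabled $true `
        -PasswordNeverExpires $false -ChangePasswordAtLogon $true -PassThru

    # Resolve each group to its DN as well, so two groups that share a CN in
    # different containers cannot be confused.
    $groupDNs = $row.Groups -split ';' | ForEach-Object {
        (Get-ADGroup -Filter "Name -eq '$_'").DistinguishedName
    }
    Add-ADPrincipalGroupMembership -Identity $user.DistinguishedName -MemberOf $groupDNs
    Write-Output "Created $($user.DistinguishedName); member of $($groupDNs -join ', ')"
}
```

Run it once with -WhatIf appended to the New-ADUser and Add-ADPrincipalGroupMembership calls to see which objects would be created and modified before committing.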