Summary: Ed Wilson, Microsoft Scripting Guy, talks about creating users in Active Directory Domain Services without using a module.
Hey, Scripting Guy!
In my company, we do a lot of work with Active Directory, and my team is responsible for this. But not all of the administrators have the Active Directory module, so I cannot assume that it will be available when we need to run a script. I need to be able to create users from a script (like I did with VBScript) without having to do anything special. Can this still be done by using Windows PowerShell?
—GF
Hello GF,
Microsoft Scripting Guy, Ed Wilson, is here. The Windows PowerShell community is always amazing, and is also always active. We are going to be at the TechStravaganza in Atlanta this year, and we look forward to seeing a bunch of PowerShellers. This year, it will be in a different location, so stay tuned for that. The good news is that there will be more room available for us.
GF, your question is a perfect lead-in for Active Directory Week. Yes, it can be a bit confusing when you do not have a standardized environment. Luckily, Windows PowerShell can talk to Active Directory through ADSI on any machine, module or no module, so you can pretty much do whatever you need to do.
One fundamental technique you can use with Active Directory Service Interfaces (ADSI) is creating users. Although using the graphical user interface (GUI) to create a single user is easy, using the GUI to create a dozen or more users would certainly not be.
In addition, as you’ll see, because there is a lot of similarity among ADSI scripts, deleting a dozen or more users is as simple as creating them. And because you can use the same input text file for all the scripts, ADSI makes creating temporary accounts for use in a lab or school a real snap.
To create users, do the following:
- Use the appropriate provider for your network.
- Connect to the container for your users.
- Specify the domain.
- Specify the User class of the object.
- Bind to Active Directory.
- Use the Create method to create the user.
- Use the Put method to specify (at least) the sAMAccountName attribute.
- Use SetInfo() to commit the user to Active Directory.
The CreateUser.ps1 script (which follows) can form the basis for all scripts that you create to work with Active Directory objects because they will all follow a set pattern. This is all there is to the script:
- Because the script can actually be used as a template, I store the class of object I am creating in its own variable. Here the class is User.
- I specify the name.
- I use the [ADSI] type accelerator to make my connection to Active Directory.
- I must specify that I am using the LDAP protocol to connect.
- I specify the organizational unit and the domain name.
- I store the returned connection in a variable I call $objAdsi.
- I call the Create method to actually create the user.
- I specify a value for the sAMAccountName property.
- I call SetInfo to write the information back to Active Directory.
Note
Whether you must supply sAMAccountName depends on the domain controller, not on the scripting language. When you create a user or a group against a Windows 2000 domain controller, you must supply a value for the sAMAccountName attribute, whether you use VBScript or Windows PowerShell. Domain controllers running Windows Server 2003 (or later) generate a sAMAccountName for you if you do not supply one.
The CreateUser.ps1 script includes the $objUser.Put command anyway. It is required for Windows 2000, and it is harmless but optional for Windows Server 2003 (or later). Keep it: an autogenerated sAMAccountName is not very user friendly, for example $441000-1A0UVA0MRB0T, and sAMAccountName is the account's down-level logon name, so any legacy application that requires it would force users to type a value that is difficult to use, at best.
Here is the complete CreateUser.PS1 script:
# CreateUser.ps1
$strClass = "User"                  # class of object to create
$strName  = "CN=MyNewUser"          # relative distinguished name of the new object
# Bind to the container (OU) that will hold the user, using the LDAP provider
$objADSI = [ADSI]"LDAP://ou=myTestOU,dc=nwtraders,dc=msft"
# Create the object in the local property cache ...
$objUser = $objADSI.Create($strClass, $strName)
# ... set sAMAccountName (required on Windows 2000 DCs, recommended everywhere) ...
$objUser.Put("sAMAccountName", "MyNewUser")
# ... and commit it to Active Directory
$objUser.SetInfo()
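One caveat worth knowing before you run CreateUser.ps1 in anger: a user created this way has no password, and Active Directory gives it a default userAccountControl of 0x222, that is NORMAL_ACCOUNT plus ACCOUNTDISABLE plus PASSWD_NOTREQD. The account is disabled, which is good, but the password-not-required flag means that anyone who later enables it without first setting a password has created an account that logs on with an empty password. The script below is an added example, not code from the original post. It extends the same Create, Put, SetInfo pattern to the batch case mentioned earlier (a list of accounts instead of one), validates the sAMAccountName, sets a random initial password, clears PASSWD_NOTREQD, enables the account and forces a password change at first logon; it also shows the matching Delete call. The OU and domain are the ones from CreateUser.ps1; the UPN suffix, the sample names and the function names are assumptions made for this example, and it needs a reachable domain controller to run.

```powershell
# BulkCreateUsers.ps1 -- added example, not part of the original post.
# Assumptions: the OU and domain come from the post's CreateUser.ps1; the UPN
# suffix, the sample account list and the function names are made up here.
# Run on a domain-joined host as an account allowed to create users in the OU.

$ouPath    = "LDAP://ou=myTestOU,dc=nwtraders,dc=msft"
$upnSuffix = "nwtraders.msft"       # assumed; use your forest's real UPN suffix

# Constructed sample input. In practice build this from a text file, e.g.
# Get-Content .\users.txt, which is the "same input text file" idea above.
$accounts = @(
    [pscustomobject]@{ DisplayName = 'Alice Example'; Sam = 'aexample' },
    [pscustomobject]@{ DisplayName = 'Bob Example';   Sam = 'bexample' }
)

# userAccountControl bits (documented ADS_USER_FLAG values)
$ACCOUNTDISABLE = 0x0002
$PASSWD_NOTREQD = 0x0020

function New-RandomPassword([int]$Length = 16) {
    # 64-character alphabet: 256 is divisible by 64, so the modulo adds no bias
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function ConvertTo-Rdn([string]$DisplayName) {
    # Escape the characters that are special inside an RDN (comma, backslash, +, ...)
    'CN=' + ($DisplayName.Trim() -replace '([,\\#+<>;"=])', '\$1')
}

function New-AdsiUser {
    param(
        [string]$ContainerPath,
        [string]$DisplayName,
        [string]$SamAccountName,
        [string]$UpnSuffix
    )
    # sAMAccountName rules: at most 20 characters, none of " / \ [ ] : ; | = , + * ? < >
    if ($SamAccountName.Length -gt 20 -or $SamAccountName -match '["/\\\[\]:;|=,+*?<>]') {
        throw "Unusable sAMAccountName '$SamAccountName'"
    }

    # Same Create -> Put -> SetInfo sequence as CreateUser.ps1
    $container = [ADSI]$ContainerPath
    $user = $container.Create('User', (ConvertTo-Rdn $DisplayName))
    $user.Put('sAMAccountName', $SamAccountName)
    $user.Put('userPrincipalName', "$SamAccountName@$UpnSuffix")
    $user.Put('displayName', $DisplayName)
    $user.SetInfo()            # the object must exist on the DC before SetPassword works
    $user.RefreshCache()       # reload server-side values, including the default UAC

    # Fresh ADSI-created user: userAccountControl = 0x222
    # (NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD) and no password.
    # Set a real password first, then clear both flags in one commit.
    $password = New-RandomPassword
    $user.SetPassword($password)
    $user.Put('pwdLastSet', 0)  # user must change the password at next logon
    $uac = [int]$user.Get('userAccountControl')
    $uac = $uac -band (-bnot ($ACCOUNTDISABLE -bor $PASSWD_NOTREQD))
    $user.Put('userAccountControl', $uac)
    $user.SetInfo()

    [pscustomobject]@{
        DistinguishedName = $user.distinguishedName.Value
        SamAccountName    = $SamAccountName
        InitialPassword   = $password   # hand over out of band; never log this
    }
}

function Remove-AdsiUser([string]$ContainerPath, [string]$DisplayName) {
    # Deletion mirrors creation: same container, same class, same RDN
    ([ADSI]$ContainerPath).Delete('User', (ConvertTo-Rdn $DisplayName))
}

foreach ($a in $accounts) {
    New-AdsiUser -ContainerPath $ouPath -DisplayName $a.DisplayName `
                 -SamAccountName $a.Sam -UpnSuffix $upnSuffix
}
```

The order matters: SetInfo must run once before SetPassword, because the password is set on the existing directory object rather than through the property cache, and PASSWD_NOTREQD should only be cleared after a password exists, otherwise the second SetInfo fails the domain's password policy. To undo the run, call Remove-AdsiUser with the same container path and display names.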
That's all there is to using ADSI to create users. Active Directory Week will continue tomorrow.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy