CreateADUser



This script creates an AD user given the user's name, the container to create it in, and the systems the user is allowed to log on to. Some things are specific to my environment, such as NoRights and Service Accounts. This script is used to create service accounts for web applications, so we place them in those groups to limit their privileges automatically. If the user already exists, only the allowed logon systems are evaluated and adjusted; nothing else is changed.

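function CreateADUser ($strNewUser,$strLocation,$strAllowedLogonSystems)
{
   # Create an AD user through ADSI, or update the logon restriction of one that already exists.
   #   $strNewUser             - CN of the account; also used for GivenName, sn, DisplayName, UPN and sAMAccountName
   #   $strLocation            - container the account is created in (resolved by BuildLDAPObjectString / BuildLDAPString)
   #   $strAllowedLogonSystems - value written to userWorkstations (the "log on to" restriction); skipped when empty
   # Returns the generated password of a NEWLY created account as plain text, so the caller must treat the
   # return value as a secret; returns nothing when the account already existed.
   # Depends on BuildLDAPObjectString, BuildLDAPString and RandomPassword, which are defined elsewhere in this library.

   # First test to make sure the account does not already exist.
   $strUserCheck = BuildLDAPObjectString $strNewUser $strLocation
   $objUserCheck = [ADSI]$strUserCheck
   if ($objUserCheck.distinguishedname)
      { # existing user (has a DN): only the allowed-logon list is touched, nothing else is updated
         if ($strAllowedLogonSystems)
            {
               $objUserCheck.UserWorkstations = $strAllowedLogonSystems
               $objUserCheck.SetInfo()
            }
         return
      }

   # get here if the user does not exist yet
   $ADSPath    = BuildLDAPString $strLocation
   $container  = [ADSI]$ADSPath
   $objNewUser = $container.Create("User","CN=$strNewUser")
   $objNewUser.SetInfo()

   # The password is set before the account is enabled, so the account is never reachable without one.
   # NOTE(review): RandomPassword lives elsewhere in the library; confirm it draws from a cryptographic source.
   $strPassword = RandomPassword 36
   $objNewUser.SetPassword($strPassword)
   $objNewUser.psbase.InvokeSet('AccountDisabled',$false)
   $objNewUser.SetInfo()

   # Move the account into NoRights and make that its primary group. The primary group has to be
   # switched BEFORE the account is removed from Domain Users, because AD refuses to remove a user
   # from its current primary group.
   # NOTE(review): the DC suffix here (hiddenp) differs from the Domain Users path below (hidden) — confirm which is correct.
   $objNoRightsGroup = [ADSI]"LDAP://CN=NoRights,OU=Services Accounts,DC=int,DC=hiddenp,DC=com"
   $objNoRightsGroup.Add("LDAP://" + $objNewUser.distinguishedname)
   $objNoRightsGroup.SetInfo()
   $objNewUser.PrimaryGroupID = 13970 #13970 = NoRights
   $objNewUser.SetInfo()
   $objDomainUsersGroup = [ADSI]"LDAP://CN=Domain Users,CN=Users,DC=int,DC=hidden,DC=com"
   $objDomainUsersGroup.Remove("LDAP://" + $objNewUser.distinguishedname)
   $objDomainUsersGroup.SetInfo()   # previously SetInfo() was called on the NoRights group here, i.e. the wrong object

   $objNewUser.Description       = "created by script"
   $objNewUser.GivenName         = $strNewUser
   $objNewUser.sn                = $strNewUser
   $objNewUser.Displayname       = $strNewUser
   $objNewUser.UserPrincipalName = $strNewUser   # NOTE(review): no @domain suffix is appended — confirm this is intended
   # 66048 = 0x10200 = NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWD (0x10000): password never expires.
   # The earlier value 66080 additionally carried PASSWD_NOTREQD (0x20), which allows the account to
   # have no password at all; that flag is unnecessary because a 36-character random password is always set.
   $objNewUser.UserAccountControl = 66048
   if ($strAllowedLogonSystems){ $objNewUser.UserWorkstations = $strAllowedLogonSystems }
   $objNewUser.SetInfo()

   # pre-Windows 2000 logon names (sAMAccountName) are limited to 20 characters, so truncate
   $strSamName = $strNewUser
   if ($strSamName.length -gt 20)
      {
         $strSamName = $strSamName.Substring(0,20)
      }
   $objNewUser.sAMAccountName = "$strSamName"
   $objNewUser.SetInfo()
   return $strPassword
}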