Windows Server 2003 Create and Modify User Accounts by Using Automation

Create and modify user accounts by using automation: We already covered the basics of automation in section 2.3.5, Create and modify groups by using automation. Let's take a quick look at how automation can be used to create and modify user accounts.

The following simple script segment demonstrates how you could modify the script previously described to create a user, rather than a group.

We are working with two variables:
  • objOU, which is the OU in which the new user will be contained; and
  • objUser, which is the new user.
We are also using Name Properties to specify the path in the binding string for Active Directory. A few of the name properties with which you should be familiar are:
  • CN - common name
  • DC - domain component
  • OU - organizational unit.
For example, in the ADsPath in the script sample below, we are using OU to specify that the organizational unit is named "management", and that the domain components are "totalrecallpublications" and "com". The common name for the user is "TimmonsD".
Set objOU = GetObject("LDAP://OU=management,dc=totalrecallpublications,dc=com")
Set objUser = objOU.Create("User", "cn=TimmonsD")
objUser.Put "sAMAccountName", "timmonsd"
objUser.SetInfo   ' nothing is written to Active Directory until SetInfo is called

Script: Creating a New User by Script.
Please note that this script will only create the user account in Active Directory. It will NOT enable it. In order to enable the account, an additional step must be taken.
Set objUser = GetObject _
    ("LDAP://cn=TimmonsD,ou=management,dc=totalrecallpublications,dc=com")
objUser.AccountDisabled = FALSE   ' if domain policy requires a password, set one (SetPassword) before enabling
objUser.SetInfo
Script: Enabling a user by script.

Now that we have created the user TimmonsD and enabled the account, let's add the account to two different security groups: ITAdmins and ITExecs.
Const ADS_PROPERTY_APPEND = 3   ' append to the multi-valued member attribute instead of replacing it
Set objGroup = GetObject _
    ("LDAP://cn=ITAdmins,cn=IT,dc=totalrecallpress,dc=com")
objGroup.PutEx ADS_PROPERTY_APPEND, _
    "member", Array("cn=TimmonsD,ou=Management,dc=totalrecallpress,dc=com")
objGroup.SetInfo

Set objGroup = GetObject _
    ("LDAP://cn=ITExecs,cn=IT,dc=totalrecallpress,dc=com")   ' container assumed to match ITAdmins
objGroup.PutEx ADS_PROPERTY_APPEND, _
    "member", Array("cn=TimmonsD,ou=Management,dc=totalrecallpress,dc=com")
objGroup.SetInfo

Script: Adding a user account to two different security groups.
There are a number of other things you can do with user accounts using scripting. For example, let's say that the password for TimmonsD has been "hacked". You can change the password by using a piece of script. (Note that this particular script requires that you know the original password.)
Set objUser = GetObject _
    ("LDAP://cn=TimmonsD,ou=Management,dc=totalrecallpress,dc=com")
objUser.ChangePassword "wh0Ru?", "V4ni114"   ' old password, new password; SetPassword resets without the old one
Script: Changing a user's password.

Finally, let's delete the TimmonsD user account. (Remember that deleting an account is permanent. In order to reactivate the account, the account will need to be recreated and all group memberships, rights and permissions reassigned to the account.)
Set objOU = GetObject("LDAP://ou=management,dc=totalrecallpress,dc=com")
objOU.Delete "User", "cn=timmonsd"
Script: Deleting a user account.

This section has merely scratched the surface of what can be done using ADSI and automation. With Windows Server 2003, many of these tasks can be automated and placed on an internal Web site that network administrators could access. With a simple click, and the addition of the necessary arguments, users and groups can be created, deleted, and moved across a distributed network. Users can also be added to or removed from groups, groups and their membership can be enumerated, and membership lists for each group produced.
It is well worth spending a little time on the MSDN site learning more about scripting in VBScript, C#, WMI, WSH and ADSI.

Import user accounts: The LDAP Data Interchange Format Directory Exchange (ldifde) command-line utility allows administrators to create, modify, and delete directory objects on Windows Server 2003 and Windows XP Professional machines. This utility also allows administrators to extend their Active Directory schema, populate it, and import and export user and/or group information from Active Directory to additional applications and services.

The table below shows some general import parameters that can be used with the ldifde command utility.

Switch            Definition
-c FromDN ToDN    Replace each occurrence of FromDN with ToDN
-f                Input or output file name
-i                Turn on import mode (export mode is the default)
-j                Log file location
-s                Server to bind to
-t                Port number, if you wish to change from the default of 389
-u                Use Unicode format
-v                Turn on verbose mode
-?                Help

Syntax to use with the LDIFDE utility.

To import user accounts from one Active Directory controller to another, you must be logged in as the Administrator. If you log on using an account that does not have administrative privileges, you may not be able to perform export and import operations against the Active Directory. In the following steps we will import a user account named John Doe using the ldifde command.
a. Click on Start | Run and type Notepad
b. Name the blank notepad file myimport.ldf

On the first line of the Notepad file type the contents shown in the figure exactly.
(Figure: Myimport.ldf using Notepad. Creating the import file to use with ldifde.)
1. Click on the Start button, click Run and type cmd
2. Once at the command prompt use the following command:
ldifde -v -i -s 2003svr -f myimport.ldf
To break it down bit by bit, look at the command closely. The -v switch displays the output in verbose mode; -i selects import mode (you must use this to import, because the command exports by default); -s is the name of the server we are importing from; and -f is the name of the import file we created with Notepad.
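The contents of the import file are not reproduced on this page, so the following is an added example (not the author's file) of what myimport.ldf could contain: an LDIF record that creates the John Doe account in the management OU used earlier, followed by a second record that appends it to the ITAdmins group. All DNs and attribute values are constructed for illustration. The account is created disabled (userAccountControl 514) because ldifde cannot set a password over an unencrypted LDAP connection; set the password and enable the account afterwards, for example with the AccountDisabled script shown above.

```ldif
# Constructed example of myimport.ldf (not the page's original file).
# Record 1: create the user object. Attribute names are case-insensitive in AD;
# AD fills in the parent classes (top, person, organizationalPerson) for "user".
dn: CN=John Doe,OU=management,DC=totalrecallpress,DC=com
changetype: add
objectClass: user
cn: John Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@totalrecallpress.com
givenName: John
sn: Doe
displayName: John Doe
# 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): the account stays disabled
# until a password is set and it is enabled by a separate step.
userAccountControl: 514

# Record 2: append the new account to the ITAdmins group. "add: member" adds a
# value to the multi-valued attribute, so existing members are kept; the "-"
# line closes the change specification.
dn: CN=ITAdmins,CN=IT,DC=totalrecallpress,DC=com
changetype: modify
add: member
member: CN=John Doe,OU=management,DC=totalrecallpress,DC=com
-
```

Import it with the ldifde command from step 2 above; ldifde stops at the first record that fails (unless -k is given to skip errors), so the group change is only applied if the user was created successfully.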

CSVDE: The CSVDE utility is much like the ldifde command, but it uses a comma-separated format (CSV). This means that applications such as Microsoft Excel can read the output file. This is a great tool to use if you have a large number of accounts to import and you would like to view the output of the import file. However, this utility does have its limitations: it can only be used to import and export from Active Directory, not to create and delete objects like the ldifde command.
The command switches are just like the ones that were used in the ldifde command in the previous section so we are not going to list those here. An example of how to use this function is listed below. We will use this utility to create an LDAP search filter to import users with the surname smith. The import will be viewable in a filename we create called myimport.csv.

1. Click on Start | Run | type cmd
2. Type in the following command
csvde -r "(&(objectClass=user)(sn=smith))" -f myimport.csv -v -s 2003svr

The -r switch specifies an LDAP search filter for the data export. The -f switch gives the name of the file we are creating (myimport.csv). The -v switch displays the information in verbose mode. The -i switch must be used when importing (export is the default mode, which is why it is not present in the command above). The -s switch specifies the server name. In the filter, objectClass specifies the type of object, which in this case is the user, and sn represents the surname we are selecting. These are a few of the many tools that are available for use with the Windows Server 2003 network operating system. Enhancements to this network operating system allow administrators much more flexibility and control over their environment using command-line utilities such as the ones listed in this section.

Jada Brock-Soldavini is the author of the book InsideScoop to Windows Server 2003 Certification Examination 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment. Jada works for the State of Georgia as a Network Services Administrator. She has co-authored or contributed to numerous other works pertaining to Microsoft Windows technologies. In her spare time she enjoys cooking, writing and reading anything that pertains to network and security technology. To buy my book, please visit
