Microsoft DS Tools – part 4
Today, I would like to introduce DSADD tool. This is the first tool, from those we got to know, which makes changes in Active Directory database. Its role is new object creation – only (as its name suggest DSADD). Using it, we can create non-existing object(s) in Active Directory but we cannot modify them.
When you have one new user to create then it’s much more simple and faster to do that in Active Directory Users and Computers console. But what if, you have to create many users in short time or new user needs to be added into many groups in Active Directory? Then you may use for that DSADD. That’s really good tool to add many users in very short time. You can also use it to prepare user template for departments in your company as simple script. We will go through both cases in this article.
DSADD like previous tools require appropriate syntax to start working. What parameters we can use with this tool, we can see after reading its help. Some parameters can be ommited because they are not important for new object creation or they are used with default values but some are required to create the object properly. So, first of all, let’s see what parameters are available for DSADD in user context
dsadd user /?
OK, now we will try to create John Doe, new user in wroc/users/it OU in testenv.local domain
for that, we will use the minimum of required parameters in DSADD syntax
dsadd user “CN=John Doe,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -samid jdoe -upn email@example.com -fn John -ln Doe -display “John Doe” -pwd InitialPassword -memberof “CN=gg-it-common,OU=groups,OU=wroc,DC=testenv,DC=local” “CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local” -hmdrv P: -hmdir \FS01Privatejdoe -loscr logon.vbs -mustchpwd yes
and we can see that John Doe was created under specified path in Active Directory with predefined attributes
OK, let’s see what these parameters do, step-by-step
- dsadd user – add new user object in AD
- “CN=John Doe,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” – Distinguished Name of new user object (Remember! Each DS Tool always require DN to start working!), DN points what and where must be created.
- -samid jdoe – create user login jdoe
- -upn firstname.lastname@example.org – create User Principle Name
- -fn John – set First Name to John
- -ln Doe – set Last Name (surname) to Doe
- -display “John Doe” – set Display Name to First Name and Last Name
- -pwd InitialPassword – set initial password for user (by default Domain Password Policy doesn’t allow for user creation with blank password)
- -memberof – all groups to which the new user should be added (all groups must be given in Distinguished Name format; you may place as many groups as you need, separate them using <space>)
- -hmdrv P: – set up user’s home drive to P-Drive in AD profile
- -hmdir \FS01Privatejdoe – specify user’s home folder location
- -loscr logon.vbs – assign logon script to user
- -mustchpwd yes – force password change during first logon
That was simple for one user. What if we want to create in the same department many users or what if, we want to have a template for new user, i.e. for IT department? This is also simple but requires from us few changes in a syntax.
Let’s see what we have to do to prepare IT department template for new user:
dsadd user “CN=%1 %2,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -samid %3 -upn %email@example.com -fn %1 -ln %2 -display “%1 %2” -pwd InitialPassword -memberof “CN=gg-it-common,OU=groups,OU=wroc,DC=testenv,DC=local” “CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local” -hmdrv P: -hmdir \FS01Private%3 -loscr logon.vbs -mustchpwd yes
save this syntax as batch file with cmd or bat extension (i.e. IT-dept.cmd) and check below explanation how to use that
In command-line type batch file name and put after that three parameters:
- %1 – First Name
- %2 – Last Name
- %3 – user login
that’s all what you need to specify, if you want to create new use for IT department
IT-dept.cmd Ann Smith asmith
and you will see that new user (Ann Smith) was created in wroc/users/it OU
Prepare as many templates as you need for departments in your organization. I know that’s much work to do but this is only one time action, after that you can simply and in short time create new users in your environment.
Now, it’s time for bulk user creation in a domain. That’s also simple. It requires only small changes in previous script (template) and some input file. Let’s see what we can do for that
First of all, we need to prepare a text file with necessary data. It must be flat text file because DS Tools don’t support CSV or other file formats. There are also three arguments necessary
- First Name
- Last Name (surname)
- User login
OK, put these necessary information into notepad and save it on a C-Drive as new-users.txt
after that create new file wher you need to put this modified script content
for /f “tokens=1-3” %%i in (c:new-users.txt) do dsadd user “CN=%%i %%j,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -samid %%k -upn %%firstname.lastname@example.org -fn %%i -ln %%j -display “%%i %%j” -pwd InitialPassword -memberof “CN=gg-it-common,OU=groups,OU=wroc,DC=testenv,DC=local” “CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local” -hmdrv P: -hmdir \FS01Private%%k -loscr logon.vbs -mustchpwd yes
and save it with the same place as new-users.txt file (i.e. bulk-it.cmd)
Now, you need to only run this batch file in command-line, all attributes will be pull from text file. You can use other variables convetion in your script. I started using i as the first variable in a syntax but you can simply start using them as you wish even beginning from a. Next letters are in the alphabet order.
and just for verification, let’s see Active Directory Users and Computers console, if these users were created in wroc/users/it OU
Author: Krzysztof Pytko