Creating User Accounts
Microsoft® Windows® 2000 Scripting Guide
Creating user accounts is a fundamental task for any organization supporting computer users. In most network environments, each employee is assigned a user account that must be used in order to access local and network computing resources.
As shown in the following code sample, it takes only a few lines of code to create a user account. To create a user account, the script needs only to contain a valid path to the Active Directory container where a user account should be created, as well as two mandatory attributes of the user class, the common name (cn attribute) and the SAM account name (sAMAccountName attribute). For example, this code creates a user account with the common name MyerKen:
```vbscript
Set objOU = GetObject("LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com")
Set objUser = objOU.Create("User", "cn=MyerKen")
objUser.Put "sAMAccountName", "myerken"
objUser.SetInfo
```
The system automatically generates a GUID and a security identifier (SID) for the user account object, as well as the optional attributes listed in Table 7.1.
Table 7.1 Default Settings for User Account Object Optional Attributes

| Attribute | Default Setting |
|---|---|
| pwdLastSet | User must change password at next logon |
| userAccountControl | Password Not Required |
| userAccountControl | Account Disabled |
The user account is a member of the Domain Users group by default. However, after the user account is created, no password is assigned and the account is disabled.
Note
- There are over forty attributes that contain values when a user account is created. To see the attributes that contain values for user accounts, you can use the ADSI Edit snap-in.
Choosing a container for user account creation
User account objects are typically created in an OU that was itself created after Active Directory has been installed. You can also create user account objects in built-in containers, such as the Users container or domain containers, but this approach is not recommended. The Users container is primarily designed and used for migrating user accounts from domains other than Active Directory domains, such as Windows NT® 4.0 domains. Creating user account objects in OUs provides for a more organized, and thus easier to manage, directory structure.
If you create user accounts in a built-in container, you must use cn as the naming attribute of the parent container. Conversely, if you create a user account in an OU, you must use ou as the naming attribute of the parent container. The following examples show the difference between the distinguishedName attributes of two user accounts created in the na.fabrikam.com domain.
distinguishedName attribute of the AkersKim user account in the Users built-in container:
"cn=AkersKim,cn=Users,dc=NA,dc=fabrikam,dc=com"
distinguishedName attribute of the MyerKen user account in the Management OU:
"cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com"
Specifying a valid path for user account creation
When you create a user account object, you must specify both a path in Active Directory to the container where you want the object to be created and the cn for the user account object to give the user account object a unique identity in Active Directory.
The cn is the relative distinguished name of the user account object. The relative distinguished name is the unique name within the container where the object is created.
The combination of the path and the cn is the distinguishedName attribute of a user account object. The distinguishedName attribute is a unique name in Active Directory.
Verifying a unique name when creating a user account in the domain
The sAMAccountName attribute for a user account object must be unique throughout the domain. Thus, a script used to create user accounts should check that the sAMAccountName is unique before attempting to create the account. There are many ways to verify that a sAMAccountName is unique. For example, you can query Active Directory to verify the uniqueness of a sAMAccountName, or, without querying Active Directory, you can trap certain script errors that indicate an attempt to create a duplicate sAMAccountName. For information about verifying user account uniqueness, see "Searching Active Directory for User Accounts" later in this chapter.
The relative distinguished name must also be unique, but only within the target container where the user account is created. For example, if a user account object with the cn MyerKen is in the Management OU, you cannot create another user account in the Management OU with the cn MyerKen. However, you can create another user account with the cn MyerKen in a different OU, provided this user has a unique sAMAccountName.
To create a user account object in Active Directory, use the Create method of the IADsContainer interface. Table 7.2 shows the arguments of this method.
Table 7.2 Arguments of the Create Method

| Argument | Type | Required | Default | Description |
|---|---|---|---|---|
| Class | string | Yes | None | The class type. In this case, "User". |
| cn | string (specified as cn = string) | Yes | None | The cn of the object to create. In this case, the object is a user account. |
Scripting Steps
Listing 7.1 contains a script that creates an Active Directory user account object but does not check whether a user account name is unique before attempting to create the account. To carry out this task, the script performs the following steps:
Bind to the OU (Management) by using the GetObject function and the LDAP provider.
A reference (objOU) to the OU is created in local memory. Because an OU is a container, the objOU reference exposes the ADSI IADsContainer interface. IADsContainer is the ADSI interface that provides the Create method. As its name implies, the Create method is used to create objects in Active Directory.
Create the object, and set the object's mandatory attributes in the local property cache.
The first mandatory attribute, the object's relative distinguished name, is listed as the second parameter of the Create method on line 2. (The first parameter, User, specifies the type of object being created by the method.) The other mandatory user attribute, sAMAccountName, is then added to the user account object on line 3.
Commit the new object to Active Directory.
The SetInfo method commits the new user account object to Active Directory.
Listing 7.1 Creating a User Account in Active Directory

```vbscript
1 Set objOU = GetObject("LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com")
2 Set objUser = objOU.Create("User", "cn=MyerKen")
3 objUser.Put "sAMAccountName", "myerken"
4 objUser.SetInfo
```
The user account MyerKen is created in the Management OU of the na.fabrikam.com domain. The name and cn attributes of the user account object are MyerKen; the sAMAccountName of the user account is MyerKen. No password is assigned to this user account, and the account is disabled.
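The following script is an added example, not a listing from the Scripting Guide: it combines the uniqueness check described under "Verifying a unique name" with the create-and-commit steps of Listing 7.1, querying the domain for an existing sAMAccountName before calling Create, trapping the error ADSI raises for a duplicate cn, and then reading back the Table 7.1 defaults from userAccountControl. The domain and OU are the chapter's placeholders, and the helper names EscapeFilter and SamAccountNameExists are hypothetical.

```vbscript
Const ADS_UF_ACCOUNTDISABLE = &H2, ADS_UF_PASSWD_NOTREQD = &H20  ' userAccountControl bits
strDomainDN = "dc=NA,dc=fabrikam,dc=com"   ' placeholder domain used in the chapter
strOU  = "LDAP://ou=Management," & strDomainDN
strCN  = "MyerKen"
strSAM = "myerken"
' Escape a value for an LDAP filter (RFC 4515) so ( ) * \ cannot alter the query.
Function EscapeFilter(ByVal s)
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    EscapeFilter = Replace(s, ")", "\29")
End Function
' Subtree search from the domain root: True if the sAMAccountName is taken anywhere in the domain.
Function SamAccountNameExists(ByVal strSam)
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "<LDAP://" & strDomainDN & ">;(&(objectCategory=person)" & _
        "(objectClass=user)(sAMAccountName=" & EscapeFilter(strSam) & "));" & _
        "distinguishedName;subtree"
    Set objRS = objCmd.Execute
    SamAccountNameExists = Not objRS.EOF
    objRS.Close
    objConn.Close
End Function

If SamAccountNameExists(strSAM) Then
    WScript.Echo "sAMAccountName " & strSAM & " already exists in the domain; not creating."
    WScript.Quit 1
End If

' Create the account, trapping the error ADSI raises if the cn is already used in this OU.
On Error Resume Next
Set objOU = GetObject(strOU)
Set objUser = objOU.Create("User", "cn=" & strCN)
objUser.Put "sAMAccountName", strSAM
objUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Create failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Read back the system-assigned userAccountControl (Table 7.1): the account stays disabled
' and flagged "password not required" until a password is set, so review both before enabling.
objUser.GetInfo
intUAC = objUser.Get("userAccountControl")
WScript.Echo "Account disabled: " & CBool(intUAC And ADS_UF_ACCOUNTDISABLE)
WScript.Echo "Password not required: " & CBool(intUAC And ADS_UF_PASSWD_NOTREQD)
```

Run it with cscript from an account that has create rights on the target OU; both flags print as True for a freshly created account, which is the expected state until a password is assigned and the account is deliberately enabled.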