After the Organizational Units have been created, we populate the Active Directory with user accounts and security groups. Group membership for users is based on both the Organizational Unit (or 'team') they belong to, and their function in the team (team leader, coordinator, clerk). Each user will be a member of 1 group only (eg: team leader of the Production Team, clerk in the Communications team, ...).

By making each global group member of a number of local groups, users acquire membership of several local groups which then can be used to manage file and directory access, group policy filtering, and so on.

The script obviously assumes a certain design in the Active Directory : an Organizational Unit logical structure, users with membership to groups, and therefore also a logical structure of domain local and global groups, etc. This is described in Active Directory Design and Implementation.

Furthermore, user profiles, user home directories and user special folders are located on the server, so we use this script to create the relevant directories and set the correct NTFS permissions. Please refer to and Group Policy : Roaming User Profiles and Folder Redirection

This script takes input from a text file (eg. 'users.txt') that lists user names, the team they belong to, and their role or function in the team. The user name provides the user account name, the team name indicates the OU and a part of the group names, and the function or role provides the name of the group that the user will be made a member of. Because of the repetitive structure of the groups in the Organizational Units, the script can be built around a number of FOR statements.

input file : users.txt

	User		Role -> Group	Team

	Christine	Coordinators	PT
	Koen		Clerks		PT
	Kaat		Teamleiders	FT
	Brigitte	Clerks		FT
	Elsk		Clerks		ST
	Ina		Teamleiders	CT
	Kristel		Clerks		CT
	Anne		Teamleiders	ND


This file can be made manually, or we can use scripts that generate the desired output.

batch file

@echo OFF
	set theDomain=dc=kicks, dc=local
	set input=users.txt

REM the script cannot do anything without the input file
if not exist %input% goto :noinput

REM create users and user home directory (including NTFS Permissions)
REM Profile will later be complemented with 
REM group policy user configuration (Folder Redirection, Logon scripts e.a.)

FOR /F "tokens=1-3 skip=3" %%i in (%input%) do (
	REM create user home and profile directory in advance
	md F:\home\%%i
	md F:\users\%%i

	REM create user account ; a trailing ^ continues the command on the next line
	dsadd user "cn=%%i, ou=%%k, ou=theOffice, %theDomain%" ^
				-pwd aaaAAA111 -mustchpwd yes -canchpwd yes ^
				-profile \\SRV01\users$\%%i ^
				-hmdir \\SRV01\home$\%%i -hmdrv P: ^
				-loscr logon.bat

	REM while we're at it, set NTFS security for user home and profile folder
	REM 	 User : Read/Write 	Administrators : Full Control,
	xcacls F:\home\%%i /c /y /t /e /g "%%i":rcd;ew Administrators:f;f
	xcacls F:\users\%%i /c /y /t /e /g "%%i":rcd;ew Administrators:f;f
)


REM create groups in each OU

dsadd group "cn=lTeam, ou=theOffice, %theDomain%" -secgrp yes -scope L -samid lTeam

for %%i in (Teamleiders, Administratie, Coordinators, Stagiairs) do (
	dsadd group "cn=l%%i, ou=theOffice, %theDomain%" -secgrp yes -scope L -samid l%%i
)

for %%j in (PT,CT,VT,FT,ND) do (
	dsadd group "cn=lTeam, ou=%%j, ou=theOffice, %theDomain%" -secgrp yes -scope L -samid lTeam_%%j

	for %%i in (Teamleiders, Administratie, Coordinators, Stagiairs) do (

		dsadd group "cn=%%i, ou=%%j, ou=theOffice, %theDomain%" -secgrp yes -scope G -samid %%i_%%j
		echo 	make GLOBAL GROUPS member of LOCAL GROUPS
		dsmod group "cn=lTeam, ou=theOffice, %theDomain%" -addmbr "cn=%%i, ou=%%j, ou=theOffice, %theDomain%"

		dsmod group "cn=lTeam, ou=%%j, ou=theOffice, %theDomain%" -addmbr "cn=%%i, ou=%%j, ou=theOffice, %theDomain%"

		dsmod group "cn=l%%i, ou=theOffice, %theDomain%" -addmbr "cn=%%i, ou=%%j, ou=theOffice, %theDomain%"
	)
)

REM make users member of group according to listing in inputfile
REM the Role column of the inputfile must match the cn of a global group created above

for /F "tokens=1-3 skip=3" %%i in (%input%) do (
	dsmod group "cn=%%j, ou=%%k, ou=theOffice, %theDomain%"  -addmbr "cn=%%i, ou=%%k, ou=theOffice, %theDomain%"
)

REM remove groups that we don't want (if any)

REM remove groups (Administratie, Coordinators, Stagiairs) from ou ND,
REM dsrm ObjectDN ... [-subtree] -noprompt	;;removes objects
REM dsmod group GroupDN -rmmbr MemberDN	;;removes members from a group

dsrm "cn=Administratie, ou=ND, ou=theOffice, %theDomain%"  -noprompt
dsrm "cn=Coordinators, ou=ND, ou=theOffice, %theDomain%"  -noprompt
dsrm "cn=Stagiairs, ou=ND, ou=theOffice, %theDomain%"  -noprompt

REM custom modifications : for exceptions eg. for users in more than 1 group
REM add statements here

ECHO %0 done.
goto :EOF

:noinput
ECHO %0 requires input from %input%. inputfile %input% not found. 


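As an added example (not the author's script), the following Python generates the same dsadd/dsmod lines as the two FOR /F loops of the batch file above from a users.txt listing, and refuses rows the batch file would silently mishandle: a role that is not one of the four global groups, a team without an OU, and a user listed twice (the one-group rule). It also escapes RDN-special characters such as commas in user names, so a name cannot change which container the DN addresses. The domain, OU and group names are the ones from the script; -pwd * (dsadd prompts for the password) is used in place of the fixed initial password.

```python
# Added example, not the article's script; domain, OUs and groups as in the batch file.
DOMAIN = "dc=kicks,dc=local"                    # the script's theDomain
OFFICE_OU = "ou=theOffice"
TEAMS = ("PT", "CT", "VT", "FT", "ND")           # team OUs used by the script
ROLES = ("Teamleiders", "Administratie", "Coordinators", "Stagiairs")  # global groups

# Constructed sample in the users.txt layout (header line, blank line, data rows).
SAMPLE = """User\t\tRole -> Group\tTeam

Christine\tCoordinators\tPT
Koen\t\tAdministratie\tPT
Kaat\t\tTeamleiders\tFT
"""

def escape_rdn(value):
    """Escape RDN-special characters (RFC 4514) so 'Smith,John' cannot alter the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=#':
        out = out.replace(ch, "\\" + ch)
    return out

def parse_users(text):
    """Return (user, role, team) rows; the first non-blank line is the header."""
    rows, seen = [], set()
    for line in [l for l in text.splitlines() if l.strip()][1:]:
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("expected User Role Team: %r" % line)
        user, role, team = fields
        if role not in ROLES or team not in TEAMS:
            raise ValueError("no matching group or OU: %r" % line)
        if user.lower() in seen:        # one group per user; account names are case-insensitive
            raise ValueError("user listed more than once: " + user)
        seen.add(user.lower())
        rows.append((user, role, team))
    return rows

def commands(rows):
    """dsadd/dsmod lines equivalent to the article's two FOR /F loops."""
    out = []
    for user, role, team in rows:
        user_dn = "cn=%s,ou=%s,%s,%s" % (escape_rdn(user), team, OFFICE_OU, DOMAIN)
        group_dn = "cn=%s,ou=%s,%s,%s" % (role, team, OFFICE_OU, DOMAIN)
        out.append('dsadd user "%s" -samid %s -pwd * -mustchpwd yes' % (user_dn, user))
        out.append('dsmod group "%s" -addmbr "%s"' % (group_dn, user_dn))
    return out
```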
When the list of user accounts has the user distinguished name, it makes sense to use the distinguished name to create the account. Using the distinguished name to create the account automatically puts the user in the correct Organizational Unit, as the OUs and the domain are part of the name. Distinguished names can be retrieved by scripts. The dsadd user statement used in the above script can also be used to create accounts based on distinguished names.

	CN=Leen,OU=ST,OU=kantoor,DC=KICKS,DC=LOCAL        Leen
	CN=Elsk,OU=ST,OU=kantoor,DC=KICKS,DC=LOCAL        Elsk
	CN=Ina,OU=CT,OU=kantoor,DC=KICKS,DC=LOCAL         Ina


	REM (line breaks added for readability ; a trailing ^ continues the command on the next line)
	REM first column : distinguished name (without spaces), second column : account name

	FOR /F "tokens=1-2" %%x in (users.txt) do (

		Dsadd	user "%%x" 	-samid %%y ^
					-pwd aaaAAA111 ^
					-mustchpwd yes ^
					-canchpwd yes ^
					-profile \\SRV01\users$\%%y ^
					-hmdir \\SRV01\home$\%%y ^
					-hmdrv P: ^
					-loscr logon.bat
	)

On earlier Windows systems (eg. Windows 2000), ADSI scripts can be used to create a user in a given Organizational unit :

		Set objOU = GetObject("LDAP://ou=PT,dc=kicks,dc=local")

		Set objUser = objOU.Create("User", "cn=Lennart")
		objUser.Put "sAMAccountName", "Lennart"
		objUser.SetInfo			' write the new user object to the directory



By default, there is no password assigned to this user account, and the account is disabled, so the following statements may be added :

		objUser.SetPassword "AA123456"
		objUser.AccountDisabled = False	' enable the account
		objUser.SetInfo



Alternatively, ...

You may want to create shared folders for user home directories or roaming profiles for a batch of users, and set user-specific NTFS security, on a system where user accounts already exist : setUserShares.vbs.

Koen Noens
june 7, 2005