I have gone through many versions of this user creation script as time has gone by, and so far this particular one is really hitting the mark. It doesn't do everything, but it takes care of 98% of everything so that I don't need to rely on my help desk always setting things up appropriately (yay for scripting making everything consistent!!). Anywho, this version of the script will do the following with PowerShell: create the AD account with all the properties I need and a random password, set the account to require a password change at next logon, populate the proxyAddresses attribute on the account, create the user's "home" folder (doc redirect), share it and set both the NTFS and share permissions on the folder, create a DFS link for the "home" folder, and add the account to the necessary groups.
Phew, that's a mouthful. Before I drop the code, there is one disclaimer. The script will prompt for credentials at the beginning. These credentials MUST be able to create/edit AD accounts, have administrator access to the file server, and be delegated in DFS. Also, PS Remoting must be available on the file server and on the server that runs the AD sync (the script calls Start-ADSyncSyncCycle on it remotely), since I invoke commands remotely, and these two servers need to be in your local machine's WinRM TrustedHosts list.
```powershell
##################
#Config Variables#
##################
$strDomainName = "@domain.com"              #Suffix for all AD users "@domain.local"
$strFileServer = "FILESERVER"               #The server that hosts the files for DFS (Hostname)
$strFileServerIP = "x.x.x.x"                #IP Address of the server that hosts the files for DFS
$strFileServerRootPath = "C:\...\"          #The local folder on the file server that contains the user folders
$strDFSRootPath = "\\domain.com\Home\"      #The root of the home folder path for DFS \\server\root or domain based \\domain.local\root
$strDomainController = "DOMAINCONTROLLER"   #Name of the Domain Controller server
$strADSyncServerIP = "x.x.x.x"              #IP Address of the server that runs the AD/O365 sync (used by the delta sync step; the original listing used this variable without defining it)
$arrSiteMultiArray = @("OU=Users,OU=NewYork,OU=Sites,OU=Company,DC=domain,DC=com", "New York"),
                     @("OU=Users,OU=Chicago,OU=Sites,OU=Company,DC=domain,DC=com", "Chicago"),
                     @("OU=Users,OU=Cleveland,OU=Sites,OU=Company,DC=domain,DC=com", "Cleveland"),
                     @("OU=Users,OU=Orlando,OU=Sites,OU=Company,DC=domain,DC=com", "Orlando")
#Multi-Dimensional Array [0] = DN of User OU for selected site [1] = Site Friendly Names

#################################
#Get Credentials for WinRM tasks#
#################################
Write-Host "Please Input Admin Credentials (Domain\Username)..." -ForegroundColor Cyan
$objCredential = Get-Credential

#############################
#Prompt for User Information#
#############################
$strUserFirst = Read-Host "Please enter the first name: "
$strUserLast = Read-Host "Please enter the last name: "
Write-Host "Usernames = <FirstInitial><LastName>" -ForegroundColor Cyan
$strUserName = Read-Host "Please enter the username: "

################################
#Create Friendly Name Site List#
################################
$intX = 1
foreach ($tmpSite in $arrSiteMultiArray)
{
    Write-Host $intX "=" $tmpSite[1]
    $intX++
}

#################
#Select the Site#
#################
$strSiteSelection = Read-Host "Select $strUserFirst $strUserLast's Site"
$intSiteSelection = $strSiteSelection -as [int]
$intSiteSelection--

################################
#Create Site Specific Variables#
################################
$strUserPath = $arrSiteMultiArray[$intSiteSelection][0]
$strSiteFriendlyName = $arrSiteMultiArray[$intSiteSelection][1]

#################
#Random Password#
#################
Write-Host "Generating random password for new account..." -ForegroundColor Yellow
$objRandom = New-Object System.Random
#System.Random.Next's upper bound is exclusive, so the bounds below are one past the last wanted character
$NewPassword = [string][char]$objRandom.Next(65, 72)                              #random capital letter A through G
1..6 | ForEach-Object { $NewPassword = $NewPassword + [char]$objRandom.Next(97, 123) } #random lowercase a through z
$NewPassword = $NewPassword + [char]$objRandom.Next(48, 58)                        #random number 0 through 9
$SecurePassword = ConvertTo-SecureString $NewPassword -AsPlainText -Force

#############################
#Set Up Some Other Variables#
#############################
$strUPN = ($strUserName.ToLower() + $strDomainName)
$strHomeFolder = ($strFileServerRootPath + $strUserName.ToLower())
$strShare = ($strUserName.ToLower() + "$")
$strFileServerShareRootPath = ("\\" + $strFileServer + "\")

###################
#Create AD Account#
###################
Write-Host "Creating $strUserFirst $strUserLast's AD account and setting Password..." -ForegroundColor Yellow
$hashNewUser = @{
    Server            = $strDomainController
    Company           = "Company"
    Name              = ($strUserFirst + " " + $strUserLast)
    GivenName         = $strUserFirst
    Surname           = $strUserLast
    DisplayName       = ($strUserFirst + " " + $strUserLast)
    EmailAddress      = $strUPN
    SamAccountName    = $strUserName.ToLower()
    UserPrincipalName = $strUPN
    AccountPassword   = $SecurePassword
    Path              = $strUserPath
    Credential        = $objCredential
}
New-ADUser @hashNewUser -PassThru | Enable-ADAccount -Server $strDomainController -Credential $objCredential

###############################################
#Set Proxy Address(es) and Password Expiration#
###############################################
Write-Host "Setting Proxy Address(es) and password expiration..." -ForegroundColor Yellow
$objCurrentUser = Get-ADUser -Server $strDomainController $strUserName -Properties ProxyAddresses -Credential $objCredential
$objCurrentUser.ProxyAddresses = "SMTP:" + $strUPN
Set-ADUser -Server $strDomainController -Instance $objCurrentUser -Credential $objCredential
Set-ADUser -Server $strDomainController -Identity $objCurrentUser -ChangePasswordAtLogon:$true -Credential $objCredential

######################
#Add User to Group(s)#
######################
Write-Host "Adding $strUserFirst $strUserLast to Group" -ForegroundColor Yellow
Add-ADGroupMember -Server $strDomainController -Identity "Group" -Members $strUserName -Credential $objCredential

######################################################
#Create Home Folder, Share Folder and Set Permissions#
######################################################
Write-Host "Creating Home Folder, Sharing Folder, and setting permissions..." -ForegroundColor Yellow
Invoke-Command -ComputerName $strFileServerIP -Credential $objCredential -ScriptBlock {
    #Create the Folder
    New-Item $Using:strHomeFolder -ItemType Directory -Force > $null

    #Set the ACL (user gets Modify, inherited by all subfolders and files)
    $objACL = Get-Acl $Using:strHomeFolder
    $objPermission = $Using:strUPN, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
    $objAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $objPermission
    $objACL.SetAccessRule($objAccessRule)
    $objACL | Set-Acl $Using:strHomeFolder > $null

    #Share the Folder (share permissions wide open; the NTFS ACL above does the restricting)
    New-SmbShare -Name $Using:strShare -Path $Using:strHomeFolder -FullAccess Everyone > $null
}

#####################
#Create the DFS Link#
#####################
Write-Host "Creating DFS Link..." -ForegroundColor Yellow
New-DfsnFolder -Path ($strDFSRootPath + $strUserName.ToLower()) -TargetPath ($strFileServerShareRootPath + $strShare) > $null

######################################
#Start Delta Sync between AD and O365#
######################################
Write-Host "Beginning Delta sync between AD and O365..." -ForegroundColor Yellow
Invoke-Command -ComputerName $strADSyncServerIP -Credential $objCredential -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }

###############################
#Output User's random password#
###############################
Write-Host "$strUserFirst $strUserLast's username/password are $strUserName/$NewPassword" -ForegroundColor Green
Write-Host "REMINDER: You still need to apply an O365 license!!!" -ForegroundColor Red
PAUSE
```
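The "Random Password" section above draws from System.Random, which is seeded from the clock and not meant for secrets, and it only ever yields one of seven capital letters. The function below is an added example (my code, not part of the original script) that builds the initial password from the OS CSPRNG instead. It uses rejection sampling so every character in an alphabet is equally likely, guarantees at least one character from each class, and shuffles the result with Fisher-Yates driven by the same generator. The function names, the 14-character default and the symbol set are my choices, not anything from the post.

```powershell
function Get-RandomIndex {
    # Uniform integer in [0, $Max) from the OS CSPRNG ($Max must be 1..256).
    # Bytes at or above the largest multiple of $Max are discarded, so no
    # index is over-represented (avoids modulo bias).
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Max
}

function New-RandomPassword {
    # Builds a $Length-character password containing at least one upper-case
    # letter, one lower-case letter, one digit and one symbol, then shuffles it
    # so the required characters do not sit in predictable positions.
    param([int]$Length = 14)
    $classes = @(
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'abcdefghijklmnopqrstuvwxyz',
        '0123456789',
        '!@#$%^&*-_=+'
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)" }
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object 'System.Collections.Generic.List[char]'
        # One character from every class, so the password meets a typical complexity policy
        foreach ($set in $classes) {
            $chars.Add($set[(Get-RandomIndex -Rng $rng -Max $set.Length)])
        }
        # Fill the rest from the full alphabet
        while ($chars.Count -lt $Length) {
            $chars.Add($all[(Get-RandomIndex -Rng $rng -Max $all.Length)])
        }
        # Fisher-Yates shuffle, also fed by the CSPRNG
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex -Rng $rng -Max ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    }
    finally { $rng.Dispose() }
}

# Drop-in for the System.Random block in the script:
# $NewPassword = New-RandomPassword -Length 14
# $SecurePassword = ConvertTo-SecureString $NewPassword -AsPlainText -Force
```

Get-RandomIndex works one byte at a time, which is enough here because neither the alphabets nor the shuffle ever need more than 256 possible values; anything larger would need a wider buffer with the same limit-and-retry logic.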
You can add more to the multi-array and reference it as needed (for example group names); this is just a more basic example of how to get things done.
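Because the script touches four systems (the DC, the file server, DFS and the sync server), it is worth having a check that confirms every step actually landed rather than trusting the green Write-Host lines. The function below is an added example of my own, not code from the post: it re-reads the account, group, share, NTFS rule and DFS link for one user and returns one object per check. It assumes the script above ran with the same naming (lower-case SamAccountName, `<username>$` share under the file server, `<DFS root>\<username>` link) and that the caller has the same rights the post describes; the function and parameter names are mine, and the placeholder values in the usage lines are the ones from the post's config section.

```powershell
function Test-NewUserProvisioning {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$DomainSuffix,      # e.g. "@domain.com"
        [Parameter(Mandatory)][string]$FileServer,
        [Parameter(Mandatory)][string]$DFSRootPath,       # e.g. "\\domain.com\Home\"
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $sam   = $UserName.ToLower()
    $upn   = $sam + $DomainSuffix
    $share = "\\$FileServer\$sam`$"
    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
    }

    # 1. Account: exists, enabled, UPN as expected, must change password at next logon,
    #    primary SMTP proxy address present (case-sensitive: "SMTP:" marks the primary)
    $user = $null
    try {
        $user = Get-ADUser -Server $DomainController -Identity $sam -Credential $Credential `
                    -Properties Enabled, UserPrincipalName, ProxyAddresses, pwdLastSet -ErrorAction Stop
    } catch { }   # not found: $user stays $null and the checks below report it
    Add-Result 'AD account exists'        ($null -ne $user) $sam
    Add-Result 'Account enabled'          ($user -and $user.Enabled) ''
    Add-Result 'UPN matches'              ($user -and $user.UserPrincipalName -eq $upn) $upn
    Add-Result 'Change password at logon' ($user -and $user.pwdLastSet -eq 0) 'pwdLastSet = 0'
    Add-Result 'Primary SMTP proxy set'   ($user -and ($user.ProxyAddresses -ccontains "SMTP:$upn")) "SMTP:$upn"

    # 2. Group membership
    $members = @()
    try {
        $members = Get-ADGroupMember -Server $DomainController -Identity $GroupName -Credential $Credential -ErrorAction Stop
    } catch { }
    Add-Result "Member of $GroupName" ($members.SamAccountName -contains $sam) $GroupName

    # 3. Home share and the user's NTFS Modify rule, checked on the file server itself
    $fs = Invoke-Command -ComputerName $FileServer -Credential $Credential -ScriptBlock {
        $name = $Using:sam
        $smb  = Get-SmbShare -Name ($name + '$') -ErrorAction SilentlyContinue
        $rule = $null
        if ($smb) {
            $modify = [System.Security.AccessControl.FileSystemRights]::Modify
            $rule = (Get-Acl $smb.Path).Access | Where-Object {
                ($_.IdentityReference.Value -like "*\$name" -or $_.IdentityReference.Value -eq $Using:upn) -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $modify) -eq $modify)
            }
        }
        [pscustomobject]@{ ShareExists = [bool]$smb; Path = $smb.Path; NtfsModify = [bool]$rule }
    }
    Add-Result 'Home share exists'    ([bool]$fs.ShareExists) $share
    Add-Result 'NTFS Modify for user' ([bool]$fs.NtfsModify)  $fs.Path

    # 4. DFS link exists and points at the share
    $target = Get-DfsnFolderTarget -Path ($DFSRootPath + $sam) -ErrorAction SilentlyContinue
    Add-Result 'DFS link targets share' ([bool]($target.TargetPath -eq $share)) ($DFSRootPath + $sam)

    return $results
}

# Usage (values are the placeholders from the config section):
# $checks = Test-NewUserProvisioning -UserName 'jdoe' -DomainController 'DOMAINCONTROLLER' `
#               -DomainSuffix '@domain.com' -FileServer 'FILESERVER' -DFSRootPath '\\domain.com\Home\' `
#               -GroupName 'Group' -Credential (Get-Credential)
# $checks | Format-Table -AutoSize
# $checks | Where-Object { -not $_.Passed }
```

The NTFS check looks for the resolved `DOMAIN\user` form as well as the UPN, because the script adds the rule by UPN but Get-Acl reports the identity as Windows resolves it; the proxy address check uses -ccontains so a lower-case `smtp:` alias is not mistaken for the primary address.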
Enjoy!