Now we begin chapter 8 of our Windows Server 2012 tutorial. This time we’ll further discuss automating account creation in Active Directory. I’ll show you how to use DSADD and PowerShell. I’ll also show you how to use CSVDE (Comma Separated Value Data Exchange) and LDIFDE (LDAP Data Interchange Format, Data/Directory Exchange), although these two tools are not commonly used anymore.
So first we discuss the important things about LDIFDE and CSVDE. The first thing I’m gonna show you is how to export using LDIFDE and CSVDE, so that you’ll have an idea of the structure of the export data, which is important for importing data. So here’s a sample export command structure that I’ve made, which will give you an output that looks like this. The only difference in exporting between LDIFDE and CSVDE is the export file name and the command name, so basically they’re just the same.

Now I’m gonna show you how to do an import using CSVDE. I’ve already prepared a Comma Separated Value (CSV) file right here, which I created using Excel. The parameters in the first line are the column headers, and the succeeding lines are the values that correspond to them. Our objective is to place all those new users in an empty directory right here using this command. In it, csvde is the command, -i means import, -f means file and is followed by the path, and -j is the log file location, followed by the directory without specifying any file. Let me remind you that the accounts it creates don’t have any passwords, which may be helpful if you’re just creating accounts in advance for future users.
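An added example of the import step (not the command or file from the original tutorial): it checks the CSV before calling csvde with the -i, -f and -j switches described above, then lists the state of the imported accounts. The file paths, the OU "NewUsers", the domain sample.com and the two user rows are assumptions constructed for illustration.

```powershell
# Added example. Paths, OU "NewUsers" and domain sample.com are assumptions;
# the two user rows are constructed sample data.
$csvPath = 'C:\import\newusers.csv'
$logDir  = 'C:\import\logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

@'
DN,objectClass,sAMAccountName,userPrincipalName,displayName
"CN=Trainee 01,OU=NewUsers,DC=sample,DC=com",user,trainee01,trainee01@sample.com,Trainee 01
"CN=Trainee 02,OU=NewUsers,DC=sample,DC=com",user,trainee02,trainee02@sample.com,Trainee 02
'@ | Set-Content -Path $csvPath -Encoding ASCII

# Check the file before importing: header row, password columns, duplicates.
$rows = @(Import-Csv -Path $csvPath)
$cols = $rows[0].PSObject.Properties.Name
foreach ($required in 'DN', 'objectClass', 'sAMAccountName') {
    if ($cols -notcontains $required) { throw "Missing column: $required" }
}
# CSVDE cannot set account passwords, so a password column only leaves secrets on disk.
if ($cols | Where-Object { $_ -in 'userPassword', 'unicodePwd' }) {
    throw 'Remove password columns from the CSV before importing.'
}
$dupes = $rows | Group-Object sAMAccountName | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Duplicate sAMAccountName: $($dupes.Name -join ', ')" }

# -i = import, -f = input file, -j = directory for the log files
csvde -i -f $csvPath -j $logDir
if ($LASTEXITCODE -ne 0) { Write-Warning "csvde reported errors, check $logDir" }

# Review the imported accounts before anyone enables them.
Import-Module ActiveDirectory
Get-ADUser -SearchBase 'OU=NewUsers,DC=sample,DC=com' -Filter * -Properties PasswordNotRequired |
    Select-Object SamAccountName, Enabled, PasswordNotRequired
```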
Now we move to DSADD. I have here an existing structure and I want to create a better structure for this using DSADD. With DSADD we can use “OU” for an Organizational Unit, “User” if you want to create a user, or “group” if you want to create a group account. Now, I just created a bat file right here that will create the whole structure of “hoit”, which is the name of my Organizational Unit. Inside it, it will have Trainees and hoitAdmin, and inside Trainees is OJT. So we run the file as an Administrator and it will create the organizational structure. I’m also gonna add a pause in the bat file so I can see if there are any errors in the creation of the organizational structure. We’re gonna need to refresh in order to see the newly created objects. Note that when using the DSADD command, the objects created are not protected from accidental deletion. But you can change that by enabling Advanced Features and then changing the property of the object.
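An added example of the OU structure described above, run from PowerShell instead of a bat file (not the author's file): it creates each OU with dsadd and then switches on the accidental-deletion protection that dsadd leaves off. The domain sample.com is an assumption; the OU names are the ones from the text.

```powershell
# Added example. The domain DC=sample,DC=com is an assumption.
Import-Module ActiveDirectory

$domain = 'DC=sample,DC=com'
# Parents first, so each child OU has a container to land in.
$ous = @(
    "OU=hoit,$domain",
    "OU=Trainees,OU=hoit,$domain",
    "OU=OJT,OU=Trainees,OU=hoit,$domain",
    "OU=hoitAdmin,OU=hoit,$domain"
)

foreach ($dn in $ous) {
    dsadd ou $dn
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsadd failed for $dn"
        continue
    }
    # dsadd creates the OU unprotected; set the flag right after creation.
    Set-ADOrganizationalUnit -Identity $dn -ProtectedFromAccidentalDeletion $true
}

# Verify: every OU under hoit should report True.
Get-ADOrganizationalUnit -SearchBase "OU=hoit,$domain" -Filter * `
        -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
```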
Next, I’m gonna show you a spreadsheet that I’ve prepared, which will allow us to create multiple accounts and automatically put them into a specific Organizational Unit. Notice that the DSADD statement appears differently in the formula. This is because I used the function CONCATENATE, which combines multiple parameters together. The first parameter is a plain text value, which you see here as “dsadd user cn=”, the second parameter comes from the value of “A2”, followed by 2 more text values. I’ve also added parameters like User Principal Name (UPN), Display Name and Password; take note that the passwords it creates are visible. Next is the parameter that requires users to change the password on their first login, then the home directory (hmdir). This is where you store your data files, so instead of being stored on the local computer, they will be stored on a central storage server. Here, it is mapped to a drive letter, which in this case is “E:”. The next one points to a profile directory, which is not really required, but it keeps a copy of all user settings on the server, which may be helpful if you log in from another computer. And lastly, the Member column, which indicates the object the user belongs to.
Now to automate the account creation, what we’re going to do is use the auto-fill function of Excel to fill out the other cells. In this case, I filled out “25” user accounts, which creates auto-incremented username values. After that, we need to combine all of them into a single statement using the auto-fill and the CONCATENATE function of Excel. So here, I concatenated columns “B2” through “J2”, then used the auto-fill function to fill out the rest. Then we need to copy all these concatenated lines to Notepad and save them as a batch (BAT) file. I’m also gonna add the pause statement that I mentioned earlier. The last thing we need to do is run it as an Administrator again and wait a few seconds for it to create the accounts. It created all those accounts in just a few seconds, saving me time and effort. Now, if you want to put real names instead of a default name, you can just change the values in column “A” and it will automatically change the values in the other columns.
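An added example that builds the same kind of dsadd user lines as the spreadsheet formula, in PowerShell rather than Excel (not the author's spreadsheet): because the password sits in the batch file in clear text, the file is deleted after the run and the change-at-first-logon flag is verified. The domain sample.com, the target OU, the group "Trainees", the file server \\fs01 and the userNN names are assumptions.

```powershell
# Added example. Domain, OU, group, server \\fs01 and userNN names are assumptions.
Import-Module ActiveDirectory

$ou      = 'OU=OJT,OU=Trainees,OU=hoit,DC=sample,DC=com'
$group   = 'CN=Trainees,OU=hoit,DC=sample,DC=com'
$batch   = Join-Path $env:TEMP 'create-users.bat'
# Avoid % and " in this value: cmd.exe would interpret them inside the batch file.
$initial = Read-Host 'Initial password (it will be visible in the batch file)'

# The same fields the CONCATENATE formula joins together, one line per account.
$template = 'dsadd user "cn={0},{1}" -samid {0} -upn {0}@sample.com -display "{0}" ' +
            '-pwd "{2}" -mustchpwd yes -hmdir \\fs01\home\{0} -hmdrv E: ' +
            '-profile \\fs01\profiles\{0} -memberof "{3}"'

$lines = 1..25 | ForEach-Object {
    $template -f ('user{0:d2}' -f $_), $ou, $initial, $group
}

try {
    Set-Content -Path $batch -Value $lines -Encoding ASCII
    cmd /c $batch
}
finally {
    # The file holds the password in clear text: do not leave it behind.
    Remove-Item -Path $batch -ErrorAction SilentlyContinue
}

# List any account in the OU that is NOT flagged to change its password
# at next logon (the directory records that flag as pwdLastSet = 0).
Get-ADUser -SearchBase $ou -Filter * -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -ne 0 } |
    Select-Object SamAccountName
```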
You can also use other tools like DSQUERY together with DSMOD or DSGET using the pipe command. Let me show you an example. Here I’m gonna use DSQUERY to look for users in the Organizational Unit (OU) “sampleUsers”, with the domain components “sample” and “com”. Then we use the pipe character “|” (SHIFT + “\”), which takes the result of the dsquery and sends it to the next command, which modifies the group membership: it puts them into the group with the common name (cn) “sampleUsers” in the OU “sampleUsers”, with the domain components “sample” and “com”, followed by -addmbr. Now we’ve added all the users to the “sampleUsers” security group. If you want to remove all those members, you can just replace -addmbr with -rmmbr. Another thing to take note of is that what we’re doing now is potentially destructive! So be sure that you know what you’re doing before executing any commands. It is advisable to test it in a lab environment first, before running it in an office environment, to avoid data loss.
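An added example of the dsquery-to-dsmod pipeline described above, wrapped in the checks the warning calls for (not the author's command line): the query is previewed on its own, the group's current membership is saved, and the result is verified afterwards. The distinguished names follow the OU, group and domain named in the text; the output file name is an assumption.

```powershell
# Added example. DNs follow the names used in the text; the file name is an assumption.
$ou    = 'OU=sampleUsers,DC=sample,DC=com'
$group = 'CN=sampleUsers,OU=sampleUsers,DC=sample,DC=com'

# 1. Preview: run the query alone and read what it returns.
#    -limit 0 lifts dsquery's default cap of 100 results.
$users = @(dsquery user $ou -limit 0)
'{0} user(s) would be added to {1}' -f $users.Count, $group
$users

# 2. Save the current membership. A later -rmmbr with the same query would
#    also remove users who were members before this change; this list shows
#    who they were.
$before = @(dsget group $group -members)
$before | Set-Content -Path .\sampleUsers-members-before.txt

# 3. Apply only after the preview looks right.
if ($users.Count -gt 0 -and (Read-Host 'Apply the change? (y/n)') -eq 'y') {
    $users | dsmod group $group -addmbr

    # 4. Verify the result.
    $after = @(dsget group $group -members)
    'Members before: {0}, after: {1}' -f $before.Count, $after.Count
}
```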
You can also use DSQUERY together with DSGET. For example, if you want to look for users in a domain with any username that has sampleUser in it, and you want to see what department they belong to, this is the command I’ll use. After that it’ll show what department they belong to. Now let’s try to move a portion of an organizational structure. You can see “sampleUsers” right here, but I want to put it inside the Data Entry organizational unit. So you’re gonna need to execute the command right here, again as an Administrator. After that you can refresh and look at the Data Entry organizational unit, and you can see that sampleUsers is right there. If you want to specify a new name for sampleUsers, you can just type the command right here, which will change my current “sampleUsers” to “DEuser”. Now if you want to remove the entire “DEuser” directory, you can just type this command right here. You can also add the -noprompt option if you want to say yes to everything. Then after you refresh, you’re gonna see that DEusers is gone from the DataEntry organizational unit.
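An added example of the lookup, move, rename and delete steps described above (not the author's commands, which are not reproduced on this page): before the delete, it lists everything under the OU and asks for the OU name as confirmation, since -subtree with -noprompt removes it all without asking. The distinguished names, including the spelling "DataEntry", are assumptions based on the names in the text.

```powershell
# Added example. DNs are assumptions based on the names used in the text.
$parent = 'OU=DataEntry,DC=sample,DC=com'
$source = 'OU=sampleUsers,DC=sample,DC=com'

# Department of every user whose logon name contains "sampleUser".
dsquery user domainroot -samid '*sampleUser*' -limit 0 |
    dsget user -samid -dept

# Move the OU under DataEntry, then rename it to DEuser.
dsmove $source -newparent $parent
dsmove "OU=sampleUsers,$parent" -newname 'DEuser'

# Delete the whole OU, but look first: list every object in the subtree.
$target  = "OU=DEuser,$parent"
$objects = @(dsquery * $target -scope subtree -limit 0)
'{0} object(s) would be deleted:' -f $objects.Count
$objects

# Require the OU name to be typed before running the no-prompt delete.
if ((Read-Host 'Type the OU name to confirm deletion') -eq 'DEuser') {
    dsrm $target -subtree -noprompt
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsrm failed for $target" }
}
else {
    'Nothing deleted.'
}
```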
And if you want to use PowerShell, what you really need are some PowerShell cmdlets and the CSV file, which is the source data for the accounts that we’re gonna create. Now here’s a useful PowerShell cmdlet: this will show all the available tips for that specific cmdlet. Here, you see that you can use New-ADUser to enter all these types of attributes for a user account. Next, I’m gonna show you another CSV file that I’ve created right here. You’ll notice that it’s like the one we created earlier, just with additional attributes.
Now we’re gonna use this script to read and extract the data inside the CSV file. The first line of the script calls the cmdlet Import-Csv and points it at the data that we need, which is users.csv; the “.” means that it is read from the same directory the script runs in. Then we pipe it to ForEach-Object, which basically creates a loop, like the ones in programming: it executes the commands enclosed in braces for every line in the CSV file. The rest of the script creates a “userprincipalname”, which consists of the contents of SamAccountName plus the domain component (dc). Then it creates a new Active Directory user with New-ADUser, using the following parameters:
- -SamAccountName, which will contain the contents of the SamAccountName column in the CSV file
- -Name, which will contain the contents of the Name column in the CSV file
- And so on and so forth. The “$_.” here works like in PHP. It means “WHATEVER IS IN” or “The Contents of”.
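An added example of a script along these lines (not the original script from this tutorial): it follows the Import-Csv, ForEach-Object and New-ADUser steps above, but generates a random initial password per account instead of keeping one in plain text in the script or CSV. The CSV columns and rows, the OU, the domain sample.com and the helper New-InitialPassword are assumptions constructed for illustration.

```powershell
# Added example. CSV content, OU, domain and New-InitialPassword are assumptions.
Import-Module ActiveDirectory

@'
SamAccountName,Name,GivenName,Surname,Department
jdoe,John Doe,John,Doe,Data Entry
asmith,Anna Smith,Anna,Smith,Data Entry
'@ | Set-Content -Path .\users.csv -Encoding ASCII   # constructed sample data

function New-InitialPassword([int]$Length = 16) {
    # 64 characters, so a random byte maps onto the alphabet without bias.
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
        # Retry until upper case, lower case and a digit are all present.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $pw
}

$issued = Import-Csv -Path .\users.csv | ForEach-Object {
    $plain  = New-InitialPassword
    $params = @{
        SamAccountName        = $_.SamAccountName
        Name                  = $_.Name
        GivenName             = $_.GivenName
        Surname               = $_.Surname
        Department            = $_.Department
        UserPrincipalName     = $_.SamAccountName + '@sample.com'
        Path                  = 'OU=DataEntry,DC=sample,DC=com'
        AccountPassword       = ConvertTo-SecureString $plain -AsPlainText -Force
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    New-ADUser @params
    # Keep the password in memory only, for hand-over to the user.
    [pscustomobject]@{ SamAccountName = $_.SamAccountName; InitialPassword = $plain }
}

# Shown once on screen; nothing is written to disk.
$issued | Format-Table -AutoSize
```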
You should also note that PowerShell doesn’t like an insecure string. So what I did here is convert it to a secure string, which is not exactly secure because it’s in plain text right here, and then force PowerShell to accept the plain text using -Force. This password creation method might not exactly be recommended, but it might come in handy for you. Now we just need to run the script in PowerShell, again as an Administrator, using this command, and finish the account creation. Then you can refresh and view the new users. That ends chapter 8 of our Windows Server 2012 tutorial.