ShaneEP
(MM club member)
2004-09-30 12:18 AM
LDAP User Creation Question

Hopefully this question won't make me look too stupid. But I've looked around and haven't been able to find the answer anywhere. Not saying that it's not out there...just haven't been able to find it yet and I figure it would be faster to just ask here. I'm using the below code to read the contents of an Excel spreadsheet, using lonk's readexcel2 UDF. I'm then using this info to create new AD user accounts accordingly. I'm pretty stupid when it comes to LDAP, so here comes my question. The IDs are being created with no problem...But when I look at them in AD, on the account tab, the 'User logon name' is blank and the domain drop down just to the right of that has nothing selected. Only the (pre-Windows 2000) login name fields are filled in. Is this normal? If I manually create a user account it does not allow me to finish creating it unless I specify this info so I would think it is important. Am I missing a .Put or something to insert this info?

Here is the code I'm trying...

Code:

$users = ReadExcel2(@ScriptDir+'\users.xls',,-1,6)

For $counter=1 to ubound($users,1)
    $user = $users[$counter,0]
    $domainstring = $users[$counter,5]
    $objOU = GetObject($domainstring)
    $objUser = $objOU.Create("User", "cn="+$user)
    $objUser.Put("sAMAccountName", $user)
    $objUser.fullname = $users[$counter,1]
    $objUser.firstname = $users[$counter,2]
    $objUser.lastname = $users[$counter,3]
    $objUser.description = $users[$counter,4]
    $objUser.SetInfo
    $userpath = Split($domainstring,'//')
    $userpath = $userpath[0]+"//cn="+$user+","+$userpath[1]
    $objuser2 = getobject($userpath)
    $objUser2.AccountLocked=0
    $objUser2.AccountDisabled=0
    $objuser2.SetInfo
Next



ShaneEP
(MM club member)
2004-10-01 07:08 AM
Re: LDAP User Creation Question

Wow, I never thought I would be the one to stump the korg members. Or am I just getting the cold shoulder here?

Howard Bullock
(KiX Supporter)
2004-10-01 07:18 AM
Re: LDAP User Creation Question

I have Perl code somewhere that I can translate. I wanted to get back here before this, but have been very busy. I think you should start by using $user.PUT("property") for each item you want to set and check @error @serror after each PUT and setinfo.

jpeachman
(Fresh Scripter)
2004-10-02 10:19 AM
Re: LDAP User Creation Question

The missing 'User logon name' value is set through sAMAccountName. Try changing
Code:
$objUser.Put("sAMAccountName", $user)


to
Code:
$objUser.Put "sAMAccountName", $user



Joe


Howard Bullock
(KiX Supporter)
2004-10-02 02:42 PM
Re: LDAP User Creation Question

Quote:

$objUser.Put "sAMAccountName", $user




Is VBS syntax. The original code is correct for KiXtart.


Sealeopard
(KiX Master)
2004-10-02 04:09 PM
Re: LDAP User Creation Question

I'd really try a .SetInfo after the .Put and before making other changes to the user object.

pvds
(Hey THIS is FUN)
2004-10-02 06:51 PM
Re: LDAP User Creation Question

Hi,

Here is some Italian food code but it works for me.

Every year I have to put +1400 Students to AD and this is the part of my script for the creation of the user accounts.

Code:
$adsDomain = GetObject("LDAP://$userOU,dc=$DomainName,dc=$Toplevel")
$adsGroup = GetObject("LDAP://cn=$Group,$GroupOU,dc=$DomainName,dc=$Toplevel")

; Create the user with its details

$adsUser = $adsDomain.Create("user","cn=$UserName")
$adsUser.Put("SamAccountName",$UserName)
$adsUser.Put("UserPrincipalName",$UserName + "@@" + $DomainName + "." + $TopLevel)
$adsUser.SetInfo

$adsUser.AccountDisabled = False
$adsUser.IsAccountLocked = False
$adsUser.PasswordRequired = True
$adsUser.SetPassword("$PassWrd")

If $changepasswrd = 1
    $adsUser.put("pwdLastSet", 0)
EndIf

$adsUser.scriptPath = "wkix32 -i " + $scriptname

If $profilename <> ""
    $adsUser.profilePath = "\\" + $homeserver + "\profielen$\" + $profilename
    Shell "c:\windows\system32\tsprof /update /local /profile://l01s01s02/profielen$/terminalserver $UserName"
EndIf

$adsUser.HomeDirectory = "\\" + $homeserver + "\home$\$username"
$adsUser.Put("homeDrive", $homedrive)

$adsUser.FirstName = $FirstName
$adsUser.givenName = $FirstName
$adsUser.LastName = $LastName
$adsUser.sn = $LastName
$adsUser.displayName = "$FirstName $LastName"
$adsUser.Description = $UserDiscr
$adsUser.mail = "$UserName@@$DomainName.$TopLevel"
$adsUser.initials = $initial
$adsUser.SetInfo

$adsGroup.add("LDAP://cn=$UserName,$UserOU,dc=$DomainName,dc=$Toplevel")



Hope it helps

Regards

Peter


jpeachman
(Fresh Scripter)
2004-10-02 08:12 PM
Re: LDAP User Creation Question

Quote:

$objUser.Put "sAMAccountName", $user

Is VBS syntax. The original code is correct for KiXtart



Right you are. I guess it shows that I never quite got around to converting my working adduser VB scripts to KiX. Sorry!

I was drawn to that line because it does appear that the sAMAccountName is not being set. Jens' suggestion to try a .SetInfo after the .Put is certainly worth trying, but it isn't required there in my VB scripts, which do produce the correct results on Windows Server 2000, so I'm unsure if it will help (can't hurt, though!).

What is the format for $user? I understand some people have problems if there is a space in samAccountName (which is being set to $user), though others say it seems to work fine or that you may need to enclose it in quotes and then it should work.

However, I should have read the original problem more carefully. Shane also mentions "the domain drop down just to the right of that has nothing selected", which is because UserPrincipalName is not being set. See the example posted by Peter.

Joe


ShaneEP
(MM club member)
2004-10-02 09:36 PM
Re: LDAP User Creation Question

Very good, thanks for all of the suggestions. My guess is that the UserPrincipalName is indeed what I am missing. I won't be back in the office to try it until Monday. Will let you all know if that fixes it. Thanks again.

Howard Bullock
(KiX Supporter)
2004-10-02 09:44 PM
Re: LDAP User Creation Question

The code in the post contains an error. See a later post in this thread for the corrected code and an explanation of the problem. Can you spot it before reading the updated post?

Well I seem to be a little late to the party.
Code:

CreateUserAccount("my.domain.com",
                  "cn=Users",
                  "BullockTest",
                  "Howard",
                  "A",
                  "Bullock",
                  "Super Admin",
                  "Corner with a view",
                  "999-555-1212",
                  "habullock@@comcast.net",
                  "http://home.comcast.net/~habullock" )

Function CreateUserAccount($Domain,
                           $ContainerDN,
                           $Account,
                           optional $FirstName,
                           optional $MiddleInitial,
                           optional $LastName,
                           optional $Description,
                           optional $Office,
                           optional $Telephone,
                           optional $Email,
                           optional $WebPage,
                           optional $userPrincipalName )

    Dim $aDom, $sDNdom, $LDAPpath, $oContainer, $oUser

    if VarTypeName($userPrincipalName) = "Empty"
        $userPrincipalName = $Account + "@@" + $Domain
    endif

    $aDom = split($Domain,".")
    $sDNdom = ",dc=" + $aDom[0] + ",dc=" + $aDom[1] + ",dc=" + $aDom[2]

    $LDAPpath = "LDAP://" + $Domain + "/" + $ContainerDN + $sDNdom
    ;? $LDAPpath

    $oContainer = GetObject($LDAPpath)
    if @error
        ? "GetObject Error: " + @error + " " + @Serror
    endif

    $oUser = $oContainer.Create("User", "cn=" + $Account)
    if @error
        ? "Create Error: " + @error + " " + @Serror
    endif

    $oUser.Put("sAMAccountName", $Account)
    $oUser.Put("givenName", $FirstName) ;First Name
    $oUser.Put("Initials", $MiddleInitial) ;Initials
    $oUser.Put("sn", $LastName) ;Last Name(Surname)
    $oUser.Put("displayName",$LastName + iif($LastName, ", ","") +
               $FirstName + iif($MiddleInitial, " ", "") +
               $MiddleInitial) ;Display name
    $oUser.Put("description", $Description) ;Description
    $oUser.Put("physicalDeliveryOfficeName",$Office) ;Office
    $oUser.Put("telephoneNumber",$Telephone) ;Telephone
    $oUser.Put("mail",$Email) ;E-mail
    $oUser.Put("wWWHomePage",$WebPage) ;Web page
    $oUser.Put("userPrincipalName", $userPrincipalName) ;userPrincipalName

    $oUser.SetInfo
    $CreateUserAccount = @error
    if $CreateUserAccount
        ? "SetInfo Error: " + @error + " " + @Serror
    endif
Endfunction



ShaneEP
(MM club member)
2004-10-02 10:12 PM
Re: LDAP User Creation Question

Better late than never Howard. Very nice function nonetheless. I will give it a shot on Monday as well. Thanks again.

ShaneEP
(MM club member)
2004-10-04 10:12 PM
Re: LDAP User Creation Question

The UserPrincipalName did indeed do the trick as expected. Also taking into consideration some of the other suggestions about using Put rather than setting the fields directly, I came out with this. Seems to work great. Thanks for all the help as usual.

Code:

$users = ReadExcel2($usersheet,,-1,11)

For $counter=1 to ubound($users,1)
    $user = $users[$counter,0]
    $domainstring = $users[$counter,10]
    "Creating user account "+$user+" in "+$domainstring ?
    $objOU = GetObject($domainstring)
    $objUser = $objOU.Create("User", "cn="+$user)
    $objUser.Put("sAMAccountName", $user)
    $objUser.Put("displayName",$users[$counter,1])
    $objUser.Put("givenName",$users[$counter,2])
    $objUser.Put("Initials",$users[$counter,3])
    $objUser.Put("sn",$users[$counter,4])
    $objUser.Put("description",$users[$counter,5])
    $objUser.Put("physicalDeliveryOfficeName",$users[$counter,6])
    $objUser.Put("telephoneNumber",$users[$counter,7])
    $objUser.Put("mail",$users[$counter,8])
    $objUser.Put("WWWHomePage",$users[$counter,9])
    $domainname = Join(Split(Join(Split($domainstring,'dc='),'.'),','),'')
    $domainname = SubStr($domainname,InStr($domainname,'.')+1)
    $objUser.Put("UserPrincipalName",$user + "@@" + $domainname)
    $objUser.SetInfo
    $userpath = Split($domainstring,'//')
    $userpath = $userpath[0]+"//cn="+$user+","+$userpath[1]
    $objuser2 = getobject($userpath)
    $objUser2.AccountLocked=0
    $objUser2.AccountDisabled=0
    $objuser2.SetInfo
Next
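
Added example, not part of the thread or any poster's code: a Python pre-flight check for one spreadsheet row before it reaches `Create`/`Put`. It validates the sAMAccountName, escapes the value placed after `cn=`, and reads the DNS domain for the UPN from the `dc=` components only, so an OU name containing a period or a server name in the ADsPath does not end up in the UPN. All function names and the sample rows are assumptions made for the example.

```python
import re

SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')   # characters AD rejects in sAMAccountName
RDN_SPECIAL = set('"+,;<>\\=/')           # RFC 4514 specials plus '/' (ADsPath separator)

def check_sam(name):
    """Return the problems found in a sAMAccountName (empty list means usable)."""
    problems = []
    if not name or name != name.strip():
        problems.append("empty or padded with whitespace")
    if len(name) > 20:                     # user logon name (pre-Windows 2000) limit
        problems.append("longer than 20 characters")
    bad = sorted(set(name) & SAM_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems

def escape_rdn_value(value):
    """Escape a spreadsheet value before it is concatenated after 'cn='."""
    chars = ["\\" + c if c in RDN_SPECIAL else c for c in value]
    if chars and chars[0] in (" ", "#"):   # leading space or '#' must be escaped
        chars[0] = "\\" + chars[0]
    if chars and chars[-1] == " ":         # so must a trailing space
        chars[-1] = "\\ "
    return "".join(chars)

def dns_domain(adspath):
    """'LDAP://[server/]ou=X,dc=my,dc=domain,dc=com' -> 'my.domain.com'."""
    dn = re.fullmatch(r"(?:LDAP://)?(?:[^/\\=,]+/)?(.*)", adspath, re.I | re.S).group(1)
    parts = re.findall(r"(?:\\.|[^\\,])+", dn)      # split on unescaped commas only
    labels = [p.split("=", 1)[1].strip() for p in parts
              if p.strip().lower().startswith("dc=")]
    if not labels:
        raise ValueError("no dc= components in " + adspath)
    return ".".join(labels)

def plan_user(account, ou_adspath):
    """Validate one row and return the strings the script would hand to ADSI."""
    problems = check_sam(account)
    if problems:
        raise ValueError(account + ": " + "; ".join(problems))
    return {"rdn": "cn=" + escape_rdn_value(account),
            "sAMAccountName": account,
            "userPrincipalName": account + "@" + dns_domain(ou_adspath)}

# Constructed sample rows (account, OU ADsPath), not data from the thread.
ROWS = [("jdoe", "LDAP://ou=Dept. A,ou=Staff,dc=my,dc=domain,dc=com"),
        ("x,cn=Users", "LDAP://dc01/ou=Staff,dc=example,dc=com")]
```

`plan_user(*ROWS[0])` returns the RDN and UPN for a clean row; the second row is rejected because the comma and equals sign would otherwise change the distinguished name the account is created under.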



Howard Bullock
(KiX Supporter)
2004-10-08 04:02 AM
Re: LDAP User Creation Question

Updated code.

A problem was pointed out to me. The lines:
Code:
$aDom = split($Domain,".")
$sDNdom = ",dc=" + $aDom[0] + ",dc=" + $aDom[1] + ",dc=" + $aDom[2]



will fail if the text for the first parameter ($Domain) does not contain two periods. The following code is more tolerant and will work if there are any number of periods, including zero, in the domain name.
Code:
CreateUserAccount("my.domain.com",
                  "cn=Users",
                  "BullockTest",
                  "Howard",
                  "A",
                  "Bullock",
                  "Super Admin",
                  "Corner with a view",
                  "999-555-1212",
                  "habullock@@comcast.net",
                  "http://home.comcast.net/~habullock" )

Function CreateUserAccount($Domain,
                           $ContainerDN,
                           $Account,
                           optional $FirstName,
                           optional $MiddleInitial,
                           optional $LastName,
                           optional $Description,
                           optional $Office,
                           optional $Telephone,
                           optional $Email,
                           optional $WebPage,
                           optional $userPrincipalName )

    Dim $aDom, $part, $sDNdom, $LDAPpath, $oContainer, $oUser

    if VarTypeName($userPrincipalName) = "Empty"
        $userPrincipalName = $Account + "@@" + $Domain
    endif

    $aDom = split($Domain,".")
    for each $part in $aDom
        $sDNdom = "" + $sDNdom + ",dc=" + $part
    next

    $LDAPpath = "LDAP://" + $Domain + "/" + $ContainerDN + $sDNdom
    ;? $LDAPpath

    $oContainer = GetObject($LDAPpath)
    if @error
        ? "GetObject Error: " + @error + " " + @Serror
    endif

    $oUser = $oContainer.Create("User", "cn=" + $Account)
    if @error
        ? "Create Error: " + @error + " " + @Serror
    endif

    $oUser.Put("sAMAccountName", $Account)
    $oUser.Put("givenName", $FirstName) ;First Name
    $oUser.Put("Initials", $MiddleInitial) ;Initials
    $oUser.Put("sn", $LastName) ;Last Name(Surname)
    $oUser.Put("displayName",$LastName + iif($LastName, ", ","") +
               $FirstName + iif($MiddleInitial, " ", "") +
               $MiddleInitial) ;Display name
    $oUser.Put("description", $Description) ;Description
    $oUser.Put("physicalDeliveryOfficeName",$Office) ;Office
    $oUser.Put("telephoneNumber",$Telephone) ;Telephone
    $oUser.Put("mail",$Email) ;E-mail
    $oUser.Put("wWWHomePage",$WebPage) ;Web page
    $oUser.Put("userPrincipalName", $userPrincipalName) ;userPrincipalName

    $oUser.SetInfo
    $CreateUserAccount = @error
    if $CreateUserAccount
        ? "SetInfo Error: " + @error + " " + @Serror
    endif
Endfunction



Kdyer
(KiX Supporter)
2004-10-08 02:08 PM
Re: LDAP User Creation Question

Howard,

I am looking at this code with interest.. The reason being is that we have some admins that continually miss creating the user personal drives and other information. If this was combined with the ADSSECURITY.DLL, this would be pretty slick..

Re- Kent- Review a WSH script - Part Deux

Thanks,

Kent




Howard Bullock
(KiX Supporter)
2004-10-08 08:06 PM
Re: LDAP User Creation Question

Not sure where ADsSecurity.DLL fits into the picture, but there should be no reason additional functions could not be daisy-chained to this to provide complete automation of creating and configuring a user.

NTDOCAdministrator
(KiX Master)
2004-10-08 09:56 PM
Re: LDAP User Creation Question

One issue is replication time. You can't add user permissions to a new share on a remote server that does not recognize the account name yet.

Howard Bullock
(KiX Supporter)
2004-10-08 10:33 PM
Re: LDAP User Creation Question

But if you are smart about the binding, you could bind to a specific domain controller to create the user. If you select the DC that is in the same site as the file/print resource the account would be immediately available.

One could add an additional optional parameter called $DCname. Then the LDAP string would look like:
Code:
$LDAPpath = "LDAP://" + $DCname + "/" + $ContainerDN + $sDNdom

if the parm was used. $DCname would default back to the $Domain value if not used. This would permit the creation of objects on a specific DC.


Kdyer
(KiX Supporter)
2004-10-12 02:29 PM
Re: LDAP User Creation Question

Let me explain..

ADSSECURITY.DLL is used to apply perms where you would traditionally use CACLS/XCACLS to set perms on folders. This would be when you create a new user, you would also set up the personal drive too.

Kent