Create and Manage Active Directory Users and Computers
Users and computers are the basic leaf objects that populate the branches of the AD DS tree. Creating and managing these objects are everyday tasks for most AD DS administrators.
Creating User Objects
The user account is the primary means by which people using an AD DS forest access resources. Resource access for individuals takes place through their individual user accounts. To gain access to the network, prospective network users must authenticate to a network with a specific user account.
Authentication is the process of confirming a user's identity by using a known value such as a password, a smart card, or a fingerprint. When a user supplies a name and password, the authentication process validates the credentials supplied in the logon against information that has been stored within the AD DS database. Do not confuse authentication with authorization, which is the process of confirming that an authenticated user has the correct permissions to access one or more network resources.
There are two types of user accounts on systems running Windows Server 2012 R2, as follows:
- Local Users:
These accounts can only access resources on the local computer and are stored in the local Security Account Manager (SAM) database on the computer where they reside. Local accounts are never replicated to other computers and do not provide domain access. This means that a local account configured on one server cannot be used to access resources on a second server; you would need to configure a second local account in that case.
- Domain Users:
These accounts can access AD DS or network-based resources, such as shared folders and printers. Account information for these users is stored in the AD DS database and replicated to all domain controllers within the same domain. A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.
User Creation Tools
One of the most common tasks for administrators is the creation of Active Directory user objects. Windows Server 2012 R2 includes several tools you can use to create objects. The specific tool you use depends on how many objects you need to create, the time frame available for the creation of these groups, and any special circumstances, such as importing users from an existing database.
When creating a single user, administrators can use Active Directory Administrative Center or the Active Directory Users And Computers console. However, when you need to create multiple users in a short time frame or you have an existing database from which to import these objects, you will want to use a more efficient tool. Windows Server 2012 R2 provides a number of tools you can choose based on what you want to accomplish. The following list describes the most commonly used methods for creating multiple users and groups. These tools are detailed in the upcoming sections.
- Dsadd.exe:
The standard command-line tool for creating AD DS leaf objects, which you can use with batch files to create AD DS objects in bulk
- Windows PowerShell:
The Windows maintenance tool that enables you to create object creation scripts of nearly unlimited complexity
- Comma-Separated Value Directory Exchange (CSVDE.exe):
A command-line utility that can create new AD DS objects by importing information from a comma-separated value (.csv) file
- LDAP Data Interchange Format Directory Exchange (LDIFDE.exe):
Like CSVDE.exe, but with more functionality, LDIFDE.exe is a utility that can import AD DS information and use it to add, delete, or modify objects, in addition to modifying the schema, if necessary
These tools all have their roles in network administration; it is up to the administrator to select the best tool to suit his or her skill set and the particular situation.
The following sections examine various scenarios for using these tools to create user objects.
Creating single users
For some administrators, creating individual user accounts is a daily task, and there are many ways to go about it. Windows Server 2012 R2 has redesigned the Active Directory Administrative Center (ADAC) application, first introduced in Windows Server 2008 R2, to fully incorporate new features such as the Active Directory Recycle Bin and fine-grained password policies. You can also use the tool to create and manage AD DS user accounts. To create a single user account by using the Active Directory Administrative Center, use the following procedure.
- In Server Manager, on the Tools menu, select Active Directory Administrative Center. The Active Directory Administrative Center console opens.
- In the left pane, find the domain in which you want to create the user object and select a container in that domain.
- In the Tasks pane, under the container name, click New, User to open the Create User window.
- Type the user's name in the Full Name field and an account name in the User SamAccountName Logon field.
- Type an initial password for the user in the Password field and the Confirm password field.
- Supply information for any of the optional fields on the page you wish.
- Click OK. The user object appears in the container.
- Close the Active Directory Administrative Center console.
Administrators who are more comfortable with the familiar Active Directory Users And Computers console can still use it to create user objects by using the New Object - User Wizard.
For administrators working on Server Core installations or who are more comfortable with the command line, it is also possible to create user objects without a graphical interface.
USING DSADD.EXE
For administrators more comfortable with the traditional command prompt, the Dsadd.exe program can create new user objects by using the syntax described in this section.
To create a user by using the Dsadd.exe utility, you must know the distinguished name (DN) for the user and the user's login ID, also known as the SAM account name attribute within AD DS. The distinguished name of an object signifies its location within the Active Directory structure. For example, in the distinguished name:
cn=Maria Nelson,ou=Research,dc=adatum,dc=com
the cn refers to the common name for Maria Nelson's user account, which resides in the Research OU, which resides in the adatum.com domain.
Each object has a unique DN, but this DN can change if you move the object to different locations within the Active Directory structure. For example, if you create an additional layer of OUs representing offices in different cities, the previous DN might change to:
cn=Maria Nelson,ou=Research,ou=Baltimore,dc=adatum,dc=com
even though it is the same user object with the same rights and permissions.
The SAM account name refers to each user's login name, the portion to the left of the @ within a User Principal Name; in eander@adatum.com, for example, the SAM account name is eander. The SAM account name must be unique across a domain.
When you have both these items, you can create a user with the Dsadd.exe utility by using the following syntax:
dsadd user <distinguished name> -samid <SAM account name>
For example, in its simplest form, you can create the account for Maria Nelson referenced earlier as follows:
dsadd user "cn=Maria Nelson,ou=Research,dc=adatum,dc=com" -samid eander
You can also add attribute values by using the Dsadd.exe tool. The following command adds some of the most common attributes to the user object:
Dsadd.exe user "CN=Maria Nelson,OU=Research,DC=adatum,DC=local" -samid "eander" -fn "Maria" -ln "Nelson" -disabled no -mustchpwd yes -pwd "Pa$$w0rd"
USING WINDOWS POWERSHELL
Microsoft is placing increased emphasis on Windows PowerShell as a server management tool, and provides a cmdlet called New-ADUser, which you can use to create a user account and configure any or all of the attributes associated with it. The New-ADUser cmdlet has many parameters, to enable access to all the user object's attributes.
For example, to create a new user object for Maria Nelson in an organizational unit (OU) called Research, you could use the New-ADUser cmdlet with the following parameters:
New-ADUser -Name "Maria Nelson" -SamAccountName "eander" -GivenName "Maria" -Surname "Nelson" -Path 'OU=Research,DC=adatum,DC=local' -Enabled $true -AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force) -ChangePasswordAtLogon $true
The -Name and -SamAccountName parameters are required to identify the object. The -Path parameter specifies the location of the object in the AD DS hierarchy. The -Enabled parameter ensures that the account is active. The -AccountPassword parameter accepts only a SecureString, which is why the password is wrapped in ConvertTo-SecureString; the password is written in single quotes because inside double quotes PowerShell would expand $$ to the ID of the current process.
Creating user templates
In some cases, administrators have to create single users on a regular basis, but the user accounts contain so many attributes that creating them individually is time-consuming.
One way to speed up the process of creating complex user objects is to use the New-ADUser cmdlet or the Dsadd.exe program and retain your commands in a script or batch file. However, if you prefer a graphical interface, you can do roughly the same thing by creating a user template.
A user template is a standard user object containing boilerplate attribute settings. When you want to create a new user with those settings, just copy the template to a new user object and change the name and any other attributes that are unique to the user.
To create a user template by using the Active Directory Users And Computers console, use the following procedure.
- In Server Manager, on the Tools menu, select Active Directory Users And Computers. The Active Directory Users And Computers console appears.
- Create a user object with the name Default Template, clearing the User Must Change Password At Next Logon check box and selecting the Account Is Disabled check box.
- Open the user's Properties sheet and modify the attributes on the various tabs with values common to all the users you will be creating.
To use the template, right-click the Default Template user object and, from the shortcut menu, select Copy. The Copy Object - User Wizard starts.
Enter the required unique information for the user and clear the Account Is Disabled check box before clicking OK. The wizard creates a new user object with a subset of the attributes you configured in the template.
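The same copy-from-template operation can be scripted, which is the route the text suggests for administrators who prefer the command line. The following is an added example, not code from the original text; it uses the New-ADUser -Instance parameter, and the template's distinguished name, the target OU and the UPN suffix are assumed values.

```powershell
# Added example: PowerShell equivalent of the Copy Object - User Wizard.
# Template DN, OU and UPN suffix are assumptions for this example.
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][securestring]$InitialPassword,
        [string]$TemplateDn = 'CN=Default Template,OU=Research,DC=adatum,DC=com',
        [string]$Path = 'OU=Research,DC=adatum,DC=com'
    )
    # Only the attributes fetched here are copied. -Instance never copies the
    # name, SID, SAM account name, UPN or password; those come from the parameters.
    $template = Get-ADUser -Identity $TemplateDn `
        -Properties Department,Company,Title,Office,StreetAddress,City,ScriptPath

    New-ADUser -Instance $template -Name $Name -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@adatum.com" -DisplayName $Name `
        -GivenName $GivenName -Surname $Surname -Path $Path `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true `
        -Enabled $true   # the template stays disabled; the copy is enabled explicitly

    # Group memberships are links to the groups, not user attributes, so the
    # wizard's behaviour of copying them has to be reproduced separately.
    $groups = Get-ADPrincipalGroupMembership -Identity $TemplateDn |
        Where-Object { $_.Name -ne 'Domain Users' }   # primary group, already a member
    if ($groups) {
        Add-ADPrincipalGroupMembership -Identity $SamAccountName -MemberOf $groups
    }
    Get-ADUser -Identity $SamAccountName -Properties Department,Title,MemberOf
}

# Prompt for the initial password rather than embedding it in the script.
$pw = Read-Host -Prompt 'Initial password for the new user' -AsSecureString
New-UserFromTemplate -Name 'Maria Nelson' -SamAccountName 'eander' `
    -GivenName 'Maria' -Surname 'Nelson' -InitialPassword $pw
```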
Creating multiple users
Administrators sometimes have to create hundreds or thousands of user objects, making the single object creation procedures impractical. The previous sections described the procedures for creating single users and group objects by using the GUI and some of the available command-line tools in Windows Server 2012 R2. The following sections examine some of the mechanisms for automating the creation of large numbers of Active Directory objects.
USING CSVDE.EXE
Applications such as Microsoft Excel can generate lists of users, with their accompanying information, to add to the AD DS database. In these cases, you can export information from the applications by saving it to a file in CSV format. CSV format also can be used to import information into and export it from other third-party applications.
A CSV file is a plain text file that consists of records, each on a separate line, which are divided into fields, separated by commas. The format is a way to save database information in a universally understandable way.
The CSVDE.exe command-line utility enables administrators to import or export Active Directory objects. It uses a CSV file that is based on a header record, which identifies the attribute contained in each comma-delimited field. The header record is just the first line of the text file that uses proper attribute names. To be imported into AD DS, the attribute names in the CSV file must match the attributes allowed by the Active Directory schema. For example, if you have a list of people and telephone numbers you want to import as users into the Active Directory database, you will need to create a header record that accurately reflects the object names and attributes you want to create. Review the following attributes that are commonly used for creating user accounts.
- dn Specifies the distinguished name of the object so that the object can be properly placed in Active Directory
- samAccountName Populates the SAM account field
- objectClass Specifies the type of object to be created, such as user, group, or OU
- telephoneNumber Populates the Telephone Number field
- userPrincipalName Populates the User Principal Name field
As you create your CSV file, you must order the data to reflect the sequence of the attributes in the header record. If fields and data are out of order, you will either encounter an error when running the CSVDE.exe utility or you might get inaccurate results in the created objects. The following example of a header record uses the previously listed attributes to create a user object.
dn,samAccountName,userPrincipalName,telephoneNumber,objectClass
A data record conforming to this header record would then appear as follows:
"cn=Maria Nelson,ou=Research,dc=adatum,dc=com",eander,eander@adatum.com,586-555-1234,user
After you have added a record for each account you want to create, save the file using .csv as the extension. You then use the following command syntax to run the CSVDE.exe program and import the file:
csvde.exe -i -f <filename.csv>
The -i switch tells CSVDE.exe that this operation will import data. The -f switch is used to specify the .csv file containing the records to be imported.
USING LDIFDE.EXE
LDIFDE.exe is a utility that has the same basic functionality as CSVDE.exe and provides the ability to modify existing records in Active Directory. For this reason, LDIFDE.exe is a more flexible option. Consider an example where you have to import 200 new users into your AD DS structure. In this case, you can use CSVDE.exe or LDIFDE.exe to import the users. However, you can use LDIFDE.exe to modify or delete the objects later, whereas CSVDE.exe does not provide this option.
You can use any text editor to create the LDIFDE.exe input file, which is formatted according to the LDAP Data Interchange Format (LDIF) standard. The format for the data file containing the object records you wish to create is significantly different from that of CSVDE.exe: each attribute goes on its own line as name: value, and the distinguished name is not enclosed in quotation marks as it is in a CSV file. The following example shows the syntax for a data file to create the same user account discussed in the CSVDE.exe example.
dn: cn=Maria Nelson,ou=Research,dc=adatum,dc=com
changetype: add
objectClass: user
sAMAccountName: eander
userPrincipalName: eander@adatum.com
telephoneNumber: 482-666-1234
Using LDIFDE.exe, you can specify one of three actions that will be performed with the LDIF file:
- Add Creates new objects by using the LDIF records
- Modify Modifies existing object attributes by using the LDIF records
- Delete Deletes existing objects by using the LDIF records
After creating the data file and saving it using the .ldf file extension, use the following syntax to execute the LDIFDE.exe program:
ldifde -i -f <filename.ldf>
The next example illustrates the LDIF syntax to modify the telephone number of an existing user object. Note that the hyphen in the last line is required for the file to function correctly.
dn: cn=Maria Nelson,ou=Research,dc=adatum,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: 482-666-1234
-
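Hand-typing LDIF records for more than a handful of users is error-prone, particularly where a value contains characters that LDIF requires to be base64-encoded. The following added example (not from the original text) generates both the add records and a modify record shown above from a CSV list; the CSV rows, the extra user and the output file name are constructed for the example.

```powershell
# Added example: build an LDIFDE.exe input file from CSV rows.
# The rows below and the output path are constructed for this example.
$rows = @'
dn,sAMAccountName,userPrincipalName,telephoneNumber
"cn=Maria Nelson,ou=Research,dc=adatum,dc=com",eander,eander@adatum.com,482-666-1234
"cn=Søren Holm,ou=Research,dc=adatum,dc=com",sholm,sholm@adatum.com,482-666-5678
'@ | ConvertFrom-Csv

function ConvertTo-LdifLine {
    param([string]$Attr, [string]$Value)
    # A value that starts with a space, ':' or '<', or contains non-ASCII or
    # control characters, must be written base64-encoded as "attr:: value".
    if ($Value -match '^[ :<]' -or $Value -match '[^\x20-\x7E]') {
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
        return "${Attr}:: $b64"
    }
    return "${Attr}: $Value"
}

function New-LdifAddRecord {
    param([psobject]$Row)
    # The dn line is never quoted in LDIF, unlike the dn field of a CSV file.
    $lines = @((ConvertTo-LdifLine 'dn' $Row.dn), 'changetype: add', 'objectClass: user')
    foreach ($attr in 'sAMAccountName', 'userPrincipalName', 'telephoneNumber') {
        if ($Row.$attr) { $lines += ConvertTo-LdifLine $attr $Row.$attr }
    }
    return $lines -join "`r`n"
}

function New-LdifModifyRecord {
    param([string]$Dn, [string]$Attr, [string]$Value)
    # "replace" overwrites the attribute; the lone "-" closes the change.
    @((ConvertTo-LdifLine 'dn' $Dn), 'changetype: modify', "replace: $Attr",
      (ConvertTo-LdifLine $Attr $Value), '-') -join "`r`n"
}

# Records are separated by a blank line. Because every non-ASCII value is
# base64-encoded, the file is pure ASCII and ldifde needs no encoding switch.
$add    = $rows | ForEach-Object { New-LdifAddRecord $_ }
$modify = New-LdifModifyRecord 'cn=Maria Nelson,ou=Research,dc=adatum,dc=com' `
          'telephoneNumber' '482-666-9999'
(@($add) + $modify) -join "`r`n`r`n" | Set-Content -Path .\users.ldf -Encoding Ascii
# Import with: ldifde -i -f users.ldf -k   (-k continues past "already exists" errors)
```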
USING WINDOWS POWERSHELL
It is also possible to use CSV files to create user objects with Windows PowerShell by using the Import-CSV cmdlet to read the data from the file and piping it to the New-ADUser cmdlet. To insert the data from the file into the correct user object attributes, use the New-ADUser cmdlet parameters to reference the field names in the CSV file's header record.
An example of a bulk user creation command would be as follows:
Import-Csv users.csv | ForEach-Object { New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name -Surname $_.Surname -GivenName $_.GivenName -Path "OU=Research,DC=adatum,DC=COM" -AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force) -Enabled $true }
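A one-line pipeline like the one above gives every new account the same initial password and stops at the first bad row. The following added example (not from the original text) is a bulk-creation script that validates each row, skips SAM account names that are invalid or already taken, and assigns each account its own random initial password that must be changed at first logon; the CSV rows, the OU and the UPN suffix are constructed or assumed.

```powershell
# Added example: validated bulk creation with per-user random initial passwords.
# The CSV rows, OU and UPN suffix are constructed/assumed for this example.
Import-Module ActiveDirectory
$ou = 'OU=Research,DC=adatum,DC=com'
$rows = @'
Name,SamAccountName,GivenName,Surname
Maria Nelson,eander,Maria,Nelson
Oliver Cox,ocox,Oliver,Cox
'@ | ConvertFrom-Csv          # in production: Import-Csv users.csv

function New-RandomPassword {
    param([int]$Length = 16)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%*+-=?'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # reject bytes >= limit to avoid modulo bias
    $byte = New-Object byte[] 1
    do {
        $pw = ''
        while ($pw.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) { $pw += $chars[$byte[0] % $chars.Length] }
        }
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')   # complexity
    return $pw
}

$created = foreach ($row in $rows) {
    $sam = $row.SamAccountName
    # Require every field; a SAM account name is at most 20 characters and must be unique.
    if (@('Name', 'GivenName', 'Surname') | Where-Object { -not $row.$_ }) {
        Write-Warning "Skipping row for '$($row.Name)': missing field"; continue
    }
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Skipping '$sam': not a valid SAM account name"; continue
    }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping '$sam': account already exists"; continue
    }
    $plain = New-RandomPassword
    try {
        New-ADUser -Name $row.Name -SamAccountName $sam -GivenName $row.GivenName `
            -Surname $row.Surname -UserPrincipalName "$sam@adatum.com" -Path $ou `
            -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
        [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $plain }
    } catch { Write-Warning "Failed to create '$sam': $_" }
}
# Deliver the initial passwords to the users out of band and delete this file afterwards.
$created | Export-Csv -Path .\initial-passwords.csv -NoTypeInformation
```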