Create a user account in an Active Directory domain. This action is
intended to create user accounts in domains and organizational units of
Active Directory. In addition to creating the account itself, it also
configures Active Directory attributes of the account, such as the
password and the description of the account, and many more.
Some attributes of the user account may refer to other resources in the
network that the account uses. These resources themselves are not created
by this action. If they need to be created, this can be done by separate
actions that follow this action in the User Management Resource
Administrator script. An example of such a property is the Home
Directory. When specified in this Create User action, the Home Directory
attribute of the user account is set; the directory itself, however, is
not created. In order to create the directory itself, the script action
File System, Create directory should be performed.
This action cannot be used to create accounts outside of Active Directory.
In order to create user accounts in an NT4 domain, or to create local user
accounts on specific computers, use the action "Script
Action: Create User (no AD)" instead.
This action is typically used as a core part of a script designed to
create users in Active Directory domains, in order to create the account
and its attributes. In such a script this is usually the first major
action invoked. After creating the account, the script usually continues
by invoking actions to create home directories, home shares, group
memberships, etc.
| Property Name | Description | Typical setting | Remarks |
|---|---|---|---|
| Domain | The domain in which to create the user account. | %Domain% | The domain name is often used in many different actions, and is determined and stored in a variable before the action (e.g. %Domain%). The name of the domain can be either in DNS or NetBIOS style (e.g. Tools4ever.com or TOOLS4EVER). For more information on how to specify the domain/OU/container in which the user account is created, see the Remarks section below. |
| Organizational Unit-Container | The name of the Active Directory organizational unit or other container in which to create the account. | Users | Specify the path of the organizational unit (OU) or container relative to the domain. To specify OUs nested in OUs, use the full path relative to the domain, separated by slashes: OU/ChildOU/GrandChildOU. Examples: students or students/group1. For more information on how to specify the domain/OU/container in which the user account is created, see the Remarks section below. |
| LDAP container | Optional: the LDAP name of the container in which to create the account. | | Optionally specifies the Active Directory container in which the user is created directly by means of its LDAP name (examples: CN=users,DC=tools4ever,DC=com or OU=Group1,OU=Students,DC=tools4ever,DC=com). This specification can be used instead of the Domain and Organizational Unit-Container properties of this action. If specified, the LDAP container takes precedence, and the Domain and Organizational Unit-Container properties are ignored. For more information on how to specify the domain/OU/container in which the user account is created, see the Remarks section below. |
| Domain (controller) | Optional: the name of the domain controller or domain used to access the domain. | | If this value is not specified, the application creates the account on a domain controller that is determined by Active Directory (serverless binding). If a domain controller is specified, the account is explicitly created on that controller (server binding). In both cases, Active Directory itself replicates the account information to all domain controllers in the forest automatically as required. Depending on the actual User Management Resource Administrator script used, it may be necessary to specify a domain controller here. If a subsequent script action does an Active Directory query to obtain information about the newly created user, this query may occur before Active Directory has replicated the new information to other domain controllers. As a consequence, the query may fail to find the newly created user. When both actions specify the same domain controller, however, the newly created user can be found. Often such a requery of Active Directory by subsequent actions can be avoided by using the User Object that is created by this action in subsequent actions, instead of the name of the user. |
| Name generation algorithm | Specifies the name of the algorithm used to generate user names. | Default | The main purpose of the name generation algorithm is to create unique names that adhere to your company's syntax requirements. A common implementation of the algorithm takes as input the three variables %FirstName%, %MiddleName% and %LastName%, and generates from these the variables %FullName% and %UserName%. Here %FullName% contains the complete name of the user formatted for display purposes, and %UserName% the name formatted for use as the name of the account. These resulting variables can then be used as input for the other properties of this action. For a thorough discussion, see Name Generation Algorithms. |
| SAM-Account-Name | The user logon name (pre-Windows 2000) without the (NetBIOS) domain name. | %UserName% | This name is required, also in domains that use solely Active Directory domain controllers. It is usually chosen to be the same as the prefix of the User Principal Name. A SAM-Account-Name cannot be identical to any other user or group name in the domain being administered. It can contain up to 20 uppercase or lowercase characters, except for the following: " / \ [ ] : ; \| = , + * < >. A SAM-Account-Name cannot consist solely of periods (.) or spaces. Typically the name contained in %UserName% is generated by the name generation algorithm. If the name is found not to be unique, the next iteration of the algorithm is tried until unique names are generated. |
| User-Principal-Name | The User-Principal-Name (UPN) is an Internet-style logon name for the user. | %UserName%@Mycompany.com | The UPN is the preferred logon name for Active Directory users. Users should use their UPN to log on to the domain. The UPN has the format account_name@domain.com, where account_name is the UPN prefix and domain.com is the UPN suffix. The UPN prefix is usually chosen to be the same as the SAM-Account-Name. Typically the name contained in %UserName% is generated by the name generation algorithm. |
| CommonName | The CommonName is the full name of the user. This name is most commonly used in user interfaces. | %FullName% | Typically the name contained in %FullName% is generated by the name generation algorithm. |
| DisplayName | The Display name attribute of the account. It usually contains the full name of the user. | %FullName% | Typically the name contained in %FullName% is generated by the name generation algorithm. |
| Given-Name | Optional. The given name usually corresponds with the first name of the user. | %FirstName% | Typically the variable %FirstName% is read directly from the import file specifying the users to create. |
| Initials | Optional. The initials of the user, with a maximum length of six characters. | %MiddleName% | Typically the variable %MiddleName% is read directly from the import file specifying the users to create. |
| SurName | Optional. The surname of the user. | %LastName% | Typically the variable %LastName% is read directly from the import file specifying the users to create. |
| Password generator | The specification of how to generate passwords for the user account. | | Specifies the method used to generate a password for the user account. These methods vary from simple (easy to remember) passwords to strong passwords. There are several predefined settings available. The resulting password is stored in a variable; by default it is stored in the variable %Password%. This variable is used as the value for the Password property. |
| Password | The password for the created account. | %Password% | Typically the value contained in the variable %Password% is generated by the password generator. To create the same password for all users you can specify the password here directly, for example "test1234". You can also read the password from the input file. |
| Description | A text string that will be shown in the Description field of the user account in Windows. The string can have any length. | | |
| Home directory | The home directory of the user as specified in the "Home folder" setting of the user account. | \\%HomeServer%\users\%UserName% | The value can be specified either in the form \\<server name>\<share name>\<rest of path>, or as a local path, e.g. G:\UserData\<user name>. Note: this specification does not create the home directory itself if it does not exist. In order to create the home directory, specify the action Create Directory in the User Management Resource Administrator script after this action. Typically the name contained in %UserName% is generated by the name generation algorithm, and the name contained in %HomeServer% is specified previously in the script, or in the import file. |
| Home directory drive | The drive letter to which the home directory is connected. Specify only the drive letter itself, without colon or backslash. | | If the drive letter is specified, the Home directory must be specified in the form \\<server name>\<share name>\<rest of path>, and not as a local path. |
| User profile | The profile path of the user account. | \\%HomeServer%\profiles\%UserName% | The value must have the form \\<server name>\<share name>\<rest of path>. |
| Logon script | Full or relative path to the script file that is executed by Windows when the user logs on. | \\%HomeServer%\scripts\%UserName%.bat or %UserName%.bat | If a relative path is specified, it is relative to the default script directory of Windows. |
| User must change password at next logon | Specifies whether the user must change the password at the next logon. | Yes | Valid specifications are YES and NO. The default value is NO. When set to YES, the User cannot change password property must be set to NO. |
| User cannot change password | Specifies whether the user is disallowed to change the assigned password. | No | Valid specifications are YES and NO. The default value is NO. This setting has no effect on members of the Administrators group. When set to YES, the User must change password at next logon property must be set to NO. |
| Password never expires | Specifies whether the password will never expire. | | Valid specifications are YES and NO. The default value is NO. This setting overrides the Maximum Password Age setting in the password policy for the domain/computer. |
| Store password using reversible encryption | Specifies whether the password will be stored using reversible encryption. | No | Allows a user to log on to a Windows network from Apple computers. If a user is not logging on from an Apple computer, this option should not be used. |
| Account Disabled | Specifies whether the account should be created in the disabled state. | No | Valid specifications are YES and NO. The default value is NO. |
| Smart card is required for interactive logon | Specifies whether a smart card is required. | No | Requires that the user possesses a smart card to log on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card. When this option is selected, the password for the user account is automatically set to a random and complex value and the Password never expires account option is set. |
| Account is trusted for delegation | Specifies whether the account is trusted for delegation. | No | Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain access to resources on the computer. |
| Account is sensitive and cannot be delegated | Specifies that the account cannot be delegated. | No | Allows control over a user account, such as a guest or temporary account. This option can be used if this account cannot be assigned for delegation by another account. |
| Use DES encryption types for this account | Provides support for Data Encryption Standard (DES). | No | The default value is NO. |
| Do not require Kerberos preauthentication | Provides support for alternative implementations of the Kerberos protocol. | No | The default value is NO. |
| Computer account | This is a computer account for a Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain. Default value: No. | No | Specify Yes if the account is a computer (workstation) account. |
| Account Expiration | Specifies the date after which the account is expired. | | If not specified, the account never expires. |
| Logon hours | The hours the user account can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week. | | The value is specified as a text of 42 hexadecimal characters, representing all the hours of a week. The hours of each day are represented by 6 characters. |
| Workstations | A list of workstation names, separated by ",", on which the user is allowed to log on. | | If specified, the user is only allowed to log on when seated at one of the computers (workstation or server) listed. A maximum of 8 computer (workstation or server) names can be specified. If not specified, no such explicit restriction applies. |
| General - Office | The user's office location: the person's office location, including the building and office address or number. | | |
| General - TelephoneNumber | The user's phone number. | | |
| General - E-mail | The user's e-mail address. The e-mail address appears with the user principal name suffix (for example, someone@microsoft.com). | | |
| General - Web-Page | The user's home page URL, either on the Internet or in the local intranet site. | | |
| Address - Street | The user's street address. | | |
| Address - P.O. Box | The user's post office box number. | | |
| Address - City | The city where the user is located. | | |
| Address - State/province | The state or province where the user is located. | | |
| Address - Zip/Postal Code | The zip or postal code applicable for the user. | | |
| Address - Country/region | The user's country or region. | | The country can be either explicitly chosen from a drop-down list, or specified as text. In the latter case it can also be read from a variable, for instance created from a column of the list of users. |
| Telephones - Home | The user's home telephone number. | | |
| Telephones - Pager | The user's pager number. | | |
| Telephones - Mobile | The user's mobile telephone number. | | |
| Telephones - Fax | The user's fax number. | | |
| Telephones - IP phone | The user's IP telephone number. | | |
| Telephones - Notes | Descriptive information and any comments for this user. | | |
| Organization - Title | The user's title. | | |
| Organization - Department | The user's department. | | |
| Organization - Company | The user's company. | | |
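How the Domain, Organizational Unit-Container and LDAP container properties combine into the LDAP distinguished name the account is created under, as an added example (not code from the product): the slash-separated OU path is written top-down and a DN leaf-first, RDN values are escaped per RFC 4514, and an explicit LDAP container overrides the other two. Treating the bare names Users, Computers and Builtin as CN= containers rather than OUs is an assumption based on the page's CN=users example.

```python
import re

# Default AD containers that are CN= objects, not OUs (assumption: the page
# only shows "CN=users" as an example; other bare names are treated as OUs).
WELL_KNOWN_CONTAINERS = {"users", "computers", "builtin"}
_RDN_SPECIALS = ',+"\\<>;'   # must be escaped inside an RDN value (RFC 4514)


def escape_rdn_value(value):
    """Escape an OU or CN name so it can be embedded in a DN."""
    out = "".join("\\" + c if c in _RDN_SPECIALS else c for c in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def domain_to_dn(domain):
    """'tools4ever.com' -> 'DC=tools4ever,DC=com'. A NetBIOS-style name such
    as TOOLS4EVER has no dot and must be resolved to its DNS name first."""
    if "." not in domain:
        raise ValueError("resolve NetBIOS domain %r to its DNS name first" % domain)
    return ",".join("DC=" + escape_rdn_value(p) for p in domain.split("."))


def container_dn(domain, ou_path, ldap_container=None):
    """DN of the container the account is created in. The LDAP container
    property, when given, takes precedence and the other two are ignored."""
    if ldap_container:
        # Normalise "OU=Group1, OU=Students, DC=..." by trimming the
        # whitespace around every unescaped comma.
        return ",".join(p.strip() for p in re.split(r"(?<!\\),", ldap_container))
    rdns = []
    for i, name in enumerate(p for p in ou_path.split("/") if p):
        # Only a name directly under the domain can be a well-known container.
        kind = "CN" if i == 0 and name.lower() in WELL_KNOWN_CONTAINERS else "OU"
        rdns.append("%s=%s" % (kind, escape_rdn_value(name)))
    # Path 'OU/ChildOU/GrandChildOU' becomes 'OU=GrandChildOU,OU=ChildOU,OU=OU,DC=...'
    return ",".join(list(reversed(rdns)) + [domain_to_dn(domain)])


def user_dn(common_name, domain, ou_path, ldap_container=None):
    """DN of the new user object: CN=<CommonName> under the container."""
    return "CN=%s,%s" % (escape_rdn_value(common_name),
                         container_dn(domain, ou_path, ldap_container))
```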
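The SAM-Account-Name rules and the name generation loop from the table, as an added example (not the product's own algorithm): the validator applies exactly the limits the page lists (20 characters, the forbidden character set, not solely periods or spaces), and the generator iterates an assumed scheme (first initial + surname, then with middle initial, then a numeric suffix) until the name is valid and not yet taken, producing the %FullName%, %UserName% and UPN values the other properties consume. Uniqueness is checked case-insensitively, as sAMAccountName is.

```python
import itertools

SAM_FORBIDDEN = set('"/\\[]:;|=,+*<>')   # characters the page disallows
SAM_MAX_LEN = 20


def valid_sam_account_name(name):
    """True if the name satisfies the SAM-Account-Name rules in the table."""
    if not 1 <= len(name) <= SAM_MAX_LEN:
        return False
    if any(c in SAM_FORBIDDEN for c in name):
        return False
    return name.strip(". ") != ""          # not solely periods or spaces


def _candidates(first, middle, last):
    """Assumed scheme: jdoe, then jadoe (middle initial), then jdoe2, jdoe3, ...
    Spaces in the surname are dropped, so 'Van Dijk' yields 'jvandijk'.
    Numbered candidates are cut so that name plus suffix stay within 20."""
    f, m, l = first[:1], middle[:1], last.replace(" ", "")
    base = (f + l).lower()[:SAM_MAX_LEN]
    yield base
    if m:
        yield (f + m + l).lower()[:SAM_MAX_LEN]
    for n in itertools.count(2):
        suffix = str(n)
        yield base[:SAM_MAX_LEN - len(suffix)] + suffix


def generate_names(first, middle, last, existing, upn_suffix):
    """Return %FullName%, %UserName% and the UPN for a new user, trying the
    next iteration of the scheme until the SAM name is valid and unique."""
    taken = {e.lower() for e in existing}
    full_name = " ".join(p for p in (first, middle, last) if p)
    for cand in itertools.islice(_candidates(first, middle, last), 1000):
        if valid_sam_account_name(cand) and cand not in taken:
            return {"FullName": full_name, "UserName": cand,
                    "UPN": "%s@%s" % (cand, upn_suffix)}
    # Reached only if every candidate is invalid (e.g. a forbidden character
    # in the surname) or taken; the script should then stop, not guess.
    raise ValueError("no valid unique SAM-Account-Name for %r" % full_name)
```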
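The 42-hexadecimal-character Logon hours value described in the table, as an added example (not the product's own code): seven days of 24 bits each, written as 3 bytes (6 characters) per day, built from human-readable hour ranges and parsed back for verification. The page fixes only the 42-character and 6-per-day layout; the assumptions here are Sunday as the first day, bit h of a day's 24 bits meaning hour h, and the lowest byte (hours 0 to 7) first, which matches how Active Directory stores its logonHours attribute. Active Directory evaluates those bits in UTC, so local office hours must be shifted before encoding.

```python
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")   # assumed day order


def logon_hours_hex(allowed):
    """Build the 42-character value from {day: [(start, end), ...]}, hours in
    0..24 with the end exclusive, e.g. {"Mon": [(8, 18)]} for 08:00-18:00.
    Days missing from the dict get no logon hours at all."""
    out = []
    for day in DAYS:
        bits = 0
        for start, end in allowed.get(day, []):
            if not 0 <= start < end <= 24:
                raise ValueError("bad range %r for %s" % ((start, end), day))
            for h in range(start, end):
                bits |= 1 << h                     # bit h == hour h (assumed)
        # 24-bit day value -> 3 bytes, byte for hours 0-7 first (assumed).
        out.append("".join("%02X" % ((bits >> (8 * i)) & 0xFF) for i in range(3)))
    return "".join(out)


def parse_logon_hours(text):
    """Inverse of logon_hours_hex: {day: sorted list of allowed hours}."""
    if len(text) != 42:
        raise ValueError("expected 42 hexadecimal characters, got %d" % len(text))
    raw = bytes.fromhex(text)                       # rejects non-hex input
    result = {}
    for d, day in enumerate(DAYS):
        chunk = raw[3 * d:3 * d + 3]
        bits = chunk[0] | chunk[1] << 8 | chunk[2] << 16
        result[day] = [h for h in range(24) if bits >> h & 1]
    return result


# The page's default: logon allowed 24 hours a day, 7 days a week.
ALWAYS = logon_hours_hex({d: [(0, 24)] for d in DAYS})
```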
When the action is run, the actual values of the properties are determined
at run time, and the action is executed using these values. Generally
these values are not stored for later use. However, the actual value of
a specific property may be required by a subsequent action in the User
Management Resource Administrator script. To facilitate this, any
property can be explicitly configured to be saved in a variable when the
action has been performed. For example, when the password of a user is
created with the password generator, the resulting password value may be
stored in a variable, so that it can be exported to a file by another
action in the script.
By default the following properties are saved in a variable for use in
other scripts. Properties that are exported are shown with an image with
a green arrow in the properties list.