Link to home
Create AccountLog in
Avatar of mistaj
mistaj

asked on

VBscript for creating Active Directory users - user accounts expired!!

I have created a VB script to create numerous users in a Windows 2000 Active Dicretory domain reading the usernames from a text file in the format

firstname lastname

The script creates the users, maps home directory, enables account, sets password

however when any try to log on they get the message:

"your account has expired"

The accoutn properties are the same as the existing accounts when i check them manually - they are enabled, they havent expired, etc can someone tell me where i am going wrong as its driving me crazy!

Script below:

On Error Resume Next  
Password = "password"              
usrfile = "usernames.txt"  
dcroot = "ou=test users,dc=testdomain,dc=COM"
hdrive = "H:"
bat = "login.bat"
hdirectory = "\\Server\users\%username%"
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(usrfile) Then
    Set objFile = objFSO.OpenTextFile(usrfile, 1)
Else
    Wscript.Echo "File" & usrfile & " does not exist."
    WScript.Quit
End If

WScript.Echo "Reading user names from " & usrfile & VbCrLf
WScript.Echo "Line number:" & VbTab & "Action:"
WScript.Echo "========================================================================="
Do Until objFile.AtEndOfStream
    CurLine = objFile.Line
    Userline = objFile.ReadLine
    If not Userline = "" Then
       useNames = Split(Userline, " ")
          FirstName = useNames(0)
          Length = UBound(useNames)
     If Length > 1 Then
          LastName  = useNames(1) & " " & useNames(2)
     Else        
          LastName  = useNames(1)
     End If
          FullName = useNames(0) & " " & LastName
          FirstInitial = left(FirstName, 1)
          LName = useNames(Length)
          LogonName = LName & FirstInitial
          Userpn = LogonName & "@testdomain.COM"
        Set objContainer = GetObject("LDAP://" & dcroot)
        If Err <> 0 Then
            WScript.Echo "Can not bind to " & dcroot & ". Check syntax."
            WScript.Quit
        End If
        Err.Clear
           
            Set objNew = objContainer.Create("User", "cn=" & FullName)
            objNew.Put "sAMAccountName", LogonName
            objNew.Put "UserPrincipalName", Userpn
            objNew.Put "givenName", FirstName
            objNew.Put "sn", LastName
            objNew.Put "displayName", FirstName & " " & LastName
            objNew.Put "homeDrive", hdrive
            objNew.Put "homeDirectory", hdirectory
            objNew.Put "scriptPath", bat
            objNew.SetInfo
            Set objNew = Nothing
            Set objUser = GetObject("LDAP://cn=" & _
                          FullName & "," & dcroot)
            objUser.ChangePassword "", Password
            objUser.SetInfo
            objUser.AccountDisabled = FALSE
            objUser.SetInfo
            objUser.AccountExpires = -1
            objUser.SetInfo
            intUAC = objUser.Get("userAccountControl")
            objUser.Put "userAccountControl", intUAC XOR _
            ADS_UF_DONT_EXPIRE_PASSWD
            objUser.SetInfo
            Set grp = GetObject("LDAP://cn=test group,ou=testusers,dc=testdomain,dc=COM")
            grp.Add(objUser.AdsPath)
            grp.SetInfo
            Set objUser = Nothing
            Set grp = Nothing
            WScript.Echo CurLine & vbTab & vbTab & "User """ & _
                         FullName & """ (" & LogonName & " , " & Userpn &  ") created. " & pwderr
       
    Else
        WScript.Echo CurLine & vbTab & vbTab & _
                     "Skipping Empty line in " & usrfile
    End If
Loop
objFile.Close


Avatar of RobSampson
RobSampson
Flag of Australia image

mistaj,

This changes the Password Never Expires flag from Off to On:
If Not objUser.userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
    objUser.Put "userAccountControl", objUser.userAccountControl XOR ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
End If

and this changes it from On to Off
If objUser.userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
    objUser.Put "userAccountControl", objUser.userAccountControl XOR ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
End If

I am wondering if your XOR line is setting the password as expired.
I would use code like this to set the flag, then force the user to change the password when they log on.  Maybe you're setting a blank password that expires.
         userActCtrl = objItem.Get("userAccountControl")
          If objItem.userAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
                ' Check if they have Password Never Expires ticked, and uncheck it
                objItem.Put "userAccountControl", objItem.userAccountControl XOR ADS_UF_DONT_EXPIRE_PASSWD
                'userActCtrl = userActCtrl And Not (ADS_UF_DONT_EXPIRE_PASSWD)
                'objItem.Put "userAccountControl", userActCtrl
                objItem.setInfo
                MsgBox "Flag unticked"
                ' And then make the Force user to change password ticked
                objItem.pwdLastSet = 0
                objItem.SetInfo
          Else
                ' Otherwise just make the Force user to change password ticked
                objItem.pwdLastSet = 0
                objItem.SetInfo          
          End If

Regards,

Rob.
ASKER CERTIFIED SOLUTION
Avatar of mistaj
mistaj

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
To be able to do that, you could use a WinNT query just on the user object, and if it returned something, then it already exists.  Something like this might do:
Dim objNetwork
Set objNetwork = CreateObject("WScript.Network")

strUserName = objNetwork.UserName
strUserName = "jtest"

Dim objWinntUser
On Error Resume Next
Set objWinntUser = GetObject("WinNT://" & objNetwork.UserDomain & "/" & strUserName & ",user")
If Err Then
      If Err.Number = "-2147022675" Then
            MsgBox "The user was not found. User can be created"
            ' create user
      Else
            MsgBox Err.Number & VbCrLf & Err.Description
      End If
      Err.Clear
Else
      MsgBox "User already exists.  Can not create user."
End If

This checks their login name, not full name.

Regards,

Rob.
Oh, put an On Erro GoTo 0 after the last End If to turn error checking back on.

Regards,

Rob.
mistaj, do you have a solution enough to be able to close this question?

Regards,

Rob.