mistaj
asked on
VBscript for creating Active Directory users - user accounts expired!!
I have created a VB script to create numerous users in a Windows 2000 Active Dicretory domain reading the usernames from a text file in the format
firstname lastname
The script creates the users, maps home directory, enables account, sets password
however when any try to log on they get the message:
"your account has expired"
The accoutn properties are the same as the existing accounts when i check them manually - they are enabled, they havent expired, etc can someone tell me where i am going wrong as its driving me crazy!
Script below:
On Error Resume Next
Password = "password"
usrfile = "usernames.txt"
dcroot = "ou=test users,dc=testdomain,dc=COM "
hdrive = "H:"
bat = "login.bat"
hdirectory = "\\Server\users\%username% "
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Set objFSO = CreateObject("Scripting.Fi leSystemOb ject")
If objFSO.FileExists(usrfile) Then
Set objFile = objFSO.OpenTextFile(usrfil e, 1)
Else
Wscript.Echo "File" & usrfile & " does not exist."
WScript.Quit
End If
WScript.Echo "Reading user names from " & usrfile & VbCrLf
WScript.Echo "Line number:" & VbTab & "Action:"
WScript.Echo "========================= ========== ========== ========== ========== ========"
Do Until objFile.AtEndOfStream
CurLine = objFile.Line
Userline = objFile.ReadLine
If not Userline = "" Then
useNames = Split(Userline, " ")
FirstName = useNames(0)
Length = UBound(useNames)
If Length > 1 Then
LastName = useNames(1) & " " & useNames(2)
Else
LastName = useNames(1)
End If
FullName = useNames(0) & " " & LastName
FirstInitial = left(FirstName, 1)
LName = useNames(Length)
LogonName = LName & FirstInitial
Userpn = LogonName & "@testdomain.COM"
Set objContainer = GetObject("LDAP://" & dcroot)
If Err <> 0 Then
WScript.Echo "Can not bind to " & dcroot & ". Check syntax."
WScript.Quit
End If
Err.Clear
Set objNew = objContainer.Create("User" , "cn=" & FullName)
objNew.Put "sAMAccountName", LogonName
objNew.Put "UserPrincipalName", Userpn
objNew.Put "givenName", FirstName
objNew.Put "sn", LastName
objNew.Put "displayName", FirstName & " " & LastName
objNew.Put "homeDrive", hdrive
objNew.Put "homeDirectory", hdirectory
objNew.Put "scriptPath", bat
objNew.SetInfo
Set objNew = Nothing
Set objUser = GetObject("LDAP://cn=" & _
FullName & "," & dcroot)
objUser.ChangePassword "", Password
objUser.SetInfo
objUser.AccountDisabled = FALSE
objUser.SetInfo
objUser.AccountExpires = -1
objUser.SetInfo
intUAC = objUser.Get("userAccountCo ntrol")
objUser.Put "userAccountControl", intUAC XOR _
ADS_UF_DONT_EXPIRE_PASSWD
objUser.SetInfo
Set grp = GetObject("LDAP://cn=test group,ou=testusers,dc=test domain,dc= COM")
grp.Add(objUser.AdsPath)
grp.SetInfo
Set objUser = Nothing
Set grp = Nothing
WScript.Echo CurLine & vbTab & vbTab & "User """ & _
FullName & """ (" & LogonName & " , " & Userpn & ") created. " & pwderr
Else
WScript.Echo CurLine & vbTab & vbTab & _
"Skipping Empty line in " & usrfile
End If
Loop
objFile.Close
firstname lastname
The script creates the users, maps home directory, enables account, sets password
however when any try to log on they get the message:
"your account has expired"
The accoutn properties are the same as the existing accounts when i check them manually - they are enabled, they havent expired, etc can someone tell me where i am going wrong as its driving me crazy!
Script below:
On Error Resume Next
Password = "password"
usrfile = "usernames.txt"
dcroot = "ou=test users,dc=testdomain,dc=COM
hdrive = "H:"
bat = "login.bat"
hdirectory = "\\Server\users\%username%
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Set objFSO = CreateObject("Scripting.Fi
If objFSO.FileExists(usrfile)
Set objFile = objFSO.OpenTextFile(usrfil
Else
Wscript.Echo "File" & usrfile & " does not exist."
WScript.Quit
End If
WScript.Echo "Reading user names from " & usrfile & VbCrLf
WScript.Echo "Line number:" & VbTab & "Action:"
WScript.Echo "=========================
Do Until objFile.AtEndOfStream
CurLine = objFile.Line
Userline = objFile.ReadLine
If not Userline = "" Then
useNames = Split(Userline, " ")
FirstName = useNames(0)
Length = UBound(useNames)
If Length > 1 Then
LastName = useNames(1) & " " & useNames(2)
Else
LastName = useNames(1)
End If
FullName = useNames(0) & " " & LastName
FirstInitial = left(FirstName, 1)
LName = useNames(Length)
LogonName = LName & FirstInitial
Userpn = LogonName & "@testdomain.COM"
Set objContainer = GetObject("LDAP://" & dcroot)
If Err <> 0 Then
WScript.Echo "Can not bind to " & dcroot & ". Check syntax."
WScript.Quit
End If
Err.Clear
Set objNew = objContainer.Create("User"
objNew.Put "sAMAccountName", LogonName
objNew.Put "UserPrincipalName", Userpn
objNew.Put "givenName", FirstName
objNew.Put "sn", LastName
objNew.Put "displayName", FirstName & " " & LastName
objNew.Put "homeDrive", hdrive
objNew.Put "homeDirectory", hdirectory
objNew.Put "scriptPath", bat
objNew.SetInfo
Set objNew = Nothing
Set objUser = GetObject("LDAP://cn=" & _
FullName & "," & dcroot)
objUser.ChangePassword "", Password
objUser.SetInfo
objUser.AccountDisabled = FALSE
objUser.SetInfo
objUser.AccountExpires = -1
objUser.SetInfo
intUAC = objUser.Get("userAccountCo
objUser.Put "userAccountControl", intUAC XOR _
ADS_UF_DONT_EXPIRE_PASSWD
objUser.SetInfo
Set grp = GetObject("LDAP://cn=test group,ou=testusers,dc=test
grp.Add(objUser.AdsPath)
grp.SetInfo
Set objUser = Nothing
Set grp = Nothing
WScript.Echo CurLine & vbTab & vbTab & "User """ & _
FullName & """ (" & LogonName & " , " & Userpn & ") created. " & pwderr
Else
WScript.Echo CurLine & vbTab & vbTab & _
"Skipping Empty line in " & usrfile
End If
Loop
objFile.Close
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
To be able to do that, you could use a WinNT query just on the user object, and if it returned something, then it already exists. Something like this might do:
Dim objNetwork
Set objNetwork = CreateObject("WScript.Netw ork")
strUserName = objNetwork.UserName
strUserName = "jtest"
Dim objWinntUser
On Error Resume Next
Set objWinntUser = GetObject("WinNT://" & objNetwork.UserDomain & "/" & strUserName & ",user")
If Err Then
If Err.Number = "-2147022675" Then
MsgBox "The user was not found. User can be created"
' create user
Else
MsgBox Err.Number & VbCrLf & Err.Description
End If
Err.Clear
Else
MsgBox "User already exists. Can not create user."
End If
This checks their login name, not full name.
Regards,
Rob.
Dim objNetwork
Set objNetwork = CreateObject("WScript.Netw
strUserName = objNetwork.UserName
strUserName = "jtest"
Dim objWinntUser
On Error Resume Next
Set objWinntUser = GetObject("WinNT://" & objNetwork.UserDomain & "/" & strUserName & ",user")
If Err Then
If Err.Number = "-2147022675" Then
MsgBox "The user was not found. User can be created"
' create user
Else
MsgBox Err.Number & VbCrLf & Err.Description
End If
Err.Clear
Else
MsgBox "User already exists. Can not create user."
End If
This checks their login name, not full name.
Regards,
Rob.
Oh, put an On Erro GoTo 0 after the last End If to turn error checking back on.
Regards,
Rob.
Regards,
Rob.
mistaj, do you have a solution enough to be able to close this question?
Regards,
Rob.
Regards,
Rob.
This changes the Password Never Expires flag from Off to On:
If Not objUser.userAccountControl
objUser.Put "userAccountControl", objUser.userAccountControl
objUser.SetInfo
End If
and this changes it from On to Off
If objUser.userAccountControl
objUser.Put "userAccountControl", objUser.userAccountControl
objUser.SetInfo
End If
I am wondering if your XOR line is setting the password as expired.
I would use code like this to set the flag, then force the user to change the password when they log on. Maybe you're setting a blank password that expires.
userActCtrl = objItem.Get("userAccountCo
If objItem.userAccountControl
' Check if they have Password Never Expires ticked, and uncheck it
objItem.Put "userAccountControl", objItem.userAccountControl
'userActCtrl = userActCtrl And Not (ADS_UF_DONT_EXPIRE_PASSWD
'objItem.Put "userAccountControl", userActCtrl
objItem.setInfo
MsgBox "Flag unticked"
' And then make the Force user to change password ticked
objItem.pwdLastSet = 0
objItem.SetInfo
Else
' Otherwise just make the Force user to change password ticked
objItem.pwdLastSet = 0
objItem.SetInfo
End If
Regards,
Rob.