Active Directory Account Creation Script

Posted on 2009-04-16
Last Modified: 2012-05-06
We are trying to run one student account creation script on one central domain controller for all of our different schools. Everything seems to work fine except when it came to setting the home folders. We have a Domain Controller at each of our schools. They are all part of the same domain.

We set the home folder to connect as an H: drive to the students local school server. So this obviously means that the home folders are not being stored on the server we run the account creation script from. For example, if we run the creation script on the central board-adc server to create accounts for school1, all the home folders for accounts at school1 will reside on school1's ADC server.

So what is happening is the account creation script runs, creates the account in AD and sets the home folder and since the home folder didn't exist on the server yet, it will create the new home folder.

The problem is with permissions on that folder. Since it creates the new home folder on the student's local school server, it tries to give that user permissions, but that user doesn't yet exist on that school's AD server because it wouldn't have replicated that quickly. So when you check the permissions on that folder, it has an entry for Account Unknown.

Eventually, once the replication has happened, the Account Unknown changes to the actual student account; however, when they try to access their H: drive it says access denied.

So what we have done in the meantime is create a specific account creation script on each school's server, and it creates the accounts that will have home drives on that server. This seems to work, but it's a lot of scripts to maintain.

If anyone has any ideas that would be great!
Question by: colesy

    Accepted Solution

    When the home folder is created and the user doesn't exist in the domain yet, it cannot set the correct permissions.

    This is just an idea (maybe even a stupid idea:)

    In the script that creates the user, just after the user creation you can force a replication with something like this and pause the script for x-minutes. Then create the home folder.


    Author Comment

    Hmm.. I will look into this and get back to you.. Not a bad idea if it will work..

    Author Comment

    I tried this out and it resolved the issue with bad permissions showing up under security for the folder, but for some reason now the user isn't even mapping an H: drive; however, their My Documents is correctly redirected via GPO.

    Another thing I realized is that in my script I was creating the home directory and setting permissions. If I take that out, the home folder is set up when the user first logs in and is given permissions to it. This reacts the same way though, with not mapping an H: while My Docs are redirected right.

    I can't really figure out why this is happening. All other users seem to map an H: fine.

    Expert Comment

    I don't know how you create your users, but assuming something like this (see snippet):

    You don't have to set the permissions within the script. That is handled by AD and the NTFS permissions on the parent folder to the share. Here is a very nice "cook book" about creating the home folder:

    ' Bind to the target OU and create the user object. These two lines are added
    ' here so the snippet runs stand-alone; the OU path is a placeholder, not from the thread.
    Set oOU = GetObject("LDAP://OU=Students,DC=example,DC=local")
    Set NewUser = oOU.Create("user", "cn=" & lcase(sLogon))
    NewUser.put "sAMAccountName", lcase(sLogon)
    NewUser.put "givenName", sFirstName
    NewUser.put "sn", sLastName
    NewUser.put "UserPrincipalName", lcase(sLogon) & "@" & sDomain
    NewUser.put "DisplayName", sDisplayName
    NewUser.put "name", lcase(sLogon)
    NewUser.put "homeDirectory", "\\server\share\" & sLogon ' This will create the home folder!
    ' This will map the home folder. You don't have to map it with a logon script!
    NewUser.put "homeDrive", "X:"
    NewUser.SetInfo ' Writes to AD

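The accepted solution's approach (create the account, force replication, wait, then create the home folder), written as an added PowerShell example that is not from this thread. It replaces the fixed pause with polling the school's DC until the new account is visible there, and ends with the check a practitioner would want: that no ACE on the folder is still an unresolved SID (what the Security tab shows as Account Unknown). Assumed placeholders: the DC names, the Homes$ share path, the student logon name, and the default container (no OU is specified).

```powershell
# Added example, not code from the original thread. Requires the ActiveDirectory
# module and repadmin on the machine it runs on. All names below are placeholders.
param(
    [string]$Logon      = 'student01',                  # placeholder sAMAccountName
    [string]$CentralDC  = 'board-adc.example.local',    # where the account is created
    [string]$SchoolDC   = 'school1-adc.example.local',  # file server for the home folder
    [string]$HomeRoot   = '\\school1-adc\Homes$',       # placeholder share
    [int]   $MaxWaitSec = 600
)
Import-Module ActiveDirectory

# 1. Create the account on the central DC (attributes trimmed to what the thread uses).
New-ADUser -Server $CentralDC -Name $Logon -SamAccountName $Logon `
    -HomeDirectory "$HomeRoot\$Logon" -HomeDrive 'H:' -Enabled $false

# 2. Ask the school's DC to pull from all its partners now instead of waiting
#    for the schedule. /A = all naming contexts, /e = cross-site, /q = quiet.
& repadmin /syncall $SchoolDC /A /e /q | Out-Null

# 3. Rather than a fixed pause, poll the school's DC until the object exists there.
$deadline = (Get-Date).AddSeconds($MaxWaitSec)
do {
    $user = Get-ADUser -Server $SchoolDC -Filter "sAMAccountName -eq '$Logon'" `
        -ErrorAction SilentlyContinue
    if (-not $user) { Start-Sleep -Seconds 15 }
} until ($user -or (Get-Date) -gt $deadline)
if (-not $user) { throw "Account $Logon did not replicate to $SchoolDC within $MaxWaitSec s" }

# 4. Only now create the folder and grant the student Modify on it; the file server
#    can resolve the SID at this point, so the ACE shows the account, not a bare SID.
$path = "$HomeRoot\$Logon"
New-Item -ItemType Directory -Path $path -Force | Out-Null
& icacls $path /grant "*$($user.SID.Value):(OI)(CI)M" | Out-Null

# 5. Check: any ACE that is still a raw domain SID means the folder was created
#    before replication finished and would appear as Account Unknown.
$unresolved = (Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' }
if ($unresolved) {
    Write-Warning "Unresolved SID on $path : $($unresolved.IdentityReference.Value -join ', ')"
} else {
    Write-Output "Home folder $path created with resolvable ACEs"
}
```

The explicit grant in step 4 is one option; the alternative the expert describes (letting the NTFS permissions on the parent folder handle it) needs no grant step but depends on how that parent folder's inheritable ACEs are set.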


    Author Comment

    I may have found the issue. I will play around a little more tomorrow to verify and then let you know. I appreciate the help, and if everything works out I will accept your response as a solution.
