colesy


Active Directory Account Creation Script

We are trying to run one student account creation script on one central domain controller for all of our different schools. Everything seems to work fine except when it came to setting the Home folders. We have a Domain Controller at each of our schools. They are all part of the same domain.

We set the home folder to connect as an H: drive to the student's local school server. So this obviously means that the home folders are not being stored on the server we run the account creation script from. For example, if we run the creation script on the central board-adc server to create accounts for school1, all the home folders for accounts at school1 will reside on school1's ADC server.

So what is happening is the account creation script runs, creates the account in AD and sets the home folder and since the home folder didn't exist on the server yet, it will create the new home folder.

The problem is with permissions on that folder. Since it creates the new home folder on the student's local school server it tries to give that user permissions, but that user doesn't yet exist on that school's AD server because it wouldn't have replicated that quickly. So when you check the permissions on that folder, it has an entry for Account Unknown.

Eventually once the replication has happened the Account Unknown changes to the actual student account, however when they try and access their H: drive it says access denied.

So what we have done in the meantime is create a specific account creation script on each school's server, and it creates the accounts that will have home drives on that server. This seems to work, but it's a lot of scripts to maintain.

If anyone has any ideas that would be great!
ASKER CERTIFIED SOLUTION
snusgubben
This solution is only available to members.
colesy

ASKER

Hmm... I will look into this and get back to you. Not a bad idea if it will work.

ASKER

I tried this out and it resolved the issue with bad permissions showing up under security for the folder, but for some reason now the user isn't even mapping an H: drive, however their My Documents is correctly redirected via GPO.

Another thing I realized is that in my script I was creating the home directory and setting permissions. If I take that out the home folder is set up when the user first logs in and is given permissions to it. This reacts the same way though with not mapping an H: and My Docs are redirected right.

I can't really figure out why this is happening. All other users seem to map an H fine.

I don't know how you create your users, but assuming something like this (see snippet):

You don't have to set the permissions within the script. That is handled by AD and the NTFS permissions on the parent folder to the share. Here is a very nice "cook book" about creating the home folder: http://blogs.technet.com/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx



' NewUser is assumed to be the user object returned by the container's Create("user", ...) call
NewUser.Put "sAMAccountName", LCase(sLogon)
NewUser.Put "givenName", sFirstName
NewUser.Put "sn", sLastName
NewUser.Put "UserPrincipalName", LCase(sLogon) & "@" & sDomain
NewUser.Put "DisplayName", sDisplayName
NewUser.Put "name", LCase(sLogon)

NewUser.Put "homeDirectory", "\\server\share\" & sLogon ' This will create the home folder!

' This will map the home folder. You don't have to map it with a logon script!
NewUser.Put "homeDrive", "X:"

NewUser.SetInfo ' Writes to AD

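A diagnostic for the symptom discussed in this thread (an "Account Unknown" entry on the home folder, then "access denied" for the student), as an added PowerShell example that is not part of the original posts. It reads a folder's security descriptor in SDDL form and reports whether the student's own SID holds an effective Modify ACE on the folder itself, plus any SIDs that cannot be resolved from the machine it runs on. The function name, the SID and the SDDL string are constructed for illustration, and group membership is not evaluated.

```powershell
# Added example, not from the thread. The SID and SDDL string are constructed sample values.
function Test-HomeFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Sddl,     # on a live server: (Get-Acl $path).Sddl
        [Parameter(Mandatory)][string]$UserSid   # the account's objectSid in string form
    )
    $modify      = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll  = 0x10000000
    $inheritOnly = [int][System.Security.AccessControl.AceFlags]::InheritOnly
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $allowed = 0; $denied = 0; $unresolved = @()

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $aceSid = $ace.SecurityIdentifier

        # A SID that cannot be translated to a name is what the GUI lists as "Account Unknown".
        try   { [void]$aceSid.Translate([System.Security.Principal.NTAccount]) }
        catch { $unresolved += $aceSid.Value }

        # Inherit-only ACEs apply to child objects, not to the folder itself.
        if (([int]$ace.AceFlags -band $inheritOnly) -ne 0) { continue }
        # Only ACEs naming the user's own SID are counted (no group expansion).
        if ($aceSid.Value -ne $UserSid) { continue }

        $mask = $ace.AccessMask
        if (($mask -band $genericAll) -ne 0) { $mask = $mask -bor $fullControl }
        if     ($ace.AceQualifier -eq 'AccessAllowed') { $allowed = $allowed -bor $mask }
        elseif ($ace.AceQualifier -eq 'AccessDenied')  { $denied  = $denied  -bor $mask }
    }

    # Simplification: any deny bit for the user removes the matching allow bit.
    $effective = $allowed -band (-bnot $denied)
    [pscustomobject]@{
        UserSid        = $UserSid
        HasModify      = (($effective -band $modify) -eq $modify)
        AllowedMask    = '0x{0:X}' -f $allowed
        DeniedMask     = '0x{0:X}' -f $denied
        UnresolvedSids = $unresolved
    }
}

# Constructed sample: Administrators and SYSTEM full control, student Modify.
$student = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sddl    = "O:BAG:BAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;$student)"
Test-HomeFolderAcl -Sddl $sddl -UserSid $student
```

Running the same check from the central server and from the school's server shows whether an unresolved SID is only a replication-delay artifact or whether the ACE itself is missing or too narrow.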


ASKER

I may have found the issue. I will play around a little more tomorrow to verify and then let you know. I appreciate the help, and if everything works out I will accept your response as a solution.