

Active Directory Account Creation Script

Posted on 2009-04-16
Last Modified: 2012-05-06
We are trying to run one student account creation script on one central domain controller for all of our different schools. Everything seems to work fine except when it came to setting the home folders. We have a Domain Controller at each of our schools. They are all part of the same domain.

We set the home folder to connect as an H: drive to the student's local school server. So this obviously means that the home folders are not being stored on the server we run the account creation script from. For example, if we run the creation script on the central board-adc server to create accounts for school1, all the home folders for accounts at school1 will reside on school1's ADC server.

So what is happening is the account creation script runs, creates the account in AD and sets the home folder and since the home folder didn't exist on the server yet, it will create the new home folder.

The problem is with permissions on that folder. Since it creates the new home folder on the student's local school server, it tries to give that user permissions, but that user doesn't yet exist on that school's AD server because it wouldn't have replicated that quickly. So when you check the permissions on that folder, there is an entry for Account Unknown.

Eventually, once the replication has happened, the Account Unknown changes to the actual student account; however, when they try and access their H: drive it says access denied.

So what we have done in the meantime is create a specific account creation script on each school's server, and it creates the accounts that will have home drives on that server. This seems to work, but it's a lot of scripts to maintain.

If anyone has any ideas that would be great!
Question by:colesy

Accepted Solution

snusgubben earned 1500 total points
ID: 24159236
When the home folder is created and the user doesn't exist in the domain yet, it cannot set the correct permissions.

This is just an idea (maybe even a stupid idea:)

In the script that creates the user, just after the user creation you can force a replication with something like this http://techtasks.com/code/viewbookcode/1831 and pause the script for x-minutes. Then create the home folder.
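As an added example (not part of this thread or snusgubben's post), the approach above scripted in PowerShell: create the account against the central DC, force replication to the school DC, wait until the object is actually visible there instead of sleeping a fixed number of minutes, and only then create the home folder. The server names BOARD-ADC and SCHOOL1-DC, the share \\SCHOOL1-DC\Students, the OU path and the domain example.local are placeholders; it assumes the ActiveDirectory module and repadmin.exe are available where the script runs.

```powershell
# Added example, not from the thread. Placeholder names throughout (assumptions):
#   BOARD-ADC   = central DC the creation script runs against
#   SCHOOL1-DC  = the school's DC / file server holding the home folders
Import-Module ActiveDirectory

$CentralDc = 'BOARD-ADC'
$SchoolDc  = 'SCHOOL1-DC'
$HomeRoot  = '\\SCHOOL1-DC\Students'
$Ou        = 'OU=Students,OU=School1,DC=example,DC=local'
$Logon     = 'jsmith01'   # constructed sample logon name

# 1. Create the user on the central DC. homeDirectory/homeDrive make AD map H: at logon,
#    so no logon-script mapping is needed.
$user = New-ADUser -Server $CentralDc -Path $Ou -Name $Logon -SamAccountName $Logon `
    -UserPrincipalName "$Logon@example.local" -HomeDrive 'H:' `
    -HomeDirectory "$HomeRoot\$Logon" -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') -PassThru

# 2. Force replication of the domain partition from the central DC to the school DC.
$domainDn = (Get-ADDomain -Server $CentralDc).DistinguishedName
repadmin /replicate $SchoolDc $CentralDc $domainDn | Out-Null

# 3. Poll the school DC by SID until the object is visible there (bounded wait, not a fixed pause).
$deadline = (Get-Date).AddMinutes(5)
do {
    $replicated = Get-ADUser -Server $SchoolDc -Filter "objectSid -eq '$($user.SID)'" `
        -ErrorAction SilentlyContinue
    if (-not $replicated) { Start-Sleep -Seconds 10 }
} until ($replicated -or (Get-Date) -gt $deadline)
if (-not $replicated) { throw "User $Logon was not replicated to $SchoolDc within 5 minutes" }

# 4. Only now create the home folder. The school server can resolve the SID, so the ACE
#    is written against a known account rather than showing up as 'Account Unknown'.
$path = Join-Path $HomeRoot $Logon
New-Item -ItemType Directory -Path $path | Out-Null
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true, $false)   # explicit ACL only; do not inherit from the share root
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
# Grant the student by SID, not by name, so the ACE does not depend on a name lookup.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $path -AclObject $acl
```

The poll in step 3 is the part that matters: a fixed pause either wastes time or, on a slow or broken replication link, still creates the folder before the account exists at the school. Granting Modify rather than Full Control keeps the student from rewriting the ACL on their own folder.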


Author Comment

ID: 24159319
Hmm.. I will look into this and get back to you.. Not a bad idea if it will work..

Author Comment

ID: 24160921
I tried this out and it resolved the issue with bad permissions showing up under security for the folder, but for some reason now the user isn't even mapping an H: drive, however their My Documents is correctly redirected via GPO.

Another thing I realized is that in my script I was creating the home directory and setting permissions. If I take that out, the home folder is set up when the user first logs in and is given permissions to it. This reacts the same way though, with not mapping an H: and My Docs are redirected right.

I can't really figure out why this is happening. All other users seem to map an H: fine.

Expert Comment

ID: 24161271
I don't know how you create your users, but assuming something like this (see snippet):

You don't have to set the permissions within the script. That is handled by AD and the NTFS permissions on the parent folder to the share. Here is a very nice "cook book" about creating the home folder: http://blogs.technet.com/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

' Bind to the target OU and create the user object (added here so the snippet runs;
' sOU_DN, sLogon, sFirstName, sLastName, sDisplayName and sDomain are assumed to be set already).
Set objOU = GetObject("LDAP://" & sOU_DN)
Set NewUser = objOU.Create("user", "CN=" & lcase(sLogon)) ' the CN given here populates cn/name
NewUser.Put "sAMAccountName", lcase(sLogon)
NewUser.Put "givenName", sFirstName
NewUser.Put "sn", sLastName
NewUser.Put "userPrincipalName", lcase(sLogon) & "@" & sDomain
NewUser.Put "displayName", sDisplayName
NewUser.Put "homeDirectory", "\\server\share\" & sLogon ' This will create the home folder!
' This will map the home folder. You don't have to map it with a logon script!
NewUser.Put "homeDrive", "X:"
NewUser.SetInfo ' Writes the new object to AD


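As an added example (not from this thread or the linked article), the NTFS permissions on the share root that make the "let AD and the parent folder handle it" approach work: CREATOR OWNER gets Full Control on subfolders and files only, so whoever creates a folder under the root becomes its owner and receives an explicit ACE for their own SID, while Authenticated Users can only list the root and create a folder in it. Because the folder is created by the student at first logon, the account already exists on the school DC and no Account Unknown entry appears. The path D:\Students and the share name are placeholders.

```powershell
# Added example, not from the thread. Placeholder local path (assumption): D:\Students,
# shared as 'Students' from the school server.
$Root = 'D:\Students'
if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }

$acl = Get-Acl $Root
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting from D:\
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null             # start from an empty explicit ACL
}

function New-Ace {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# Administrators and SYSTEM: Full Control on this folder, subfolders and files.
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit,ObjectInherit' 'None'))

# CREATOR OWNER: Full Control on subfolders and files only (InheritOnly = not on the root itself).
# The user who creates a home folder at first logon inherits this as an ACE for their own SID.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))

# Authenticated Users: this folder only, just enough to see the root and create their own folder.
# They get no rights inside other students' folders because nothing here inherits downward.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' `
    'ListDirectory,CreateDirectories,ReadAttributes' 'None' 'None'))

Set-Acl -Path $Root -AclObject $acl

# Share it; the share permission can be broad because NTFS is doing the real restriction.
# New-SmbShare needs the SmbShare module (Windows Server 2012 or later).
if (-not (Get-SmbShare -Name 'Students' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Students' -Path $Root -ChangeAccess 'Authenticated Users' | Out-Null
}

# Review the result.
(Get-Acl $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

With this in place the creation script only needs to write homeDirectory and homeDrive, as in the snippet above; it never has to touch the file server, so the replication race between the central DC and the school DC no longer affects the folder permissions.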

Author Comment

ID: 24161522
I may have found the issue.. I will play around a little more tomorrow to verify and then let you know.. I appreciate the help, and if everything works out I will accept your response as a solution.
