Active Directory Automation

Hi All,

when we create users, we have to manually put the user in the in the correct OU based on the location of the user, e.g. the user is based in Singapore, we put the user in the Singapore ou. we also have to add the user to specific groups etc.

is there a way to automate this process?

thank you in advance,
Kay

You can use this command from a powershell command like

New-ADUser -SamAccountName "Jsmith" -GivenName "John" -Surname "Smith" -DisplayName "John Smith" -Path 'CN=Users,DC=Company,DC=local'

You can also put this into a batch script like this. Save it as a .bat and give it a try.

@ECHO OFF
setlocal
REM Clear Screen of information
cls
REM Prompt for SAMAccountName
:samName

REM If samName is blank go to Error prompt.  If username is entered prompt for given name
SET samName=
SET /P samName=Please enter samAccountName: 
IF "%samName%"=="" (goto samNameError) else (goto gName)

@ECHO OFF
setlocal
REM Clear Screen of information
cls
REM Prompt for Given Name
:gName

REM If given name is blank go to Error prompt.  If given name is entered prompt for surname
SET gName=
SET /P gname=Please enter your user given name: 
IF "%gName%"=="" (goto gNameError) else (goto sName)

@ECHO OFF
setlocal
REM Clear Screen of information
cls
REM Prompt for surname
:sName

REM If display name is blank go to Error prompt.  If username is entered prompt for AD Path
SET sname=
SET /P sname=Please enter your surname: 
IF "%sName%"=="" (goto sNameError) else (goto ADPath)

@ECHO OFF
setlocal
REM Clear Screen of information
cls
REM Prompt for AD Path
:ADPath

REM If path is blank go to Error prompt.  If username is entered prompt for path
SET pathName=
SET /P pathName=Please enter Active Directory Path: 
IF "%pathName%"=="" (goto pathNameError) else (goto AddUser)

:AddUser
New-ADUser -SamAccountName "%samName%" -GivenName "%gName%" -Surname "%sName%" -DisplayName "%gName% %sName%" -Path '%path%'

Goto Quit

REM SamAccountName Error Message
:samNameError
ECHO You did not enter a SamAccountName.
SET passRetry=
SET /P passRetry=Retry? (y, then enter or press enter to exit):
IF /i "%passRetry%"=="y" (goto samName) else (goto quit)

REM given name error Message
:gNameError
ECHO You did not enter a given name.
SET passRetry=
SET /P passRetry=Retry? (y, then enter or press enter to exit):
IF /i "%passRetry%"=="y" (goto gName) else (goto quit)

REM surname error Message
:sNameError
ECHO You did not enter a surname.
SET passRetry=
SET /P passRetry=Retry? (y, then enter or press enter to exit):
IF /i "%passRetry%"=="y" (goto sName) else (goto quit)

REM surname error Message
:sNameError
ECHO You did not enter a surname.
SET passRetry=
SET /P passRetry=Retry? (y, then enter or press enter to exit):
IF /i "%passRetry%"=="y" (goto sName) else (goto quit)

:Quit

Open in new window

If you always fill out identifying fields in AD like location, you can run a scrript to evaluate that and perform the necessary changes.

the problem is we will have to run these scripts manually, is there a way the script is automatically triggered as soon as the account is created?

Administration of Active Directory does not have to be hard. Too often what should be a simple task is made more difficult than it needs to be.The solution? Hyena from SystemTools Software. With ease-of-use as well as powerful importing and bulk updating capabilities.

You always trigger that manually in one or the other way. But you cannot trigger something automatically if a user is created.
Your best choice is to use a script to create the user and perform all necessary operations, similar to what nappy_d showed.

Agreed with @Qlemo.

You would have some planning to do but based on the start I've sampled in my original post, it would be best if you had nested security, as well as role-based permissions, for your security groups.

This would assist with the script for creation of new users.

I can also show you how you can implement if statements for a feature command called if member.

I know there are utitlies like active roles, that run scripts upon user creation. are there any others that you will recommend?

Quest makes some great tools but this is not one that I've used.

It really depends on the complexity of the task that you want to automate. If it's a small environment, a PowerShell script can be perfectly ok, but if you have long provisioning procedures with lots of rules to follow, there are advanced tools that let you put it all together.

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LVL 32

nappy_dThere are a 1000 ways to skin the technology cat.Commented: 2017-03-17

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

LVL 73

Qlemo"Batchelor", Developer and EE Topic AdvisorCommented: 2017-03-19

Kelly GarciaSenior Systems AdministratorAuthor Commented: 2017-03-20

Qlemo"Batchelor", Developer and EE Topic AdvisorCommented: 2017-03-20

nappy_dThere are a 1000 ways to skin the technology cat.Commented: 2017-03-20

LVL 2

Sam BloomCommented: 2017-03-31

Active Directory Automation

Who is Participating?