Function
Creates a user account in an NT4 domain or on a local computer. This action is intended to create user accounts on NT4 domains. Alternatively it can be used to create user accounts on local computers. In addition to just creating the account itself it also will configure several attributes of the account, such as the password and the description of the account.
Some attributes of the user account may specify the usage by the account of other resources in the network. These resources themselves will not be created by this action. If these resources need to be created, this can be done by separate actions that follow this action in the User Management Resource Administrator script. An example of such a property is the Home Directory. When specified in this Create User action, the Home Directory attribute of the user account will be set. The directory itself however is not created. In order to create the directory itself, the action Script Action: Create Directory on page 180 should be performed.
The action may also be used to create user accounts in the default Users container of Active Directory domains. When this action is used to create domain accounts on Active Directory domains, it will correctly create the account in the Active Directory, but many of the Active Directory properties will have default values. To create Accounts in Active Directory with other than default settings,
Deployment
This action is typically used as a core part of a script designed to create users on NT4 domains or local (non domain controller) computers, in order to create the account itself. In such a script this is usually the first major action invoked. After creating the account, the script usually continues by invoking actions to create home directories, home shares, group memberships, etc.
Properties
Property Name Description Typical setting Remarks
Domain
Description: The domain in which to create the user domain account.
Typical setting: %Domain%
Remarks: Often the domain name is used in many different actions, and is determined and stored in a variable prior to the action (e.g. %Domain%). Alternatively, the domain name can be specified directly here. Use the NETBIOS (NT4-style) domain name and not the DNS name of the domain. This is usually the same as the first part of the DNS domain name.

Computer
Description: The computer on which the local user account is created.
Remarks: If specified, the Domain property is ignored, and the account created is a local account on the specified computer, and not a domain account.

Name generation algorithm
Description: Specifies the name of the algorithm used to generate user names.
Remarks: The main purpose of the Name Generation algorithm is to create unique names that adhere to your company's syntax requirements. A common implementation of the algorithm will take as input the three variables %FirstName%, %MiddleName% and %LastName%, and generate from these the variables %FullName% and %UserName%. Here %FullName% contains the complete name of the user formatted for display purposes, and %UserName% the name formatted for use as NT Account. These resulting variables can then be used as input for the other properties of this action. For a thorough discussion, please see Name Generation.

Username
Description: The name of the user account.
Typical setting: %UserName%
Remarks: A user name cannot be identical to any other user or group name on the computer being administered. It can contain up to 20 uppercase or lowercase characters, except for the following: " / \ [ ] : ; | = , + * < >
A user name cannot consist solely of periods (.) or spaces.
Typically the name contained in %UserName% is generated by the name generation algorithm.

Full name
Description: The full name of the

Password generator
Description: The specification of how to generate passwords for the user account.
Remarks: Specifies the method used to generate a password for the user account. These methods vary from simple (easy to remember) passwords to strong passwords. There are several predefined settings available.
The resulting password will be stored in a variable. By default it is stored in the variable %Password%. This variable is used as the value for the Password property.

Password
Description: The password for the created account.
Typical setting: %Password%
Remarks: Typically the value contained in the variable %Password% is generated by the Password generator. To create the same password for all users you can specify the password here directly, for example "test1234". You can also read the password from the input file.

Description
Description: A text string that will be shown in the Description field of the user account in Windows.
Remarks: The string can have any length.

Home directory
Description: The home directory of the user as specified in the "Home folder" setting of the user account.
Typical setting: \\%HomeServer%\users\%UserName%
Remarks: The value can be specified either in the form \\<server name>\<share name>\<rest of path>, or as a local path, e.g. G:\UserData\<user name>. Note: this specification does not create the home directory itself if it does not exist. In order to create the home directory, specify the action "Create Directory" in the User Management Resource Administrator script after this action.
Typically the name contained in %UserName% is generated by the name generation algorithm, and the name contained in %HomeServer% is specified previously in the script, or in the import file.

Home directory Drive
Description: The drive letter to which the home directory is connected.
Remarks: Specify only the drive letter itself, without colon or backslash. If the drive letter is specified, the Home directory must be specified in the form \\<server name>\<share name>\<rest of path>, and not as a local path.

User profile
Description: The profile path of the user account.
Typical setting: \\%HomeServer%\profiles\%UserName%
Remarks: The value must have the form \\<server name>\<share name>\<rest of path>.

Logon script
Description: Full or relative path to the script file that is executed by Windows when the user logs on.
Typical setting: \\%HomeServer%\scripts\%UserName%.bat or %UserName%.bat
Remarks: If a relative path is specified, this is relative to the default Script directory of Windows.

User must change password at next logon
Description: Specifies whether the user must change the password at the next logon.
Typical setting: Yes
Remarks: Valid specifications are YES and NO. The default value is NO. When set to YES, the "User cannot change password" property must be set to NO.

User cannot change password
Description: Specifies whether the user is disallowed to change the assigned password.
Typical setting: No
Remarks: Valid specifications are YES and NO. The default value is NO. This setting has no effect on members of the administrators group. When set to YES, the "User must change password at next logon" property must be set to NO.

Password never expires
Description: Specifies whether the password will never expire.
Remarks: Valid specifications are YES and NO. The default value is NO. This setting overrides the "Maximum Password Age" setting in the password policy for the domain/computer.

No password required
Description: Specifies whether it is allowed to specify an empty Password value for the user account.
Typical setting: No
Remarks: Valid specifications are YES and NO. The default value is NO. Setting this value to YES allows empty passwords to be specified. For security reasons it is strongly advised to set this property to NO. If not specified, the password is required.

Computer account
Description: This is a computer account for a MS Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain. Default value: 'No'.
Typical setting: No
Remarks: Specify Yes if the account represents a computer (workstation) account.

Account disabled
Description: Specifies whether the account should be created in the disabled state.
Remarks: Valid specifications are YES and NO. The default value is NO.

Account expiration
Description: Specifies the date after which the account is expired.

Logon hours
Description: The hours the user account can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week.
Remarks: The value is specified as a text of 42 hexadecimal characters, representing all the hours of a week. The hours of each day are represented by 6 characters.

Workstations
Description: A list of workstation names, separated by ",", on which the user is allowed to log on.
Remarks: If specified, the user is only allowed to log on when seated at one of the computers (workstation or server) listed. A maximum of 8 computer (workstation or server) names can be specified. If not specified, such an explicit restriction does not apply.

Special user comment
Description: A text string containing additional comments.
Remarks: This property of a user account is not exposed in the User Manager for Domains on an NT 4 machine, or the local accounts snap-in on Windows 2000, XP and 2003 computers, but may be shown for informational purposes in other applications.
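
A pre-flight check of the constraints listed in the Properties table above, as an added example that is not part of the product or its manual. It assumes each account's resolved property values are available as a dict keyed by the property names; `check_row`, `shared_passwords` and the sample rows are constructed for illustration.

```python
import re
from collections import Counter

FORBIDDEN = set('"/\\[]:;|=,+*<>')        # characters the page excludes from user names
UNC = re.compile(r"^\\\\[^\\]+\\[^\\]+")   # \\<server name>\<share name>[\<rest of path>]
FLAGS = ("User must change password at next logon", "User cannot change password",
         "No password required", "Password never expires", "Account disabled")

def flag(row, key):  # YES/NO property, upper-cased; the documented default is NO
    return (row.get(key) or "NO").strip().upper()

def check_row(row):
    """Findings for one property set (dict keyed by property name: an assumed layout)."""
    get = lambda key: (row.get(key) or "").strip()
    name = row.get("Username") or ""
    home, drive, hours = get("Home directory"), get("Home directory Drive"), get("Logon hours")
    must, cannot, nopw = (flag(row, k) for k in FLAGS[:3])
    stations = [w for w in get("Workstations").split(",") if w.strip()]
    checks = [
        (not 1 <= len(name) <= 20, "Username: must be 1 to 20 characters"),
        (bool(FORBIDDEN & set(name)), "Username: forbidden character"),
        (bool(name) and not name.strip(". "), "Username: only periods or spaces"),
        (any(flag(row, k) not in ("YES", "NO") for k in FLAGS), "Flag: must be YES or NO"),
        (must == "YES" and cannot == "YES", "Must-change and cannot-change are both YES"),
        (nopw == "YES", "No password required: YES allows empty passwords"),
        (nopw != "YES" and not row.get("Password"), "Password: empty although required"),
        (bool(drive) and not re.fullmatch(r"[A-Za-z]", drive), "Home directory Drive: letter only"),
        (bool(drive) and not UNC.match(home), "Home directory: UNC form required with a drive"),
        (bool(get("User profile")) and not UNC.match(get("User profile")), "User profile: not UNC"),
        (len(stations) > 8, "Workstations: more than 8 names"),
        (bool(hours) and not re.fullmatch(r"[0-9A-Fa-f]{42}", hours), "Logon hours: not 42 hex chars"),
    ]
    return [msg for bad, msg in checks if bad]

def shared_passwords(rows):
    """Passwords given to more than one account, e.g. a literal typed into the action."""
    counts = Counter(r["Password"] for r in rows if r.get("Password"))
    return {pw for pw, n in counts.items() if n > 1}

# Constructed sample rows (not from the page), as they might be read from an import file.
SAMPLE = [
    {"Username": "jdoe", "Password": "test1234", "User must change password at next logon": "YES"},
    {"Username": "a.very.long.user.name.x", "Password": "test1234",
     "Home directory": "G:\\UserData\\x", "Home directory Drive": "H:"},
    {"Username": "svc=backup", "No password required": "YES",
     "User must change password at next logon": "yes", "User cannot change password": "Yes"},
]
if __name__ == "__main__":
    print(*((r["Username"], check_row(r)) for r in SAMPLE), shared_passwords(SAMPLE), sep="\n")
```

Running such a check over the import file before the Create User action executes surfaces reused literal passwords and contradictory flag combinations while they are still cheap to fix.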
Output Properties
When the action is run, the actual values of the properties are determined at run time, and the action is executed using these values. Generally these values are not stored for later usage. However, the actual value of a specific property may be required for a subsequent action in the User Management Resource Administrator script. To meet this need, any property can be explicitly configured to be saved in a variable when the action has been performed.
For example, when the password of a user is created with the password generator, the resulting password value may be stored in a variable, so it can be exported to a file by another action in the script.
By default the following properties are saved in a variable for usage in other scripts. Properties that are exported are shown with a blue arrow in the properties list.
Property Description Default variable name Remarks
User name
Description: The name of the user account.
Default variable name: %UserName%
Remarks: If more names have been tried as a consequence of the user name generation algorithm, this contains the last name tried.

Full name
Description: The full name of the user.
Default variable name: %FullName%
Remarks: If more names have been tried as a consequence of the user name generation algorithm, this contains the last name tried.

Password
Description: The password for the created account.
Default variable name: %Password%