Account Disabled on Active Directory while provisioning

Similar Messages

• How to set in Windows 8.1 the Account Picture from Active Directory

  Hello All,
  In my company I have uploaded the photos for
  each employees in
  Active Directory using a powershell script that set the attribute
  thumbnailphoto.
  This is useful for images in Lync and Outlook,
  now I want to use these pictures
  to sync with the account picture
  in Windows 8.1 but I haven't found anything in internet that helps me
  for this.
  I hope someone can help me,
  Thanks!

  Hi,
  You can try the steps in following article:
  Using Pictures from Active Directory
  http://msitpros.com/?p=1036
  This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore,
  Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you
  completely understand the risk before retrieving any software from the Internet.
  For your reference, here is the similar thread with different method:
  http://social.technet.microsoft.com/Forums/en-US/d6e7b2c3-c343-4900-a01d-24bfb30357b6/is-there-a-solution-to-set-user-account-picture-from-active-directory-thumbnailphoto-attribute-in?forum=w8itproinstall
  Hope these would be helpful.
  Kate Li
  TechNet Community Support

• Account Unknown on Active Directory

  How can I delete Account Unknown on Active Directory? is there a tool or script for deleting 1000 Account Unknown on Active Directory?

  Generally, Account Unknown may appear if the system cannot find the account SID which was recorded in ACL of an object in local system or AD database. This issue may occur if user accounts were deleted or the Account Unknown belongs to other system(dual
  boot configuration). This is reason that we recommend granting permission on resources to the Domain Local security group instead of individual users. It will be much easier for management and will not generate orphaned SID because user group is stabler.
  If you don’t have another system on the same computer or Domain Trust, we can delete the unknown accounts safely.
  However, It would be suggested to create a delegation report using the following command before deleting unknown accounts. I will help check them.
  for /f "delims=" %x in ('dsquery OU "OU=HR,DC=d1,DC=com"') do acldiag %x > %x.txt
  Please refer to this earlier discussed thread that is based on same concern :
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/d3d6b211-7c31-4ebc-aff6-489d60fd9910/active-directory-security-permissions-account-unknown?forum=winserverDS
  Since, there is a number of unknown accounts that is required to be deleted, you may try this
  AD cleaner tool that can be helpful to accomplish this task in quick attempt.
  Carlo

• Problem migrating account from one active directory domain to another. Using NetBIOS

  Hello,
  I'm migrating a Lion machine from one domain to another. When I try to join it to abc.example.com it joines it to 123.example.com in the list of domains. 123.example.com is the NetBIOS name of abc.example.com. This configuration does not work.
  What is even more strange, is if I go into the Open Directory Utility > Active Directory to set the create mobile account settings, once I apply the settings (or even if I don't apply the settings) when I get back to the list of domains, it show BOTH abc.example.com and 123.example.com as domains I am joined to. If I remove 123.example.com it removes abc.example.com.
  I've only seen this problem one other time and this was with a snow leopard machine that was not bound to AD. I upgraded it to Lion and tried to bind it, and had the exact same thing occur.
  I'm certain there is a "stuck" setting somewhere that is causing this. I have had successful snow leopard > lion upgrades work, and many lion machines joined to AD so this does work normally. Just not sure whats wrong or really where to look.
  The OS is fully patched and updated to the current version.
  Any thoughts?

  Case 1:
  Here you can written pre-update event handler which will check whether minor and major org code changed or not.
  If changed then first starts de-provisioning and then start provisioning.
  If not changed then do nothing.
  This approach will not transfer accounts from one domain to another but it will create fresh accounts and remove accounts from old domain.
  Case2:
  If you want to transfer accounts from one domain to another in that on pre-update you have to change OU of user on process which automatically move to another domain.
  but not sure about exchange it is possible to move to another domain.
  hopping that all domains under same forest otherwise same Connector Sever will not work.

• Oracle account and microsoft active directory password synchronisation

  Hi
  We are migrating our application to use windows active directory authentication. We have separate oracle account for
  each logged in user in the application, and these oracle credentials have to be the same as the windows active directory
  credentials.
  Also, a password change on windows Active directory should change the oracle account password.
  Is there a tool available to manage and synchronize the microsoft active directory and oracle account.
  We use oracle 10g and application is hosted on Windows 2008 server.
  Thanks
  Karthik

  There's an OOTB connector for Password Synch between AD -> OIM. Please use that.
  http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html
  For password synch, OIM- AD/Oracle, you can use triggers.
  Enabling update for provisioned user in OIM11g

• Building a Basic Runbook to disable a Active Directory User who has not logged in for 90 days.

  I am new to Orchestrator.  I am using Orchestrator 2012 R2 on a Hyper-V running Server 2008.  I have been trying to set up a Runbook to sweep AD for user accounts that have not logged in for 90 days and have those accounts automatically disabled
  and moved to another OU.  However, I would be happy just to have the account just be disabled.  If you need any more info or I have posted in the wrong forum, please let me know.  
  Thanks

  Hi,
  there is no SCO Activity to do this.
  Problem with this is, the LastLogedOn Times are not synced between DomainControllers.
  Best will be you take a look at this PowerShell Script
  http://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
  and change it to your needs
  Seidl Michael | http://www.techguy.at |
  twitter.com/techguyat | facebook.com/techguyat

• Pulling "cn=Users" account data from Active Directory issue

  I'm using the following general syntax:
  ldapsearch -h <active directory server> -p 389 -D "CN=Administrator,CN=Users,dc=ORACLE,dc=COM" -b "DC=ORACLE,DC=COM" -s base objectclass=*
  What I get is only "cn=System" output. Any ideas to get the "cn=Users" data?? I can authenticate users in other ways using the Oracle LDAP tools through the same "active directory server". So it's not a matter of it not existing in the Active Directory Server. Also, there is no password right now for the "Administrator" account; so it's not a matter of including/excluding the "-w" option.
  Any suggestions??
  Thanks.

  I recommend you to post this here:
  Forums Home » Oracle Technology Network (OTN) » Products » Application Server » Oracle Internet Directory
  Identity Manager
  Joel Pérez
  http://otn.oracle.com/experts

• How to modify the Account options in Active directory?

  I want to modify some user account options in my active directory through java. Such as "user must change the password on next logon" & "account expires" the user has to change the password by redirecting to the change password page after login.
  if account expires or the user must change the password on next logon functionality in the account options is enabled, i couldn't able to bind that user. this is because i am unable to authenticate the same user with the password in the login page. it shows that User is not authenticated & i got data 773 error which means that i want to redirect to the change password page.
  During the change password, i cannot able to change the password due to unsuccessfull bind. since the user is not authenticated with the temporary password.
  please suggest me solutions.
  Thanks in advance.

  You've come across the chicken & egg problem.
  A user's password has expired and they must change their password at the next logon, however in order to change their password over LDAP, they must perform a successful bind !
  Unfortunatey LDAP is not an authentication protocol.
  You will have to find some other way for the user to change their password, perhaps by using Kerberos & kpasswd.
  If the user's account has expired, there isin't anything a user can do, except to have an adminstrator re-enable the account by changing the account expiration date.

• ICloud/iTunes Account Locking out Active Directory Account [?]

  The facts:
  I have been having this problem for the past four+ months.
  My work email address is my iTunes account name
  My work AD account gets logged out most evenings, sometimes within an hour of leaving work, sometimes late at night
  I know when my account is logged out because my iPhone will ask for my Exchange password, or I cannot get into Outlook Web Access
  When my iTunes/iCloud account password is the same as my Active Directory password this does not happen. When this was the case earlier this year I went 90 days without a lockout. The day after my password expired and I changed my password - locked out again
  Exchange recognizes two mobile devices, my iPad2 and my iPhone 4, as mobile ActiveSync clients
  I have reset both of these devices, updated to the latest iOS and reinstalled and reconfigured my apps
  This occurs even when neither of these devices has an active ActiveSync account set up to use my work Exchange server
  The keyrings (Mac) and Credential Managers (PC) of all my home machines have been sanitized
  Mail (Mac) and Outlook are not configured on my home machines, and they are not affiliated with the work domain in any way
  From these facts it seems to me that the issue is:
  There exists a machine attempting to reach my Exchange account using a password I have used in the past
  If it is a computer that I have possession of, it must be an iDevice, because this behavior has still occurred when all others have been powered off
  If it is an iDevice under my control then it is something in iCloud/iTunes, because it does not depend on having the Exchange account configured on either iDevice and those are the only applications with knowledge of my work email address
  So,
  If it is my iCloud/iTunes account then WHY in the name of all that is sacred is it hitting my work Exchange server and locking out my account?
  I can think of no other -possible- devices or online services that have both that password, and knowledge of that email address. I remotely wiped an old phone that might have had the email account configured.
  Help?

  I would very much like to hear from someone at Apple regarding this as I'm having a very similar if not the exact same issue.

• SQL content database is locking when a user is disabled in Active Directory.

   We have an issue, first of all we are running custom code in C# within a visual web part to "Offboard Users".  In essence it disables their AD account and moves it to another OU using the ActiveDirectoryServiceClient.
  Sometimes it works seamlessly, other times it causes a lock in the SQL content DB. The list ID that always comes up with the error is the User Information List.  I have researched that SharePoint will update the UserInfo table with tp_Deleted when a
  user is Disabled. Would this also update the AllUserData table with a corresponding int value due to the foreign key relationships between these two tables?  If so could this update be causing the SQL lock? Is there anything we can do to expedite the
  process, it runs really long, goes to critical, locks the DB, proceeds to completion successfully, but meanwhile users cannot interact with the site. The list is indexed on user name and work email. It is close to 4,000 list items, but broken into views. However
  I don't think this has anything to do with the list itself as the Profile Service should be updating the list, the code does not.
  We have separate DB for each site collection and all are within / under the 100GB limit. 
  How is the AllUserData table updated from the UserInfo table? 
  Thank You,
  Crjangel 
  Frances Garland

  I wouldn't have expected such a problem, but there you are :-(. Luckily you can analyze further by issuing a SQL DMV query providing details about existing locks, for instance using this one:
  http://www.toadworld.com/platforms/sql-server/b/weblog/archive/2013/08/11/dmv-13-finding-locking-amp-blocking-sys-dm-tran-locks.aspx
  Kind regards,
  Margriet Bruggeman
  Lois & Clark IT Services
  web site: http://www.loisandclark.eu
  blog: http://www.sharepointdragons.com

• Is it possible to move or merge my local user account with an Active Directory account?

  10.7.2 update now allows me to authenticate against AD, and I have a shiny new account on my mac.  Is there any way to merge my local and AD accounts?  Or link my local account to my AD account? Can I change the home directory of the AD account to point to my local account folder?

  Gary,
  Performance would be absolutely horrible if you hung a USB drive off an AEBS and used that as your home directory, wirelessly. You're going to be getting no more than about 10 MB/sec, or roughly 1/5 the speed (in the IDEAL case -- practically it's worse than that) of your current setup.
  If you want to access the same email from multiple Macs, you should consider using IMAP. .Mac can do this -- and you can have up to 4 GB on the server, if you pay for it. Default is up to 1 GB, if you shrink your iDisk space to nothing.
  Another alternative if you want to share something centrally is to use OS X Server and Portable Home Directories. This is pretty complicated for the home user, though, and requires OS X Server (minimum $499), a machine to run it on, and some good knowledge of Open Directory and AFP services. It works quite well for corporate clients though.
  Otherwise, synching stuff across multiple machines may work. But don't even think about moving your whole home directory to a central network mounted drive, especially something as slow as a USB drive on an AEBS over wireless.

• Spfarm Account Permissions in active directory

  Hello All,
  I have created SP 2010 lab env with AD. i have created on user in ad as SP_farm. i dont know exactly what permissions should be given to SP_Farm account in AD.
  Thanks

  It can be a normal user in AD but if you use same account for Profile sync the it should have "Replicate directory changes" on AD.  Normally people use same account for install as well. Then it should have server admin permission on SP Server.
  http://technet.microsoft.com/en-us/library/cc263445%28v=office.15%29.aspx
  Server farm account
  This account is also referred to as the database access account.
  This account has the following properties:
  It's the application pool identity for the SharePoint Central Administration website.
  It's the process account for the Windows SharePoint Services Timer service.
  Setup user account
  The user account that is used to run:
  If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the
  db_owner fixed database role for the database.
  Setup on each server computer
  SharePoint Products Configuration Wizard
  The Psconfig command-line tool
  The Stsadm command-line tool
  If this helped you resolve your issue, please mark it Answered

• Add random number to a email id while creating account in active directory

  Hi,
  I have this code with me,
  in this code i am creating user account into the active directory, i am facing issue in validating it.
  validation is: Let's say we got 2nd Aman verma into the active directory, first aman verma got id as [email protected], i want id of second aman verma as [email protected] (or any other number at the place of 1)
  below is my code,
  using System;
  using System.IO;
  using System.DirectoryServices;
  namespace ActiveDirectoryAddContacts
  class Class1
  static void Main(string[] args)
  System.DirectoryServices.DirectorySearcher DSESearcher = new System.DirectoryServices.DirectorySearcher();
  string RootDSE=DSESearcher.SearchRoot.Path;
  RootDSE=RootDSE.Insert(7,"ou=Mytest,");
  DirectoryEntry myDE = new DirectoryEntry(RootDSE);
  DirectoryEntries myEntries = myDE.Children;
  // Create a new entry 'Sample' in the container.
  FileStream fs = new FileStream("C:\\UserDetails.csv" , FileMode.OpenOrCreate, FileAccess.Read
  StreamReader sr = new StreamReader(fs); 
  for(int i=1;i<291;i++)
  string str = sr.ReadLine();
  char[] ca={','};
  try
  string[] sa = str.Split(ca,4);
  DirectoryEntry myDirectoryEntry = myEntries.Add("CN="+sa[2], "user");
  myDirectoryEntry.Properties["givenname"].Value=sa[0];
  //myDirectoryEntry.Properties["sn"].Value=sa[1];
  //myDirectoryEntry.Properties["displayname"].Value=sa[2];
  //myDirectoryEntry.Properties["mail"].Value=sa[3];
  //myDirectoryEntry.CommitChanges();
  catch (Exception e)
  Console.WriteLine(str);
  any Help will be highly appreciated.
  Thank you!
  Aman 

  Hi,
  As this might not be a SharePoint issue, I suggest you open a thread in the Windows Server forum, you will get more help and confirmed answers there:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
  Thanks
  Patrick Liang
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Powershell Active Directory Account Expiration Script

  I am putting together a script that creates a user account in AD, sets the password, adds groups, etc.  The part I am having problems with is when the user selects the Contractor employee option and is prompted for the expiration date of the AD account. 
  The script will create the account, but the expiration date is not set in AD.  Any suggestions?
  Here's the code:
  #Script to create Active Directory account
  #Add the Active Directory Module if not already present
  if (-not (Get-Module ActiveDirectory))
  Import-Module ActiveDirectory -Force
  Write-Host ""
  Write-Host "======================================================" -ForegroundColor DarkYellow
  Write-Host ""
  Write-Host "Computer Access"      
  Write-Host "Create Active Directory User Script"
  Write-Host "PowerShell 3.0"
  Write-Host "Version: 1.2"                   
  Write-Host "Date: 4/14/2014"                       
  Write-Host "Author: "
  Write-Host ""
  Write-Host "Please review the created Active Directory Account" -ForegroundColor Red -BackgroundColor Yellow
  Write-Host ""
  Write-Host "Base Business Unit Group Memberships are added only" -ForegroundColor Red -BackgroundColor Yellow
  Write-Host ""
  Write-Host "======================================================" -ForegroundColor DarkYellow
  Write-Host ""
  Write-Host ""
  Write-Host "======================================================" -ForegroundColor DarkYellow
  Write-Host "Creating Active Directory Account" -ForegroundColor Yellow
  Write-Host "======================================================" -ForegroundColor DarkYellow
  Write-Host ""
  #Specify the target OU for new users
  $targetOU = "OU=Personnel,OU=ETA,DC=eta,DC=state,DC=tx"
  #Find the current domain info
  $domdns = (Get-ADDomain).dnsroot # for UPN generation
  #Set Account Variables
  #Set Username with Dialogue Box
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  $objForm = New-Object System.Windows.Forms.Form
  $objForm.Font = New-Object System.Drawing.Font("Arial",10)
  $objForm.Text = "Username"
  $objForm.Size = New-Object System.Drawing.Size(300,200)
  $objForm.StartPosition = "CenterScreen"
  $objForm.KeyPreview = $True
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
      {$global:setusername=$objTextBox.Text;$objForm.Close()}})
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
      {$objForm.Close()}})
  $OKButton = New-Object System.Windows.Forms.Button
  $OKButton.Location = New-Object System.Drawing.Size(75,120)
  $OKButton.Size = New-Object System.Drawing.Size(75,23)
  $OKButton.Text = "OK"
  $OKButton.Add_Click({$global:setusername=$objTextBox.Text;$objForm.Close()})
  $objForm.Controls.Add($OKButton)
  $CancelButton = New-Object System.Windows.Forms.Button
  $CancelButton.Location = New-Object System.Drawing.Size(150,120)
  $CancelButton.Size = New-Object System.Drawing.Size(75,23)
  $CancelButton.Text = "Cancel"
  $CancelButton.Add_Click(
  {$Looping=$False
  $objForm.Close()
  [environment]::Exit(0)
  $objForm.Controls.Add($CancelButton)
  $objLabel = New-Object System.Windows.Forms.Label
  $objLabel.Location = New-Object System.Drawing.Size(10,20)
  $objLabel.Size = New-Object System.Drawing.Size(280,20)
  $objLabel.Text = "Please enter the username for the account:"
  $objForm.Controls.Add($objLabel)
  $objTextBox = New-Object System.Windows.Forms.TextBox
  $objTextBox.Location = New-Object System.Drawing.Size(10,40)
  $objTextBox.Size = New-Object System.Drawing.Size(260,20)
  $objForm.Controls.Add($objTextBox)
  $objForm.Topmost = $True
  $objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
  [void] $objForm.ShowDialog()
  #If OK then set variable and continue
  $samname = ($setusername | Out-String)
  $samname = ($setusername) + ("")
  function validateUser
      param(
      [string]$username
      #if the username is passed without domain\
      if(($username.StartsWith("domain\")) -eq $false)
          $user = Get-ADUser -Filter { SamAccountName -eq $username }
          if (!$user)
              return $false
          else
              return $true
      elseif(($username.StartsWith("domain\")) -eq $true)
          $username = ($username.Split("\")[1])
          $user = Get-ADUser -Filter { SamAccountName -eq $username }
          if (!$user)
              return $false
          else
              return $true
  $usercheck = validateUser -username $samname
  if($userCheck -eq $true) {
  [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  [Windows.Forms.MessageBox]::Show("Username already exists in AD please check and retry",`
   "Username Check", [Windows.Forms.MessageBoxButtons]::OK, [Windows.Forms.MessageBoxIcon]::Stop)
  [environment]::Exit(0)
  else {} #Continue
  Write-Host ""
  Write-Host "USERNAME has been set to" $samname -ForegroundColor Yellow
  #Set User Accounts First Name
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  $objForm = New-Object System.Windows.Forms.Form
  $objForm.Font = New-Object System.Drawing.Font("Arial",10)
  $objForm.Text = "First Name"
  $objForm.Size = New-Object System.Drawing.Size(300,200)
  $objForm.StartPosition = "CenterScreen"
  $objForm.KeyPreview = $True
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
      {$global:setfirstname=$objTextBox.Text;$objForm.Close()}})
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
      {$objForm.Close()}})
  $OKButton = New-Object System.Windows.Forms.Button
  $OKButton.Location = New-Object System.Drawing.Size(75,120)
  $OKButton.Size = New-Object System.Drawing.Size(75,23)
  $OKButton.Text = "OK"
  $OKButton.Add_Click({$global:setfirstname=$objTextBox.Text;$objForm.Close()})
  $objForm.Controls.Add($OKButton)
  $CancelButton = New-Object System.Windows.Forms.Button
  $CancelButton.Location = New-Object System.Drawing.Size(150,120)
  $CancelButton.Size = New-Object System.Drawing.Size(75,23)
  $CancelButton.Text = "Cancel"
  $CancelButton.Add_Click(
  {$Looping=$False
  $objForm.Close()
  [environment]::Exit(0)
  $objForm.Controls.Add($CancelButton)
  $objLabel = New-Object System.Windows.Forms.Label
  $objLabel.Location = New-Object System.Drawing.Size(10,20)
  $objLabel.Size = New-Object System.Drawing.Size(280,20)
  $objLabel.Text = "Please enter the users first name:"
  $objForm.Controls.Add($objLabel)
  $objTextBox = New-Object System.Windows.Forms.TextBox
  $objTextBox.Location = New-Object System.Drawing.Size(10,40)
  $objTextBox.Size = New-Object System.Drawing.Size(260,20)
  $objForm.Controls.Add($objTextBox)
  $objForm.Topmost = $True
  $objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
  [void] $objForm.ShowDialog()
  #If OK then set variable and continue
  $givname = ($setfirstname | Out-String)
  $givname = ("$setfirstname") + ("")
  Write-Host ""
  Write-Host "FIRST NAME has been set to" $givname -ForegroundColor Yellow
  #Set User Accounts Last Name
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  $objForm = New-Object System.Windows.Forms.Form
  $objForm.Font = New-Object System.Drawing.Font("Arial",10)
  $objForm.Text = "Last Name"
  $objForm.Size = New-Object System.Drawing.Size(300,200)
  $objForm.StartPosition = "CenterScreen"
  $objForm.KeyPreview = $True
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
      {$global:setlastname=$objTextBox.Text;$objForm.Close()}})
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
      {$objForm.Close()}})
  $OKButton = New-Object System.Windows.Forms.Button
  $OKButton.Location = New-Object System.Drawing.Size(75,120)
  $OKButton.Size = New-Object System.Drawing.Size(75,23)
  $OKButton.Text = "OK"
  $OKButton.Add_Click({$global:setlastname=$objTextBox.Text;$objForm.Close()})
  $objForm.Controls.Add($OKButton)
  $CancelButton = New-Object System.Windows.Forms.Button
  $CancelButton.Location = New-Object System.Drawing.Size(150,120)
  $CancelButton.Size = New-Object System.Drawing.Size(75,23)
  $CancelButton.Text = "Cancel"
  $CancelButton.Add_Click(
  {$Looping=$False
  $objForm.Close()
  [environment]::Exit(0)
  $objForm.Controls.Add($CancelButton)
  $objLabel = New-Object System.Windows.Forms.Label
  $objLabel.Location = New-Object System.Drawing.Size(10,20)
  $objLabel.Size = New-Object System.Drawing.Size(280,20)
  $objLabel.Text = "Please enter the users last name:"
  $objForm.Controls.Add($objLabel)
  $objTextBox = New-Object System.Windows.Forms.TextBox
  $objTextBox.Location = New-Object System.Drawing.Size(10,40)
  $objTextBox.Size = New-Object System.Drawing.Size(260,20)
  $objForm.Controls.Add($objTextBox)
  $objForm.Topmost = $True
  $objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
  [void] $objForm.ShowDialog()
  #If OK then set variable and continue
  $surname = ($setlastname | Out-String)
  $surname = ("$setlastname") + ("")
  Write-Host ""
  Write-Host "LAST NAME has been set to" $surname -ForegroundColor Yellow
  #Set the Department Number for the Active Directory Account
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  $objForm = New-Object System.Windows.Forms.Form
  $objForm.Font = New-Object System.Drawing.Font("Arial",10)
  $objForm.Text = "Cost Center"
  $objForm.Size = New-Object System.Drawing.Size(300,200)
  $objForm.StartPosition = "CenterScreen"
  $objForm.KeyPreview = $True
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
      {$global:setcostcode=$objTextBox.Text;$objForm.Close()}})
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
      {$objForm.Close()}})
  $OKButton = New-Object System.Windows.Forms.Button
  $OKButton.Location = New-Object System.Drawing.Size(75,120)
  $OKButton.Size = New-Object System.Drawing.Size(75,23)
  $OKButton.Text = "OK"
  $OKButton.Add_Click({$global:setcostcode=$objTextBox.Text;$objForm.Close()})
  $objForm.Controls.Add($OKButton)
  $CancelButton = New-Object System.Windows.Forms.Button
  $CancelButton.Location = New-Object System.Drawing.Size(150,120)
  $CancelButton.Size = New-Object System.Drawing.Size(75,23)
  $CancelButton.Text = "Cancel"
  $CancelButton.Add_Click(
  {$Looping=$False
  $objForm.Close()
  [environment]::Exit(0)
  $objForm.Controls.Add($CancelButton)
  $objLabel = New-Object System.Windows.Forms.Label
  $objLabel.Location = New-Object System.Drawing.Size(10,20)
  $objLabel.Size = New-Object System.Drawing.Size(280,20)
  $objLabel.Text = "Please enter the cost center for the account:"
  $objForm.Controls.Add($objLabel)
  $objTextBox = New-Object System.Windows.Forms.TextBox
  $objTextBox.Location = New-Object System.Drawing.Size(10,40)
  $objTextBox.Size = New-Object System.Drawing.Size(260,20)
  $objForm.Controls.Add($objTextBox)
  $objForm.Topmost = $True
  $objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
  [void] $objForm.ShowDialog()
  #If OK then set variable and continue
  $costcode = ($setcostcode | Out-String)
  $costcode = ("$setcostcode") + ("")
  Write-Host ""
  Write-Host "COSTCODE has been set to" $costcode -ForegroundColor Yellow
  #This creates a checkbox called Employee
  $objTypeCheckbox = New-Object System.Windows.Forms.Checkbox
  $objTypeCheckbox.Location = New-Object System.Drawing.Size(10,220)
  $objTypeCheckbox.Size = New-Object System.Drawing.Size(500,20)
  $objTypeCheckbox.Text = "Employee"
  $objTypeCheckbox.TabIndex = 4
  $objForm.Controls.Add($objTypeCheckbox)
  #This creates a checkbox called Citrix User
  $objCitrixUserCheckbox = New-Object System.Windows.Forms.Checkbox
  $objCitrixUserCheckbox.Location = New-Object System.Drawing.Size(10,240)
  $objCitrixUserCheckbox.Size = New-Object System.Drawing.Size(500,20)
  $objCitrixUserCheckbox.Text = "Citrix User"
  $objCitrixUserCheckbox.TabIndex = 5
  $objForm.Controls.Add($objCitrixUserCheckbox)
  #Set Permanent or Contractor (Expiration Date)
  [void][reflection.assembly]::Load("System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
  [void][reflection.assembly]::Load("System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
  [System.Windows.Forms.Application]::EnableVisualStyles()
  $form1 = New-Object 'System.Windows.Forms.Form'
  $datetimepicker1 = New-Object 'System.Windows.Forms.DateTimePicker'
  $radiobuttonPermanent = New-Object 'System.Windows.Forms.RadioButton'
  $radiobuttonContractor = New-Object 'System.Windows.Forms.RadioButton'
  $buttonOK = New-Object 'System.Windows.Forms.Button'
  $InitialFormWindowState = New-Object 'System.Windows.Forms.FormWindowState'
  $radiobuttonContractor_CheckedChanged={
      if($radiobuttonContractor.Checked){
          $datetimepicker1.Visible=$true
      }else{
          $datetimepicker1.Visible=$false
  $Form_StateCorrection_Load=
      #Correct the initial state of the form to prevent the .Net maximized form issue
      $form1.WindowState = $InitialFormWindowState
  $Form_Cleanup_FormClosed=
      #Remove all event handlers from the controls
      try
          $radiobuttonContractor.remove_CheckedChanged($radiobuttonContractor_CheckedChanged)
          $form1.remove_Load($FormEvent_Load)
          $form1.remove_Load($Form_StateCorrection_Load)
          $form1.remove_FormClosed($Form_Cleanup_FormClosed)
      catch [Exception]
  $form1.Controls.Add($datetimepicker1)
  $form1.Controls.Add($radiobuttonPermanent)
  $form1.Controls.Add($radiobuttonContractor)
  $form1.Controls.Add($buttonOK)
  $form1.AcceptButton = $buttonOK
  $form1.ClientSize = '508, 262'
  $form1.FormBorderStyle = 'FixedDialog'
  $form1.MaximizeBox = $False
  $form1.MinimizeBox = $False
  $form1.Name = "form1"
  $form1.StartPosition = 'CenterScreen'
  $form1.Text = "Form"
  $form1.add_Load($FormEvent_Load)
  # datetimepicker1
  $datetimepicker1.Location = '160, 91'
  $datetimepicker1.Name = "datetimepicker1"
  $datetimepicker1.Size = '200, 20'
  $datetimepicker1.TabIndex = 3
  $datetimepicker1.Visible = $False
  # radiobuttonPermanent
  $radiobuttonPermanent.Location = '33, 57'
  $radiobuttonPermanent.Name = "radiobuttonPermanent"
  $radiobuttonPermanent.Size = '104, 24'
  $radiobuttonPermanent.TabIndex = 2
  $radiobuttonPermanent.TabStop = $True
  $radiobuttonPermanent.Text = "Permanent"
  $radiobuttonPermanent.UseVisualStyleBackColor = $True
  # radiobuttonContractor
  $radiobuttonContractor.Location = '33, 87'
  $radiobuttonContractor.Name = "radiobuttonContractor"
  $radiobuttonContractor.Size = '104, 24'
  $radiobuttonContractor.TabIndex = 1
  $radiobuttonContractor.TabStop = $True
  $radiobuttonContractor.Text = "Contractor"
  $radiobuttonContractor.UseVisualStyleBackColor = $True
  $radiobuttonContractor.add_CheckedChanged($radiobuttonContractor_CheckedChanged)
  # buttonOK
  $buttonOK.Anchor = 'Bottom, Right'
  $buttonOK.DialogResult = 'OK'
  $buttonOK.Location = '421, 227'
  $buttonOK.Name = "buttonOK"
  $buttonOK.Size = '75, 23'
  $buttonOK.TabIndex = 0
  $buttonOK.Text = "OK"
  $buttonOK.UseVisualStyleBackColor = $True
  #endregion Generated Form Code
  #Save the initial state of the form
  $InitialFormWindowState = $form1.WindowState
  #Init the OnLoad event to correct the initial state of the form
  $form1.add_Load($Form_StateCorrection_Load)
  #Clean up the control events
  $form1.add_FormClosed($Form_Cleanup_FormClosed)
  #Show the Form
  $form1.ShowDialog()
  #Set the password for the new user account
  #Change P@$$w0rd to whatever you want the account password to be
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
  [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  $objForm = New-Object System.Windows.Forms.Form
  $objForm.Font = New-Object System.Drawing.Font("Arial",10)
  $objForm.Text = "Password"
  $objForm.Size = New-Object System.Drawing.Size(300,200)
  $objForm.StartPosition = "CenterScreen"
  $objForm.KeyPreview = $True
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
      {$global:setpassword=$objTextBox.Text;$objForm.Close()}})
  $objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
      {$objForm.Close()}})
  $OKButton = New-Object System.Windows.Forms.Button
  $OKButton.Location = New-Object System.Drawing.Size(75,120)
  $OKButton.Size = New-Object System.Drawing.Size(75,23)
  $OKButton.Text = "OK"
  $OKButton.Add_Click({$global:setpassword=$objTextBox.Text;$objForm.Close()})
  $objForm.Controls.Add($OKButton)
  $CancelButton = New-Object System.Windows.Forms.Button
  $CancelButton.Location = New-Object System.Drawing.Size(150,120)
  $CancelButton.Size = New-Object System.Drawing.Size(75,23)
  $CancelButton.Text = "Cancel"
  $CancelButton.Add_Click(
  {$Looping=$False
  $objForm.Close()
  [environment]::Exit(0)
  $objForm.Controls.Add($CancelButton)
  $objLabel = New-Object System.Windows.Forms.Label
  $objLabel.Location = New-Object System.Drawing.Size(10,20)
  $objLabel.Size = New-Object System.Drawing.Size(280,40)
  $objLabel.Text = "Please enter the password you wish to set. Press Enter for P@SSw0rd:"
  $objForm.Controls.Add($objLabel)
  $objTextBox = New-Object System.Windows.Forms.TextBox
  $objTextBox.Location = New-Object System.Drawing.Size(10,60)
  $objTextBox.Size = New-Object System.Drawing.Size(260,20)
  $objForm.Controls.Add($objTextBox)
  $objForm.Topmost = $True
  $objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
  [void] $objForm.ShowDialog()
  #If OK then set password and continue
  $userpassword = ($setpassword | Out-String)
  $userpassword = ("$setpassword") + ("")
  if ($userpassword -eq "") {$userpassword = 'P@SSw0rd'}
  $password = (ConvertTo-SecureString $userpassword -AsPlainText -Force)
  #Set Variables for New-ADUser cmdlet
  $dplname = "$surname, $givname"
  $upname = "$givname.$surname" + "@" + "$domdns"
  $email = "$givname" + "." + "$surname" + "@eta.state.tx.us"
  $office = "WBT"
  $description = "$costcode"
  $description2 = "611IS - Permanent"
  $description3 = "611PM - Permanent"
  $description4 = "501 - Permanent"
  ##$loginscript = "yourloginscriptname"
  $servername = "teafs2"
  $homedir = "\\$($servername)\User\$($samname)"
  $homedirpath = "\\$($servername)\User\$($samname)"
  $Company= "ETA"
  $department = "yourdepartment"
  $department4 = "School Finance"
  $departmentnumber = "" + "-" + "$costcode"
  Write-Host ""
  Write-Host "HOME SERVER is" $servername -ForegroundColor Yellow
  Write-Host ""
  Write-Host "HOME DIRECTORY has been set to" $homedir -ForegroundColor Yellow
  Write-Host ""
  Write-Host "DEPARTMENT has been set to" $department -ForegroundColor Yellow
  Write-Host ""
  Write-Host "DESCRIPTION has been set to" $departmentnumber -ForegroundColor Yellow
  Write-Host ""
  #Create Active Directory Account
  New-ADUser -Name $dplname -SamAccountName $samname -DisplayName $dplname `
  -givenname $givname -surname $surname -userprincipalname $upname -emailaddress $email `
  -Path $targetou -Enabled $true -ChangePasswordAtLogon $true -Department $department `
  -OtherAttributes @{'departmentNumber'="$departmentnumber"} -Company $Company -HomeDrive "H" -HomeDirectory $homedir `
  -Description $description -Office $office -ScriptPath $loginscript -AccountPassword $password `
  #Add User to Active Directory Groups Based on Description Field
  If ((Get-ADUser $samname -Properties description).description -eq $description2) {
    Add-ADGroupMember -Identity "CN=InformationSystemsPrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=InformationSystemsOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=InformationSystemsNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
  If ((Get-ADUser $samname -Properties description).description -eq $description3) {
    Add-ADGroupMember -Identity "CN=ProjectMgmtNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=ProjectMgmtOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=ProjectMgmtPrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=Cognos ETASE Dev-Test-Prod,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=PMO ALL,OU=Distribution Groups,OU=Mailbox accounts,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=PMO Permanent,OU=Distribution Groups,OU=Mailbox accounts,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
  If ((Get-ADUser $samname -Properties description).description -eq $description4) {
    Add-ADGroupMember -Identity "CN=SchoolFinancePrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=SchoolFinanceOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=SchoolFinanceNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
    Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
  #Does the user require a mailbox?
  $mailbox = New-Object -ComObject wscript.shell
  $intAnswer = $mailbox.popup("Does this user require a mailbox?", `
  0,"Create Mailbox",32+4)
  If ($intAnswer -eq 6) {
      Add-ADGroupMember -Identity "YourADGroupName5" -Member $samname
      $mailbox.popup("User added to EMail Provisioning Group", `
      0,"Created",64+0)
  } else {
      $mailbox.popup("User has not been added to the EMail Provisioning Group", `
      0,"Not Created",64+0)
  #Does the user require a LYNC Account?
  $lyncaccount = New-Object -ComObject wscript.shell
  $intAnswer = $lyncaccount.popup("Does this user require a LYNC Account?", `
  0,"Create LYNC Account",32+4)
  If ($intAnswer -eq 6) {
      Add-ADGroupMember -Identity "YourADGroupName6" -Member $samname
      $lyncaccount.popup("User added to LYNC Provisioning Group", `
      0,"Created",64+0)
  } else {
      $lyncaccount.popup("User has not been added to the LYNC Provisioning Group", `
      0,"Not Created",64+0)
  #Create Home Directory and Set Permissions on Home Directory
  New-Item -path $homedirpath -type directory
  $acl = Get-ACL -path $homedirpath
  $permission = "yourdomainname\$($samname)","Modify","ContainerInherit,ObjectInherit","None","Allow"
  $accessrule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessrule)
  $acl | Set-ACL -path $homedirpath
  ##Set Share Permissions on Home Directory
  $Computer = $servername
  $Class = "Win32_Share"
  $Method = "Create"
  $name = $sharename
  $path = $sharedirpath
  $description = ""
  $sd = ([WMIClass] "\\$Computer\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
  $ACE = ([WMIClass] "\\$Computer\root\cimv2:Win32_ACE").CreateInstance()
  $Trustee = ([WMIClass] "\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
  $Trustee.Name = "EVERYONE"
  $Trustee.Domain = $Null
  $Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
  $ace.AccessMask = 2032127
  $ace.AceFlags = 3
  $ace.AceType = 0
  $ACE.Trustee = $Trustee
  $sd.DACL += $ACE.psObject.baseobject
  $mc = [WmiClass]"\\$Computer\ROOT\CIMV2:$Class"
  $InParams = $mc.psbase.GetMethodParameters($Method)
  $InParams.Access = $sd
  $InParams.Description = $description
  $InParams.MaximumAllowed = $Null
  $InParams.Name = $name
  $InParams.Password = $Null
  $InParams.Path = $path
  $InParams.Type = [uint32]0
  $R = $mc.PSBase.InvokeMethod($Method, $InParams, $Null)
  switch ($($R.ReturnValue))
    0 {Write-Host "Share:$name Path:$path Result:Success"; break}
    2 {Write-Host "Share:$name Path:$path Result:Access Denied" -foregroundcolor red -backgroundcolor yellow;break}
    8 {Write-Host "Share:$name Path:$path Result:Unknown Failure" -foregroundcolor red -backgroundcolor yellow;break}
    9 {Write-Host "Share:$name Path:$path Result:Invalid Name" -foregroundcolor red -backgroundcolor yellow;break}
    10 {Write-Host "Share:$name Path:$path Result:Invalid Level" -foregroundcolor red -backgroundcolor yellow;break}
    21 {Write-Host "Share:$name Path:$path Result:Invalid Parameter" -foregroundcolor red -backgroundcolor yellow;break}
    22 {Write-Host "Share:$name Path:$path Result:Duplicate Share" -foregroundcolor red -backgroundcolor yellow;break}
    23 {Write-Host "Share:$name Path:$path Result:Reedirected Path" -foregroundcolor red -backgroundcolor yellow;break}
    24 {Write-Host "Share:$name Path:$path Result:Unknown Device or Directory" -foregroundcolor red -backgroundcolor yellow;break}
    25 {Write-Host "Share:$name Path:$path Result:Network Name Not Found" -foregroundcolor red -backgroundcolor yellow;break}
    default {Write-Host "Share:$name Path:$path Result:*** Unknown Error ***" -foregroundcolor red -backgroundcolor yellow;break}

  Would you be able to show me how it's done?
  Here's an example:
  $date = Read-Host 'Enter a date (e.g. 4/23/14)'
  Write-Host "Original string: $date"
  $dateTime = [datetime]$date
  Write-Host "DateTime object: $dateTime"
  Don't retire TechNet! -
  (Don't give up yet - 12,830+ strong and growing)

• Convert Open Directory mobile accounts to Active Directory mobile accounts

  We have 200 or so Macs using OD mobile accounts.
  Implementing Active Directory, getting rid of Open Directory.
  How do I change the mobile accounts from OD accounts to AD accounts so that it authenticates against the AD Domain Controller and thus change compter login password when it's changed in AD?
  I can convert accounts this way:
  a.    Delete users’ user account in User preferences pane of System Preferences, but choose to not change the home directory.
  b.    Log into users’ account by choosing the other option, thus creating a mobile account.
  c.    Log out, log into admin account, delete the newly created home directory, rename the home directory from the deleted users account to match the name of the deleted home directory and do a chown –R on the directory for that user.
  Obviously doing above 200x times is tedious and I'd like to avoid this if possible!
  Any other ideas?  Preferably a script I can deploy to all computers?

  I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
  Cheers,
  Rob