Creating Active Directory Accounts for vSphere 5.1 Services
To set up the management pieces of vSphere, I need to have an account or accounts created in Active Directory. I need to determine how many to create and what permissions they need.
In Single Sign on Server, I need to choose an account that vCenter server will use when it connects to SSO. I can use the default admin@system-domain. Or I can add an account that is configured in Active Directory. Or, I can also use an active directory group instead of an individual user. What is the best way to do this and if I use an AD account, what permissions does it need at the domain level and at the local level on the Single Sign on Server? (I'm using multisite mode, so I can't use local accounts)
In SQL Server, I need to choose an account to use for the SQL server service. Should this account be an active directory account or a local user account? If so, what permissions should be assigned to the account in Active Directory and what permissions should be assigned to it on the local machine? What AD group, if any should it be a part of? What local permissions does it need?
In vCenter Server, I need to choose an account to run the "vCenter Server Service" in. Is it best to use the default "system" account or to use an account from Active Directory, or a local account?
I'm trying to get a big picture of an AD account/group strategy to use that covers the main management pieces of vSphere - vCenter Server, Single Sign on, Inventory Service, Web Client Services.
For example, create one group called "vSphere Services", then create separate accounts for each management piece, and assign them specific permissions on specific systems. Or create separate groups for each management piece and assign permissions to the groups. Is it better to consolidate some of these user names or split them out? Any experiences / suggestions welcome. Thanks.
Hello,
For general services I use a service specific account within AD. This was before SSO and I use the same after SSO. SSO is used by only two services that I know about at the moment (Inventory Service and perhaps vCloud). However, there are many other service accounts that should be created. You want one account per service and I use AD for this, this way I can create a service account group and give it the appropriate roles and privileges. FOr example I have service accounts for:
VMware View
XenDesktop
vCops
HPSIM
Solarwinds
VMTurbo
NetApp
etc.
One service, one service account, each with either a general role or custom role depending on access requirements to vCenter.
For SSO, I to am waiting on general information, but I set mine up fairly basically to cover only those resources that make use of SSO. Since the vast majority of items do not use SSO, the rule still applies. Once SSO is supported by more than one or two tools, you still need to maintain that separation.
So I say yes, tie SSO to AD and do everything in one place, unfortunately, that is not very clear, or at least was not to me and these SSO issues are either beng fixed, documented, or both.
Best regards,
Edward L. Haletky aka Texiwill
Similar Messages
-
How to avoid duplicate DN exception when creating Active Directory Account
I am using OIM 9.1.0.2 to provision Active Directory accounts.
I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
Here is an example.
User 1 exists already and their DN: cn=john smith, cn=users, dc=company,dc=org
New user joins the company and his name is also john smith and he has no middle name: so system attempts to create his account as cn=john smith, cn=users, dc=company,dc=org
how can I accomplish this by making the account say cn=john smith_1, cn=users, dc=company,dc=org855640 wrote:
I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
There are two different questions:
1. How to generate a sequence of candidates for the name attribute
2. How to check if a record with the given name candidate already exists in the Active Directory, and hence try the next candidate from the sequence.
The answer for the first part is usually defined by the policy existing in your organization, in the simplest case you can append sequential integer numbers to the end of the original name.
The answer for the second question is not so simple if you use are provisioning with MSAD connector.
There are two places you can put the check:
-- in the pre-populate adapter for the UD_ADUSER_COMMONNAME field
-- in the adpADCSCREATEUSER event handler, which is responsible for new AD user record creation.
Both cases need some coding, since you have to obtain the AD connection and search AD for matching records.
Pros & cons
Placing check code in the pre-populate adapter:
Pros:
the result is visible in the form, administrator can change the pre-calculated value if he wishes
Cons:
you need to have all access to connection parameters, and establish one extra connection
this is not the way OIM is supposed to work :-(
Placing check code in the AD user creation task:
Pros:
you have all access to connection parameters, and open a connection here anyway
Cons:
the result is not present in the form, so no way for manual interaction by administrator here
BTW: this problem is not only related to DN generation, some other AD attributes (e.g. sAMAccountName, mailNickName, userPrincipalName, mail) should be unique in the AD domain scope.
Edited by: madhatter on Sep 7, 2012 12:02 AM -
Powershell Active Directory Account Expiration Script
I am putting together a script that creates a user account in AD, sets the password, adds groups, etc. The part I am having problems with is when the user selects the Contractor employee option and is prompted for the expiration date of the AD account.
The script will create the account, but the expiration date is not set in AD. Any suggestions?
Here's the code:
#Script to create Active Directory account
#Add the Active Directory Module if not already present
if (-not (Get-Module ActiveDirectory))
Import-Module ActiveDirectory -Force
Write-Host ""
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host ""
Write-Host "Computer Access"
Write-Host "Create Active Directory User Script"
Write-Host "PowerShell 3.0"
Write-Host "Version: 1.2"
Write-Host "Date: 4/14/2014"
Write-Host "Author: "
Write-Host ""
Write-Host "Please review the created Active Directory Account" -ForegroundColor Red -BackgroundColor Yellow
Write-Host ""
Write-Host "Base Business Unit Group Memberships are added only" -ForegroundColor Red -BackgroundColor Yellow
Write-Host ""
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host ""
Write-Host ""
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host "Creating Active Directory Account" -ForegroundColor Yellow
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host ""
#Specify the target OU for new users
$targetOU = "OU=Personnel,OU=ETA,DC=eta,DC=state,DC=tx"
#Find the current domain info
$domdns = (Get-ADDomain).dnsroot # for UPN generation
#Set Account Variables
#Set Username with Dialogue Box
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Username"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
{$global:setusername=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
{$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setusername=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the username for the account:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$samname = ($setusername | Out-String)
$samname = ($setusername) + ("")
function validateUser
param(
[string]$username
#if the username is passed without domain\
if(($username.StartsWith("domain\")) -eq $false)
$user = Get-ADUser -Filter { SamAccountName -eq $username }
if (!$user)
return $false
else
return $true
elseif(($username.StartsWith("domain\")) -eq $true)
$username = ($username.Split("\")[1])
$user = Get-ADUser -Filter { SamAccountName -eq $username }
if (!$user)
return $false
else
return $true
$usercheck = validateUser -username $samname
if($userCheck -eq $true) {
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[Windows.Forms.MessageBox]::Show("Username already exists in AD please check and retry",`
"Username Check", [Windows.Forms.MessageBoxButtons]::OK, [Windows.Forms.MessageBoxIcon]::Stop)
[environment]::Exit(0)
else {} #Continue
Write-Host ""
Write-Host "USERNAME has been set to" $samname -ForegroundColor Yellow
#Set User Accounts First Name
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "First Name"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
{$global:setfirstname=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
{$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setfirstname=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the users first name:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$givname = ($setfirstname | Out-String)
$givname = ("$setfirstname") + ("")
Write-Host ""
Write-Host "FIRST NAME has been set to" $givname -ForegroundColor Yellow
#Set User Accounts Last Name
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Last Name"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
{$global:setlastname=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
{$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setlastname=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the users last name:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$surname = ($setlastname | Out-String)
$surname = ("$setlastname") + ("")
Write-Host ""
Write-Host "LAST NAME has been set to" $surname -ForegroundColor Yellow
#Set the Department Number for the Active Directory Account
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Cost Center"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
{$global:setcostcode=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
{$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setcostcode=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the cost center for the account:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$costcode = ($setcostcode | Out-String)
$costcode = ("$setcostcode") + ("")
Write-Host ""
Write-Host "COSTCODE has been set to" $costcode -ForegroundColor Yellow
#This creates a checkbox called Employee
$objTypeCheckbox = New-Object System.Windows.Forms.Checkbox
$objTypeCheckbox.Location = New-Object System.Drawing.Size(10,220)
$objTypeCheckbox.Size = New-Object System.Drawing.Size(500,20)
$objTypeCheckbox.Text = "Employee"
$objTypeCheckbox.TabIndex = 4
$objForm.Controls.Add($objTypeCheckbox)
#This creates a checkbox called Citrix User
$objCitrixUserCheckbox = New-Object System.Windows.Forms.Checkbox
$objCitrixUserCheckbox.Location = New-Object System.Drawing.Size(10,240)
$objCitrixUserCheckbox.Size = New-Object System.Drawing.Size(500,20)
$objCitrixUserCheckbox.Text = "Citrix User"
$objCitrixUserCheckbox.TabIndex = 5
$objForm.Controls.Add($objCitrixUserCheckbox)
#Set Permanent or Contractor (Expiration Date)
[void][reflection.assembly]::Load("System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][reflection.assembly]::Load("System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
[System.Windows.Forms.Application]::EnableVisualStyles()
$form1 = New-Object 'System.Windows.Forms.Form'
$datetimepicker1 = New-Object 'System.Windows.Forms.DateTimePicker'
$radiobuttonPermanent = New-Object 'System.Windows.Forms.RadioButton'
$radiobuttonContractor = New-Object 'System.Windows.Forms.RadioButton'
$buttonOK = New-Object 'System.Windows.Forms.Button'
$InitialFormWindowState = New-Object 'System.Windows.Forms.FormWindowState'
$radiobuttonContractor_CheckedChanged={
if($radiobuttonContractor.Checked){
$datetimepicker1.Visible=$true
}else{
$datetimepicker1.Visible=$false
$Form_StateCorrection_Load=
#Correct the initial state of the form to prevent the .Net maximized form issue
$form1.WindowState = $InitialFormWindowState
$Form_Cleanup_FormClosed=
#Remove all event handlers from the controls
try
$radiobuttonContractor.remove_CheckedChanged($radiobuttonContractor_CheckedChanged)
$form1.remove_Load($FormEvent_Load)
$form1.remove_Load($Form_StateCorrection_Load)
$form1.remove_FormClosed($Form_Cleanup_FormClosed)
catch [Exception]
$form1.Controls.Add($datetimepicker1)
$form1.Controls.Add($radiobuttonPermanent)
$form1.Controls.Add($radiobuttonContractor)
$form1.Controls.Add($buttonOK)
$form1.AcceptButton = $buttonOK
$form1.ClientSize = '508, 262'
$form1.FormBorderStyle = 'FixedDialog'
$form1.MaximizeBox = $False
$form1.MinimizeBox = $False
$form1.Name = "form1"
$form1.StartPosition = 'CenterScreen'
$form1.Text = "Form"
$form1.add_Load($FormEvent_Load)
# datetimepicker1
$datetimepicker1.Location = '160, 91'
$datetimepicker1.Name = "datetimepicker1"
$datetimepicker1.Size = '200, 20'
$datetimepicker1.TabIndex = 3
$datetimepicker1.Visible = $False
# radiobuttonPermanent
$radiobuttonPermanent.Location = '33, 57'
$radiobuttonPermanent.Name = "radiobuttonPermanent"
$radiobuttonPermanent.Size = '104, 24'
$radiobuttonPermanent.TabIndex = 2
$radiobuttonPermanent.TabStop = $True
$radiobuttonPermanent.Text = "Permanent"
$radiobuttonPermanent.UseVisualStyleBackColor = $True
# radiobuttonContractor
$radiobuttonContractor.Location = '33, 87'
$radiobuttonContractor.Name = "radiobuttonContractor"
$radiobuttonContractor.Size = '104, 24'
$radiobuttonContractor.TabIndex = 1
$radiobuttonContractor.TabStop = $True
$radiobuttonContractor.Text = "Contractor"
$radiobuttonContractor.UseVisualStyleBackColor = $True
$radiobuttonContractor.add_CheckedChanged($radiobuttonContractor_CheckedChanged)
# buttonOK
$buttonOK.Anchor = 'Bottom, Right'
$buttonOK.DialogResult = 'OK'
$buttonOK.Location = '421, 227'
$buttonOK.Name = "buttonOK"
$buttonOK.Size = '75, 23'
$buttonOK.TabIndex = 0
$buttonOK.Text = "OK"
$buttonOK.UseVisualStyleBackColor = $True
#endregion Generated Form Code
#Save the initial state of the form
$InitialFormWindowState = $form1.WindowState
#Init the OnLoad event to correct the initial state of the form
$form1.add_Load($Form_StateCorrection_Load)
#Clean up the control events
$form1.add_FormClosed($Form_Cleanup_FormClosed)
#Show the Form
$form1.ShowDialog()
#Set the password for the new user account
#Change P@$$w0rd to whatever you want the account password to be
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Password"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
{$global:setpassword=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
{$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setpassword=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,40)
$objLabel.Text = "Please enter the password you wish to set. Press Enter for P@SSw0rd:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,60)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set password and continue
$userpassword = ($setpassword | Out-String)
$userpassword = ("$setpassword") + ("")
if ($userpassword -eq "") {$userpassword = 'P@SSw0rd'}
$password = (ConvertTo-SecureString $userpassword -AsPlainText -Force)
#Set Variables for New-ADUser cmdlet
$dplname = "$surname, $givname"
$upname = "$givname.$surname" + "@" + "$domdns"
$email = "$givname" + "." + "$surname" + "@eta.state.tx.us"
$office = "WBT"
$description = "$costcode"
$description2 = "611IS - Permanent"
$description3 = "611PM - Permanent"
$description4 = "501 - Permanent"
##$loginscript = "yourloginscriptname"
$servername = "teafs2"
$homedir = "\\$($servername)\User\$($samname)"
$homedirpath = "\\$($servername)\User\$($samname)"
$Company= "ETA"
$department = "yourdepartment"
$department4 = "School Finance"
$departmentnumber = "" + "-" + "$costcode"
Write-Host ""
Write-Host "HOME SERVER is" $servername -ForegroundColor Yellow
Write-Host ""
Write-Host "HOME DIRECTORY has been set to" $homedir -ForegroundColor Yellow
Write-Host ""
Write-Host "DEPARTMENT has been set to" $department -ForegroundColor Yellow
Write-Host ""
Write-Host "DESCRIPTION has been set to" $departmentnumber -ForegroundColor Yellow
Write-Host ""
#Create Active Directory Account
New-ADUser -Name $dplname -SamAccountName $samname -DisplayName $dplname `
-givenname $givname -surname $surname -userprincipalname $upname -emailaddress $email `
-Path $targetou -Enabled $true -ChangePasswordAtLogon $true -Department $department `
-OtherAttributes @{'departmentNumber'="$departmentnumber"} -Company $Company -HomeDrive "H" -HomeDirectory $homedir `
-Description $description -Office $office -ScriptPath $loginscript -AccountPassword $password `
#Add User to Active Directory Groups Based on Description Field
If ((Get-ADUser $samname -Properties description).description -eq $description2) {
Add-ADGroupMember -Identity "CN=InformationSystemsPrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=InformationSystemsOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=InformationSystemsNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
If ((Get-ADUser $samname -Properties description).description -eq $description3) {
Add-ADGroupMember -Identity "CN=ProjectMgmtNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=ProjectMgmtOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=ProjectMgmtPrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Cognos ETASE Dev-Test-Prod,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=PMO ALL,OU=Distribution Groups,OU=Mailbox accounts,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=PMO Permanent,OU=Distribution Groups,OU=Mailbox accounts,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
If ((Get-ADUser $samname -Properties description).description -eq $description4) {
Add-ADGroupMember -Identity "CN=SchoolFinancePrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=SchoolFinanceOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=SchoolFinanceNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
#Does the user require a mailbox?
$mailbox = New-Object -ComObject wscript.shell
$intAnswer = $mailbox.popup("Does this user require a mailbox?", `
0,"Create Mailbox",32+4)
If ($intAnswer -eq 6) {
Add-ADGroupMember -Identity "YourADGroupName5" -Member $samname
$mailbox.popup("User added to EMail Provisioning Group", `
0,"Created",64+0)
} else {
$mailbox.popup("User has not been added to the EMail Provisioning Group", `
0,"Not Created",64+0)
#Does the user require a LYNC Account?
$lyncaccount = New-Object -ComObject wscript.shell
$intAnswer = $lyncaccount.popup("Does this user require a LYNC Account?", `
0,"Create LYNC Account",32+4)
If ($intAnswer -eq 6) {
Add-ADGroupMember -Identity "YourADGroupName6" -Member $samname
$lyncaccount.popup("User added to LYNC Provisioning Group", `
0,"Created",64+0)
} else {
$lyncaccount.popup("User has not been added to the LYNC Provisioning Group", `
0,"Not Created",64+0)
#Create Home Directory and Set Permissions on Home Directory
New-Item -path $homedirpath -type directory
$acl = Get-ACL -path $homedirpath
$permission = "yourdomainname\$($samname)","Modify","ContainerInherit,ObjectInherit","None","Allow"
$accessrule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessrule)
$acl | Set-ACL -path $homedirpath
##Set Share Permissions on Home Directory
$Computer = $servername
$Class = "Win32_Share"
$Method = "Create"
$name = $sharename
$path = $sharedirpath
$description = ""
$sd = ([WMIClass] "\\$Computer\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
$ACE = ([WMIClass] "\\$Computer\root\cimv2:Win32_ACE").CreateInstance()
$Trustee = ([WMIClass] "\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
$Trustee.Name = "EVERYONE"
$Trustee.Domain = $Null
$Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
$ace.AccessMask = 2032127
$ace.AceFlags = 3
$ace.AceType = 0
$ACE.Trustee = $Trustee
$sd.DACL += $ACE.psObject.baseobject
$mc = [WmiClass]"\\$Computer\ROOT\CIMV2:$Class"
$InParams = $mc.psbase.GetMethodParameters($Method)
$InParams.Access = $sd
$InParams.Description = $description
$InParams.MaximumAllowed = $Null
$InParams.Name = $name
$InParams.Password = $Null
$InParams.Path = $path
$InParams.Type = [uint32]0
$R = $mc.PSBase.InvokeMethod($Method, $InParams, $Null)
switch ($($R.ReturnValue))
0 {Write-Host "Share:$name Path:$path Result:Success"; break}
2 {Write-Host "Share:$name Path:$path Result:Access Denied" -foregroundcolor red -backgroundcolor yellow;break}
8 {Write-Host "Share:$name Path:$path Result:Unknown Failure" -foregroundcolor red -backgroundcolor yellow;break}
9 {Write-Host "Share:$name Path:$path Result:Invalid Name" -foregroundcolor red -backgroundcolor yellow;break}
10 {Write-Host "Share:$name Path:$path Result:Invalid Level" -foregroundcolor red -backgroundcolor yellow;break}
21 {Write-Host "Share:$name Path:$path Result:Invalid Parameter" -foregroundcolor red -backgroundcolor yellow;break}
22 {Write-Host "Share:$name Path:$path Result:Duplicate Share" -foregroundcolor red -backgroundcolor yellow;break}
23 {Write-Host "Share:$name Path:$path Result:Reedirected Path" -foregroundcolor red -backgroundcolor yellow;break}
24 {Write-Host "Share:$name Path:$path Result:Unknown Device or Directory" -foregroundcolor red -backgroundcolor yellow;break}
25 {Write-Host "Share:$name Path:$path Result:Network Name Not Found" -foregroundcolor red -backgroundcolor yellow;break}
default {Write-Host "Share:$name Path:$path Result:*** Unknown Error ***" -foregroundcolor red -backgroundcolor yellow;break}Would you be able to show me how it's done?
Here's an example:
$date = Read-Host 'Enter a date (e.g. 4/23/14)'
Write-Host "Original string: $date"
$dateTime = [datetime]$date
Write-Host "DateTime object: $dateTime"
Don't retire TechNet! -
(Don't give up yet - 12,830+ strong and growing) -
Creating active directory users with dscl
Our mac workstations (OSX 10.8) are bound to a 2008 Active Directory server. We are attempting to use some existing dscl scripts on the mac client computer to create Active directory users. We can successfully read and change AD attributes of an existing user with dscl, but creating new users or new attributes for an existing user gives us an error. Here are some examples.
SUCCESSFUL READ OF AD USER ATTRIBUTE:
root# dscl -u administrator "/Active Directory/CXAD/All Domains" -read /Users/jholmes SMBHomeDrive
Password:
SMBHomeDrive: H:
root#
SUCCESSFUL DELETE OF ABOVE USER ATTRIBUTE
root# dscl -u administrator "/Active Directory/CXAD/All Domains" -delete /Users/jholmes SMBHomeDrive
Password:
root#
FAILED ATTEMPT AT RE-CREATING THE DELETED ATTRIBUTE
root# dscl -u administrator "/Active Directory/CXAD/All Domains" -create /Users/jholmes SMBHomeDrive
Password:
<main> attribute status: eDSInvalidRecordType
<dscl_cmd> DS Error: -14130 (eDSInvalidRecordType)
root#
The same error occurs when attempting to create a new user. Any ideas? Thanks in advance for any suggestions.In the end I could not find them; account info is ONLY stored locally in Open Directory when they have mobile accounts.
However, I found I could migrate their user directories in Terminal via ditto ( I connected the old macs via Firewire Target mode) , and when they log in all their stuff and settings are there.
the command is: ditto /Volumes/<old mac hard drive>/Users/<username> /Users/<username> -
'Public' Active Directory account no longer works w/Tiger?
We have approx 20 public Macs that all log onto our Windows 2003 server using the same Active Directory account - 'Public'
This has worked fine until Tiger - Now when we attempt to log onto one of our network drives with this account name I'm told by a pop-up window that the account is either disabled or I've put the password in incorrectly.
Can anyone confirm if 'Public' cannot be used by a user on Tiger? Is it exclusively for the OS?Ran accross this in help file...
"Mac OS X 10.3 or later: "Invalid user name and password combination" Message When Using Active Directory
When binding a Mac OS X client computer to Active Directory, the account entered is not validated (resolved) at that time. It is used as entered. If entered incorrectly, you will see an alert message later.
Symptom
After configuring the Active Directory Directory Access plug-in, an alert message appears at the client computer that says "invalid user name and password combination."
Products affected
Mac OS X 10.3 or later
Solution
This happens when an incorrect name and/or password is entered, including a username entered with incorrect syntax.
The user's login name (also known as "PrincipalName") is required when binding a computer to Active Directory.
The user can also use the short part of the login name (such as "virginia"). The typical syntax of a login name is similar to "[email protected]".
Note: If the user's login name has been modified from the default "[email protected]", then the default login name must be used. The modified login name (such as "[email protected]") cannot be used." -
ActiveSync mail/contacts/calendars removed after Active Directory account is locked out?
Hey guys,
Wondering if anybody has seen an issue like this. This is a new Exchange 2010 deployment (8+ CAS servers) and the devices are all iPhones/iPads running the latest version of iOS (7.1.2). The CAS servers are behind a load-balancer.
Basically when a users' Active Directory account is Locked in AD (either manually or by entering the wrong password) their ActiveSync Contacts, Calendars and all Mail folders (except the Inbox strangely!) will be removed from the iOS device within a few hours. So an account might get locked out at say 6pm, if left locked out by the next morning the ActiveSync account will still be setup on the device as normal, but everything is gone except the mail in the Inbox. If a user has an iPad and iPhone both will be blanked.
The behaviour is similar to what is documented here - iOS: How to mitigate a full sync or reload of Exchange account data - however the Exchange servers are not issuing HTTP500 errors as we have captured logging during the window where the device blanks itself.
Any thoughts would be appreciated!
Thanks!Hello,
which event ids are shown in the event viewer from the DCs? Or maybe locally also some errors are locked that give some more details.
If this happens it sounds personally for me that Java is the problem. Have you already opened a call at
https://community.oracle.com/welcome ?
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights. -
Active Directory account lockout from OS X Server
I'm looking for assistance in tracking down why our 10.9 Mac server is constantly trying to use my Active Directory account. I changed my password a week ago and have been getting locked out constantly, and it appears the lockouts are coming from invalid password attempts from this OS X server. However, I don't know why the server would be using my AD credentials since I login to the Mac with an admin account and not my own. The only thing I can think of that may have used my AD credentials is connecting to a network file share at some point in the past, but I wouldn't have saved the credentials and it shouldn't be auto-mapping the share. The Mac itself is bound to Active Directory too.
I checked the Login Items and there is nothing there. I also reset the keychain to defaults and that didn't help. Does anyone else have any ideas for me to try to narrow down what the OS X server may be trying to use my credentials for?So I'm going to guess I'm the only one that's ever had this issue...
Further digging with Wireshark shows that the OS X server is indeed issuing bind requests using my old AD account credentials multiple times per minute. I tried unbinding and rebinding, but that didn't help. The requests also start right away after a reboot, so whatever is using my credentials is doing so prior to any user logins on the server. Now I'm trying to track down what is actually issuing these requests on the server
In a span of a few seconds the machine issues three bind requests. The first is
bindRequest (1) "[email protected]" simple
Followed by
bindRequest (1) "<ROOT>" sasl
then
bindRequest (2) "<ROOT>" sasl
Anyone have an idea for me as to how to track down where my user account comes into play? It wasn't used to bind the machine to AD, I didn't see it anywhere in the keychain, and I only have a few apps running on the server, none of which use AD authentication or would request binding. -
Hey Scripting Guys,
I have been in and out of Powershell last few years, not that great at it tbh !!! I'm looking for advice on how I can as in Title, Create a Powershell script to Scan Active Directory Attributes for Country and Department ,Then add to Group then add to Distribution
list based on Region/Country
I was thinking along the lines of get-aduser -LDAPFilter "(department=SALES France) and adding a where clause for country.
Any help would be great.
DecSo I have tried a few variations but get errors on both
get-aduser -LDAPFilter "(&(department=SALES)(c=us))" | Add-ADPrincipalGroupMembership -MemberOf "testgroup"
get-aduser -LDAPFilter "(&(department=SALES)(c=fr))" | Add-ADGroupMember -identity "testgroup"
Add-ADPrincipalGroupMembership : Object reference not set to an instance of an
object.
At line:1 char:86
+ get-aduser -LDAPFilter "(&(department=SALES)(c=fr))" | Add-ADPrincipalGroupMe
mbership <<<< -MemberOf "testgroup"
+ CategoryInfo : NotSpecified: (:) [Add-ADPrincipalGroupMembershi
p], NullReferenceException
+ FullyQualifiedErrorId : Object reference not set to an instance of an ob
ject.,Microsoft.ActiveDirectory.Management.Commands.AddADPrincipalGroupMem
bership -
Pre-populate adapter for setting the Active Directory OU for a user
Hi All
I created a pre-populate adapter that set the Active Directory OU for a user...
In the end the status of the resource is still showing "provisioning"..
It must be "Provsioned"..did I miss something ?
The logs speak as below :-
08:01:12,678 INFO [STDOUT] Running Create User
08:01:12,678 INFO [STDOUT] Before appending Root Context:OU=Human Resources,
08:01:12,678 INFO [STDOUT] tcUtilLDAPController.java : hierString : OU=Human Resources,dc=mydomain,dc=com
08:01:13,553 ERROR [ACTIVEDIRECTORYCONTROLLER] Problem creating object: javax.naming.OperationNotSupportedException: [LD
AP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=ASYMONDS'
08:03:18,756 INFO [[xlWebApp]] action: LogonAction: User 'XELSYSADM' logged on in session 8116CBC0FA1481D06A207A1941B9
E096
08:22:31,256 ERROR [WEBAPP] Class/Method: ProvisionedResourcesForUserAction/confirmEnableSelection encounter some proble
ms: No checkbox was checked.Just verify the OU value is correctly populated , first try doing the provisioning by manually giving OU and everything .
Is it successful ?
Then we can check if something wrong going with pre pop.
Thanks
Suren -
Error in creating activity from Account application ( from activity tab)
Hi Experts,
We are getting this error when try to create Activity from Account application in PCUI. But the same thing is working fine in at GUI level & actions profile assigned to Activity transaction is also working fine at GUI level. But in PCUIit is throwing this below error.
Diagnosis
You have attempted to create a follow-up transaction for an incorrect transction 2000764. This is not possible. You can only create follow-up transactions for error-free transactions.
System Response
The follow-up transaction is not created.
Procedure
Correct the errors in the source transaction 2000764. The error messages resulting from processing the error can be read in the application log in the source transaction.
Pls suggest solution for this.
Thanks in Advance.
Regards,
Basavaraj PatilHi Experts,
We are getting this error when try to create Activity from Account application in PCUI. But the same thing is working fine in at GUI level & actions profile assigned to Activity transaction is also working fine at GUI level. But in PCUIit is throwing this below error.
Diagnosis
You have attempted to create a follow-up transaction for an incorrect transction 2000764. This is not possible. You can only create follow-up transactions for error-free transactions.
System Response
The follow-up transaction is not created.
Procedure
Correct the errors in the source transaction 2000764. The error messages resulting from processing the error can be read in the application log in the source transaction.
Pls suggest solution for this.
Thanks in Advance.
Regards,
Basavaraj Patil -
Snow leopard Active directory account taking a long time to verify password
Hi,
My mac is configured to use an active directory account (windows small biz server 2008), i configured a mobile account when i was still under leopard and it was working fine. Since i upgraded to snow leopard i started experience the following issues:
When i am out of the office (not connected on the domain), logging in to my mac take about 5min after i type the password, same thing when the mac awakes from sleep, i type my password and it says verifying password and this takes about 5 minutes to complete! Another issue i am experiencing is that whenever i put my mac to sleep, when it wakes up most of the running applications crash and i have to restart them. i was hoping 10.6.2 would fix that but it didn't.
Sorry for the long post. Thank you in advance for your support!I guess we will have to wait for someone to give us a clue, or for apple to release 10.6.3 .
-
I have an iTunes account for my personal iPod Touch - have had for several years. When my work provided me with an iPhone and now and iPad 2, they all fall under my personal iTunes account. Is it possible for me to create a separate account for my work devices and apps, while leaving my personal account intact? I use both my compter at home and at work to sync occasionally.
A much simpler solution would be to go into Settings > Store and turn off Automatic Downloads
-
I have an I phone and my own I tunes account and just purchased an ITouch for my daughter - how do i create a seperate account for her on my computer? I want to make sure that my apps do not sync on her I touch.
Go into Setttings -> Messages and make sure your Caller ID setting for Messages is set properly.
-
I have four iphones on my icloud account, can i create an icloud account for each phone?
I have four iphones on my icloud account, can i create an icloud account for each phone?
Welcome to the Apple Community Joe.
There is nothing stopping you doing so, but you won't be able to sync anything between them. -
HT204053 how can i create multiple icloud accounts for my family members
how can i create multiple icloud accounts for my family members
Thanks... I appreciate the reply. Since I wrote the previous email, I actually went and changed my apple id (the main id) and the documentation I looked at said iCloud will set mail up automatically(?)... I had it working before.
Also, I tried to manually set up the ID via the Mail Accounts screen(s) and I can't figure out what my server information is... Pop or Imap? What's the outgoing server and the incoming server?
I typically have never had problems setting up mail accounts (in apple mail) with no problem.
Can anyone point me in the right direction?
Thanks in advance!
Maybe you are looking for
-
How can I change my iCloud Account information?
I used to use my dad's Apple ID, so I shared it with my sister. So for the iCloud Account Information part, using my dad's Apple ID,(this is how I got the iCloud Account Information on my sister's iPod: Settings>iCloud>Account>Mail) (here's how I got
-
I tried creating a new ID and installing another DE for that ID. Still won't recognize Nook HD. Help!
-
Can see iphone backup I want in preferences but can't back up from it in itunes
I had my iphone4 stolen at the weekend and am trying to restore my old iphone3G to my most recent previous backup. I can see the backup (from April) in itunes preferences, under devices, but it does not show up as a possible backup to restore from in
-
Hi Experts, What is the use of SALRT, SXMSCLUP and SXMSCLUR table in XI. Please explain what it is doing exactly and in which cases they are using, your explanation is really helpful for me. Regards, Madhu.
-
Why do some of my apps crash after 4.3.3 update?
I updated my iPhone 4 to 4.3.3 yesterday and, like quite a few people, I am having a problem with apps crashing instantly. However, unlike a lot of the posts I've seen, only a few of my apps crash, the rest work fine. I tried powering off my phone an