Creating user accounts

Let's look at how to create user accounts, including the mailbox, the home directory and the profile directory. You need 1) the Exchange 2007 Management Shell snap-in; 2) the Quest ActiveRoles Management PowerShell snap-in; and 3) xcacls.vbs in the same directory as the script. The script is documented in English, but I don't think that should be a big problem.

 

Write-Host "============ Create new domain user ============" -foregroundcolor Cyan
 
$username = Read-Host "Username "
## check if only letters were used
$regex = "^([a-zA-Z]+)$" ## only text, no spaces, no numbers
If ($username -notmatch $regex) {
      Write-Host "Invalid username specified. $username" -foregroundcolor Cyan
      break
}
 
## Check if there's already a user with this samAccountName
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainnb = "DOMAIN"
$root = $dom.GetDirectoryEntry()
 
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(samAccountName=$username)"
$result = $search.FindOne()
 
if ($result -ne $null) {
      $user = $result.GetDirectoryEntry()
      Write-Host "There is already a user account $username." -foregroundcolor Cyan
      Write-Host "User found: " $user.distinguishedName -foregroundcolor Cyan
      break
}
 
$surname = read-host "User's last name (surname) "
$regex = "^([a-zA-Z'-]+)$" ## allows characters and dashes only
If ($surname -notmatch $regex) {
      Write-Host "Invalid surname specified. $surname" -foregroundcolor Cyan
      break
}
 
$tussenvoegsel = read-host "Infix. I.e. van den "
 
$name = Read-Host "User's first name "
 
$tel = Read-Host "Extension number "
$regex = "^(7|8)\d{3}$" ## 4 digit extension numbers, starting with 7 or 8 only.
If ($tel -notmatch $regex) {
      Write-Host "Invalid extension number specified. $tel" -foregroundcolor Cyan
      break
}
 
$passwd = Read-Host "Specify user's password "
## Password must be at least 6 characters, 
## no more than 15 characters, 
## and must include at least one upper case letter, 
## one lower case letter, and one numeric digit.
$regex = "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{6,15}$"
If ($passwd -notmatch $regex) { ## $passwd is the variable read above; $password was never set
      Write-Host "Invalid password specified. $passwd" -foregroundcolor Cyan
      break
}
 
$DisplayName = "$surname, $name $tussenvoegsel"
$homeroot = "\\server1\mydocuments"
$profileroot = "\\server1\profiles"
 
Write-Host "================================================" -foregroundcolor Cyan
Write-Host "Creating user $DisplayName using New-Mailbox cmdlet.." -foregroundcolor Cyan
 
New-Mailbox -Name $DisplayName.Trim() `
      -Database "EXCHSRVR\Mailbox Store\Mailbox Database" `
      -Password (convertto-securestring $passwd -asplaintext -force) `
      -UserPrincipalName "$username@DOMAIN.LOCAL" `
      -ActiveSyncMailboxPolicy "Default" `
      -Alias $username `
      -Confirm `
      -DisplayName ($DisplayName.Trim()) `
      -FirstName "$name $tussenvoegsel" `
      -LastName $surname `
      -OrganizationalUnit "DOMAIN.LOCAL/OU Users " `
      -ResetPasswordOnNextLogon $true `
      -SamAccountName $username
 
## Wait for the DCs to pick up the change
Start-Sleep -s 10
 
## Modify user properties
Get-QADUser $username | Set-QADUser -PhoneNumber $tel `
                                   -UserPassword $passwd
 
Write-Host "================================================" -foregroundcolor Cyan
 
## Create home directory with permissions
If ( !(Test-Path -Path "$homeroot\$username" -PathType Container) ) {
      ## Doesn't exist so create it.
      Write-Host "home directory doesn't exist. Creating home directory." -ForegroundColor Cyan
      
      ## Create the directory
      New-Item -path $homeroot -Name $username -ItemType Directory
      $homedir = "$homeroot\$username"
      
      ## Modify  Permissions on homedir
 
      ## Instead of using the .NET approach of setting NTFS permissions, using xcacls is quicker:
      cscript xcacls.vbs $homedir /E /G `"$domainnb\$username`":M  ## $domainnb is the NetBIOS name set at the top
      
      ## The .NET approach - remmed out
      ## To list available rights options, run: [system.enum]::getnames([System.Security.AccessControl.FileSystemRights])
      ## To list available inheritance flags, run: [system.enum]::getnames([System.Security.AccessControl.InheritanceFlags])
      ## Idem for Propagation flags.
      #$newrights = [System.Security.AccessControl.FileSystemRights]"Modify"
      #$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::"ObjectInherit"
      #$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::"InheritOnly"
      #$Typ = [System.Security.AccessControl.AccessControlType]::Allow
      #$ID = new-object System.Security.Principal.NTAccount($domainnb + "\" + $username)
      #$SecRule = new-object System.Security.AccessControl.FileSystemAccessRule($ID, $newrights, $InheritanceFlag, $PropagationFlag, $Typ)
      
      #$myACL = Get-Acl -Path $homedir
      #$myACL.AddAccessRule($SecRule) 
      #Set-ACL -AclObject $myACL $homedir
}
Else {
      Write-Host "home directory already exists. Script end." -ForegroundColor Cyan
      Break
}
 
## Create Profile directory with permissions
If ( !(Test-Path -Path "$profileroot\$username" -PathType Container) ) {
      ## Doesn't exist so create it.
      Write-Host "profile directory doesn't exist. Creating profile directory." -ForegroundColor Cyan
      
      ## Create the directory
      New-Item -path $profileroot -Name $username -ItemType Directory
      $profiledir = "$profileroot\$username"
 
      ## Modify Permissions on profile dir
 
      ## Instead of using the .NET approach of setting NTFS permissions, using xcacls is quicker:
      cscript xcacls.vbs $profiledir /E /G `"$domainnb\$username`":M
      
      ## The .NET approach - remmed out
      ## To list available rights options, run: [system.enum]::getnames([System.Security.AccessControl.FileSystemRights])
      ## To list available inheritance flags, run: [system.enum]::getnames([System.Security.AccessControl.InheritanceFlags])
      ## Idem for Propagation flags.
      #$newrights = [System.Security.AccessControl.FileSystemRights]"Modify"
      #$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::"None"
      #$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::"None"
      #$Typ = [System.Security.AccessControl.AccessControlType]::Allow
      #$ID = new-object System.Security.Principal.NTAccount($domainnb + "\" + $username)
      #$SecRule = new-object System.Security.AccessControl.FileSystemAccessRule($ID, $newrights, $InheritanceFlag, $PropagationFlag, $Typ)
      #$myACL = Get-Acl -Path $profiledir
      #$myACL.AddAccessRule($SecRule) 
      #Set-ACL -AclObject $myACL $profiledir
}
Else {
      Write-Host "profile directory already exists. Script end." -ForegroundColor Cyan
      Break
}
 
## Modify user properties
Get-QADUser $username | Set-QADUser -ObjectAttributes @{homeDrive='H:';homeDirectory=$homedir;profilePath=$profiledir}
 
## User created. Listing properties
$info = Get-QADUser $username -IncludeAllProperties | fl DN,Name,DisplayName,userPrincipalName, `
      samAccountName,givenName,sn,homeDrive,homeDirectory, `
      ProfilePath,telephoneNumber,email
 
Write-Host "User created with the following properties: " -ForegroundColor Cyan
$info
 
Write-Host "================= Script End =================" -foregroundcolor Cyan
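The xcacls.vbs call above grants the new user Modify on the home and profile directories, but the script never checks what the resulting ACL looks like (for example, whether broad principals were inherited from the share root). The following is an added example, not part of the original post: a native .NET replacement for the xcacls.vbs step, written with inheritance flags that cover the folder itself, its subfolders and its files (the commented-out variant in the script, ObjectInherit plus InheritOnly, would reach files only), followed by a check of the ACL that was actually applied. It assumes the `$homedir`, `$domainnb` and `$username` variables defined by the script above; the function names are my own.

```powershell
## Added example: grant a user Modify on a directory with .NET ACL classes, then verify the result.
## Assumes the directory already exists and $Account is in NetBIOS form, e.g. "DOMAIN\jdoe".

function Set-UserDirectoryAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,     # e.g. \\server1\mydocuments\jdoe
        [Parameter(Mandatory)] [string] $Account   # e.g. DOMAIN\jdoe
    )
    # Modify on this folder, subfolders and files: ContainerInherit + ObjectInherit,
    # PropagationFlags None so the ACE also applies to the folder itself.
    $rights      = [System.Security.AccessControl.FileSystemRights]::Modify
    $inherit     = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $type        = [System.Security.AccessControl.AccessControlType]::Allow

    $identity = New-Object System.Security.Principal.NTAccount($Account)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, $propagation, $type)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-UserDirectoryAcl {
    # Returns a list of problems found; an empty list means the ACL is as intended.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account
    )
    $acl = Get-Acl -Path $Path
    $problems = @()
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $ci     = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $oi     = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    # 1. The user must hold at least Modify, inheritable to subfolders and files.
    $ok = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify) -and
        (($_.InheritanceFlags -band $ci) -ne 0) -and
        (($_.InheritanceFlags -band $oi) -ne 0)
    }
    if (-not $ok) { $problems += "$Account does not have inheritable Modify on $Path" }

    # 2. Broad principals should not have Allow entries on a personal directory;
    #    these usually arrive through inheritance from the share root.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
            $problems += "$($ace.IdentityReference.Value) has $($ace.FileSystemRights) on $Path" +
                         $(if ($ace.IsInherited) { " (inherited)" } else { "" })
        }
    }
    return $problems
}

# Usage with the variables the script above defines:
# Set-UserDirectoryAcl  -Path $homedir -Account "$domainnb\$username"
# $issues = Test-UserDirectoryAcl -Path $homedir -Account "$domainnb\$username"
# if ($issues) { $issues | ForEach-Object { Write-Host $_ -ForegroundColor Yellow } }
```

The check is worth running on the profile directory as well; if it reports inherited entries for Everyone or Authenticated Users, the fix belongs on the share root (or in disabling inheritance on the per-user folder), not in the per-user grant.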