Hey, Scripting Guy! How Can I Create More Than One User, Assign Attribute Values, and Assign the Users to Groups?

ScriptingGuy1

Hey, Scripting Guy! Question

Hey, Scripting Guy! I enjoyed your article yesterday about creating a local user account. However, for my purposes I need to be able to create more than one user. Also I would like to be able to assign values to attributes such as the description. If it is not asking too much, I would also like to be able to assign the user to a group. After all, a user that is not a member of a group is pretty much useless from a security perspective.

– WC

SpacerHey, Scripting Guy! Answer

Hi WC,

Users go into groups. Groups get assigned permission to access resources. MCSE 101 stuff! When we were taking one of my first MCP exams for Windows NT 3.51, we had a test that harped on that over and over again. If you remembered that mantra, you could pass the exam. The test was boring! In the end, we quit reading the questions, and just read the answers. If the answer was something that looked like “place the user in a group—give the group permission to access the resource,” we selected that answer. By the way, we passed. Oh, you wanted a script didn’t you?

This week we will be looking at scripting Windows PowerShell as it applies to local account management. This is an area that comes up from time to time and for which there are not an awful lot of resources from which to choose. We have these tasks in the Script Center Script Repository pretty well hidden away in the Other Directory Services category. There are some great scripts in the Community-Submitted Scripts Center. Local account management has been a favorite topic of the “Hey, Scripting Guy!” articles over the years, and as a result we have a good selection of articles grouped together in the “Hey, Scripting Guy!” archive. The most extensive reference you will find is the MSDN coverage of the WinNT ADSI provider.

We decided to write the ReadCSVCreateLocalUsersAddToGroup.ps1 script. We don’t really have this exact VBScript on the Script Center. Here is a script that adds a user to a local group, and here is a script that creates a local user. You would need to combine them and then add the code to read a text file if you wanted to reproduce the ReadCSVCreateLocalUSersAddToGroup.ps1 script in VBScript.

$computer = $Env:ComputerName
$text = "C:\fso\LocalUsers.txt"
$user = import-csv -path $text
   foreach($strUser in $user)
    {
     $user = $struser.user
     $password = $struser.password
     $description =  $struser.description
     $group = $struser.group
     Clear-Host
     $ObjOU = [ADSI]"WinNT://$computer"
     $objUser = $objOU.Create("User", $user)
     $objUser.setpassword($password)
     $objUser.put("description",$description)
     $objUser.SetInfo()
     $objGroup = [ADSI]"WinNT://$computer/$group"
     $objGroup.add("WinNT://$computer/$user")
     $objGroup.SetInfo()
    }

The first thing we do is create a variable named $computer and assign the name of the local computer to it. We obtain the name of the local computer by reading the value of the environmental variable ComputerName. This value is obtained from the Environmental PSDrive as seen here:

$computer = $Env:ComputerName

After we have the computer name, we type the path to the LocalUsers.txt file and assign the string to the $text variable. The LocalUsers file is actually a comma separated value (CSV) file. We just got tired of it opening up in Microsoft Excel each time we accidently double clicked it, so we gave it a .txt extension. Now if we accidently double click it, the contents are immediately displayed in Notepad. The contents of the LocalUsers.txt file are seen here:

$text = "C:\fso\LocalUsers.txt"

Image of the contents of the LocalUsers.txt file

 

After we specify the path to the LocalUsers.txt file, we feed it to the Import-Csv cmdlet. The resulting custom WIndows PowerShell object is stored in the $user variable. If we were to use the Import-Csv cmdlet without storing the returned object in a variable, the results would look very similar to the text file itself. We will be able to access these values via a dotted notation later on in the script.

PS C:\> Import-Csv -Path C:\fso\localUsers.txt

user                password            description         group
----                --------            -----------         -----
auser               P@ssword1           a user from script  users
buser               P@ssword1           b user from script  users
cuser               P@ssword1           c user from script  users

The command that reads the csv file is shown here:

$user = import-csv -path $text

Next we need to walk through the collection of user information that is contained in the $user variable. To do this, we use the ForEach statement as seen here.

   ForEach($strUser in $user)
    {

It is time to populate the variables we will use when creating the user. We decide to recycle the $user variable to hold the user name from the csv file. We store the password in the $password variable, the description goes in the $description variable, and the group name goes into the $group variable:

$user = $struser.user
     $password = $struser.password
     $description =  $struser.description
     $group = $struser.group

We now use the Clear-Host function to remove any distracting information that may be displayed on the Windows PowerShell console window. This is seen here:

Clear-Host

When we have populated all the variables, we now make the connection to the local account database. To do this, we use the [adsi] type accelerator, and specify the WinNT ADSI provider. We feed it the computer name stored in the $computer variable and store the returned object in the $objOU variable as seen here:

$ObjOU = [ADSI]"WinNT://$computer"

After we have made the connection to the local account database, we call the create method. We tell it we want to create a user, and we give it the name of the user from the $user variable. This is seen here:

$objUser = $objOU.Create("User", $user)

We now need to assign a password for the local user. To do this, we use the setpassword method and we give it the password contained in the $password variable:

$objUser.setpassword($password)

After setting the password, we decide to assign a description to the user. To do this we use the put method to write to the description attribute the value we stored in the $description variable:

$objUser.put("description",$description)

Next we need to commit the information back to the account database. To do this, we use the SetInfo method as seen here:

$objUser.SetInfo()

At this point, the user account actually has been created. There are not very many attributes exposed for a local user account. The auser user dialog box is seen here:

Image of the auser user dialog box

 

We need for the user account to exist before attempting to assign the user account to a group. It may seem obvious to some, but it is impossible to assign a nonexistent user to a group. To assign a user to a group, we need to first grab the Group object. To do this, we once again dig out the [ADSI] type accelerator, and once again we use the WinNT ADSI provider, and we use the computer name from the $computer variable and the group that was specified in the $group variable. We store the Group object that is returned in the $objGroup variable as seen here:

$objGroup = [ADSI]"WinNT://$computer/$group"

Now we use the add method from the Group object to add the user to the group. We need to use the WinNT provider together with the name of the computer and the name of the user to be able to add the user to the group. This is seen here:

$objGroup.add("WinNT://$computer/$user")

Now that we have connected to the group, and used the add method from the group to add the user to the group, it is time to commit the changes to the account database. We do this by using the SetInfo method as shown here:

$objGroup.SetInfo()
    }

We open the Users group property sheet as seen in the following image, and all of our newly created user accounts have been added to the Users group. So the script worked.

Image of the Users group property sheet

 

Well, WC, that is it. Users go into groups, and we can use the [adsi] type accelerator and the WinNT provider to make it happen. Hope you enjoy the script. We will see you tomorrow as Local Account Management Week continues. Until tomorrow, keep cool.

 

Ed Wilson and Craig Liebendorfer, Scripting Guys

0 comments

Discussion is closed.

Feedback usabilla icon