Usuário com melhor resposta
Criação de usuário via script

Pergunta
-
Na rede que comecei a administrar, todos os usuários têm privilégios administrativos no Windows XP Professional.
Existe alguma maneira de criar um .bat que possa adicionar uma conta nova de usuário (por exemplo, admin), definir a senha e dar a ela poderes administrativos nas estações, sem que eu precise ir pessoalmente fazer isso em cada estação? Tenho pelo menos 150 estações nesse perfil!
Obrigado,
Respostas
-
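## Interactive provisioning script: creates a mailbox-enabled DOMAIN user, then
## creates the user's home and profile directories and writes the related AD
## attributes.
##
## Scope: this creates a domain account through New-Mailbox. It does not create
## or modify local accounts or local group membership on workstations.
##
## Requires: the Exchange cmdlet New-Mailbox and the Quest ActiveRoles cmdlets
## Get-QADUser / Set-QADUser loaded in the session, plus xcacls.vbs reachable
## from the current directory.
##
## "DOMAIN", "DOMAIN.LOCAL", "EXCHSRVR" and "\\server1" are placeholders that
## must be replaced with the values of the target environment.

Write-Host "============ Create new domain user ============" -ForegroundColor Cyan

$username = Read-Host "Username "

## Letters only: no spaces, no digits. Because of this check the value can be
## interpolated into the LDAP filter and the UNC paths below without escaping.
$regex = '^([a-zA-Z]+)$'
If ($username -notmatch $regex) {
    Write-Host "Invalid username specified. $username" -ForegroundColor Cyan
    ## 'return' ends the script; a bare 'break' outside a loop would also
    ## terminate any loop in a calling script.
    return
}

## Check if there's already a user with this samAccountName
$dom      = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainnb = "DOMAIN"   ## NetBIOS domain name, used when granting NTFS rights
$root     = $dom.GetDirectoryEntry()
$search   = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(samAccountName=$username)"
$result = $search.FindOne()
if ($result -ne $null) {
    $user = $result.GetDirectoryEntry()
    Write-Host "There is already a useraccount $username." -ForegroundColor Cyan
    Write-Host "User found: " $user.distinguishedName -ForegroundColor Cyan
    return
}

$surname = Read-Host "User's last name (surname) "
## Letters, apostrophes and dashes only
$regex = "^([a-zA-Z'-]+)$"
If ($surname -notmatch $regex) {
    Write-Host "Invalid surname specified. $surname" -ForegroundColor Cyan
    return
}

## NOTE(review): infix and first name are not validated before they are used
## in the display name - confirm that is intended.
$tussenvoegsel = Read-Host "Infix. I.e. van den "
$name = Read-Host "User's first name "

$tel = Read-Host "Extension number "
## 4 digit extension numbers, starting with 7 or 8 only.
$regex = '^(7|8)\d{3}$'
If ($tel -notmatch $regex) {
    Write-Host "Invalid extension number specified. $tel" -ForegroundColor Cyan
    return
}

## Read the password without echoing it to the console.
$securePasswd = Read-Host "Specify user's password " -AsSecureString

## The complexity check and Set-QADUser below need the plain text, so it is
## recovered here; the unmanaged copy is zeroed as soon as it has been read.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePasswd)
try {
    $passwd = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
}
finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

## Password must be at least 6 characters,
## no more than 15 characters,
## and must include at least one upper case letter,
## one lower case letter, and one numeric digit.
## NOTE(review): this is only a local pre-check; the domain password policy is
## what is enforced. The 6-character minimum and 15-character cap are weak by
## current standards - confirm against policy.
$regex = '^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{6,15}$'
## The original tested the undefined $password, so this check rejected every
## input; it must test $passwd. The rejected value is deliberately not printed.
If ($passwd -notmatch $regex) {
    Write-Host "Invalid password specified." -ForegroundColor Cyan
    return
}

$DisplayName = "$surname, $name $tussenvoegsel"
$homeroot    = "\\server1\mydocuments"
$profileroot = "\\server1\profiles"

Write-Host "================================================" -ForegroundColor Cyan
Write-Host "Creating user $DisplayName using New-Mailbox cmdlet.." -ForegroundColor Cyan

New-Mailbox -Name $DisplayName.Trim() `
    -Database "EXCHSRVR\Mailbox Store\Mailbox Database" `
    -Password $securePasswd `
    -UserPrincipalName "$username@DOMAIN.LOCAL" `
    -ActiveSyncMailboxPolicy "Default" `
    -Alias $username `
    -Confirm `
    -DisplayName ($DisplayName.Trim()) `
    -FirstName "$name $tussenvoegsel" `
    -LastName $surname `
    -OrganizationalUnit "DOMAIN.LOCAL/OU Users " `
    -ResetPasswordOnNextLogon $true `
    -SamAccountName $username

## Wait for DC's to pick up change
Start-Sleep -s 10

## Modify user properties
## NOTE(review): New-Mailbox has already set the password; setting it again
## here may clear the "must change at next logon" state - confirm whether
## -UserPassword is still needed.
Get-QADUser $username | Set-QADUser -PhoneNumber $tel `
    -UserPassword $passwd

Write-Host "================================================" -ForegroundColor Cyan

## Create home directory with permissions
If ( !(Test-Path -Path "$homeroot\$username" -PathType Container) ) {
    ## Doesn't exist so create it.
    Write-Host "home directory doesn't exist. Creating home directory." -ForegroundColor Cyan

    ## Create the directory
    New-Item -Path $homeroot -Name $username -ItemType Directory
    $homedir = "$homeroot\$username"

    ## Grant the new user Modify on the home directory, editing the existing
    ## ACL instead of replacing it. The original referenced the undefined
    ## $nbdomain, which produced "\<username>" as the account name.
    cscript xcacls.vbs $homedir /E /G "${domainnb}\${username}:M"

    ## The .NET approach - remmed out
    ## To list available rights options, run: [system.enum]::getnames([System.Security.AccessControl.FileSystemRights])
    ## To list available inheritance flags, run: [system.enum]::getnames([System.Security.AccessControl.InheritanceFlags])
    ## Idem for Propagation flags.
    #$newrights = [System.Security.AccessControl.FileSystemRights]"Modify"
    #$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::"ObjectInherit"
    #$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::"InheritOnly"
    #$Typ = [System.Security.AccessControl.AccessControlType]::Allow
    #$ID = new-object System.Security.Principal.NTAccount($domainnb + "\" + $username)
    #$SecRule = new-object System.Security.AccessControl.FileSystemAccessRule($ID, $newrights, $InheritanceFlag, $PropagationFlag, $Typ)
    #$myACL = Get-Acl -Path $homedir
    #$myACL.AddAccessRule($SecRule)
    #Set-ACL -AclObject $myACL $homedir
}
Else {
    ## A pre-existing directory may belong to someone else, so stop here
    ## rather than hand it to the new account.
    Write-Host "home directory already exists. Script end." -ForegroundColor Cyan
    return
}

## Create Profile directory with permissions
If ( !(Test-Path -Path "$profileroot\$username" -PathType Container) ) {
    ## Doesn't exist so create it.
    Write-Host "profile directory doesn't exist. Creating profile directory." -ForegroundColor Cyan

    ## Create the directory
    New-Item -Path $profileroot -Name $username -ItemType Directory
    $profiledir = "$profileroot\$username"

    ## Grant the new user Modify on the profile directory (same $nbdomain fix
    ## as for the home directory).
    cscript xcacls.vbs $profiledir /E /G "${domainnb}\${username}:M"

    ## The .NET approach - remmed out
    ## To list available rights options, run: [system.enum]::getnames([System.Security.AccessControl.FileSystemRights])
    ## To list available inheritance flags, run: [system.enum]::getnames([System.Security.AccessControl.InheritanceFlags])
    ## Idem for Propagation flags.
    #$newrights = [System.Security.AccessControl.FileSystemRights]"Modify"
    #$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::"None"
    #$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::"None"
    #$Typ = [System.Security.AccessControl.AccessControlType]::Allow
    #$ID = new-object System.Security.Principal.NTAccount($domainnb + "\" + $username)
    #$SecRule = new-object System.Security.AccessControl.FileSystemAccessRule($ID, $newrights, $InheritanceFlag, $PropagationFlag, $Typ)
    #$myACL = Get-Acl -Path $profiledir
    #$myACL.AddAccessRule($SecRule)
    #Set-ACL -AclObject $myACL $profiledir
}
Else {
    Write-Host "profile directory already exists. Script end." -ForegroundColor Cyan
    return
}

## Modify user properties
Get-QADUser $username | Set-QADUser -ObjectAttributes @{homeDrive='H:';homeDirectory=$homedir;profilePath=$profiledir}

## User created. Listing properties
$info = Get-QADUser $username -IncludeAllProperties |
    Format-List DN,Name,DisplayName,userPrincipalName, `
        samAccountName,givenName,sn,homeDrive,homeDirectory, `
        ProfilePath,telephoneNumber,email

Write-Host "User created with the following properties: " -ForegroundColor Cyan
$info
Write-Host "================= Script End =================" -ForegroundColor Cyan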
Denis Faustino- Marcado como Resposta Fábio JrModerator quinta-feira, 19 de janeiro de 2012 10:45
Todas as Respostas
-
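## Interactive provisioning script: creates a mailbox-enabled DOMAIN user, then
## creates the user's home and profile directories and writes the related AD
## attributes.
##
## Scope: this creates a domain account through New-Mailbox. It does not create
## or modify local accounts or local group membership on workstations.
##
## Requires: the Exchange cmdlet New-Mailbox and the Quest ActiveRoles cmdlets
## Get-QADUser / Set-QADUser loaded in the session, plus xcacls.vbs reachable
## from the current directory.
##
## "DOMAIN", "DOMAIN.LOCAL", "EXCHSRVR" and "\\server1" are placeholders that
## must be replaced with the values of the target environment.

Write-Host "============ Create new domain user ============" -ForegroundColor Cyan

$username = Read-Host "Username "

## Letters only: no spaces, no digits. Because of this check the value can be
## interpolated into the LDAP filter and the UNC paths below without escaping.
$regex = '^([a-zA-Z]+)$'
If ($username -notmatch $regex) {
    Write-Host "Invalid username specified. $username" -ForegroundColor Cyan
    ## 'return' ends the script; a bare 'break' outside a loop would also
    ## terminate any loop in a calling script.
    return
}

## Check if there's already a user with this samAccountName
$dom      = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainnb = "DOMAIN"   ## NetBIOS domain name, used when granting NTFS rights
$root     = $dom.GetDirectoryEntry()
$search   = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(samAccountName=$username)"
$result = $search.FindOne()
if ($result -ne $null) {
    $user = $result.GetDirectoryEntry()
    Write-Host "There is already a useraccount $username." -ForegroundColor Cyan
    Write-Host "User found: " $user.distinguishedName -ForegroundColor Cyan
    return
}

$surname = Read-Host "User's last name (surname) "
## Letters, apostrophes and dashes only
$regex = "^([a-zA-Z'-]+)$"
If ($surname -notmatch $regex) {
    Write-Host "Invalid surname specified. $surname" -ForegroundColor Cyan
    return
}

## NOTE(review): infix and first name are not validated before they are used
## in the display name - confirm that is intended.
$tussenvoegsel = Read-Host "Infix. I.e. van den "
$name = Read-Host "User's first name "

$tel = Read-Host "Extension number "
## 4 digit extension numbers, starting with 7 or 8 only.
$regex = '^(7|8)\d{3}$'
If ($tel -notmatch $regex) {
    Write-Host "Invalid extension number specified. $tel" -ForegroundColor Cyan
    return
}

## Read the password without echoing it to the console.
$securePasswd = Read-Host "Specify user's password " -AsSecureString

## The complexity check and Set-QADUser below need the plain text, so it is
## recovered here; the unmanaged copy is zeroed as soon as it has been read.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePasswd)
try {
    $passwd = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
}
finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

## Password must be at least 6 characters,
## no more than 15 characters,
## and must include at least one upper case letter,
## one lower case letter, and one numeric digit.
## NOTE(review): this is only a local pre-check; the domain password policy is
## what is enforced. The 6-character minimum and 15-character cap are weak by
## current standards - confirm against policy.
$regex = '^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{6,15}$'
## The original tested the undefined $password, so this check rejected every
## input; it must test $passwd. The rejected value is deliberately not printed.
If ($passwd -notmatch $regex) {
    Write-Host "Invalid password specified." -ForegroundColor Cyan
    return
}

$DisplayName = "$surname, $name $tussenvoegsel"
$homeroot    = "\\server1\mydocuments"
$profileroot = "\\server1\profiles"

Write-Host "================================================" -ForegroundColor Cyan
Write-Host "Creating user $DisplayName using New-Mailbox cmdlet.." -ForegroundColor Cyan

New-Mailbox -Name $DisplayName.Trim() `
    -Database "EXCHSRVR\Mailbox Store\Mailbox Database" `
    -Password $securePasswd `
    -UserPrincipalName "$username@DOMAIN.LOCAL" `
    -ActiveSyncMailboxPolicy "Default" `
    -Alias $username `
    -Confirm `
    -DisplayName ($DisplayName.Trim()) `
    -FirstName "$name $tussenvoegsel" `
    -LastName $surname `
    -OrganizationalUnit "DOMAIN.LOCAL/OU Users " `
    -ResetPasswordOnNextLogon $true `
    -SamAccountName $username

## Wait for DC's to pick up change
Start-Sleep -s 10

## Modify user properties
## NOTE(review): New-Mailbox has already set the password; setting it again
## here may clear the "must change at next logon" state - confirm whether
## -UserPassword is still needed.
Get-QADUser $username | Set-QADUser -PhoneNumber $tel `
    -UserPassword $passwd

Write-Host "================================================" -ForegroundColor Cyan

## Create home directory with permissions
If ( !(Test-Path -Path "$homeroot\$username" -PathType Container) ) {
    ## Doesn't exist so create it.
    Write-Host "home directory doesn't exist. Creating home directory." -ForegroundColor Cyan

    ## Create the directory
    New-Item -Path $homeroot -Name $username -ItemType Directory
    $homedir = "$homeroot\$username"

    ## Grant the new user Modify on the home directory, editing the existing
    ## ACL instead of replacing it. The original referenced the undefined
    ## $nbdomain, which produced "\<username>" as the account name.
    cscript xcacls.vbs $homedir /E /G "${domainnb}\${username}:M"

    ## The .NET approach - remmed out
    ## To list available rights options, run: [system.enum]::getnames([System.Security.AccessControl.FileSystemRights])
    ## To list available inheritance flags, run: [system.enum]::getnames([System.Security.AccessControl.InheritanceFlags])
    ## Idem for Propagation flags.
    #$newrights = [System.Security.AccessControl.FileSystemRights]"Modify"
    #$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::"ObjectInherit"
    #$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::"InheritOnly"
    #$Typ = [System.Security.AccessControl.AccessControlType]::Allow
    #$ID = new-object System.Security.Principal.NTAccount($domainnb + "\" + $username)
    #$SecRule = new-object System.Security.AccessControl.FileSystemAccessRule($ID, $newrights, $InheritanceFlag, $PropagationFlag, $Typ)
    #$myACL = Get-Acl -Path $homedir
    #$myACL.AddAccessRule($SecRule)
    #Set-ACL -AclObject $myACL $homedir
}
Else {
    ## A pre-existing directory may belong to someone else, so stop here
    ## rather than hand it to the new account.
    Write-Host "home directory already exists. Script end." -ForegroundColor Cyan
    return
}

## Create Profile directory with permissions
If ( !(Test-Path -Path "$profileroot\$username" -PathType Container) ) {
    ## Doesn't exist so create it.
    Write-Host "profile directory doesn't exist. Creating profile directory." -ForegroundColor Cyan

    ## Create the directory
    New-Item -Path $profileroot -Name $username -ItemType Directory
    $profiledir = "$profileroot\$username"

    ## Grant the new user Modify on the profile directory (same $nbdomain fix
    ## as for the home directory).
    cscript xcacls.vbs $profiledir /E /G "${domainnb}\${username}:M"

    ## The .NET approach - remmed out
    ## To list available rights options, run: [system.enum]::getnames([System.Security.AccessControl.FileSystemRights])
    ## To list available inheritance flags, run: [system.enum]::getnames([System.Security.AccessControl.InheritanceFlags])
    ## Idem for Propagation flags.
    #$newrights = [System.Security.AccessControl.FileSystemRights]"Modify"
    #$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::"None"
    #$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::"None"
    #$Typ = [System.Security.AccessControl.AccessControlType]::Allow
    #$ID = new-object System.Security.Principal.NTAccount($domainnb + "\" + $username)
    #$SecRule = new-object System.Security.AccessControl.FileSystemAccessRule($ID, $newrights, $InheritanceFlag, $PropagationFlag, $Typ)
    #$myACL = Get-Acl -Path $profiledir
    #$myACL.AddAccessRule($SecRule)
    #Set-ACL -AclObject $myACL $profiledir
}
Else {
    Write-Host "profile directory already exists. Script end." -ForegroundColor Cyan
    return
}

## Modify user properties
Get-QADUser $username | Set-QADUser -ObjectAttributes @{homeDrive='H:';homeDirectory=$homedir;profilePath=$profiledir}

## User created. Listing properties
$info = Get-QADUser $username -IncludeAllProperties |
    Format-List DN,Name,DisplayName,userPrincipalName, `
        samAccountName,givenName,sn,homeDrive,homeDirectory, `
        ProfilePath,telephoneNumber,email

Write-Host "User created with the following properties: " -ForegroundColor Cyan
$info
Write-Host "================= Script End =================" -ForegroundColor Cyan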
Denis Faustino- Marcado como Resposta Fábio JrModerator quinta-feira, 19 de janeiro de 2012 10:45
-