Creating users



  • The current process in the organization is to take a template (literally just a user with a special name, settings and group memberships) and copy that to create a user. I'm thinking there has to be a better way. Is anyone out there using something that works as well or better?





  • I was hoping to get away from having 'dead' user accounts that serve no other purpose than being a template. Surely there is a better way?



  • You can try creating users by importing them from a csv file.



  • "WHEN A MAAAAN LOVES A WOMAN...":notes: :musical_note:



  • You could probably waste a bunch of time creating an .hta with dropdowns and all kinds of things.

    Or you could get HR to fill out a .csv with required fields and import that to create a user.

    Easiest to keep things how they are. There's no harm in a user template in AD. It's fast and simple.
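
Tim_G's point above (have HR fill in a CSV with the required fields and import it) is the usual replacement for template accounts. The block below is an added example written for this thread, not code posted by anyone in it: it reads a constructed HR sheet, derives and validates the username, refuses duplicates, generates a random initial password and applies group membership from a data-driven map instead of copying it from a template user. The CSV columns, the OU 'OU=Staff,DC=example,DC=com', the example.com UPN suffix and the department-to-group table are all assumptions for illustration.

```powershell
# Added example for this thread (not code from the original posts): create users from an
# HR-supplied CSV instead of copying a template account.
# Everything named here is an assumption for illustration: the CSV columns, the OU
# 'OU=Staff,DC=example,DC=com', the UPN suffix example.com and the department-to-group map.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$UpnSuffix  = 'example.com'
$TargetOU   = 'OU=Staff,DC=example,DC=com'
$DeptGroups = @{ 'Accounting' = 'Accounting'; 'HR' = 'Human Resources'; 'IT' = 'IT Staff' }

# Constructed sample of the sheet HR would hand over; in production use: $hires = Import-Csv .\newhires.csv
$hires = @'
FirstName,LastName,Title,Department,Manager
Jane,Doe,Accountant,Accounting,smithj
Sean,O'Brien,Helpdesk Technician,IT,smithj
'@ | ConvertFrom-Csv

function New-SamAccountName {
    param([string]$First, [string]$Last)
    # lastname + first initial, letters/digits only, capped at the 20-character sAMAccountName limit
    $base = (($Last + $First.Substring(0, 1)) -replace '[^A-Za-z0-9]', '').ToLower()
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
    return $base
}

function New-RandomPassword {
    param([int]$Length = 16)
    # Initial password from the OS CSPRNG; the user is forced to change it at first logon.
    # 64 symbols, so byte % 64 has no modulo bias.
    $chars  = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'.ToCharArray()
    $bytes  = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $result = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    return $result
}

foreach ($h in $hires) {
    foreach ($col in 'FirstName', 'LastName', 'Department', 'Manager') {
        if ([string]::IsNullOrWhiteSpace($h.$col)) { throw "CSV row '$($h.FirstName) $($h.LastName)' is missing $col" }
    }
    $sam = New-SamAccountName -First $h.FirstName -Last $h.LastName

    # $sam is alphanumeric only, so it is safe to interpolate into the LDAP filter
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        Write-Warning "$sam already exists; skipping $($h.FirstName) $($h.LastName)"
        continue
    }
    if (-not $DeptGroups.ContainsKey($h.Department)) {
        Write-Warning "No group mapping for department '$($h.Department)'; skipping $sam"
        continue
    }
    $null = Get-ADUser -Identity $h.Manager   # throws if the manager account does not exist

    $pw = New-RandomPassword
    $params = @{
        Name                  = "$($h.FirstName) $($h.LastName)"
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$UpnSuffix"
        GivenName             = $h.FirstName
        Surname               = $h.LastName
        DisplayName           = "$($h.FirstName) $($h.LastName)"
        Title                 = $h.Title
        Department            = $h.Department
        Manager               = $h.Manager
        Path                  = $TargetOU
        AccountPassword       = (ConvertTo-SecureString $pw -AsPlainText -Force)
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    New-ADUser @params
    Add-ADGroupMember -Identity $DeptGroups[$h.Department] -Members $sam

    # One record per account for the onboarding hand-over; treat the initial password as a secret
    [pscustomobject]@{ SamAccountName = $sam; Group = $DeptGroups[$h.Department]; InitialPassword = $pw }
}
```

Run it once with -WhatIf added to New-ADUser and Add-ADGroupMember to check the derived usernames and group targets against the sheet before creating anything. The two "skipping" branches are deliberate: a duplicate username or an unmapped department is a data problem for HR to fix, not something the script should guess at.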



  • I've done it by PowerShell before. However, I have found that it's not very good at adding permissions to objects, such as files and folders. Otherwise, it creates the user with the correct username, template password, email, and prints out an onboarding sheet for the new employee. It asks you the basic questions and takes care of the rest for you.


  • Ansible and Salt have good methods for this if you wanted to go that route.



  • @Tim_G said in Creating users:

    You could probably waste a bunch of time creating an .hta with dropdowns and all kinds of things.

    Or you could get HR to fill out a .csv with required fields and import that to create a user.

    Easiest to keep things how they are. There's no harm in a user template in AD. It's fast and simple.

    And it sucks to have a whole bunch of template users. It's not efficient, in my view.



  • Try this out. It pops up with a command prompt to ask you a few questions to get started. Once the questions are answered, it takes care of most everything else. When it is done, it should spit out a piece of paper for you to give to the new employee with the information that they need.

    I sterilized it so that you could use it in your company.

    #Imports the AD and MSOnline (Azure AD / Office 365) modules (Module 1.02)
    Import-Module ActiveDirectory
    Import-Module MSOnline   #Microsoft has since deprecated MSOnline in favour of the Microsoft Graph PowerShell module
    
    #Stop on the first error (Module 1.03). Without this a failed New-ADUser is only printed, and every
    #later step (folders, group membership, mailbox) runs against whatever account already had that name
    $ErrorActionPreference = 'Stop'
    
    #Variables used below: $fn first name, $ln last name, $title, $dep department, $loc location,
    #$man manager (username), $un username, $fi first-name initial (used to build $un),
    #$officePhone, $streetAdd, $city, $ZIP (set from the location)
    #Getting information (Module 1.04)
    Write-Host "I need some information from you first. Answer the following questions to get started."
    $fn = Read-Host "First Name?"
    $ln = Read-Host "Last Name?"
    $title = Read-Host "Title?"
    $dep = Read-Host "Department?"
    $man = Read-Host "Manager (Username)?"
    $loc = Read-Host "Location (Loc1 or Loc2)?"
    if ([string]::IsNullOrWhiteSpace($fn) -or [string]::IsNullOrWhiteSpace($ln)) { throw "First and last name are required" }
    
    #Finding out the Username: last name + first initial, letters and digits only,
    #trimmed to the 20-character sAMAccountName limit (Module 1.05)
    $fi = $fn.Substring(0,1)
    $un = (-join ($ln, $fi)) -replace '[^A-Za-z0-9]', ''
    if ($un.Length -gt 20) { $un = $un.Substring(0,20) }
    
    #Refuse to continue if that username is already taken; $un is alphanumeric, so it is safe to put in the filter
    if (Get-ADUser -Filter "sAMAccountName -eq '$un'") {
        throw "Username $un already exists in AD; pick a different username and re-run"
    }
    #Make sure the manager account exists before it is referenced below
    $null = Get-ADUser -Identity $man
    
    #Sets Location information (Module 1.06)
    if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07)
        $officePhone = "(999) 999-9999"
        $streetAdd = "123 Anywhere Drive"
        $city = "YourTown"
        $ZIP = "12345"
    }
    else { #If the user is in Loc2 (Module 1.08)
        $officePhone = "(987) 654-3210"
        $streetAdd = "987 Nothere Blvd"
        $city = "Somewhere Else"
        $ZIP = "98765"
    }
    
    #Sets Password (Module 1.09). -AsSecureString keeps it out of the console and history, and
    #New-ADUser takes the SecureString as-is, so the unused ConvertFrom-SecureString step has been dropped
    $passwd = Read-Host -AsSecureString "Account Password"
    
    $userParams = @{ #(Module 1.10)
        'Name' = $un
        'Enabled' = $true
        'AccountPassword' = $passwd
        'UserPrincipalName' = -join ($un, "@mycompany.com")
        'SamAccountName' = $un
        'ChangePasswordAtLogon' = $false   #the onboarding sheet only suggests a change; $true would enforce it at first logon
        'GivenName' = $fn
        'Surname' = $ln
        'DisplayName' = -join ($fn, " ", $ln)
        'Description' = $title
        'OfficePhone' = $officePhone
        'StreetAddress' = $streetAdd
        'City' = $city
        'State' = "Texas"
        'PostalCode' = $ZIP
        'Title' = $title
        'Department' = $dep
        'Company' = 'MyCompany'
        'Manager' = $man
    }
    
    #Creates the user in AD (Module 1.11)
    New-ADUser @userParams
    
    #Wait until the new account can be read back before doing anything else (Module 1.12).
    #New-ADUser itself is synchronous; this only covers replication when a later call lands on another DC
    $deadline = (Get-Date).AddMinutes(2)
    while (-not (Get-ADUser -Filter "sAMAccountName -eq '$un'")) {
        if ((Get-Date) -gt $deadline) { throw "Account $un is not readable after 2 minutes; check AD replication" }
        Start-Sleep -Seconds 5
    }
    
    #Makes the user's network drive and scan folder (Module 1.13). Note: nothing here sets NTFS permissions,
    #so the user only gets what \\server\folder passes down to new subfolders.
    #Both locations use the same share, so one block covers Loc1 and Loc2 (Modules 1.14/1.15)
    $homeDir = "\\server\folder\$un"
    $null = New-Item -ItemType Directory -Path $homeDir         #Creates users network drive
    $null = New-Item -ItemType Directory -Path "$homeDir\scans" #Creates users scan folder
    
    #Adds the user to the correct Security Group for permissions and other network drives (Modules 1.16-1.39).
    #Department names (left) map to AD groups (right); hashtable keys are case-insensitive, like -eq was
    $deptGroups = @{
        'Accounting'        = 'Accounting'
        'Customer Service'  = 'Customer Service'
        'Executives'        = 'Executives'
        'HR'                = 'Human Resources'
        'Human Resources'   = 'Human Resources'
        'IT'                = 'Domain Admins'   #WARNING: every IT hire becomes a Domain Admin on day one; a dedicated IT group is the least-privilege choice
        'Maintenance'       = 'MaintGroup'
        'Production'        = 'Production'
        'QA'                = 'QA Group'
        'Quality Assurance' = 'QA Group'
        'Shipping'          = 'SHIP'
    }
    if ($deptGroups.ContainsKey($dep)) {
        Add-ADGroupMember -Identity $deptGroups[$dep] -Members $un
    }
    else {
        #Every account is already in Domain Users through its primary group and AD rejects adding it again,
        #so an unknown department is flagged instead of the old Add-ADGroupMember 'Domain Users' call
        Write-Warning "Department '$dep' has no group mapping; $un is only in Domain Users"
    }
    
    $manfn = Get-ADUser $man #Gets the manager's account; the report below uses $manfn.Name (Module 1.40)
    
    #Creates a report of the User's information
    $report = "Hello $fn $ln,
    
    From the IT Department, welcome to <MyCompany>.   We 
    are here to help you connect to the resources that you need for 
    your job.   If you need assistance with technology, please feel 
    free to contact us at either the help page, which is set as your 
    home page in Internet Explorer, email us at 
    [email protected]<MyCompany>.com, or call us at extension 4357.
    
    Below you will find your information so that you can login to 
    the network and get started:
    
    Your username is domain\$un
    Your password is 
    Your email address is [email protected]<MyCompany>.com
    Your phone number is $officePhone Ext. 
    
    It is suggested that you change your password to something that 
    you can remember but difficult enough that somebody else cannot 
    figure out.   The requirement is only 6 characters, but we do 
    advise on making it longer, throw some numbers and special 
    characters in there as well to make it stronger.   Best advice 
    would be to use a pass-PHRASE instead of a pass-WORD.
    
    Your computer should already be setup with your email loaded and 
    your network drives.   At <MyCompany>, we use Microsoft 
    Outlook as the email client.   Depending on what department you 
    are in will depend on what drives you have available.   
    Generally, everybody will have an F: drive and a G: drive.   The 
    F: drive is your network folder.   Place in there the documents 
    that you feel you cannot do your job without.   In the F: drive 
    will be a scan folder.   When you go to the Xerox to scan in 
    documents, then you will find them in your scan folder.   The G: 
    drive is a company-wide shared folder.  As for your department 
    drives, it would be best to talk with $($manfn.name), 
    your supervisor/manager, about the nature and uses of these drives.
    
    The use of the equipment and resources provided are a privilege 
    to you for use and should not be taken advantage of.   There are 
    measures set in place that allows us to manage the network.   Do 
    not assume that there is any personal privacy on this network.   
    The only privacy that you can assume is for the nature of your 
    work.   All information (including emails, documents, 
    spreadsheets, pictures, etc.) contained on the equipment 
    provided and on the network is the sole property of Standard 
    Meat Company.
    
    If you have problems with your equipment or network resources, 
    please feel free to ask.   We do not mind helping, but we cannot 
    help if we do not know, so please ask! 
    
    Sincerely,
    
    
    Your IT Department"
    
    if ($loc -eq "Loc1") { #(Module 1.43) default printer
        Write-Output $report | Out-Printer
    }
    else { #(Module 1.44)
        Write-Output $report | Out-Printer -Name '\\server\Xerox WorkCentre 4260'
    }
    
    #Waiting for AD Connect to push the account to Azure AD (Module 1.45). The sync runs every 30 minutes,
    #so poll for the cloud object instead of sleeping a fixed 1800 seconds
    $upn = -join($un,'@<MyCompany>.com')
    Connect-MsolService #(Module 1.46) prompts for an Office 365 admin sign-in
    Write-Host "Waiting for $upn to appear in Azure AD..."
    $deadline = (Get-Date).AddMinutes(45)
    while (-not (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue)) {
        if ((Get-Date) -gt $deadline) { throw "$upn has not synced to Azure AD after 45 minutes" }
        Start-Sleep -Seconds 60
    }
    
    #Licenses the user (Module 1.47). A usage location must be set before any license can be assigned,
    #and -AddLicenses needs a SKU id: replace <tenant>:<SKU> with one from Get-MsolAccountSku
    Set-MsolUser -UserPrincipalName $upn -UsageLocation 'US'
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses '<tenant>:<SKU>'
    
    #Connects to Exchange Online, creates the users email account, then disconnects (Module 1.48).
    #$cred was never defined in the original; it is the Office 365 admin credential.
    #Note: Microsoft has since retired this Basic-auth remote PowerShell endpoint; the
    #ExchangeOnlineManagement module's Connect-ExchangeOnline is the current way in
    $cred = Get-Credential -Message 'Office 365 admin account'
    $mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -AllowRedirection -Authentication Basic -Credential $cred
    Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null
    Enable-Mailbox -Identity $upn -Alias $un -DisplayName "$fn $ln" #Creates the users mailbox (Module 1.49)
    
    #Caps the mailbox so the user isn't using all 50 GB of storage
    if ($dep -eq "Executives") { #(Modules 1.50-1.51) executives get 20 GB
        Set-Mailbox $upn -ProhibitSendQuota 19.5GB -ProhibitSendReceiveQuota 20GB -IssueWarningQuota 19GB
    }
    elseif ($dep -ne "IT") { #(Modules 1.54-1.55) everybody else gets 10 GB; IT keeps the full default mailbox (Modules 1.52-1.53)
        Set-Mailbox $upn -ProhibitSendQuota 9.5GB -ProhibitSendReceiveQuota 10GB -IssueWarningQuota 9GB
    }
    Remove-PSSession -Session $mail #Disconnects from Exchange Online (Module 1.56)
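
NerdyDad's script above creates the home and scan folders but, as its own comment admits, leaves the NTFS permissions untouched, which matches another reply in the thread observing that PowerShell is awkward for setting permissions on files and folders. The block below is an added example, not part of the original post, showing how to do that step with Get-Acl / Set-Acl: break inheritance from the share root, grant the user Modify by SID, keep Administrators and SYSTEM, and point the AD account at the folder. The share root \\fs01\home, the F: drive letter and the function names are assumptions for illustration.

```powershell
# Added example for this thread (not code from the original post): give the new user's home and
# scan folders an explicit NTFS ACL instead of relying on whatever the share root inherits.
# Assumptions for illustration: share root \\fs01\home, drive letter F:, and that the account
# running this is an administrator on the file server.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

function New-UserHomeFolder {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ShareRoot = '\\fs01\home',
        [string]$HomeDrive = 'F:'
    )
    $user    = Get-ADUser -Identity $SamAccountName          # throws if the account does not exist
    $homeDir = Join-Path $ShareRoot $SamAccountName
    $null = New-Item -ItemType Directory -Path $homeDir -Force
    $null = New-Item -ItemType Directory -Path (Join-Path $homeDir 'scans') -Force

    $acl = Get-Acl -Path $homeDir
    # Break inheritance from the share root and drop the inherited ACEs, so rights granted
    # to other groups at the root do not flow into this user's folder
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        # Identify the user by SID, not name: a just-created account may not resolve yet on the file server
        (New-Object System.Security.AccessControl.FileSystemAccessRule($user.SID, 'Modify', $inherit, $none, $allow)),
        (New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $none, $allow)),
        (New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $none, $allow))
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $homeDir -AclObject $acl

    # Point the account at the folder so it maps as a drive at logon
    Set-ADUser -Identity $SamAccountName -HomeDirectory $homeDir -HomeDrive $HomeDrive
    return $homeDir
}

function Test-UserHomeFolderAcl {
    # Verification step: list every ACE so stray inherited or extra principals are visible at a glance
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) { Write-Warning "$Path still inherits from its parent" }
    $acl.Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage (hypothetical account name):
# $dir = New-UserHomeFolder -SamAccountName 'doej'
# Test-UserHomeFolderAcl -Path $dir
```

Because the three rules carry ContainerInherit and ObjectInherit, the scans subfolder and everything dropped into it pick up the same ACL, so the Xerox scan-to-folder destination needs no separate permission step. Run Test-UserHomeFolderAcl after creation: the expected output is exactly three identities (the user, Administrators, SYSTEM) with IsInherited False on each.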
    


  • @NerdyDad said in Creating users:

    Try this out. It pops up with a command prompt to ask you a few questions to get started. Once the questions are answered, it takes care of most everything else. When it is done, it should spit out a piece of paper for you to give to the new employee with the information that they need.

    I sterilized it so that you could use it in your company.

    This looks amazing and I can't wait to get it edited and try it out.


  • @Grey you aren't the only one



  • Here is another copy of the same code, but for a local exchange box instead of O365.

    #Imports the AD module
    Import-Module ActiveDirectory
    
    #Stop on the first error. Without this a failed New-ADUser is only printed, and every
    #later step (folders, group membership, mailbox) runs against whatever account already had that name
    $ErrorActionPreference = 'Stop'
    
    #Variables used below: $fn first name, $ln last name, $title, $dep department, $loc location,
    #$man manager (username), $un username, $fi first-name initial (used to build $un),
    #$officePhone, $streetAdd, $city, $ZIP (set from the location)
    
    #Getting information
    $fn = Read-Host "First Name?"
    $ln = Read-Host "Last Name?"
    $title = Read-Host "Title?"
    $dep = Read-Host "Department?"
    $man = Read-Host "Manager (Username)?"
    $loc = Read-Host "Loc1 or Loc2?"
    if ([string]::IsNullOrWhiteSpace($fn) -or [string]::IsNullOrWhiteSpace($ln)) { throw "First and last name are required" }
    
    #Finding out the Username: last name + first initial, letters and digits only,
    #trimmed to the 20-character sAMAccountName limit
    $fi = $fn.Substring(0,1)
    $un = (-join ($ln, $fi)) -replace '[^A-Za-z0-9]', ''
    if ($un.Length -gt 20) { $un = $un.Substring(0,20) }
    
    #Refuse to continue if that username is already taken; $un is alphanumeric, so it is safe to put in the filter
    if (Get-ADUser -Filter "sAMAccountName -eq '$un'") {
        throw "Username $un already exists in AD; pick a different username and re-run"
    }
    #Make sure the manager account exists before it is referenced below
    $null = Get-ADUser -Identity $man
    
    #Sets Location information (Module 1.06)
    if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07)
        $officePhone = "(999) 999-9999"
        $streetAdd = "123 Anywhere Drive"
        $city = "YourTown"
        $ZIP = "12345"
    }
    else { #If the user is in Loc2 (Module 1.08)
        $officePhone = "(987) 654-3210"
        $streetAdd = "987 Nothere Blvd"
        $city = "Somewhere Else"
        $ZIP = "98765"
    }
    
    #Sets Password. -AsSecureString keeps it out of the console and history, and New-ADUser
    #takes the SecureString as-is, so the unused ConvertFrom-SecureString step has been dropped
    $passwd = Read-Host -AsSecureString "Account Password"
    
    $userParams = @{
        'Name' = $un
        'Enabled' = $true
        'AccountPassword' = $passwd
        'UserPrincipalName' = -join ($un, "@smc.com")
        'SamAccountName' = $un
        'ChangePasswordAtLogon' = $false   #the onboarding sheet only suggests a change; $true would enforce it at first logon
        'GivenName' = $fn
        'Surname' = $ln
        'DisplayName' = -join ($fn," ",$ln)
        'Description' = $title
        'OfficePhone' = $officePhone
        'StreetAddress' = $streetAdd
        'City' = $city
        'State' = "Texas"
        'PostalCode' = $ZIP
        'Title' = $title
        'Department' = $dep
        'Company' = 'Standard Meat Company'
        'Manager' = $man
    }
    
    #Creates the user in AD
    New-ADUser @userParams
    
    #Wait until the new account can be read back before doing anything else.
    #New-ADUser itself is synchronous; this only covers replication when a later call lands on another DC
    $deadline = (Get-Date).AddMinutes(2)
    while (-not (Get-ADUser -Filter "sAMAccountName -eq '$un'")) {
        if ((Get-Date) -gt $deadline) { throw "Account $un is not readable after 2 minutes; check AD replication" }
        Start-Sleep -Seconds 5
    }
    
    #Makes the user's network drive and scan folder. Note: nothing here sets NTFS permissions, so the
    #user only gets what \\server\folder passes down to new subfolders; both locations use the same share
    $homeDir = "\\server\folder\$un"
    $null = New-Item -ItemType Directory -Path $homeDir         #Creates users network drive
    $null = New-Item -ItemType Directory -Path "$homeDir\scans" #Creates users scan folder
    
    #Adds the user to the correct Security Group for permissions and other network drives.
    #Department names (left) map to AD groups (right); hashtable keys are case-insensitive, like -eq was
    $deptGroups = @{
        'Accounting'        = 'Accounting'
        'Customer Service'  = 'Customer Service'
        'HR'                = 'Human Resources'
        'Human Resources'   = 'Human Resources'
        'IT'                = 'Domain Admins'   #WARNING: every IT hire becomes a Domain Admin on day one; a dedicated IT group is the least-privilege choice
        'Maintenance'       = 'MaintGroup'
        'Production'        = 'Production'
        'QA'                = 'QA Group'
        'Quality Assurance' = 'QA Group'
        'Shipping'          = 'SHIP'
    }
    if ($deptGroups.ContainsKey($dep)) {
        Add-ADGroupMember -Identity $deptGroups[$dep] -Members $un
    }
    else {
        #Every account is already in Domain Users through its primary group and AD rejects adding it again,
        #so an unknown department is flagged instead of the old Add-ADGroupMember 'Domain Users' call
        Write-Warning "Department '$dep' has no group mapping; $un is only in Domain Users"
    }
    
    #Connects to the Exchange box, creates the users email account, then disconnects from the Exchange box.
    #The <exchange> placeholders must be quoted (a bare < is a PowerShell parse error). With Kerberos the
    #session runs as the logged-on admin, so the original's never-defined $cred is not needed
    $mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<exchange>/powershell/' -Name 'exchange' -Authentication Kerberos
    Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null
    Enable-Mailbox -Identity $un -Alias $un -DisplayName "$fn $ln" #Creates the users mailbox
    Remove-PSSession -Session $mail #Disconnects from the Exchange box
    
    #Gets the manager's account; the report below uses $manfn.Name. (The original selected only
    #GivenName and Surname into $manfn/$manln, so $manfn.name came out empty on the printed sheet)
    $manfn = Get-ADUser $man
    
    #Create a report of the User's information
    $report = "Hello $fn $ln,
    
    From the IT Department, welcome to <MyCompany>.   We 
    are here to help you connect to the resources that you need for 
    your job.   If you need assistance with technology, please feel 
    free to contact us at either the help page, which is set as your 
    home page in Internet Explorer, email us at 
    [email protected], or call us at extension 4357.
    
    Below you will find your information so that you can login to 
    the network and get started:
    
    Your username is smc\$un
    Your password is 
    Your email address is [email protected]<MyCompany>.com
    Your phone number is $officePhone Ext. 
    
    It is suggested that you change your password to something that 
    you can remember but difficult enough that somebody else cannot 
    figure out.   The requirement is only 6 characters, but we do 
    advise on making it longer, throw some numbers and special 
    characters in there as well to make it stronger.   Best advice 
    would be to use a pass-PHRASE instead of a pass-WORD.
    
    Your computer should already be setup with your email loaded and 
    your network drives.   At Standard Meat, we use Microsoft 
    Outlook as the email client.   Depending on what department you 
    are in will depend on what drives you have available.   
    Generally, everybody will have an F: drive and a G: drive.   The 
    F: drive is your network folder.   Place in there the documents 
    that you feel you cannot do your job without.   In the F: drive 
    will be a scan folder.   When you go to the Xerox to scan in 
    documents, then you will find them in your scan folder.   The G: 
    drive is a company-wide shared folder.  As for your department 
    drives, it would be best to talk with $($manfn.name), 
    your supervisor/manager about the nature and uses of these drives.
    
    The use of the equipment and resources provided are a privilege 
    to you for use and should not be taken advantage of.   There are 
    measures set in place that allows us to manage the network.   Do 
    not assume that there is any personal privacy on this network.   
    The only privacy that you can assume is for the nature of your 
    work.   All information (including emails, documents, 
    spreadsheets, pictures, etc.) contained on the equipment 
    provided and on the network is the sole property of Standard 
    Meat Company.
    
    If you have problems with your equipment or network resources, 
    please feel free to ask.   We do not mind helping, but we cannot 
    help if we do not know, so please ask! 
    
    Sincerely,
    
    
    Your IT Department"
    
    #Both locations print to the same queue, so no branch on $loc is needed here
    Write-Output $report | Out-Printer -Name '\\server\Printer'
    

  • @NerdyDad said in Creating users:

    Here is another copy of the same code, but for a local exchange box instead of O365.

    #Imports the AD module
    Import-Module ActiveDirectory
    
    #Stop on the first error. Without this a failed New-ADUser is only printed, and every
    #later step (folders, group membership, mailbox) runs against whatever account already had that name
    $ErrorActionPreference = 'Stop'
    
    #Variables used below: $fn first name, $ln last name, $title, $dep department, $loc location,
    #$man manager (username), $un username, $fi first-name initial (used to build $un),
    #$officePhone, $streetAdd, $city, $ZIP (set from the location)
    
    #Getting information
    $fn = Read-Host "First Name?"
    $ln = Read-Host "Last Name?"
    $title = Read-Host "Title?"
    $dep = Read-Host "Department?"
    $man = Read-Host "Manager (Username)?"
    $loc = Read-Host "Loc1 or Loc2?"
    if ([string]::IsNullOrWhiteSpace($fn) -or [string]::IsNullOrWhiteSpace($ln)) { throw "First and last name are required" }
    
    #Finding out the Username: last name + first initial, letters and digits only,
    #trimmed to the 20-character sAMAccountName limit
    $fi = $fn.Substring(0,1)
    $un = (-join ($ln, $fi)) -replace '[^A-Za-z0-9]', ''
    if ($un.Length -gt 20) { $un = $un.Substring(0,20) }
    
    #Refuse to continue if that username is already taken; $un is alphanumeric, so it is safe to put in the filter
    if (Get-ADUser -Filter "sAMAccountName -eq '$un'") {
        throw "Username $un already exists in AD; pick a different username and re-run"
    }
    #Make sure the manager account exists before it is referenced below
    $null = Get-ADUser -Identity $man
    
    #Sets Location information (Module 1.06)
    if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07)
        $officePhone = "(999) 999-9999"
        $streetAdd = "123 Anywhere Drive"
        $city = "YourTown"
        $ZIP = "12345"
    }
    else { #If the user is in Loc2 (Module 1.08)
        $officePhone = "(987) 654-3210"
        $streetAdd = "987 Nothere Blvd"
        $city = "Somewhere Else"
        $ZIP = "98765"
    }
    
    #Sets Password. -AsSecureString keeps it out of the console and history, and New-ADUser
    #takes the SecureString as-is, so the unused ConvertFrom-SecureString step has been dropped
    $passwd = Read-Host -AsSecureString "Account Password"
    
    $userParams = @{
        'Name' = $un
        'Enabled' = $true
        'AccountPassword' = $passwd
        'UserPrincipalName' = -join ($un, "@smc.com")
        'SamAccountName' = $un
        'ChangePasswordAtLogon' = $false   #the onboarding sheet only suggests a change; $true would enforce it at first logon
        'GivenName' = $fn
        'Surname' = $ln
        'DisplayName' = -join ($fn," ",$ln)
        'Description' = $title
        'OfficePhone' = $officePhone
        'StreetAddress' = $streetAdd
        'City' = $city
        'State' = "Texas"
        'PostalCode' = $ZIP
        'Title' = $title
        'Department' = $dep
        'Company' = 'Standard Meat Company'
        'Manager' = $man
    }
    
    #Creates the user in AD
    New-ADUser @userParams
    
    #Wait until the new account can be read back before doing anything else.
    #New-ADUser itself is synchronous; this only covers replication when a later call lands on another DC
    $deadline = (Get-Date).AddMinutes(2)
    while (-not (Get-ADUser -Filter "sAMAccountName -eq '$un'")) {
        if ((Get-Date) -gt $deadline) { throw "Account $un is not readable after 2 minutes; check AD replication" }
        Start-Sleep -Seconds 5
    }
    
    #Makes the user's network drive, scan folder, and sets the permissions to their folders and files
    if ($loc -eq "Loc1") { #If the user is in Loc1
    New-Item -Name $un -ItemType directory -Path "\\server\folder\" #Creates users network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un\" #Creates users scan folder
    }
    Else { #If the user is in Loc2
    New-Item -Name $un -ItemType directory -Path "\\server\folder\" #Creates users network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates users scan folder
    }
    
    #Adds the user to the correct Security Group for permissions and other network drives
    if ($dep -eq "Accounting"){
    Add-ADGroupMember -Identity 'Accounting' -Members $un
    } #Adds the user to the Accounting Group
    Elseif ($dep -eq "Customer Service") {
    Add-ADGroupMember -Identity 'Customer Service' -Members $un
    } #Adds the user to the Customer Service Group
    Elseif ($dep -eq "HR") {
    Add-ADGroupMember -Identity 'Human Resources' -Members $un
    } #Adds the user to the Human Resources Group
    Elseif ($dep -eq "Human Resources") {
    Add-ADGroupMember -Identity 'Human Resources' -Members $un
    } #Adds the user to the Human Resources Group
    Elseif ($dep -eq "IT") {
    Add-ADGroupMember -Identity 'Domain Admins' -Members $un
    } #Adds the user to the Domain Admins Group for IT
    Elseif ($dep -eq "Maintenance") {
    Add-ADGroupMember -Identity 'MaintGroup' -Members $un
    } #Adds the user to the Maintenance Group
    Elseif ($dep -eq "Production") {
    Add-ADGroupMember -Identity 'Production' -Members $un
    } #Adds the user to the Production Group
    Elseif ($dep -eq "QA") { 
    Add-ADGroupMember -Identity 'QA Group' -Members $un
    } #Adds the user to the QA Group
    Elseif ($dep -eq "Quality Assurance") { 
    Add-ADGroupMember -Identity 'QA Group' -Members $un
    } #Adds the user to the QA Group
    Elseif ($dep -eq "Shipping") { 
    Add-ADGroupMember -Identity 'SHIP' -Members $un
    } #Adds the user to the Shipping Group
    Else {
    Add-ADGroupMember -Identity 'Domain Users' -Members $un
    } #Dumps the user to the Domain Users Group
    
    #Connects to the Exchange box, creates the users email account, then disconnects from the Exchange box
    $cred = Get-Credential #Prompts for an account with Exchange recipient-management rights; used by New-PSSession below
    $mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<exchange>/powershell' -Name '<exchange>' -Authentication Kerberos -Credential $cred
    Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null
    Enable-Mailbox -Identity $un -Alias $un -DisplayName (-join($fn," ",$ln)) #Creates the users mailbox
    Remove-PSSession -Session $mail #Disconnects from the Exchange box
    
    $manfn = Get-ADUser $man | Select-Object Name, GivenName, Surname #Gets the manager's name; the report below uses $manfn.Name
    
    #Create a report of the User's information
    $report = "Hello $fn $ln,
    
    From the IT Department, welcome to <MyCompany>.   We 
    are here to help you connect to the resources that you need for 
    your job.   If you need assistance with technology, please feel 
    free to contact us at either the help page, which is set as your 
    home page in Internet Explorer, email us at 
    [email protected], or call us at extension 4357.
    
    Below you will find your information so that you can login to 
    the network and get started:
    
    Your username is smc\$un
    Your password is 
    Your email address is [email protected]<MyCompany>.com
    Your phone number is $officePhone Ext. 
    
    It is suggested that you change your password to something that 
    you can remember but difficult enough that somebody else cannot 
    figure out.   The requirement is only 6 characters, but we do 
    advise on making it longer, throw some numbers and special 
    characters in there as well to make it stronger.   Best advice 
    would be to use a pass-PHRASE instead of a pass-WORD.
    
    Your computer should already be set up with your email loaded and 
    your network drives.   At Standard Meat, we use Microsoft 
    Outlook as the email client.   Which drives you have available 
    depends on what department you are in.   
    Generally, everybody will have an F: drive and a G: drive.   The 
    F: drive is your network folder.   Place in there the documents 
    that you feel you cannot do your job without.   In the F: drive 
    will be a scan folder.   When you go to the Xerox to scan in 
    documents, then you will find them in your scan folder.   The G: 
    drive is a company-wide shared folder.  As for your department 
    drives, it would be best to talk with $($manfn.name), 
    your supervisor/manager about the nature and uses of these drives.
    
    The use of the equipment and resources provided is a privilege 
    to you for use and should not be taken advantage of.   There are 
    measures set in place that allow us to manage the network.   Do 
    not assume that there is any personal privacy on this network.   
    The only privacy that you can assume is for the nature of your 
    work.   All information (including emails, documents, 
    spreadsheets, pictures, etc.) contained on the equipment 
    provided and on the network is the sole property of Standard 
    Meat Company.
    
    If you have problems with your equipment or network resources, 
    please feel free to ask.   We do not mind helping, but we cannot 
    help if we do not know, so please ask! 
    
    Sincerely,
    
    
    Your IT Department"
    
    if ($loc -eq "Loc1") {
    Write-Output $report | Out-Printer \\server\Printer
    }
    Else {
    Write-Output $report | Out-Printer \\server\Printer
    }
    

    You just won the Internet for me today
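    An added example, not code from the thread or from NerdyDad's script: the department-to-group if/elseif chain from the script above, written as a lookup table with a small function around it. The group names are the sterilized ones from the script except 'IT Staff', which is an assumed placeholder for a non-privileged IT group; an onboarding script that drops every new IT hire straight into Domain Admins hands out the most powerful group in the forest by default, and admin accounts are better created separately from day-to-day accounts. Unknown departments stop the run instead of falling through, and -WhatIf previews the changes before anything is written.

```powershell
# Added example (not from the thread): data-driven department -> group mapping.
# Assumptions: group names are placeholders taken from the thread's sterilized script,
# except 'IT Staff', which stands in for a non-privileged IT group. Requires the
# ActiveDirectory module (RSAT) and rights to modify the listed groups.

Import-Module ActiveDirectory

# One row per department; aliases ("HR", "Human Resources") point at the same groups.
# Deliberately no row grants Domain Admins: this script only provisions job groups.
$DepartmentGroups = @{
    'Accounting'        = @('Accounting')
    'Customer Service'  = @('Customer Service')
    'HR'                = @('Human Resources')
    'Human Resources'   = @('Human Resources')
    'IT'                = @('IT Staff')          # placeholder, NOT 'Domain Admins'
    'Maintenance'       = @('MaintGroup')
    'Production'        = @('Production')
    'QA'                = @('QA Group')
    'Quality Assurance' = @('QA Group')
    'Shipping'          = @('SHIP')
}

function Add-UserToDepartmentGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Department,
        [hashtable] $Map = $DepartmentGroups
    )

    # Fail closed: an unknown department is an operator error, not a silent
    # fall-through. (Every domain user is already in Domain Users through its
    # primary group, so an "Else -> Domain Users" branch grants nothing anyway.)
    # Hashtable literal keys are case-insensitive, so 'hr' matches 'HR'.
    if (-not $Map.ContainsKey($Department)) {
        throw "Unknown department '$Department'. Valid values: $($Map.Keys -join ', ')"
    }

    foreach ($group in $Map[$Department]) {
        # Resolve the group first so a typo in the table fails before any change is made.
        $adGroup = Get-ADGroup -Identity $group -ErrorAction Stop
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Add to group '$($adGroup.Name)'")) {
            Add-ADGroupMember -Identity $adGroup -Members $SamAccountName -ErrorAction Stop
            Write-Verbose "Added $SamAccountName to $($adGroup.Name)"
        }
    }
}

# Usage: dry run first, then for real.
# Add-UserToDepartmentGroups -SamAccountName 'smithj' -Department 'Accounting' -WhatIf
# Add-UserToDepartmentGroups -SamAccountName 'smithj' -Department 'Accounting' -Verbose
```

    Keeping the table separate from the logic means a new department is a one-line data change that can be reviewed, rather than another Elseif block, and the throw on an unknown department surfaces typos in the answer to "Department?" at the point where they are cheap to fix.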



  • @NerdyDad
    Thank you for sharing your scripts.



  • @black3dynamite said in Creating users:

    @NerdyDad
    Thank you for sharing your scripts.

    Not a problem. I am looking to expand my PS skills. If anybody has any requests, I'd do my best to get something out for you.



  • @NerdyDad MIND.....BLOWN!



  • I have 2 users starting next week, might have to use your script @NerdyDad
    I usually just use the Copy User function in ADUC then fill out the name, make adjustments to group membership.
    That looks essentially like the Copy User option from ADUC, but in PS, and it makes folders and such too.
    I wonder though, are users able to answer these questions about themselves?



  • @momurda said in Creating users:

    I have 2 users starting next week, might have to use your script @NerdyDad
    I usually just use the Copy User function in ADUC then fill out the name, make adjustments to group membership.
    That looks essentially like the Copy User option from ADUC, but in PS, and it makes folders and such too.
    I wonder though, are users able to answer these questions about themselves?

    Unfortunately not, because the user running the script has to be a domain admin in order to create the new user, add to groups, create mailboxes, etc.



  • Full disclosure: It can create folders within network shares. I had to go through the drive (e.g. c$) in order to create the proper folder. However, I have not yet been able to add permissions to the folders via the script. I've always had to go back and add permissions later on. There is an NTFS add-on module that a third-party individual has written and put out there, but I was never able to get it working properly.



  • @NerdyDad said in Creating users:

    @momurda said in Creating users:

    I have 2 users starting next week, might have to use your script @NerdyDad
    I usually just use the Copy User function in ADUC then fill out the name, make adjustments to group membership.
    That looks essentially like the Copy User option from ADUC, but in PS, and it makes folders and such too.
    I wonder though, are users able to answer these questions about themselves?

    Unfortunately not, because the user running the script has to be a domain admin in order to create the new user, add to groups, create mailboxes, etc.

    But after thinking about it, would you really want users creating user accounts? What if that user was let go and had created themselves a rogue account that you didn't know about? We still need to be holding the keys to the kingdom, assuming that the kingdom is still safe of course.



  • @NerdyDad
    What about using icacls command to manage permissions and ownership?



  • @black3dynamite said in Creating users:

    @NerdyDad
    What about using icacls command to manage permissions and ownership?

    Didn't know that existed. I will experiment with that and see if I can improve the scripts soon (not sure when, but soon...hopefully).



  • @NerdyDad said in Creating users:

    Full disclosure: It can create folders within network shares. I had to go through the drive (e.g. c$) in order to create the proper folder. However, I have not yet been able to add permissions to the folders via the script. I've always had to go back and add permissions later on. There is an NTFS add-on module that a third-party individual has written and put out there, but I was never able to get it working properly.

    I've used this to fix full directories of user home folders. Maybe you can cut out the parts you need for this user creation script?

    #
    # !! This ONLY works in PowerShell v2. !!
    #
    #            Variables
    #
    # Where is the root of the home drives?
    $homeDrivesDir="\\domain.com\userdir$"
    # Report only? ($false = fix problems - aka dangerous mode)
    $reportMode = $false
    # Print all valid directories?
    $verbose = $false
    # What domain are your users in?
    $domainName = "domain.com"
    #
    # #############################################
    
    # Save the current working directory before we change it (purely for convenience)
    pushd .
    # Change to the location of the home drives
    set-location $homeDrivesDir
    
    # Warn the user if we will be fixing or just reporting on problems
    write-host ""
    
    if ($reportMode) {
        Write-Host "Report mode is on. Not fixing problems!"
    } else {
        Write-Host "Report mode is off. Will fix problems!"
    }
    
    write-host ""
    
    # Initialise a few counter variables. Only useful for multiple executions from the same session
    $goodPermissions = $unfixablePermissions = $fixedPermissions = $badPermissions = 0
    $failedFolders = @()
    
    # For every folder in the $homeDrivesDir folder
    foreach($homeFolder in (Get-ChildItem $homeDrivesDir | Where {$_.psIsContainer -eq $true})) {
    
        # dump the current ACL in a variable
        $Acl = Get-Acl $homeFolder
    
        # create a permission mask in the form of DOMAIN\Username where Username=foldername
        #    (adjust as necessary if your home folders are not exactly your usernames)
        $compareString = "*" + $domainName + "\" + $homeFolder.Name + " Allow  FullControl*"
    
        # if the permission mask is in the ACL
        if ($Acl.AccessToString -like $compareString) {
    
            # everything's good, increment the counter and move on.
            if ($verbose) {Write-Host "Permissions are valid for" $homeFolder.Name -backgroundcolor green -foregroundcolor white}
            $goodPermissions += 1
    
        } else {
            # Permissions are invalid, either fix or report
            # increment the number of permissions needing repair
            $badPermissions += 1
            # if we're in report mode
            if ($reportMode -eq $true) {
                # reportmode is on, don't do anything
                Write-Host "Permissions not valid for" $homeFolder.Name -backgroundcolor red -foregroundcolor white
            } else {
                # reportmode is off, fix the permissions
                Write-Host "Setting permissions for" $homeFolder.Name -foregroundcolor white -backgroundcolor red
                # Add the user in format DOMAIN\Username
                $username = $domainName + "\" + $homeFolder.Name
                # Grant the user full control
                $accessLevel = "FullControl"
                # Should permissions be inherited from above?
                $inheritanceFlags = "ContainerInherit, ObjectInherit"
                # Should permissions propagate to below?
                $propagationFlags = "None"
                # Is this an Allow/Deny entry?
                $accessControlType = "Allow"
                try {
                    # Create the Access Rule
                    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($username,$accessLevel,$inheritanceFlags,$propagationFlags,$accessControlType)
    
                    # Attempt to apply the access rule to the ACL
                    $Acl.SetAccessRule($accessRule)
                    Set-Acl $homeFolder $Acl
                    # vvvvvvv Possible PS v3+ fix vvvvvvvvv
                    # Set-Acl -Path $homeFolder -AclObject $Acl
                    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                    # if it hasn't errored out by now, increment the counter
                    $fixedPermissions += 1
                } catch {
                    # It failed!
                    # Increment the fail count
                    $unfixablePermissions += 1
                    # and add the folder to the list of failed folders
                    $failedFolders += $homeFolder
                }
            } #/if
        } #/if
    } #/foreach
    
    # Print out a summary
    
    Write-Host ""
    Write-Host $goodPermissions "valid permissions"
    Write-Host $badPermissions "permissions needing repair"
    if ($reportMode -eq $false) {Write-Host $fixedPermissions "permissions fixed"}
    if ($unfixablePermissions -gt 0) {
        Write-Host $unfixablePermissions "ACLs could not be repaired."
        foreach ($folder in $failedFolders) {Write-Host " -" $folder}
    }
    
    # Cleanup
    popd
    


  • @NerdyDad said in Creating users:

    @NerdyDad said in Creating users:

    @momurda said in Creating users:

    I have 2 users starting next week, might have to use your script @NerdyDad
    I usually just use the Copy User function in ADUC then fill out the name, make adjustments to group membership.
    That looks essentially like the Copy User option from ADUC, but in PS, and it makes folders and such too.
    I wonder though, are users able to answer these questions about themselves?

    Unfortunately not, because the user running the script has to be a domain admin in order to create the new user, add to groups, create mailboxes, etc.

    But after thinking about it, would you really want users creating user accounts? What if that user was let go and had created themselves a rouge account that you didn't know about? We still need to be holding the keys to the kingdom, assuming that the kingdom is still safe of course.

    RarityRogueMotivator.jpg



  • @Grey said in Creating users:

    @NerdyDad said in Creating users:

    Full disclosure: It can create folders within network shares. I had to go through the drive (e.g. c$) in order to create the proper folder. However, I have not yet been able to add permissions to the folders via the script. I've always had to go back and add permissions later on. There is an NTFS add-on module that a third-party individual has written and put out there, but I was never able to get it working properly.

    I've used this to fix full directories of user home folders. Maybe you can cut out the parts you need for this user creation script?

    #
    # !! This ONLY works in PowerShell v2. !!
    #
    #            Variables
    #
    # Where is the root of the home drives?
    $homeDrivesDir="\\domain.com\userdir$"
    # Report only? ($false = fix problems - aka dangerous mode)
    $reportMode = $false
    # Print all valid directories?
    $verbose = $false
    # What domain are your users in?
    $domainName = "domain.com"
    #
    # #############################################
    
    # Save the current working directory before we change it (purely for convenience)
    pushd .
    # Change to the location of the home drives
    set-location $homeDrivesDir
    
    # Warn the user if we will be fixing or just reporting on problems
    write-host ""
    
    if ($reportMode) {
        Write-Host "Report mode is on. Not fixing problems!"
    } else {
        Write-Host "Report mode is off. Will fix problems!"
    }
    
    write-host ""
    
    # Initialise a few counter variables. Only useful for multiple executions from the same session
    $goodPermissions = $unfixablePermissions = $fixedPermissions = $badPermissions = 0
    $failedFolders = @()
    
    # For every folder in the $homeDrivesDir folder
    foreach($homeFolder in (Get-ChildItem $homeDrivesDir | Where {$_.psIsContainer -eq $true})) {
    
        # dump the current ACL in a variable
        $Acl = Get-Acl $homeFolder
    
        # create a permission mask in the form of DOMAIN\Username where Username=foldername
        #    (adjust as necessary if your home folders are not exactly your usernames)
        $compareString = "*" + $domainName + "\" + $homeFolder.Name + " Allow  FullControl*"
    
        # if the permission mask is in the ACL
        if ($Acl.AccessToString -like $compareString) {
    
            # everything's good, increment the counter and move on.
            if ($verbose) {Write-Host "Permissions are valid for" $homeFolder.Name -backgroundcolor green -foregroundcolor white}
            $goodPermissions += 1
    
        } else {
            # Permissions are invalid, either fix or report
            # increment the number of permissions needing repair
            $badPermissions += 1
            # if we're in report mode
            if ($reportMode -eq $true) {
                # reportmode is on, don't do anything
                Write-Host "Permissions not valid for" $homeFolder.Name -backgroundcolor red -foregroundcolor white
            } else {
                # reportmode is off, fix the permissions
                Write-Host "Setting permissions for" $homeFolder.Name -foregroundcolor white -backgroundcolor red
                # Add the user in format DOMAIN\Username
                $username = $domainName + "\" + $homeFolder.Name
                # Grant the user full control
                $accessLevel = "FullControl"
                # Should permissions be inherited from above?
                $inheritanceFlags = "ContainerInherit, ObjectInherit"
                # Should permissions propagate to below?
                $propagationFlags = "None"
                # Is this an Allow/Deny entry?
                $accessControlType = "Allow"
                try {
                    # Create the Access Rule
                    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($username,$accessLevel,$inheritanceFlags,$propagationFlags,$accessControlType)
    
                    # Attempt to apply the access rule to the ACL
                    $Acl.SetAccessRule($accessRule)
                    Set-Acl $homeFolder $Acl
                    # vvvvvvv Possible PS v3+ fix vvvvvvvvv
                    # Set-Acl -Path $homeFolder -AclObject $Acl
                    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                    # if it hasn't errored out by now, increment the counter
                    $fixedPermissions += 1
                } catch {
                    # It failed!
                    # Increment the fail count
                    $unfixablePermissions += 1
                    # and add the folder to the list of failed folders
                    $failedFolders += $homeFolder
                }
            } #/if
        } #/if
    } #/foreach
    
    # Print out a summary
    
    Write-Host ""
    Write-Host $goodPermissions "valid permissions"
    Write-Host $badPermissions "permissions needing repair"
    if ($reportMode -eq $false) {Write-Host $fixedPermissions "permissions fixed"}
    if ($unfixablePermissions -gt 0) {
        Write-Host $unfixablePermissions "ACLs could not be repaired."
        foreach ($folder in $failedFolders) {Write-Host " -" $folder}
    }
    
    # Cleanup
    popd
    

    I'm going to have to play with that one next week. Thanks. :-)



  • @NerdyDad said in Creating users:

    Try this out. It pops up with a command prompt to ask you a few questions to get started. Once the questions are answered, it takes care of most everything else. When it is done, it should spit out a piece of paper for you to give to the new employee with the information that they need.

    I sterilized it so that you could use it in your company.

    #Imports the AD & MSOnline Modules (Module 1.02)
    Import-Module activedirectory
    Import-Module MSOnline
    
    #Sets Variables (Module 1.03)
    $fn #First Name
    $ln #Last Name
    $title
    $dep #Department
    $loc #Location
    $man #Manager
    $un #Username
    $officePhone
    $streetAdd
    $city
    $ZIP
    $fi #First Name Initial, will be used to figure out Username
    
    #Getting information (Module 1.04)
    Write-Host "I need some information from you first. Answer the following questions to get started."
    $fn = read-host "First Name?"
    $ln = Read-Host "Last Name?"
    $title = Read-Host "Title?"
    $dep = Read-Host "Department?"
    $man = Read-Host "Manager (Username)?"
    $loc = Read-Host "<location>?"
    
    #Finding out the Username (Module 1.05)
    $fi = $fn.Substring(0,1)
    $un = -join ($ln, $fi)
    
    #Sets Location information (Module 1.06)
    if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07)
        $officePhone = "(999) 999-9999";
        $streetAdd = "123 Anywhere Drive";
        $city = "YourTown";
        $ZIP = "12345";
    }
    Else { #If the user is in Loc2 (Module 1.08)
        $officePhone = "(987) 654-3210";
        $streetAdd = "987 Nothere Blvd";
        $city = "Somewhere Else";
        $ZIP = "98765";
    }
    
    #Sets Password (Module 1.09)
    $passwd = (Read-Host -AsSecureString "Account Password")
    $password = ConvertFrom-SecureString -SecureString $passwd
    
    $userParams = @{ #(Module 1.10)
    	'Name' = $un;
    	'Enabled' = $true;
    	'AccountPassword' = $passwd; 
    	'UserPrincipalName' = -join ($un, "@mycompany.com");
    	'SamAccountName' = $un;
    	'ChangePasswordAtLogon' = $false;
    	'GivenName' = $fn;
    	'Surname' = $ln;
    	'DisplayName' = -join ($fn, " ", $ln);
    	'Description' = $title;
    	'OfficePhone' = $officePhone;
    	'StreetAddress' =  $streetAdd;
    	'City' = $city;
    	'State' = "Texas";
    	'PostalCode' = $ZIP;
    	'Title' = $title;
    	'Department' = $dep;
    	'Company' = 'MyCompany';
    	'Manager' = $man;
    }
    
    #Creates the user in AD (Module 1.11)
    New-ADUser @userParams
    
    #Wait for the account to be created before doing anything else (Module 1.12)
    Start-Sleep -Seconds 10
    
    #Makes the user's network drive, scan folder, and sets the permissions to their folders and files (Module 1.13)
    if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.14)
    New-Item -Name $un -ItemType directory -Path "\\server\folder\" #Creates users network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un\" #Creates users scan folder
    }
    Else { #If the user is in Loc2 (Module 1.15)
    New-Item -Name $un -ItemType directory -Path "\\server\folder\" #Creates users network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates users scan folder
    }
    
    #Adds the user to the correct Security Group for permissions and other network drives
    if ($dep -eq "Accounting"){ #(Module 1.16)
    Add-ADGroupMember -Identity 'Accounting' -Members $un #(Module 1.17)
    } #Adds the user to the Accounting Group
    Elseif ($dep -eq "Customer Service") { #(Module 1.18)
    Add-ADGroupMember -Identity 'Customer Service' -Members $un #(Module 1.19)
    } #Adds the user to the Customer Service Group
    Elseif ($dep -eq "Executives") { #(Module 1.20)
    Add-ADGroupMember -Identity 'Executives' -Members $un #(Module 1.21)
    } #Adds the user to the Executives Group
    Elseif ($dep -eq "HR") { #(Module 1.22)
    Add-ADGroupMember -Identity 'Human Resources' -Members $un #(Module 1.23)
    } #Adds the user to the Human Resources Group
    Elseif ($dep -eq "Human Resources") { #(Module 1.24)
    Add-ADGroupMember -Identity 'Human Resources' -Members $un #(Module 1.25)
    } #Adds the user to the Human Resources Group
    Elseif ($dep -eq "IT") { #(Module 1.26)
    Add-ADGroupMember -Identity 'Domain Admins' -Members $un #(Module 1.27)
    } #Adds the user to the Domain Admins Group for IT
    Elseif ($dep -eq "Maintenance") { #(Module 1.28)
    Add-ADGroupMember -Identity 'MaintGroup' -Members $un #(Module 1.29)
    } #Adds the user to the Maintenance Group
    Elseif ($dep -eq "Production") { #(Module 1.30)
    Add-ADGroupMember -Identity 'Production' -Members $un #(Module 1.31)
    } #Adds the user to the Production Group
    Elseif ($dep -eq "QA") {  #(Module 1.32)
    Add-ADGroupMember -Identity 'QA Group' -Members $un #(Module 1.33)
    } #Adds the user to the QA Group
    Elseif ($dep -eq "Quality Assurance") {  #(Module 1.34)
    Add-ADGroupMember -Identity 'QA Group' -Members $un #(Module 1.35)
    } #Adds the user to the QA Group
    Elseif ($dep -eq "Shipping") {  #(Module 1.36)
    Add-ADGroupMember -Identity 'SHIP' -Members $un #(Module 1.37)
    } #Adds the user to the Shipping Group
    Else { #(Module 1.38)
    Add-ADGroupMember -Identity 'Domain Users' -Members $un #(Module 1.39)
    } #Dumps the user to the Domain Users Group
    
    $manfn = Get-ADUser $man -Properties Name | select Name #Gets the manager's name (Module 1.40)
    
    #Creates a report of the User's information
    $report = "Hello $fn $ln,
    
    From the IT Department, welcome to <MyCompany>.   We 
    are here to help you connect to the resources that you need for 
    your job.   If you need assistance with technology, please feel 
    free to contact us at either the help page, which is set as your 
    home page in Internet Explorer, email us at 
    [email protected]<MyCompany>.com, or call us at extension 4357.
    
    Below you will find your information so that you can login to 
    the network and get started:
    
    Your username is domain\$un
    Your password is 
    Your email address is [email protected]<MyCompany>.com
    Your phone number is $officePhone Ext. 
    
    It is suggested that you change your password to something that 
    you can remember but difficult enough that somebody else cannot 
    figure out.   The requirement is only 6 characters, but we do 
    advise on making it longer, throw some numbers and special 
    characters in there as well to make it stronger.   Best advice 
    would be to use a pass-PHRASE instead of a pass-WORD.
    
    Your computer should already be set up with your email loaded and 
    your network drives.   At <MyCompany>, we use Microsoft 
    Outlook as the email client.   Which drives you have available 
    depends on what department you are in.   
    Generally, everybody will have an F: drive and a G: drive.   The 
    F: drive is your network folder.   Place in there the documents 
    that you feel you cannot do your job without.   In the F: drive 
    will be a scan folder.   When you go to the Xerox to scan in 
    documents, then you will find them in your scan folder.   The G: 
    drive is a company-wide shared folder.  As for your department 
    drives, it would be best to talk with $($manfn.name), 
    your supervisor/manager, about the nature and uses of these drives.
    
    The use of the equipment and resources provided is a privilege 
    to you for use and should not be taken advantage of.   There are 
    measures set in place that allow us to manage the network.   Do 
    not assume that there is any personal privacy on this network.   
    The only privacy that you can assume is for the nature of your 
    work.   All information (including emails, documents, 
    spreadsheets, pictures, etc.) contained on the equipment 
    provided and on the network is the sole property of Standard 
    Meat Company.
    
    If you have problems with your equipment or network resources, 
    please feel free to ask.   We do not mind helping, but we cannot 
    help if we do not know, so please ask! 
    
    Sincerely,
    
    
    Your IT Department"
    
    if ($loc -eq "Loc1") { #(Module 1.43)
    Write-Output $report | Out-Printer
    }
    Else { #(Module 1.44)
    Write-Output $report | Out-Printer "\\server\Xerox WorkCentre 4260"
    }
    
    #Waiting for AD & Azure to Synchronize, which synchronizes every 30 minutes (Module 1.45)
    Write-host "Waiting..."
    Start-Sleep -Seconds 1800
    
    #Connect to O365 and licenses the user
    Connect-MsolService #(Module 1.46)
    Set-MsolUserLicense -UserPrincipalName (-join($un,'@<MyCompany>.com')) -AddLicenses '<tenant>:<SKU>' #Placeholder licence SKU; list yours with Get-MsolAccountSku (Module 1.47)
    
    #Connects to Exchange Online, creates the users email account, then disconnects from the Exchange box
    $cred = Get-Credential #Prompts for an account with Exchange Online recipient-management rights; used by New-PSSession below
    $mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -AllowRedirection -Authentication Basic -Credential $cred #(Module 1.48-Part 1)
    Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null #(Module 1.48-Part 2)
    enable-Mailbox -Identity $un -Alias $un -DisplayName (-join($fn,$ln)) #Creates the users mailbox (Module 1.49)
    IF ($dep -eq "Executives") { #(Module 1.50)
    Set-Mailbox (-join($un,'@<MyCompany>.com')) -ProhibitSendQuota 19.5GB -ProhibitSendReceiveQuota 20GB -IssueWarningQuota 19GB #Sets the mailbox size in Exchange Online so that the user isn't using all 50 GB of storage (Module 1.51)
    } #If they are an executive, then they get 20 GB of mailbox space
    elseif ($dep -eq "IT") { #(Module 1.52)
    Set-Mailbox (-join($un,'@<MyCompany>.com')) #(Module 1.53)
    } #IT gets the full mailbox, of course 
    else { #(Module 1.54)
    Set-Mailbox (-join($un,'@<MyCompany>.com')) -ProhibitSendQuota 9.5GB -ProhibitSendReceiveQuota 10GB -IssueWarningQuota 9GB #Sets the mailbox size in Exchange Online so that the user isn't using all 50 GB of storage (Module 1.55)
    } #Otherwise, everybody else gets 10 GB of mailbox space
    Remove-PSSession -Session $mail #Disconnects from the Exchange box (Module 1.56)
    

    This is a great script, especially if you have users frequently cycling in and out of the company. Also a good base to expand from, or customize to make it fit many environments.

    Something that stuck out in the script for me was that the homeDirectory AD attribute wasn't being used (unless I missed it). When you set that, AD automatically does permissions appropriately for the user's home drive or home directory. It works well with DFS or DFSR.

    Edit: I use the following format for "homeDirectory": \\DOMAIN\Namespace\HomeDrives\%username%
    Path can be whatever works, above is just what happens to be for that case.
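    An added example, not code from the thread, that covers both Grey's ACL repair loop and black3dynamite's homeDirectory suggestion in one function: it creates the home folder and its scans subfolder, sets an explicit ACL, writes HomeDirectory and HomeDrive on the account, and reads the ACL back for verification. The path format is black3dynamite's \\DOMAIN\Namespace\HomeDrives\username with DOMAIN standing in for the real NetBIOS domain name; the function name, defaults and the 'smithj' account in the usage lines are assumptions. One caveat worth knowing before relying on the attribute alone: Set-ADUser -HomeDirectory only records the attribute. It is the ADUC profile tab that creates the folder and permissions for you; the cmdlet does not, so the function does that part itself.

```powershell
# Added example (not from the thread): provision a home folder, set its ACL from
# the script, and record HomeDirectory/HomeDrive on the AD account.
# Assumptions: \\DOMAIN\Namespace\HomeDrives and 'DOMAIN' are placeholders; the
# account running this has rights on the share and on the user object; the
# ActiveDirectory module (RSAT) is installed.

Import-Module ActiveDirectory

function New-UserHomeFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $HomeRoot   = '\\DOMAIN\Namespace\HomeDrives',  # placeholder path
        [string] $DomainName = 'DOMAIN',                          # placeholder NetBIOS name
        [string] $HomeDrive  = 'F:'
    )

    $path     = Join-Path $HomeRoot $SamAccountName
    $identity = "$DomainName\$SamAccountName"

    if (-not (Test-Path -LiteralPath $path)) {
        if ($PSCmdlet.ShouldProcess($path, 'Create home folder and scans subfolder')) {
            New-Item -ItemType Directory -Path $path | Out-Null
            New-Item -ItemType Directory -Path (Join-Path $path 'scans') | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess($path, "Set explicit ACL granting Modify to $identity")) {
        $acl = Get-Acl -LiteralPath $path
        # Stop inheriting from the share root so rights granted there do not flow into
        # this user's folder: $true = protect from inheritance, $false = drop inherited ACEs.
        $acl.SetAccessRuleProtection($true, $false)
        $rules = @(
            # Modify rather than FullControl: the user can work in the folder but cannot
            # rewrite its ACL and lock IT out of it.
            @{ Id = $identity;                Rights = 'Modify' },
            @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
            @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
        )
        foreach ($r in $rules) {
            $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $r.Id, $r.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
            $acl.AddAccessRule($ace)
        }
        Set-Acl -LiteralPath $path -AclObject $acl
    }

    if ($PSCmdlet.ShouldProcess($SamAccountName, "Set HomeDirectory=$path HomeDrive=$HomeDrive")) {
        Set-ADUser -Identity $SamAccountName -HomeDirectory $path -HomeDrive $HomeDrive
    }

    # Read the ACL back so the operator verifies the result rather than trusting the call.
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $identity } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage: preview first, then apply.
# New-UserHomeFolder -SamAccountName 'smithj' -WhatIf
# New-UserHomeFolder -SamAccountName 'smithj'
```

    Because the ACL is set before the attribute is written, a failure in the permissions step leaves the account without a HomeDirectory rather than pointing at a folder the user cannot use. The -WhatIf run is the equivalent of Grey's report mode, and the final read-back is the check to keep in the onboarding sheet workflow: if the user's ACE is not listed, stop before the welcome letter goes to the printer.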

