
    Creating New User without O365 with PowerShell

      NerdyDad
      last edited by NerdyDad

      This script pops up a command prompt asking a series of basic questions in order to:

      1. Create a user
      2. Set a password
      3. Create their network folders
      4. Create their email address on a local Exchange box
      5. Add them to a Security Group based upon department (can be modified however you like)
      6. Print out an information sheet for you to give to the new user with their required information.
      #Imports the AD
      Import-Module activedirectory
      
      #Sets Variables
      $fn #First Name
      $ln #Last Name
      $title
      $dep #Department
      $loc #Location
      $man #Manager
      $un #Username
      $officePhone
      $streetAdd
      $city
      $ZIP
      $fi #First Name Initial, will be used to figure out Username
      
      #Getting information
      $fn = Read-host "First Name?"
      $ln = Read-Host "Last Name?"
      $title = Read-Host "Title?"
      $dep = Read-Host "Department?"
      $man = Read-Host "Manager (Username)?"
      $loc = Read-Host "Loc1 or Loc2?"
      
      #Finding out the Username
      $fi = $fn.Substring(0,1)
      $un = -join ($ln, $fi)
      
      #Sets Location information (Module 1.06)
      if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07)
          $officePhone = "(999) 999-9999";
          $streetAdd = "123 Anywhere Drive";
          $city = "YourTown";
          $ZIP = "12345";
      }
      Else { #If the user is in Loc2 (Module 1.08)
          $officePhone = "(987) 654-3210";
          $streetAdd = "987 Nothere Blvd";
          $city = "Somewhere Else";
          $ZIP = "98765";
      }
      
      #Sets Password
      $passwd = (Read-Host -AsSecureString "Account Password")
      $password = ConvertFrom-SecureString -SecureString $passwd
      
      $userParams = @{
      	'Name' = $un;
      	'Enabled' = $true;
      	'AccountPassword' = $passwd; 
      	'UserPrincipalName' = -join ($un, "@<domain>.com");
      	'SamAccountName' = $un;
      	'ChangePasswordAtLogon' = $false;
      	'GivenName' = $fn;
      	'Surname' = $ln;
      	'DisplayName' = -join ($fn," ",$ln);
      	'Description' = $title;
      	'OfficePhone' = $officePhone;
      	'StreetAddress' =  $streetAdd;
      	'City' = $city;
      	'State' = "Texas";
      	'PostalCode' = $ZIP;
      	'Title' = $title;
      	'Department' = $dep;
      	'Company' = '<MyCompany>';
      	'Manager' = $man;
      }
      
      #Creates the user in AD
      New-ADUser @userParams
      
      #Wait for the account to be created before doing anything else
      Start-Sleep -Seconds 10
      
      #Makes the user's network drive, scan folder, and sets the permissions to their folders and files
      if ($loc -eq "Loc1") { #If the user is in Loc1
      New-Item -Name $un -ItemType directory -Path "\\server\folder\" #Creates users network drive
      New-Item -Name scans -ItemType directory -Path "\\server\folder\$un\" #Creates users scan folder
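      icacls \\<server>\d$\Users\$un\* /grant "${un}:F" /inheritance:e /T #Grants the user full control; ${un} is braced and quoted so PowerShell does not read $un:F as a scoped variable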
      }
      Else { #If the user is in Loc2
      New-Item -Name $un -ItemType directory -Path "\\server\folder\" #Creates users network drive
      New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates users scan folder
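      icacls \\<server>\d$\Users\$un\* /grant "${un}:F" /inheritance:e /T #Grants the user full control; ${un} is braced and quoted so PowerShell does not read $un:F as a scoped variable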
      }
      
      #Adds the user to the correct Security Group for permissions and other network drives
      if ($dep -eq "Accounting"){
      Add-ADGroupMember -Identity 'Accounting' -Members $un
      } #Adds the user to the Accounting Group
      Elseif ($dep -eq "Customer Service") {
      Add-ADGroupMember -Identity 'Customer Service' -Members $un
      } #Adds the user to the Customer Service Group
      Elseif ($dep -eq "HR") {
      Add-ADGroupMember -Identity 'Human Resources' -Members $un
      } #Adds the user to the Human Resources Group
      Elseif ($dep -eq "Human Resources") {
      Add-ADGroupMember -Identity 'Human Resources' -Members $un
      } #Adds the user to the Human Resources Group
      Elseif ($dep -eq "IT") {
      Add-ADGroupMember -Identity 'Domain Admins' -Members $un
      } #Adds the user to the Domain Admins Group for IT
      Elseif ($dep -eq "Maintenance") {
      Add-ADGroupMember -Identity 'MaintGroup' -Members $un
      } #Adds the user to the Maintenance Group
      Elseif ($dep -eq "Production") {
      Add-ADGroupMember -Identity 'Production' -Members $un
      } #Adds the user to the Production Group
      Elseif ($dep -eq "QA") { 
      Add-ADGroupMember -Identity 'QA Group' -Members $un
      } #Adds the user to the QA Group
      Elseif ($dep -eq "Quality Assurance") { 
      Add-ADGroupMember -Identity 'QA Group' -Members $un
      } #Adds the user to the QA Group
      Elseif ($dep -eq "Shipping") { 
      Add-ADGroupMember -Identity 'SHIP' -Members $un
      } #Adds the user to the Shipping Group
      Else {
      Add-ADGroupMember -Identity 'Domain Users' -Members $un
      } #Dumps the user to the Domain Users Group
      
      #Connects to the Exchange box, creates the users email account, then disconnects from the Exchange box
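      $cred = Get-Credential #Prompts for the account used to connect to the Exchange box ($cred was otherwise undefined)
      $mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<exchange>/powershell -name <exchange> -Authentication Kerberos -Credential $cred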
      Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null
      enable-Mailbox -Identity $un -Alias $un -DisplayName (-join($fn,$ln)) #Creates the users mailbox
      Remove-PSSession -Session $mail #Disconnects from the Exchange box
      
      $manfn = Get-ADUser $man -Properties GivenName | select GivenName #Gets the managers first name
      $manln = Get-ADUser $man -Properties SurName | select SurName #Gets the managers last name
      
      #Create a report of the User's information
      $report = "Hello $fn $ln,
      
      From the IT Department, welcome to <MyCompany>.   We 
      are here to help you connect to the resources that you need for 
      your job.   If you need assistance with technology, please feel 
      free to contact us at either the help page, which is set as your 
      home page in Internet Explorer, email us at 
      helpdesk@<MyCompany>.com, or call us at extension 4357.
      
      Below you will find your information so that you can login to 
      the network and get started:
      
      Your username is <domain>\$un
      Your password is 
      Your email address is $fn$ln@<MyCompany>.com
      Your phone number is $officePhone Ext. 
      
      It is suggested that you change your password to something that 
      you can remember but difficult enough that somebody else cannot 
      figure out.   The requirement is only 6 characters, but we do 
      advise on making it longer, throw some numbers and special 
      characters in there as well to make it stronger.   Best advice 
      would be to use a pass-PHRASE instead of a pass-WORD.
      
      Your computer should already be setup with your email loaded and 
      your network drives.   At <MyCompany>, we use Microsoft 
      Outlook as the email client.   Depending on what department you 
      are in will depend on what drives you have available.   
      Generally, everybody will have an F: drive and a G: drive.   The 
      F: drive is your network folder.   Place in there the documents 
      that you feel you cannot do your job without.   In the F: drive 
      will be a scan folder.   When you go to the Xerox to scan in 
      documents, then you will find them in your scan folder.   The G: 
      drive is a company-wide shared folder.  As for your department 
      drives, it would be best to talk with $($manfn.GivenName), 
      your supervisor/manager about the nature and uses of these drives.
      
      The use of the equipment and resources provided are a privilege 
      to you for use and should not be taken advantage of.   There are 
      measures set in place that allows us to manage the network.   Do 
      not assume that there is any personal privacy on this network.   
      The only privacy that you can assume is for the nature of your 
      work.   All information (including emails, documents, 
      spreadsheets, pictures, etc.) contained on the equipment 
      provided and on the network is the sole property of <MyCompany>.
      
      If you have problems with your equipment or network resources, 
      please feel free to ask.   We do not mind helping, but we cannot 
      help if we do not know, so please ask! 
      
      Sincerely,
      
      
      Your IT Department"
      
      if ($loc -eq "Loc1") {
      Write-Output $report | Out-Printer \\server\Printer
      }
      Else {
      Write-Output $report | Out-Printer \\server\Printer
      }
      

      A part of the NerdyDad's PowerShell Scripts Series
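
The department-to-group step from the script above, rewritten as a lookup table that validates the typed department and refuses to place a new account in a privileged group. This is an added example, not part of NerdyDad's script; `Resolve-DepartmentGroup`, `$PrivilegedGroups` and the extra username prompt are assumptions, and the group names are the ones the script uses.

```powershell
# Added example, not NerdyDad's code. Resolve-DepartmentGroup and
# $PrivilegedGroups are hypothetical names; group names come from the script above.
Import-Module ActiveDirectory

# Department as typed at the prompt -> security group (hashtable keys are case-insensitive).
# IT is deliberately absent (assumption: admin rights go through a separate, reviewed step).
$DepartmentGroups = @{
    'Accounting'        = 'Accounting'
    'Customer Service'  = 'Customer Service'
    'HR'                = 'Human Resources'
    'Human Resources'   = 'Human Resources'
    'Maintenance'       = 'MaintGroup'
    'Production'        = 'Production'
    'QA'                = 'QA Group'
    'Quality Assurance' = 'QA Group'
    'Shipping'          = 'SHIP'
}

# Groups an onboarding script should never assign (assumed list); guards later edits to the table.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Resolve-DepartmentGroup {
    param([Parameter(Mandatory)][string]$Department)

    $key = $Department.Trim()
    if (-not $DepartmentGroups.ContainsKey($key)) {
        # Unknown or mistyped department: add no group. A new AD user is
        # already a member of Domain Users by default.
        Write-Warning "No group mapping for department '$key'; skipping group assignment."
        return $null
    }
    $group = $DepartmentGroups[$key]
    if ($PrivilegedGroups -contains $group) {
        throw "Refusing to add a new account to privileged group '$group'."
    }
    return $group
}

$dep   = Read-Host "Department?"
$un    = Read-Host "Username?"
$group = Resolve-DepartmentGroup -Department $dep
if ($group) {
    Add-ADGroupMember -Identity $group -Members $un
    # List the account's groups so the result can be checked before the welcome sheet prints.
    Get-ADPrincipalGroupMembership -Identity $un | Select-Object -ExpandProperty Name
}
```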

        NerdyDad
        last edited by NerdyDad

        Attempted to use a 3rd party PS Module called NTFSSecurity from TechNet or GitHub. Imported the module and received a number of errors.

        Add-Type : Could not load file or assembly 'file:///C:\Users\baldwinj\Documents\WindowsPowerShell\Modules\NTFSSecurity\Security2.dll' or one of its dependencies. 
        Operation is not supported. (Exception from HRESULT: 0x80131515)
        At C:\Users\baldwinj\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1:75 char:1
        + Add-Type -Path $PSScriptRoot\Security2.dll
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            + CategoryInfo          : NotSpecified: (:) [Add-Type], FileLoadException
            + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.AddTypeCommand
         
        Add-Type : Could not load file or assembly 'file:///C:\Users\baldwinj\Documents\WindowsPowerShell\Modules\NTFSSecurity\PrivilegeControl.dll' or one of its 
        dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515)
        At C:\Users\baldwinj\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1:76 char:1
        + Add-Type -Path $PSScriptRoot\PrivilegeControl.dll -ReferencedAssembli ...
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            + CategoryInfo          : NotSpecified: (:) [Add-Type], FileLoadException
            + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.AddTypeCommand
         
        Add-Type : Could not load file or assembly 'file:///C:\Users\baldwinj\Documents\WindowsPowerShell\Modules\NTFSSecurity\ProcessPrivileges.dll' or one of its 
        dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515)
        At C:\Users\baldwinj\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1:77 char:1
        + Add-Type -Path $PSScriptRoot\ProcessPrivileges.dll
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            + CategoryInfo          : NotSpecified: (:) [Add-Type], FileLoadException
            + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.AddTypeCommand
         
        Import-Module : Could not load file or assembly 'file:///C:\Users\baldwinj\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.dll' or one of its 
        dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515)
        At line:1 char:1
        + Import-Module NTFSSecurity
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~
            + CategoryInfo          : NotSpecified: (:) [Import-Module], FileLoadException
            + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.ImportModuleCommand
        

        Anybody have any suggestions on getting this to work? I'm not familiar enough with PowerShell to be able to fix this.

          NerdyDad
          last edited by NerdyDad

          icacls is looking promising so far.

          https://technet.microsoft.com/en-us/library/cc753525(v=ws.11).aspx
          https://ss64.com/nt/icacls.html

            NerdyDad
            last edited by NerdyDad

            Inserted a new line of code at line 82 & 87 to read as follows:

            icacls \\<server>\d$\Users\$un\* /grant "${un}:F" /inheritance:e /T
            

            This line grants the new employee full access to their network folder and subfolders and items.
