
Powershell : Add student users to AD with an excel file


PowerShell, or PowerHell… well, sometimes. I think that has to do with a lack of knowledge about this scripting technique: the more I work with it, the more I am starting to love it. Very powerful commands to do more with less. Since the migration to Exchange 2010 and Windows 2008 R2 we are discovering the power of PowerShell, and I have now converted some of my scripts from VBS to PowerShell. In this article I have created a script that adds student users to Active Directory from an Excel .xlsx file, without using the Quest AD cmdlets. Note that the workbook contains the initial passwords in clear text (column G), so protect it accordingly and clear it once the accounts have been created.

####################################################################
#                                                                  #
#   PowerShell script to add STUDENT users to Active Directory     #
#                                                                  #
#   Version: 0.2                                                   #
#                                                                  #
#   Requirements:                                                  #
#     1. PowerShell with the Exchange 2010 cmdlets loaded          #
#     2. Permissions on Exchange 2010 and Active Directory         #
#     3. Excel 2007 installed                                      #
#     4. Excel file with the following columns and data:           #
#                                                                  #
#        Column 1 (A) : Last Name                                  #
#        Column 2 (B) : Middle Name (like van, de, or blank)       #
#        Column 3 (C) : First Name                                 #
#        Column 4 (D) : Login Name (like 22222)                    #
#        Column 5 (E) : Class (like 4K1)                           #
#        Column 6 (F) : Sector (VMBO, HVWO, PRO)                   #
#        Column 7 (G) : Password (clear text - restrict access to  #
#                       the workbook and clear it after the run)   #
#                                                                  #
#   Changelog:                                                     #
#     0.1 First version        Richard                             #
#     0.2 Add user check       Richard                             #
#                                                                  #
####################################################################

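# ---- Site configuration -------------------------------------------------
# Input workbook; column G holds initial passwords in clear text, so keep the
# file's ACL tight and clear it once the accounts exist.
$strExcelFile    = "C:\Scripts\students.xlsx"
$strADDomainName = "domainname.local"
$strDC           = "servername"        # every AD/Exchange write is pinned to this DC
$strExchangeDB   = "EX-DB"
$strExchangeSMTP = "@companyname.nl"

# Every ADSI path below is built from $strDC and $strADDomainName, so the
# server and domain are configured in exactly one place (the functions already
# compose this same prefix when adding group members). The paths use plain
# LDAP on 389; the [ADSI] cast binds with ADSI's default Secure
# authentication (Kerberos/NTLM). NOTE(review): whether attribute writes are
# also sealed then depends on the DC's LDAP signing policy - confirm it, or
# bind with AuthenticationTypes.Sealing. Password sets go through
# IADsUser::SetPassword, which uses its own protected channel.
$strLdapPrefix = "LDAP://" + $strDC + "." + $strADDomainName + ":389/"

# Profile paths are single-quoted: the share name contains a literal '$'.

# HavoVwo sector
$strADUserLogonScriptHVWO = "Hvwo-student.vbs"
$strADUserProfPathHVWO    = '\\servername\Profiles$\studentprofileHvwo'
$strADUserOUHVWOShort     = ",OU=Students,OU=Users,OU=HavoVwo,DC=domainname,DC=local"
$strADUserOUHVWO          = [ADSI] ($strLdapPrefix + "OU=Students,OU=Users,OU=HavoVwo,DC=domainname,DC=local")
$strADUserGroupHVWO       = [ADSI] ($strLdapPrefix + "CN=Students HavoVwo,OU=Students,OU=groups,OU=HavoVwo,DC=domainname,DC=local")

# PRO sector
$strADUserLogonScriptPRO  = "Pro-student.vbs"
$strADUserProfPathPRO     = '\\servername\Profiles$\studentprofilePro'
$strADUserOUPROShort      = ",OU=Students,OU=Users,OU=Pro,DC=domainname,DC=local"
$strADUserOUPRO           = [ADSI] ($strLdapPrefix + "OU=Students,OU=Users,OU=Pro,DC=domainname,DC=local")
$strADUserGroupPRO        = [ADSI] ($strLdapPrefix + "CN=Students PRO,OU=Students,OU=groups,OU=Pro,DC=domainname,DC=local")

# VMBO sector
$strADUserLogonScriptVMBO = "Vmbo-student.vbs"
$strADUserProfPathVMBO    = '\\servername\Profiles$\studentprofileVmbo'
$strADUserOUVMBOShort     = ",OU=Students,OU=Users,OU=Vmbo,DC=domainname,DC=local"
$strADUserOUVMBO          = [ADSI] ($strLdapPrefix + "OU=Students,OU=Users,OU=Vmbo,DC=domainname,DC=local")
$strADUserGroupVMBO       = [ADSI] ($strLdapPrefix + "CN=Students VMBO,OU=Students,OU=groups,OU=Vmbo,DC=domainname,DC=local")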

####################################################################
#                            FUNCTIONS                             #
####################################################################
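function New-StudentAccount {
    # Shared worker behind addHVWOuser / addPROuser / addVMBOuser, which were
    # three copies of the same code differing only in OU, group(s), profile
    # path and logon script. Like the original functions it reads the current
    # spreadsheet row from script scope: $strADUserAlias, $CN,
    # $strADUserFirstName, $strADUserLastName, $strADUserFullName,
    # $strADUserInitials, $strADUserDiscription, $strADUserPassword,
    # $strADUserPrincipalName, $strADUserEmailAddress, plus $strDC,
    # $strADDomainName and $strExchangeDB.
    #
    # Parameters:
    #   OU              - [ADSI] entry of the OU the user is created in
    #   OUShort         - the OU's DN fragment (leading comma), appended to $CN
    #   Groups          - one or more [ADSI] group entries to add the user to
    #   ProfilePath     - value written to profilePath
    #   LogonScript     - value written to scriptPath
    #   ResetPwdLastSet - also write pwdLastSet=0 (only the VMBO wrapper does)
    # Returns: nothing. Writes a message and does nothing if the account exists.
    param(
        $OU,
        $OUShort,
        $Groups,
        $ProfilePath,
        $LogonScript,
        [switch]$ResetPwdLastSet
    )

    # Idempotency guard: never touch an account that already exists.
    $exists = (Check-ADUser -username $strADUserAlias).Status
    if ($exists -eq 1) {
        Write-Host "User:" $strADUserAlias "allready exists!"
        return
    }

    $userDn     = $CN + $OUShort
    $ldapPrefix = "LDAP://" + $strDC + "." + $strADDomainName + ":389/"

    # Create the object and its basic attributes in one commit.
    $newUser = $OU.Create("user", $CN)
    $newUser.Put("sAMAccountName", $strADUserAlias)
    $newUser.Put("givenName", $strADUserFirstName)
    $newUser.Put("sn", $strADUserLastName)
    $newUser.Put("displayName", $strADUserFullName)
    $newUser.Put("initials", $strADUserInitials)      # main script sets this to the alias
    $newUser.Put("description", $strADUserDiscription)
    $newUser.Put("profilePath", $ProfilePath)
    $newUser.Put("scriptPath", $LogonScript)
    $newUser.Put("userPrincipalName", $strADUserPrincipalName)
    $newUser.SetInfo()

    # Initial password and enable. IADsUser::SetPassword is used instead of a
    # plain attribute write so ADSI chooses a protected channel for the secret.
    $newUser.PsBase.Invoke("SetPassword", $strADUserPassword)
    $newUser.PsBase.InvokeSet("AccountDisabled", $false)
    if ($ResetPwdLastSet) {
        # NOTE(review): pwdLastSet=0 normally means "must change at next
        # logon", yet DONT_EXPIRE_PASSWD is set right below and the change-
        # password right is denied further down. Confirm this is intended.
        $newUser.Put("pwdLastSet", 0)
    }
    $newUser.SetInfo()

    # "Password never expires". Read userAccountControl back through the
    # property cache and write it with Put(): assigning
    # $newUser.useraccountcontrol directly did not persist (see Danny's
    # comment below the article).
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
    $newUser.PsBase.RefreshCache(@("userAccountControl"))
    [int]$flags = $newUser.PsBase.Properties["userAccountControl"].Value
    $newUser.Put("userAccountControl", ($flags -bor $ADS_UF_DONT_EXPIRE_PASSWD))
    $newUser.SetInfo()

    # "User cannot change password" (deny the Change-Password right).
    Set-PasswordChange $userDn -Deny

    # The original waited here "for the user to be created". The OU and group
    # entries are bound to the same DC, so this is probably unnecessary, but
    # it is kept to preserve behaviour.
    Start-Sleep -Seconds 10

    foreach ($group in $Groups) {
        $group.Add($ldapPrefix + $userDn)
    }

    # Mailbox. The user is identified by UPN, not by display name: "Last,
    # Middle, First" is not unique and made the Exchange cmdlets fail for two
    # students with the same name. Students get no client protocols and are
    # hidden from the address lists.
    Enable-Mailbox -Identity $strADUserPrincipalName -Alias $strADUserAlias -Database $strExchangeDB -PrimarySmtpAddress $strADUserEmailAddress -ActiveSyncMailboxPolicy 'Default' -DomainController $strDC
    Set-CASMailbox -Identity $strADUserPrincipalName -MAPIEnabled $false -POPEnabled $false -ImapEnabled $false -ActiveSyncEnabled $false -DomainController $strDC
    Set-Mailbox -Identity $strADUserPrincipalName -HiddenFromAddressListsEnabled $true -DomainController $strDC
}

function addHVWOuser {
    # HavoVwo student: HVWO OU, HVWO group, HVWO profile and logon script.
    New-StudentAccount -OU $strADUserOUHVWO -OUShort $strADUserOUHVWOShort `
        -Groups @($strADUserGroupHVWO) `
        -ProfilePath $strADUserProfPathHVWO -LogonScript $strADUserLogonScriptHVWO
}

function addPROuser {
    # PRO student: PRO OU, member of both the PRO and the VMBO group.
    New-StudentAccount -OU $strADUserOUPRO -OUShort $strADUserOUPROShort `
        -Groups @($strADUserGroupPRO, $strADUserGroupVMBO) `
        -ProfilePath $strADUserProfPathPRO -LogonScript $strADUserLogonScriptPRO
}

function addVMBOuser {
    # VMBO student: VMBO OU and group; this sector also resets pwdLastSet.
    New-StudentAccount -OU $strADUserOUVMBO -OUShort $strADUserOUVMBOShort `
        -Groups @($strADUserGroupVMBO) `
        -ProfilePath $strADUserProfPathVMBO -LogonScript $strADUserLogonScriptVMBO `
        -ResetPwdLastSet
}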
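Function Set-PasswordChange {
    # Allows or denies the "User-Change-Password" control access right
    # (GUID ab721a53-1e2f-11d0-9819-00aa0040529b) for SELF and Everyone on a
    # user object; this is the ACL behind the "User cannot change password"
    # checkbox. Both ACEs are replaced ('Reset'), not appended.
    #
    # Parameters:
    #   dn   - distinguished name of the user (mandatory; throws if omitted)
    #   Deny - when present the right is denied, otherwise it is allowed
    # Globals read: $strDC, $strADDomainName (to build the LDAP path).
    # Output: writes a message to the host and returns WITHOUT committing if
    # either rule could not be applied; callers get no return value.
    Param(
        [string]$dn = $(Throw "You must specify a user's DN"),
        [switch]$Deny
    )

    [ADSI]$user = "LDAP://" + $strDC + "." + $strADDomainName + ":389/" + $dn
    [Guid]$changePasswordRight = "ab721a53-1e2f-11d0-9819-00aa0040529b"
    $everyone = [System.Security.Principal.SecurityIdentifier]"S-1-1-0"
    $self     = [System.Security.Principal.SecurityIdentifier]"S-1-5-10"

    if ($Deny) { $accessType = "Deny" } else { $accessType = "Allow" }
    $selfRule     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($self, "ExtendedRight", $accessType, $changePasswordRight)
    $everyoneRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($everyone, "ExtendedRight", $accessType, $changePasswordRight)

    # ModifyAccessRule wants a [ref] out-parameter for its "modified" flag.
    $modified = $false
    if (-not $user.psbase.ObjectSecurity.ModifyAccessRule("Reset", $selfRule, [ref]$modified)) {
        Write-Host "Failed to modify access rule for SELF"
        return
    }
    if (-not $user.psbase.ObjectSecurity.ModifyAccessRule("Reset", $everyoneRule, [ref]$modified)) {
        Write-Host "Failed to modify access rule for EVERYONE"
        return
    }

    # Both rules applied in memory - write the new security descriptor.
    $user.psbase.CommitChanges()
}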
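Function Check-ADUser {
    # Reports whether a user with the given sAMAccountName exists.
    #
    # Parameters:
    #   Username - the sAMAccountName to look for. It comes straight from the
    #              spreadsheet, so it is escaped before being put in the filter.
    # Returns: a PSObject with one property, Status: "1" if found, "0" if not
    #          (strings, as the original returned; callers compare with -eq 1).
    # NOTE(review): the search binds to the default naming context of the
    # caller's domain, not to $strDC, so an account created moments ago on
    # $strDC may not be visible here until it has replicated.
    Param($Username)

    # RFC 4515 filter escaping. Without it a cell containing e.g. "*" or
    # "22222)(objectClass=*" rewrites the filter instead of matching a name.
    $escaped = [string]$Username
    $escaped = $escaped.Replace("\", "\5c")
    $escaped = $escaped.Replace("*", "\2a")
    $escaped = $escaped.Replace("(", "\28")
    $escaped = $escaped.Replace(")", "\29")
    $escaped = $escaped.Replace([string][char]0, "\00")

    $domainRoot = [ADSI]''
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$escaped))"

    $found = $searcher.FindAll()
    try {
        if ($found.Count -eq 0) { $status = "0" } else { $status = "1" }
    }
    finally {
        # SearchResultCollection holds unmanaged handles that the GC does not
        # release; Dispose() it or leak one per row.
        $found.Dispose()
    }

    $result = New-Object PSObject
    $result | Add-Member NoteProperty Status $status
    Write-Output $result
}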
####################################################################
#                           MAIN SCRIPT                            #
####################################################################
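# Open Excel via COM and walk the workbook row by row (row 1 is the header).
# Excel is released in a finally block so a row that throws does not leave an
# EXCEL.EXE behind with the password workbook open.
$objExcel = New-Object -ComObject Excel.Application
$objExcel.Visible = $True
$objExcelWorkbook = $Null
try {
    # Open read-only (UpdateLinks=0, ReadOnly=$true): the script never writes
    # to the workbook, so it must not be able to modify it either.
    $objExcelWorkbook = $objExcel.Workbooks.Open($strExcelFile, 0, $true)
    $objExcelCurrentRow = 2
    do {
        $strADUserLastName   = $objExcel.Cells.Item($objExcelCurrentRow, 1).Value()
        $strADUserMiddleName = $objExcel.Cells.Item($objExcelCurrentRow, 2).Value()
        $strADUserFirstName  = $objExcel.Cells.Item($objExcelCurrentRow, 3).Value()
        # The login name is numeric, so Excel returns a System.Double; force a
        # string. (Leading zeros are already lost inside Excel at that point.)
        [string]$strADUserAlias = $objExcel.Cells.Item($objExcelCurrentRow, 4).Value()
        $strADUserClass    = $objExcel.Cells.Item($objExcelCurrentRow, 5).Value()
        $strADUserSector   = $objExcel.Cells.Item($objExcelCurrentRow, 6).Value()
        $strADUserPassword = $objExcel.Cells.Item($objExcelCurrentRow, 7).Value()

        # Display name "Last, [Middle, ]First"; the remaining values derive
        # from the alias and the site configuration.
        if ($strADUserMiddleName -eq $Null) {
            $strADUserFullName = $strADUserLastName + ", " + $strADUserFirstName
        } else {
            $strADUserFullName = $strADUserLastName + ", " + $strADUserMiddleName + ", " + $strADUserFirstName
        }
        $strADUserDiscription   = $strADUserSector + " Class " + $strADUserClass + " (" + $strADUserFullName + ")"
        $strADUserPrincipalName = $strADUserAlias + "@" + $strADDomainName
        $strADUserEmailAddress  = $strADUserAlias + $strExchangeSMTP
        $strADUserInitials      = $strADUserAlias
        $CN = "CN=" + $strADUserAlias

        # Dispatch on sector. A row with a sector that matches nothing used to
        # be skipped silently; report it so typos in column F are noticed.
        if     ($strADUserSector -eq "HVWO") { addHVWOuser }
        elseif ($strADUserSector -eq "PRO")  { addPROuser }
        elseif ($strADUserSector -eq "VMBO") { addVMBOuser }
        elseif ($strADUserSector -ne $Null)  { Write-Host "Row" $objExcelCurrentRow "has unknown sector" $strADUserSector "- skipped" }

        $objExcelCurrentRow++
    } until ($strADUserLastName -eq $Null)   # first row without a last name ends the run
}
finally {
    # Close the workbook and Excel, then release the COM references.
    if ($objExcelWorkbook -ne $Null) { $objExcelWorkbook.Close() }
    $objExcel.Quit()
    $Null = & {
        if ($objExcelWorkbook -ne $Null) {
            [Runtime.InteropServices.Marshal]::ReleaseComObject($objExcelWorkbook)
        }
        [Runtime.InteropServices.Marshal]::ReleaseComObject($objExcel)
    }
    [GC]::Collect()
}
####################################################################
#                         END MAIN SCRIPT                          #
####################################################################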

I think this code can easily be followed. If any questions arise, or if you have useful additions or comments, don’t hesitate to comment.

  1. Danny
    February 8, 2012 at 2:54 pm

    The piece that should set "password never expires" doesn’t work. I changed it to this:

    $currentUAC = [int]($newUser.userAccountCOntrol.ToString())
    $newUAC = $currentUAC -bor 65536
    $newUser.put(“userAccountControl”,$newUAC)
    $newUser.SetInfo()

    • February 14, 2012 at 8:51 am

      THX for the feedback Danny.

  2. October 7, 2012 at 12:08 am

    Do you have an example of the spreadsheet you used?

    • October 8, 2012 at 9:32 am

      Check your mail.

      • michael ellis
        December 3, 2012 at 7:46 am

        Can you please send me the spreadsheet example?

      • December 14, 2012 at 3:11 pm

        CYM

  3. Alan Whitehouse
    December 12, 2012 at 11:42 pm

    I would love to see a copy of that spreadsheet as well if I could. Thanks.
