1

I am bulk-creating AD users from the command line (dsadd) and whilst doing so am setting the homedir and homedrv to a DFS location. I observe when I create the user with all these settings via the GUI (dsa.msc) that the homedrv gets created on the DFS share with all the permissions set correctly. But when using dsadd, the folder is not created. How can I replicate this GUI behaviour via the command line when creating the user?

I don't really want to rely on logon scripts to set it up. Do I have to use mkdir and cacls and something else to give the user Ownership? Or maybe I am missing something easy.

Any help much appreciated!

Ryan Fisher

4 Answers

2

My answers below will probably give you enough of a skeleton of a script to make what you want happen:

You can end up with a nice little provisioning script that creates the roaming profile directory, the redirected folder / home directories, and adds the appropriate attributes / group memberships to AD to make it all happen.

I disagree strongly with the Microsoft "preferred" method of granting the user permissions such that Windows automatically creates these various directories. The permissions that get added to these automatically-created directories are decidedly sub-optimal, and I believe there's a strong denial-of-service attack potential by letting users have unfettered write access to top-level folders in such hierarchies.

Evan Anderson
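
The provisioning approach described in the answer above, as an added example that is not code from any poster in this thread: an administrator-run PowerShell script pre-creates each home folder with an explicit ACL, so users never need write access to the top-level share. The share path, domain name and CSV layout are placeholder assumptions.

```powershell
# Added example: pre-create per-user home folders with an explicit ACL.
# Run as an administrator AFTER the accounts exist (e.g. after dsadd),
# otherwise the account name cannot be resolved to a SID.
# Placeholders, not from the thread: $HomeRoot, $Domain, users.csv layout.
param(
    [string]$HomeRoot = '\\example.local\dfs\home',
    [string]$Domain   = 'EXAMPLE',
    [string]$CsvPath  = '.\users.csv'   # one column: SamAccountName
)

function New-HomeRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    # Rule applies to the folder itself, its subfolders and its files
    $ruleArgs = $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

foreach ($row in Import-Csv $CsvPath) {
    $sam = $row.SamAccountName
    # Accept only plain account names so a CSV value cannot escape $HomeRoot
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$' -or $sam -match '^\.+$') {
        Write-Warning "Skipping invalid account name '$sam'"
        continue
    }
    $path = Join-Path $HomeRoot $sam
    if (Test-Path $path) {
        Write-Warning "$path already exists; leaving its ACL untouched"
        continue
    }
    New-Item -ItemType Directory -Path $path | Out-Null

    # Build the DACL from scratch instead of editing whatever was inherited
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)   # block inheritance, keep no inherited ACEs
    $acl.AddAccessRule((New-HomeRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-HomeRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
    # Modify rather than FullControl: the user cannot rewrite permissions
    # or take ownership; the creating administrator remains the owner.
    $acl.AddAccessRule((New-HomeRule "$Domain\$sam" 'Modify'))
    Set-Acl -Path $path -AclObject $acl
}
```
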
1

Generally I'd script this and read the list of user names/etc from a spreadsheet or txt file. There are plenty of sample scripts around the web for user creation, but have a look here to get started.

One thing about the Home Folder property: you might find that there's less admin overhead for you in the longer term if you abandon that as a bad idea (I've a sneaking suspicion that it may only exist in AD for legacy NT4 compatibility, and that it's not really intended to be used in a fully native AD implementation) and use Folder Redirection with Group Policies instead.

For folder creation I've quite successfully used xcacls in the past.

Maximus Minimus
  • I find the per-user home folder attribute handy. Folder redirection can use the user's specified home folder as a destination. That can be very nice insofar as you can specify the location per-user, then have a single GPO that applies Folder Redirection policy and, because the folder location is specified per-user, effectively can redirect user folders to multiple servers. W/o that mechanism, you'd be forced to either use group membership in the Folder Redirection policy, or multiple OUs / GPO filtering and multiple Folder Redirection policies to redirect folders to multiple server computers. – Evan Anderson Oct 19 '09 at 20:06
  • It's worth noting that you *are* introducing another point of failure to user desktop experience by redirecting the folders to servers. Network/Server issues can cause data-loss, you have to handle Laptops differently, etc. Ultimately still worth doing IMHO, but there are other considerations to keep in mind. That's probably one reason that mapped drives rather than Folder Redirection is still so prevalent. – Ryan Fisher Apr 01 '10 at 17:48
0

Check out the command-line version of admodify.net called admod. It allows bulk changes to AD and it's scriptable. I've got such a script, let me know if you are interested.

JamesBarnett
0

See the second comment in this link for some extra info:

http://www.servernewsgroups.net/group/microsoft.public.windows.server.active_directory/topic18338.aspx

Mojeska