Bulk add AD users in Active Directory

As September draws around again, I need to bulk add AD users (210 new users) to the school Active Directory. This is a pretty simple process, but if you have never done a bulk add before it may seem daunting.

Creating new users on a bulk basis is an 8 step process.  Simply put:

1. Create CSV list of users and properties.
2. Create users using addusers.exe.
3. Create an OU for the users and move them into it.
4. Create intake Security Group.
5. Add users to Security Groups using AD.
6. Create user home directories.
7. Create a share for each user.
8. Test login for new users.

In more detail the process is as follows:

Step 1 Create CSV list of users and properties

The CSV field names required for entering data using addusers are (in this order):

User Name
Full Name
User Description
Home Drive (letter:)
Home Drive Path
Profile Path
Login Script name

The easiest way to create this file is to use Excel: take a simple list of the names for import and use built-in Excel functions (e.g. CONCATENATE) to create the necessary fields, then save the file as a CSV (see creating an addusers csv file).  For ease of reference the file should be called [intake year].CSV, e.g. intake11.CSV.

Step 2 Create users using addusers.exe

Addusers.exe is NOT part of Windows Server by default.  It is, however, part of the resource kit and so freely available.  Check that addusers.exe is installed on the machine you are using (look in the Windows system root, e.g. c:\winnt).  If the file is not there it can be found on the Microsoft FTP server (save it to the Windows system root).

More info on using addusers.exe can be found on the Microsoft support site:

To run the user CSV import, open command prompt and navigate to the folder where the CSV file is saved then run addusers.

Example usage:

C:\>AddUsers domain_name /c intake11.csv /p:e

This is based on the CSV file being called intake11.CSV and saved in the root of C:.  This will create all the users on the AD for [whatever domain_name you use] in the ‘Users’ OU of the domain.  If you do not include the domain name in the above command you will create lots of new users on your local PC!

Step 3 Create an OU for new users and move them into it

From a workstation or server with the Admin Pack installed (see installing admin pack), open AD (Start > Programs > Administrative Tools > Active Directory Users and Computers).  Expand the domain view, right click students, click new, then Organizational Unit.  Name the OU as the year of intake, e.g. 11.  This will create the new OU.

To move the users:

Select ‘users’ OU > bulk select the new users in the right hand pane > right click > click move > navigate to the OU ([11], just created) select this OU > OK.
Note: by default there are some objects in the ‘users’ OU that need to stay there, so make sure only the new users just created are moved (sort them first).

Step 4 Create intake Security Group

Each user needs to be added to 2 security groups for Group Policy to function correctly: ‘students’ and intake[yearnn].  You will need to create the security group intake[yearnn].

In AD right click OU ‘Groups’ > click new > Group.  Select type ‘global’ and ‘security’; name the group as intake[yearnn], e.g. intake11.

Step 5 Add new users to Security Groups using AD

Expand OU students and select the new OU e.g. 11.  In the right hand pane select all users > right click > click add to group > in the search window type students;intake11 click OK.

Step 6 Create User Home Directories

Navigate to the studentusers share on the network e.g \\studentdata\student$.  Create a new parent level folder name it as intake year e.g. 11.  Right click the folder and select security tab > deselect the ‘inherit permissions from parent’ (copy permissions) and remove ‘students’ from the permissions list.  Add the intake Security Group e.g. intake11 with ‘list folder contents’ permission only.  Click advanced > double click intake Security Group e.g. intake11 > set the permissions to ‘This folder only’.  Apply > OK.  This assumes that the parent folder (\\studentdata\student$) has full control access for domain admins, read / write permissions for staff and read access for students.

Create the individual homefolders

Create a list of usernames (use Excel and the CSV file used to add users) and save the list as 2011users.txt, ensuring this file only contains the username column (without the header row).

Open a command prompt and navigate to the folder where you saved 2011users.txt and run a for command:

C:\>for /f %u in (2011users.txt) do md \\studentdata\student$\11\%u

This will create a directory for each user in the list (2011users.txt) in the 11 folder on the student$ share of the studentdata server.  Obviously if any of these parameters are not correct the command would need to be amended appropriately.

You will need to set the security on the folders you have created.  This is also an automated task; see Managing user home drives (using security.bat) for instructions on this part of the process.

Step 7 Create a SHARE for each user

This step is required as the users may wish to connect to an AD connected Mac or MacBook and this will enable the Mac to (more easily) mount the home folder on login.

Creating shares can be completed from any network connected workstation using the tool RMTSHARE.exe available from Microsoft FTP (save to system root).

These instructions are based on a new intake of 11.

Open a command prompt and navigate to the folder where you saved 2011users.txt and run a for command:

C:\>for /f %u in (2011users.txt) do rmtshare \\studentdata\%u$=e:\students\11\%u /GRANT %u:full /GRANT domain\staff:full /REMARK:"Share for %u"

This will create a hidden share (ending in $) for each user in the 2011users.txt file on the studentdata server using the server’s e: drive folder you created in step 6.  Obviously if your student data is not stored on the server e: drive or the root folder for students is not ‘students’ you will need to amend the command appropriately.  This command will also REMOVE access to the everyone group in share permissions ACL (a VERY good idea) and GRANT full access to both staff and the user in the share permissions tab (without this neither the user nor any staff member will be able to browse to the contents of the folder).  The /REMARK is simply to add a descriptive name for the share which is visible in computer management window (right click My Computer).
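
The for /f loops in steps 6 and 7 substitute every line of 2011users.txt straight into a folder path, a share name and a /GRANT entry, so a malformed line produces a wrong folder or share without any error. The following pre-flight check is an added example, not part of the original post; the function name Test-IntakeUserList and the sample names are hypothetical, and it assumes PowerShell 3.0 or later on the admin workstation.

```powershell
# Added example (not from the original post): pre-flight check of the
# username list before it is fed to the "for /f %u" loops in steps 6 and 7.
# Test-IntakeUserList and the sample names below are hypothetical.

# Characters that are not allowed in a pre-Windows 2000 logon name.
$InvalidChars = '["/\\\[\]:;|=,+*?<>]'

function Test-IntakeUserList {
    param([string[]]$Lines)

    $seen = @{}      # @{} keys compare case-insensitively, like AD logon names
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $name = $raw.Trim()
        if ($name -eq '') { continue }      # for /f skips blank lines too

        $problems = @()
        if ($raw -ne $name)        { $problems += 'leading or trailing whitespace' }
        if ($name -match '\s')     { $problems += 'embedded whitespace: for /f passes only the first word as %u' }
        if ($name.StartsWith(';')) { $problems += 'starts with ";": for /f treats the line as a comment and skips it' }
        if ($name -match $InvalidChars) { $problems += 'character not valid in a logon name' }
        if ($name.Length -gt 20)   { $problems += 'longer than the 20 character logon name limit' }
        if ($name.EndsWith('.'))   { $problems += 'ends with a period' }
        if ($seen.ContainsKey($name)) {
            $problems += "duplicate of line $($seen[$name])"
        } else {
            $seen[$name] = $lineNo
        }

        # One output row per problem, so the result can be sorted or exported.
        foreach ($p in $problems) {
            [pscustomobject]@{ Line = $lineNo; Name = $raw; Problem = $p }
        }
    }
}

# Constructed sample list; in practice use: Get-Content .\2011users.txt
$sample = @(
    'jsmith11',
    'mary ann11',
    'JSmith11',
    ';temp11',
    'a.very.long.username.2011',
    'bob/11',
    'User Name'
)
Test-IntakeUserList -Lines $sample | Format-Table -AutoSize
```

An empty result means every line is safe to pass to the md and rmtshare loops; the last sample entry shows what a header row left in the file looks like.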

Step 8 Test login for new intake

It will not be possible to fully test the functionality of logins for the bulk-added users until the folder security has updated, as the users will not have access to their home folders until security.bat has run.  See Managing user home drives (using security.bat) to manually set security on these folders before logging in as any selected (new) student and testing the functionality of the login.

Within my school network I have created a scheduled task to ensure file security is correct for all users, so it is possible to wait until the next day to test the login.  This also tests the scheduled task is running and functioning as expected.

bulk add AD users - Nate Allen
