When you need to create a few user accounts for new hires, or create a group to allow access to a newly added network resource, you'll probably find the User Manager for Domains administration tool perfectly adequate. However, when your boss E-mails you a spreadsheet containing 1,500 employee names and asks you to create new user accounts for each of them, you may be dismayed at the prospect of doing the job manually with User Manager for Domains.
Fortunately, User Manager for Domains' New User option isn't the only way to create user accounts and groups. In this article, we'll explain three techniques that make it easier to add multiple new accounts and groups to a workstation, server, or your domain's Security Accounts Manager (SAM) database.
First, we'll show you how to create user account templates to use with User Manager for Domains. Then we'll explain NET USER (not to be confused with NET USE), a powerful NT command-line utility that lets you create user accounts with batch files. Finally, we'll tell you about ADDUSERS, a command-line utility from the Windows NT Server Resource Kit that lets you automate the creation of new user accounts and groups. Of course, you'll need Administrator privileges to implement these techniques.
User account templates
You'll find that user account templates are most useful for occasionally adding new users to a department or user type requiring the same network privileges, as often occurs in the case of new hires. A user account template is simply a dummy account that you create for the sole purpose of copying to create new user accounts. When you copy a user account template (or any other account), the new account will inherit all the template's settings and properties except for the Full Name and the Account Disabled setting. Therefore, you'll want to create a template for each department or user type.
To create a user account template, open User Manager for Domains and access the SAM for the primary domain controller, member server, or workstation to which you want to add user accounts. Then select the New User option from the User menu and the New User dialog box will appear. Enter a name for the template in the User Name field. We recommend that you add an underscore (_) character to the beginning of the template's name. Because the underscore is a non-alphabetic character, the template will appear at or near the top of the Username list in the main User Manager for Domains dialog box. This placement allows you to readily identify the dummy account as a user account template.
Then complete the Description field and configure all other settings and properties that you want to copy to new user accounts. Add the dummy account to the appropriate global and local groups. Be sure to select the Account Disabled option as shown in Figure A. New accounts that you create by copying the template won't inherit this option selection, but selecting it in the template will prevent someone from using the dummy account to log on to the domain or local computer.
Figure A: When you create a user account template, be sure to select the Account Disabled option to prevent someone from using the template to log on to a computer or domain.
After configuring the dummy account, click the Add button to add the account to the SAM. Then you're ready to create new accounts by opening User Manager for Domains, selecting the dummy account, and choosing Copy… from the User menu. In the resulting account, fill out the Username and Full Name fields, then click the Add button.
NET USER
If you love the convenience, power, and speed of NT's command prompt, you'll want to learn how to use NT's NET USER command to create, delete, or modify user accounts. Because NET USER is a command-line utility, you can use it in simple batch files to perform administration tasks automatically. Listing A shows the syntax for the NET USER command. Tables A and B show the parameters and options respectively for the NET USER command. As you can see, the command
NET USER CHARLES /ADD /HOMEDIR:C:\USERS\CHARLES
adds a new account to the local SAM database. The username is Charles and the home directory is located in the path C:\USERS\CHARLES.
Listing A: The NET USER command's syntax
NET USER [username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
To use the NET USER command in a batch file, replace the username parameter with the batch file parameter %1, as shown in the NEWUSER.BAT file in Listing B. Using this parameter allows you to specify the username as a command argument. Entering the command
NEWUSER RUTH
will add a new account to the local SAM database with the username Ruth and a home directory located in the path C:\USERS\RUTH.
Table A: NET USER command parameters
Options | Description |
Username | Names the user account to add, delete, modify, or view. The name can have as many as 20 characters. |
Password | Assigns or changes a password for the user account. A password must satisfy the minimum length set with the /MINPWLEN option of the NET ACCOUNTS command. It can have as many as 14 characters. |
* | Produces a prompt for the password. The password is not displayed when you type it at a password prompt. |
/DOMAIN | Performs the operation on the primary domain controller of the current domain. This parameter applies only to Windows NT Workstation computers that are members of a Windows NT Server domain. By default, Windows NT Server computers perform operations on the primary domain controller. |
/ADD | Adds a user account to the user accounts database. |
/DELETE | Removes a user account from the user accounts database. |
Table B: NET USER command options
Option | Description |
/ACTIVE:{YES | NO} | Activates or deactivates the account. If the account is inactive, the user cannot access the server. The default is YES. |
/COMMENT:"text" | Provides a descriptive comment about the user account (maximum of 48 characters). Enclose the text in quotation marks. |
/COUNTRYCODE:nnn | Uses the operating system country code to implement the specified language files for help and error messages. A value of 0 signifies the default country code. |
/EXPIRES:{date | NEVER} | Causes the account to expire on a certain date if one is set. NEVER sets no time limit on the account. An expiration date is in the form mm/dd/yy or dd/mm/yy, depending on the country code. Months can be a number, spelled out, or abbreviated with three letters. Year can be two or four numbers. Use slashes (/) (no spaces) to separate parts of the date. |
/FULLNAME:"name" | Gives a user's full name (rather than a username). Enclose the name in quotation marks. |
/HOMEDIR:pathname | Sets the path for the user's home directory. The path must exist. |
/HOMEDIRREQ:{YES | NO} | Specifies whether a home directory is required. If a home directory is required, use the /HOMEDIR option to specify the directory. |
/PASSWORDCHG:{YES | NO} | Specifies whether users can change their own password. The default is YES. |
/PASSWORDREQ:{YES | NO} | Specifies whether a user account must have a password. The default is YES. |
/PROFILEPATH[:path] | Sets a path for the user's logon profile. |
/SCRIPTPATH:pathname | Gives the location of the user's logon script. |
/TIMES:{times | ALL} | Gives the hours during which the user is allowed to log on. TIMES is expressed as day[-day][,day[-day]],time[-time][,time[-time]], limited to one-hour increments. Days can be spelled out or abbreviated. Hours can be in 12- or 24-hour notation. For 12-hour notation, use am, pm, a.m., or p.m. ALL means a user can always log on, and a blank value means a user can never log on. Separate day and time entries with a comma, and separate multiple day and time entries with a semicolon. |
/USERCOMMENT:"text" | Lets an administrator add or change the User Comment for the account. |
/WORKSTATIONS:{computername[,...] | *} | Lists as many as eight computers from which a user can log on to the network. If /WORKSTATIONS has no list or if the list is *, the user can log on from any computer. |
Listing B: NEWUSER.BAT
NET USER %1 /ADD /HOMEDIR:C:\USERS\%1
Please note: The NET USER utility only works on member servers and domain controllers.
ADDUSERS
The two previously described techniques require some manual input and are best suited for the occasional creation of accounts. If you need to create a large number of user accounts, or even groups, you'll want a way to fully automate the process. Fortunately, the Windows NT 4.0 Server Resource Kit's ADDUSERS command-line utility lets you create user accounts and groups from a comma-delimited file containing account and group information. You'll find ADDUSERS very useful when you want to create new accounts from information stored in a Microsoft Excel document. Listing C shows the command syntax for ADDUSERS, and Table C lists and describes the utility's command parameters.
Please note: You should always be careful when erasing user accounts via ADDUSERS as it isn't possible to re-create the user account with the same SID (Security ID). But don't worry—the /e parameter of ADDUSERS cannot erase NT's built-in default accounts, such as Administrator.
Listing C: ADDUSERS command syntax
ADDUSERS [ \\computername ] [{ /c | /d | /e } filename] [/s:x] [/?]
Table C: ADDUSERS command parameters
Option | Description |
computername | Indicates the computer on which you want to create user accounts or from which you want to write user accounts. If you don't specify a computer name, ADDUSERS will use the local computer by default. |
filename | Indicates the comma-delimited input/output file that ADDUSERS will use for data. |
/c | Creates user accounts, local groups, and global groups as specified by filename. |
/d | Dumps user accounts, local groups, and global groups to filename. |
/e | Deletes user accounts as specified by filename. |
/s:x | Changes the character used for separating fields in the file, where x is the new character for separating fields. If this option isn't specified, the default separator, a comma, will be used. |
/? | Displays syntax and usage information. |
The data file that you use with ADDUSERS must follow the format shown in Listing D. We've found that the best way to create the data file in the proper format is to first use ADDUSERS to dump a small SAM database into a comma-delimited file and then import that file into Microsoft Excel. To do so, open a command prompt or Run dialog box and enter the command
ADDUSERS /D addtemp.txt
to dump the local computer's SAM database into the comma-delimited file named addtemp.txt. Then open Microsoft Excel, choose Open from the File menu, and select addtemp.txt. The Text Import Wizard Step 1 of 3 dialog box will then appear. Click the Next button, and in the resulting Text Import Wizard Step 2 of 3 dialog box, select the Comma option in the Delimiters section. Then click the Next button, and click the Finish button in the resulting Text Import Wizard Step 3 of 3 dialog box (without making any additional changes to this dialog box).
Microsoft Excel will then display the addtemp.txt file in the correct data file format, as shown in Figure B. As you can see, Column C is blank—the ADDUSERS utility doesn't dump password information into data files. However, you can specify password information in this column when using the data file to create accounts with ADDUSERS. Make the necessary changes to the template and save it under another name as a tab-delimited text file (the same as comma-delimited in Microsoft Excel). You can then use this file to create new accounts and groups with ADDUSERS.
Figure B: Importing an ADDUSERS data file will help you set up a properly formatted template for creating new ADDUSERS data files.
Listing D: The ADDUSERS data file format
[Users]
<User Name>,<Full Name>,<Password>,<Home Drive>,<Home Path>,<Profile>,<Script>
[Global]
<Global Group Name>,<Comment>,<UserName>, ...
[Local]
<Local Group Name>,<Comment>,<UserName>, ...
Please note: Leaving the <Password> field (Column C in our example) blank in a data file will cause all passwords of newly created accounts to be empty. All created users will be required to change their password at logon by default.
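A pre-flight check for the data file format in Listing D, as an added example that is not part of the original article or of the Resource Kit: it flags [Users] lines with a blank password field, a wrong field count, a duplicate user name, or values over the 20- and 14-character limits that Table A gives for NET USER (assumed here to apply to accounts created by ADDUSERS as well). The function name and the sample data are constructed for illustration.

```python
import csv
import io

USER_FIELDS = 7      # fields per [Users] line in Listing D
MAX_USERNAME = 20    # Table A limit for NET USER (assumed to apply here)
MAX_PASSWORD = 14    # Table A limit for NET USER (assumed to apply here)

def lint_addusers(text, sep=","):
    """Return a list of (line_number, message) findings for a data file."""
    findings, section, seen = [], None, set()
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section not in ("users", "global", "local"):
                findings.append((n, "unknown section " + line))
            continue
        if section != "users":
            continue  # group lines are not checked in this example
        fields = next(csv.reader(io.StringIO(line), delimiter=sep))
        if len(fields) != USER_FIELDS:
            findings.append((n, "expected %d fields, got %d" % (USER_FIELDS, len(fields))))
            continue
        name, password = fields[0].strip(), fields[2]
        if not name or len(name) > MAX_USERNAME:
            findings.append((n, "user name missing or over %d characters" % MAX_USERNAME))
        if name.lower() in seen:
            findings.append((n, "duplicate user name " + name))
        seen.add(name.lower())
        if password == "":
            findings.append((n, "blank password for " + name))
        elif len(password) > MAX_PASSWORD:
            findings.append((n, "password over %d characters for %s" % (MAX_PASSWORD, name)))
    return findings

# Constructed sample data; names, passwords and paths are made up.
SAMPLE = """[Users]
ruth,Ruth Example,Xk7!pQ2m,H:,\\\\SRV1\\users\\ruth,,logon.bat
charles,Charles Example,,H:,\\\\SRV1\\users\\charles,,logon.bat
ruth,Ruth Duplicate,Zp4#tR9w,H:,\\\\SRV1\\users\\ruth2,,logon.bat
[Global]
Sales,Sales staff,ruth,charles
"""

if __name__ == "__main__":
    for lineno, message in lint_addusers(SAMPLE):
        print("line %d: %s" % (lineno, message))
```

Run it over the saved file before passing it to ADDUSERS /c. Because the file carries initial passwords in clear text, keep it off shared drives and delete it once the accounts exist.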
Conclusion
Why create several or a dozen or a thousand user accounts "by hand" in User Manager for Domains when you can use simple techniques and utilities to automate the process? In this article, we showed you three methods for creating user accounts. We discussed user account templates, the NET USER command, and the Windows NT Server Resource Kit's ADDUSERS utility.
Copyright © 1998, ZD Inc. All rights reserved. ZD Journals and the ZD Journals logo are trademarks of ZD Inc. Reproduction in whole or in part in any form or medium without express written permission of ZD Inc. is prohibited. All other product names and logos are trademarks or registered trademarks of their respective owners.