Creating a New IIS User in Active Directory with PowerShell

The function below creates a new user in Active Directory, sets “Password never expires” and changes the user's primary group.

Function Add-IISUser
{
# $CustomerOU was not declared in the original listing; it is taken as a parameter here.
# It is the target OU relative to the domain root, e.g. "OU=Customers" (example value).
# $Password is handed to SetPassword as plain text.
Param ($Username, $Password, $CustomerOU)

    # Resolve the current domain and build its distinguished name (DC=example,DC=com)
    $ADDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $ADDomainName = $ADDomain.Name
    $ADServer = ($ADDomain.InfrastructureRoleOwner.Name.Split(".")[0])
    $FQDN = "DC=" + $ADDomain.Name -Replace("\.",",DC=")
    $ADDomain = [ADSI] "LDAP://$ADServer/$FQDN"
    # Bind to the target OU; kept in its own variable so $CustomerOU stays a string
    $TargetOU = [ADSI] "LDAP://$CustomerOU,$FQDN"
    $PrincipalName = $Username + "@" + $ADDomainName

    # Create the user object and set its naming attributes
    $AddADUser = $TargetOU.Create("User","CN=$Username")
    $AddADUser.Put("Description", "$Username")
    $AddADUser.Put("sAMAccountName", "$Username")
    $AddADUser.Put("userPrincipalName", "$PrincipalName")
    $AddADUser.Put("DisplayName", "$Username")
    $AddADUser.SetInfo()

    # The object must exist in the directory before a password can be set
    $AddADUser.SetPassword($Password)
    $AddADUser.SetInfo()
    $AddADUser.Psbase.Invokeset("AccountDisabled", "False")
    $AddADUser.SetInfo()

    # 65536 (0x10000) is the DONT_EXPIRE_PASSWORD flag, i.e. "Password never expires"
    $AddADUser.Put("userAccountControl", "65536")
    $AddADUser.SetInfo()

    # primaryGroupToken is a constructed attribute, so it is requested explicitly
    $DomainNC = ([ADSI]"LDAP://RootDSE").DefaultNamingContext
    $DomainUsers = [ADSI]"LDAP://CN=Domain Users,CN=Users,$DomainNC"
    $DomainUsers.GetInfoEx(@("primaryGroupToken"), 0)
    $OldGroupToken = $DomainUsers.Get("primaryGroupToken")
    $NewGroup = [ADSI]"LDAP://CN=IIS_USERS,CN=Users,$DomainNC"
    $NewGroup.GetInfoEx(@("primaryGroupToken"), 0)
    $NewGroupToken = $NewGroup.Get("primaryGroupToken")

    # The user must be a member of a group before it can become the primary group
    $NewGroup.Add([String]($AddADUser.AdsPath))
    $AddADUser.Put("primaryGroupId", $NewGroupToken)
    $AddADUser.SetInfo()

    # Drop the old primary group (Domain Users) membership
    $DomainUsers.Remove([String]($AddADUser.AdsPath))
}

As you can see, the new primary group is IIS_USERS. You can change that group name to suit your environment.
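To confirm what Add-IISUser changed, the account can be read back from the directory. The following is an added example, not code from the original post; the function name Test-IISUser and its output property names are assumptions, and it expects the group to live under CN=Users as in the function above.

```powershell
# Added example, not part of the original post: read back an account created by
# Add-IISUser and report the attributes that function is meant to set.
Function Test-IISUser
{
Param ([string] $Username, [string] $GroupName = "IIS_USERS")

    $DomainNC = ([ADSI]"LDAP://RootDSE").DefaultNamingContext

    # Escape LDAP filter metacharacters (RFC 4515) before building the filter
    $Safe = [regex]::Replace($Username, '[\\*()\x00]',
        { param($m) '\{0:x2}' -f [int][char]$m.Value })

    # Find the account by sAMAccountName, so the OU does not need to be known
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainNC")
    $Searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Safe))"
    $Result = $Searcher.FindOne()
    if ($Result -eq $null) { throw "User '$Username' was not found in $DomainNC" }

    # primaryGroupToken is a constructed attribute, requested explicitly as in Add-IISUser
    $Group = [ADSI]"LDAP://CN=$GroupName,CN=Users,$DomainNC"
    $Group.GetInfoEx(@("primaryGroupToken"), 0)
    $GroupToken = $Group.Get("primaryGroupToken")

    $UAC = [int]$Result.Properties["useraccountcontrol"][0]
    $PrimaryGroupId = [int]$Result.Properties["primarygroupid"][0]
    # memberOf lists explicit memberships only; the primary group is not included
    $MemberOf = @($Result.Properties["memberof"])

    New-Object PSObject -Property @{
        DistinguishedName    = [string]$Result.Properties["distinguishedname"][0]
        Enabled              = -not ($UAC -band 0x2)        # ACCOUNTDISABLE
        PasswordNeverExpires = [bool]($UAC -band 0x10000)   # DONT_EXPIRE_PASSWORD
        PrimaryGroupMatches  = ($PrimaryGroupId -eq $GroupToken)
        StillInDomainUsers   = ($MemberOf -contains "CN=Domain Users,CN=Users,$DomainNC")
    }
}
```

After a successful run of Add-IISUser, PasswordNeverExpires and PrimaryGroupMatches should be True and StillInDomainUsers False.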
