Microsoft

Build Your Skills: Addusers makes it easy to manipulate multiple Windows accounts

Use the Addusers.exe utility to create a large number of accounts.


Among the many tasks an administrator has to perform is creating user accounts. This is usually an ongoing job, with just a handful of accounts created at a time. However, on occasion, admins will find themselves tasked with creating an entire group of accounts. While day-to-day creation of a new user account is probably best left to the standard administrative tools, such as User Manager (in Windows NT) or Computer Manager (Windows 2000), using that method to create a large number of accounts is tedious, time-consuming, and inefficient.

Microsoft has included a utility called Addusers.exe in the resource kits for both Windows NT and Windows 2000 that assist with the creation of many users at once. The concept behind the utility is simple: The administrator supplies the utility with a comma-delimited file in a specific format, and the utility will create the users as specified. Addusers can also be used to transfer accounts from one machine to another or even between domains using certain command-line options. We're going to take a look at the various ways to use this tool to streamline user account creation.

Working with the command
Addusers is a command-line utility only; there is no GUI associated with it. It is simply called from the command line with specific options and either an input or an output filename. Here is the command-line syntax and options for Addusers:
addusers {/c|/d{:u}|/e} filename [/t][/s:x]
[/?] [\\computername|domainname] [/p:{l|c|e|d}]


Table A provides an explanation of these options and switches.

Table A
Option Explanation
/c This creates the accounts that are specified in
the input file provided.
/d: This writes the accounts on the current system
to the filename specified on the command line.
/d:{filename}:u This is the same as /d: except that the accounts
are written to the file in Unicode text format.
/p:{cdel} These are account creation options.
l (L) Users do not have to change
passwords at next login.
c User cannot change passwords.
d Account is created as disabled.
e Password never expires—
automatically enabled ‘l’.
/e This option allows you to erase users in bulk by
erasing all of the user accounts listed in the
data file.
/s:x The ‘x’ represents the delimiter that will be used
in the data file.
/t This sets the Terminal Services user property
and is used in conjunction with /c or /d.
/? This gets help.

Since the purpose of Addusers is to automate the handling of user accounts, it is important to be familiar with the structure of the data file that the utility uses. The easiest way to get a look at the structure is to dump the contents of a user database to a file.

For this example, I copied Addusers.exe to the c:\winnt directory (so that it is in my PATH) on a Windows 2000 server in my lab, which also happens to be a domain controller. There are not very many user accounts in this domain, so it will be easy to see how the utility works.

To dump all of the accounts to a data file, I will issue the following command:
addusers /d: accounts.txt

When this command is issued, I see the output in Listing A on my screen.

When run on my lab domain controller, this command produces the file Accounts.txt, shown in Listing B. As you can see, there are three distinct sections in this data file: the user section, the global section, and the local section. Let's take a closer look at each one.

User section
This is a list of the user names that will be acted upon, depending on the options specified. The following line from the User section in Listing B shows how a user entry appears in the file:
Administrator,,,Built-in account for administering
the computer/domain,,,,


Table B shows how this translates into user account variables.

Table B
Username Administrator
Full Name {blank}
Password {blank}
Comment Built-in account for administering
the computer/domain
HomeDriveandPath {blank}
Profile {blank}
Script {blank}

Notice that certain fields, including the password, are blank. The password field is blank by design, as there would be major security implications if passwords could be dumped this easily out of the user database. Also note that each line has to end with the file’s delimiter character, which in this case is a comma.

Global section
The global section has to do with groups rather than users and defines which groups will be created at the global level. Again, I've taken an example of a line from Listing B:
Domain Admins,Designated administrators of the
domain,Administrator,root,


Table C shows how it translates into group variables.

Table C
GlobalGroupName Domain admins
Comment Designated administrators
of the domain
UserName Administrator
UserName Root
{ additional user names }

Local section
The local section also works with groups, but instead of working at the domain level, it works at the local system level. This section essentially works the same as the global groups section, as we can see with its example from Listing B:
Administrators,Administrators have complete and unrestricted
access to the computer/domain,SLOWE\Administrator,SLOWE\
slowe,SLOWE\NetShowServices,SLOWE\Enterprise
Admins,SLOWE\Domain Admins,


The translation of the variables appears in Table D.

Table D
LocalGroupName Administrators
Comment Administrators have complete
and unrestricted access
to the computer/domain
UserName SLOWE\Administrator
UserName SLOWE\slowe
{ additional user names }

Creating new accounts
Now, let's use Addusers to create a few accounts—users, global groups, and local groups. You can manually create the file Addusers uses, or you can create it automatically by using a SQL query from a database that houses the user information. A few years ago, I used to create hundreds of student user accounts by extracting user IDs out of the central student database, creating custom passwords, and then using Novell’s UIMPORT utility to import the users into Novell Directory Services. Addusers can work in a similar fashion.

For an example, I will use the input file in Listing C. Notice that I have placed passwords in this file, and I decided to use a period character as the delimiter rather than a comma. I will create the accounts so that the users do not have to change their password at the next logon.

To import the file, I will issue this command:
addusers /p:l /s:. /c import.txt

Listing D shows the screen output results of this command.

To determine whether the accounts were properly created, I will open the Active Directory Users and Computers utility (in Windows 2000). Figure A shows the list of users and groups that were created. You will notice that everything was properly created, and you can compare the details to the variables specified in Listing C.

Figure A
Verify user creation in Active Directory Users and Computers


Delete accounts
Addusers also makes it simple to remove user accounts at will. I will now delete the accounts that I just created. When deleting accounts, you probably won't know the passwords for the users you are removing, but that is okay. All you need is their user names; Addusers does the rest.

My data file, named Delete.txt, is shown in Listing E. To perform the delete based on this file, I issue this command:
addusers /e delete.txt

Listing F shows the results of this command.

Summary
As you can see, Addusers has the potential to save you considerable time and effort when you're creating, modifying, or deleting users in bulk. For some organizations, such as educational institutions that have to deal with a huge turnover of users a couple times a year, this utility can be a lifesaver. For corporations that need to move users between domains, Addusers can make the process much easier, allowing the user accounts to be easily copied between systems. Your organization may find other valuable uses for it, as well.

Editor's Picks

Free Newsletters, In your Inbox