Configure IT Quick: Get creative about managing Windows user accounts with utilities

Read about the NET and ADDUSERS commands in Windows 2000 that make it easier for you to create, delete, or change hundreds of user accounts.

Into every network administrator’s life, a little tedium must fall. And sooner or later, you'll find yourself faced with the mundane task of creating, deleting, or changing hundreds of user accounts. While nothing exists today to make this job completely effortless, there are utilities in Windows 2000 and in the Windows 2000 Server Resource Kit that can make things a little easier for you.

Adding users to the domain
Several utilities are available that allow you to add users to a domain, each with its own advantages and disadvantages. I’ll cover three of these utilities here. You can modify the examples to fit your own needs.

NET command
The NET command comes standard with any Windows 2000 installation. More specifically, the NET USER command, followed by several arguments, allows you to add users to a workstation, server, or domain. For example, the following command will add a simple user to the domain:
NET USER BSmith password /ADD /DOMAIN

Of course, that doesn’t set many of the account’s options. You can use a more advanced command to specify the user’s name, expiration date, home directory, roaming profile path, logon script, and more. The following command would add the same user to the domain, while specifying the user’s name, home directory, and logon script:

As you can see, this is a fairly flexible command. You could easily create a batch file that would allow you to pass parameters, so that you wouldn’t have to remember all the options every time you executed the command. However, we’re still missing some functionality, such as the ability to add a list of users from an input file.

ADDUSERS command
The ADDUSERS command, a utility that comes with the Windows 2000 Server Resource Kit, takes the NET USER command to the next level. ADDUSERS provides several more options, such as the ability to extract user and group information from a computer or domain and store that information in a file. The file can then be used on a different computer or domain to import those users and groups. To extract the user and group listing from a domain, use the following command:

The results of this command are stored in a comma-delimited file. There are three sections of the file, denoted by [User], [Global], and [Local]. User options included in the file include the account name, user’s full name, password, comment, home drive and directory, roaming profile location, and logon script. You’ll want to edit the file before using it to import to your new domain, as there may be accounts you don’t want included, such as Guest or TsInternetUser. To import these users (and groups) to your new domain, you could use the following command:

You may have noticed by now that neither of the above utilities allows you to specify an Organizational Unit (for Active Directory) in which to create the users. In some environments, it might entail only a small workaround to move these users after the import; in other environments, it could be a big issue. The CREATEUSERS.VBS script works similarly to ADDUSERS but allows you to specify an Organizational Unit. For example, to add the user BSmith to the MyOU Organizational Unit, you could use the following command:
CSCRIPT CREATEUSERS.VBS LDAP://domainname.local/OU=MyOU,DC=domainname,DC=local SAMACCOUNTNAME:BSmith CN:BSmith FULLNAME:"Bob Smith" PASSWORD:password

Or to use an input file to add multiple users to a specific Organizational Unit, use this command:
CSCRIPT CREATEUSERS.VBS LDAP://domainname.local/OU=MyOU,DC=domainname,DC=local /I:userfile.txt

However, if you use this script, you need to be aware of these pitfalls:
  • When adding a single user, the CN: option is required. An error occurs on that option, but the user is still created.
  • The property names you specify vary according to which context you use: LDAP or WinNT.
  • Input files are not delimited but are in the format property1:value1 property2:value2 .… This makes it much more difficult to create your input files, compared to the ADDUSERS utility.
  • When accounts and properties are created, all text is in lowercase.

Deleting users
Although not as common as creating or modifying users (and not nearly as complicated), a situation can arise in which an administrator needs to delete a user or a group of users. For example, a school administrator may need to delete accounts for the graduating class every semester. We can use two of the same utilities mentioned above to accomplish this.

NET command
As with adding users, the NET command isn’t really ideal if you want to delete a list of users using an input file. However, most situations are simple enough to make NET a handy tool. Change the arguments just a little bit, and this command will delete a user from a computer or domain:

ADDUSERS command
Using the same type of input file created for adding users, we can also delete users from a computer or domain using the ADDUSERS command. An excellent example of this is a migration of users from one domain to another. You could use this utility to create a list of users and groups on your old domain, use the utility again to import that list on the new domain, and then use the utility a third time to delete the users and groups on the old domain. The following example illustrates how to delete a list of users from the old domain:

The CREATEUSERS script can’t be used to delete accounts, but the power and flexibility of scripting is still available. With a short primer on scripting in Windows 2000, you can easily create your own script to delete a list of users from a computer or domain. You can also use scripting to change variables in user and group accounts.

How many times have you been assigned one of the following (or similar) tasks?
  • Change the home directory location for all the users in the domain.
  • Disable a large group of accounts.
  • Change passwords for a group of users.
  • Add a list of users to a group.

The MODIFYUSERS.VBS, also included in the Windows 2000 Server Resource Kit, can help you accomplish these tasks. It behaves virtually the same as the CREATEUSERS.VBS script—and it has some of the same pitfalls.

Let’s say that you want to change the home directory location for all the users in the domain. You could execute the following command:
CSCRIPT MODIFYUSERS.VBS WinNT://domainname.local HOMEDIRECTORY:\\newserver\home\%username% /ALL

Or you could create your input file with the accounts and properties that need to be modified and then execute the changes like this:
CSCRIPT MODIFYUSERS.VBS WinNT://domainname.local /I:userlist.txt

Final word
The utilities we've looked at here are really quite powerful. With the scripting capabilities included in Windows 2000, the possibilities are nearly endless. You can find more information on these utilities and the scripting technologies on Microsoft’s Web site:

Editor's Picks

Free Newsletters, In your Inbox