W16 Lab Series: Part 1 - Active Directory Users and Groups

I’ve decided to call this lab series "W16": W for WFA and 16 for 2016. Since not every post in the series will necessarily have much (or any) WFA in it, it didn’t make sense to call it the WFA Lab Series.

Firstly, we need some Active Directory user accounts and groups set up. I’m not going to automate this setup with WFA; it’s pretty much a one-off. Having said that, it might be useful to be able to add/remove users from the StorageUsers and StorageAdmins groups in the future, as new storage admins come and go; one for a future post...

PowerShell Commands to Create Desired Users and Groups (on a Windows Server 2008 R2 Domain Controller)

Note: The commands come mostly from the post How to Create a Fat Token, which wasn’t a well-viewed post, with just 75 pageviews so far for this November 2015 post. I guess it’s a very niche requirement, knowing how to create fat Kerberos tokens for testing purposes... In fairness, many of my posts struggle to get 100 pageviews, and that doesn’t matter one jot: if I was in the business of wanting to get lots of pageviews, I’d do a p*rno blog/site!


Import-Module ActiveDirectory

# Domain root for the lab domain; the two OUs are created directly beneath it
[String]$OUPATH = "DC=lab,DC=priv"

# One shared lab password, read as a SecureString so it never sits in the script
$Password = Read-Host -Prompt "Password for the lab accounts" -AsSecureString

# Separate OUs for the lab users and groups
New-ADOrganizationalUnit -Name "~Users"  -Path $OUPATH
New-ADOrganizationalUnit -Name "~Groups" -Path $OUPATH

# Service accounts (WFA, OCUM), two admin accounts and two ordinary user accounts.
# New-ADUser derives SamAccountName from -Name, so these names are the logins.
New-ADUser -Name "WFA"          -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "OCUM"         -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "StorageAdmin" -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "12345678-adm" -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "StorageUser"  -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "12345678"     -AccountPassword $Password -Path "OU=~Users,$OUPATH"

# New-ADUser creates accounts disabled; enable them
Enable-ADAccount -Identity "WFA"
Enable-ADAccount -Identity "OCUM"
Enable-ADAccount -Identity "StorageAdmin"
Enable-ADAccount -Identity "12345678-adm"
Enable-ADAccount -Identity "StorageUser"
Enable-ADAccount -Identity "12345678"

# Non-expiring passwords for the service and named lab accounts only;
# the numeric logins keep the domain password policy
Set-ADUser -Identity "WFA"          -PasswordNeverExpires $TRUE
Set-ADUser -Identity "OCUM"         -PasswordNeverExpires $TRUE
Set-ADUser -Identity "StorageAdmin" -PasswordNeverExpires $TRUE
Set-ADUser -Identity "StorageUser"  -PasswordNeverExpires $TRUE

# Two global groups that the storage systems will be configured to trust
New-ADGroup -Name StorageAdmins -GroupScope Global -Path "OU=~Groups,$OUPATH"
New-ADGroup -Name StorageUsers  -GroupScope Global -Path "OU=~Groups,$OUPATH"

# Group membership
Add-ADGroupMember -Identity "StorageAdmins" -Members "WFA"
Add-ADGroupMember -Identity "StorageAdmins" -Members "OCUM"
Add-ADGroupMember -Identity "StorageAdmins" -Members "StorageAdmin"
Add-ADGroupMember -Identity "StorageAdmins" -Members "12345678-adm"
Add-ADGroupMember -Identity "StorageUsers"  -Members "StorageUser"
Add-ADGroupMember -Identity "StorageUsers"  -Members "12345678"

# WFA also goes into the built-in DnsAdmins group (explained in the next post)
Add-ADGroupMember -Identity "DnsAdmins"     -Members "WFA"
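The setup above is a one-shot script: it creates nothing twice and it never checks afterwards that the groups still contain only what they should. As an added example (my own code, not from the original post), the script below audits the two storage groups and DnsAdmins against the membership the post creates, reports every missing or unexpected member, and can optionally put the groups back to that state. That is also the add/remove-users job mentioned at the start of the post, just done from PowerShell rather than WFA. It assumes the same user, group and domain names as above; the `$StorageGroupPolicy` table and both function names are my own. If your domain already has legitimate DnsAdmins members, add them to the table before using `-Remediate`, or they will be reported (and with `-Remediate`, removed).

```powershell
# Added example: audit (and optionally repair) the storage group membership
# created in the W16 Part 1 setup. Not part of the original post; assumes the
# user/group names from that setup. Written to run on PowerShell 2.0 as found
# on a 2008 R2 DC (no -in/-notin, no [ordered]).
Import-Module ActiveDirectory

# Desired membership, copied from the setup commands. Keys are group names,
# values are the SamAccountNames that New-ADUser derived from -Name.
$StorageGroupPolicy = @{
    "StorageAdmins" = @("WFA", "OCUM", "StorageAdmin", "12345678-adm")
    "StorageUsers"  = @("StorageUser", "12345678")
    "DnsAdmins"     = @("WFA")   # list any pre-existing legitimate members here too
}

function Test-StorageGroupMembership {
    # Compares actual membership with $Policy and returns one object per
    # deviation. With -Remediate, adds missing members and removes unexpected
    # ones; -WhatIf previews those changes without making them.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][hashtable]$Policy,
        [switch]$Remediate
    )
    $drift = @()
    foreach ($group in $Policy.Keys) {
        $expected = @($Policy[$group])
        # Direct members only; nested groups show up by their own SamAccountName
        $actual = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.SamAccountName })

        foreach ($sam in $expected) {
            if ($actual -notcontains $sam) {
                $drift += New-Object PSObject -Property @{ Group = $group; Member = $sam; State = "Missing" }
                if ($Remediate -and $PSCmdlet.ShouldProcess($group, "Add member $sam")) {
                    Add-ADGroupMember -Identity $group -Members $sam
                }
            }
        }
        foreach ($sam in $actual) {
            if ($expected -notcontains $sam) {
                $drift += New-Object PSObject -Property @{ Group = $group; Member = $sam; State = "Unexpected" }
                if ($Remediate -and $PSCmdlet.ShouldProcess($group, "Remove member $sam")) {
                    Remove-ADGroupMember -Identity $group -Members $sam -Confirm:$false
                }
            }
        }
    }
    return $drift
}

function Test-StorageAccountState {
    # Checks that each account exists and is enabled, and that the accounts
    # the setup marked PasswordNeverExpires still are (the setup did this for
    # WFA, OCUM, StorageAdmin and StorageUser, not for the numeric logins).
    param(
        [string[]]$Accounts,
        [string[]]$NonExpiringAccounts
    )
    foreach ($sam in $Accounts) {
        try {
            # Get-ADUser -Identity throws on an unknown account, hence try/catch
            $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires
        } catch {
            Write-Warning "$sam does not exist"
            continue
        }
        if (-not $u.Enabled) { Write-Warning "$sam is disabled" }
        if (($NonExpiringAccounts -contains $sam) -and (-not $u.PasswordNeverExpires)) {
            Write-Warning "$sam should have PasswordNeverExpires set but does not"
        }
    }
}

# Usage: report only, then preview a repair, then actually repair.
Test-StorageGroupMembership -Policy $StorageGroupPolicy | Format-Table Group, Member, State -AutoSize
Test-StorageGroupMembership -Policy $StorageGroupPolicy -Remediate -WhatIf
# Test-StorageGroupMembership -Policy $StorageGroupPolicy -Remediate

Test-StorageAccountState `
    -Accounts @("WFA", "OCUM", "StorageAdmin", "12345678-adm", "StorageUser", "12345678") `
    -NonExpiringAccounts @("WFA", "OCUM", "StorageAdmin", "StorageUser")
```

Run it under an account that can read and (for `-Remediate`) modify those groups. Because the function declares `SupportsShouldProcess`, `-WhatIf` and `-Confirm` work on the remediation path for free, which is the safe way to see what a rerun would change before it touches a built-in group like DnsAdmins.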


Table: Users, their group, and their purpose

Regarding the user login being a number, I think this convention makes a lot of sense. For instance, you might have 100 John Smiths in your corporation, so a "first character of first name + surname" convention for the login name doesn’t really work. Some other user naming conventions, like CCCFFSS, where CCC is a company country code, FF is the first two characters of the first name, and SS is the first two characters of the surname, can produce unfortunate results (think what becomes of Anna Altwood or Cuba Ntini, for instance).

Note: Adding WFA to "DnsAdmins" will be explained more in the next post.
