Inside Webster’s Lab: Creating Active Directory Organizational Units, Users, Groups and Computers

    With all the writing I do for my website and customers, I recreate my Windows Server 2012 R2 Active Directory (AD) environment frequently.  I thought I would show you how, in just a few seconds, I recreate my entire AD structure.

    This may come as a shock to some of you but I do not use PowerShell for this task.  Instead, I use built-in Windows utilities that I have been using since probably around 2004.  What I use works, so I see no need to redo it in PowerShell. I only use three Windows utilities:

    • DSAdd
    • DSMod
    • DSQuery

    I have a batch file that does the following:

    • Creates the OUs
    • Creates the security groups
    • Creates the user accounts
    • Adds the user accounts into the security groups
    • Creates the computer accounts

    I pre-create all the computer accounts so when the computers are joined to the domain, they are in the right OU and get the necessary GPOs immediately after the domain join restart.

    The batch file is very simple (to me).

    Note: The batch file contains several “-upn something@domain.com” values. These confuse the syntax highlighter I use for WordPress: it treated everything after the “something@domain.com” as JavaScript and scrambled the rest of the text. In the text below, and only for this article, I changed every “something@domain.com” to “something at domain.com”; the real values are still there in the batch file you can download.

    echo off
    CLS
    
    Echo Create OUs
    Dsadd ou "ou=Lab,dc=LabADDomain,dc=com" -desc "top level OU for Lab"
    
    Dsadd ou "ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -desc "Accounts top level OU"
    Dsadd ou "ou=Admin,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for Admin accounts"
    Dsadd ou "ou=Service,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for service accounts"
    Dsadd ou "ou=User,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for regular user account"
    
    Dsadd ou "ou=Desktops,ou=Lab,dc=LabADDomain,dc=com" -desc "Desktops top level OU"
    Dsadd ou "ou=Admin,ou=Desktops,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for administrator desktops"
    Dsadd ou "ou=XD76,ou=Desktops,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for regular user desktops"
    
    Dsadd ou "ou=Groups,ou=Lab,dc=LabADDomain,dc=com" -desc "Security Groups top level OU"
    Dsadd ou "ou=Admin,ou=Groups,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for admin security groups"
    Dsadd ou "ou=Desktops,ou=Groups,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for desktop computer security groups"
    Dsadd ou "ou=User,ou=Groups,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for regular user security groups"
    
    Dsadd ou "ou=Servers,ou=Lab,dc=LabADDomain,dc=com" -desc "Servers top level OU"
    Dsadd ou "ou=PVS,ou=Servers,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for PVS servers"
    Dsadd ou "ou=XD76,ou=Servers,ou=Lab,dc=LabADDomain,dc=com" -desc "OU for all other XenDesktop servers"
    
    Echo Create security groups
    Dsadd group "cn=LocalAdmins,ou=Admin,ou=Groups,ou=Lab,dc=LabADDomain,dc=com" -secgrp yes -desc "Group for users who need local admin rights"
    
    Dsadd group "cn=XDUsers,ou=User,ou=Groups,ou=Lab,dc=LabADDomain,dc=com" -secgrp yes -desc "Group for users who need XenDesktop desktop access"
    
    Echo Create user accounts
    Dsadd user "cn=svc_ctxpvs,ou=Service,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -samid svc_ctxpvs -upn svc_ctxpvs at LabADDomain.com -fn svc_ctxpvs -display "svc_ctxpvs" -pwd FakePwd -desc "Citrix PVS Service Account" -mustchpwd no -pwdneverexpires yes
    Dsadd user "cn=svc_ctxsqldb,ou=Service,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -samid svc_ctxsqldb -upn svc_ctxsqldb at LabADDomain.com -fn svc_ctxsqldb -display "svc_ctxsqldb" -pwd FakePwd -desc "Citrix SQL DBA Service Account" -mustchpwd no -pwdneverexpires yes
    
    Dsadd user "cn=User1,ou=User,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -samid User1 -upn User1 at LabADDomain.com -fn User1 -display "User1" -pwd FakePwd -desc "User1 PvD" -mustchpwd no -pwdneverexpires yes
    Dsadd user "cn=User2,ou=User,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -samid User2 -upn User2 at LabADDomain.com -fn User2 -display "User2" -pwd FakePwd -desc "User2 PvD" -mustchpwd no -pwdneverexpires yes
    Dsadd user "cn=User3,ou=User,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -samid User3 -upn User3 at LabADDomain.com -fn User3 -display "User3" -pwd FakePwd -desc "User3 PvD" -mustchpwd no -pwdneverexpires yes
    
    Echo Add user accounts to security groups
    Rem all users in the Lab/Accounts/User OU get added to the XDUsers security group
    dsquery user "ou=User,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -limit 0 | dsmod group "cn=XDUsers,ou=User,ou=Groups,ou=Lab,dc=LabADDomain,dc=com" -chmbr -c
    
    Rem any user in the Lab/Accounts/User OU that has PvD in the description gets added to the LocalAdmins security group
    dsquery user "ou=User,ou=Accounts,ou=Lab,dc=LabADDomain,dc=com" -desc "*PvD*" -limit 0 | dsmod group "cn=LocalAdmins,ou=Admin,ou=Groups,ou=Lab,dc=LabADDomain,dc=com" -chmbr -c
    
    Echo Create computer accounts
    Dsadd computer "cn=PVS76,ou=PVS,ou=Servers,ou=Lab,dc=LabADDomain,dc=com" -samid PVS76 -desc "PVS76"
    
    Dsadd computer "cn=XD76,ou=XD76,ou=Servers,ou=Lab,dc=LabADDomain,dc=com" -samid XD76 -desc "XD76"
    Dsadd computer "cn=Director,ou=XD76,ou=Servers,ou=Lab,dc=LabADDomain,dc=com" -samid Director -desc "Director"
    Dsadd computer "cn=StoreFront,ou=XD76,ou=Servers,ou=Lab,dc=LabADDomain,dc=com" -samid StoreFront -desc "StoreFront"
    Dsadd computer "cn=SQL,ou=XD76,ou=Servers,ou=Lab,dc=LabADDomain,dc=com" -samid SQL -desc "SQL"
    
    echo on
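
    The two dsquery | dsmod lines above decide group membership from where a user sits (the User OU) and from a free-text match on the Description attribute (“*PvD*” for LocalAdmins). The following is an added example, not part of the original post or its batch file, that audits the result with the ActiveDirectory PowerShell module (RSAT) after the batch file has run: it confirms every user in the User OU landed in XDUsers, that LocalAdmins contains exactly the PvD users and nothing else, and that the service accounts really got the password-never-expires flag. The DNs are the ones used in the batch file; the module and the SamAccountName/Description property names are standard.

```powershell
# Added example (not from the original post): audit what the batch file produced.
# Assumes the ActiveDirectory module (RSAT) and the DNs used in the post's batch file.
Import-Module ActiveDirectory

$domainDN   = "dc=LabADDomain,dc=com"
$userOU     = "ou=User,ou=Accounts,ou=Lab,$domainDN"
$serviceOU  = "ou=Service,ou=Accounts,ou=Lab,$domainDN"
$xdUsersDN  = "cn=XDUsers,ou=User,ou=Groups,ou=Lab,$domainDN"
$localAdmDN = "cn=LocalAdmins,ou=Admin,ou=Groups,ou=Lab,$domainDN"
$problems   = 0

# 1. Every user in the User OU is supposed to be in XDUsers.
$usersInOU = Get-ADUser -SearchBase $userOU -Filter * -Properties Description
$xdMembers = Get-ADGroupMember -Identity $xdUsersDN |
             Select-Object -ExpandProperty distinguishedName
foreach ($u in $usersInOU) {
    if ($xdMembers -notcontains $u.DistinguishedName) {
        Write-Warning "Not in XDUsers: $($u.SamAccountName)"; $problems++
    }
}

# 2. LocalAdmins grants local admin rights and is filled from a free-text
#    Description match, so check both directions: expected users that are
#    missing, and members that are not a PvD user from the User OU at all.
$expectedAdmins = $usersInOU | Where-Object { $_.Description -like "*PvD*" } |
                  Select-Object -ExpandProperty DistinguishedName
$actualAdmins   = Get-ADGroupMember -Identity $localAdmDN -Recursive |
                  Select-Object -ExpandProperty distinguishedName
foreach ($dn in $actualAdmins) {
    if ($expectedAdmins -notcontains $dn) {
        Write-Warning "Unexpected LocalAdmins member: $dn"; $problems++
    }
}
foreach ($dn in $expectedAdmins) {
    if ($actualAdmins -notcontains $dn) {
        Write-Warning "Expected in LocalAdmins but missing: $dn"; $problems++
    }
}

# 3. The batch file sets -pwdneverexpires yes on the service accounts; confirm it landed.
Get-ADUser -SearchBase $serviceOU -Filter * -Properties PasswordNeverExpires |
    Where-Object { -not $_.PasswordNeverExpires } |
    ForEach-Object {
        Write-Warning "Service account without PasswordNeverExpires: $($_.SamAccountName)"
        $problems++
    }

if ($problems -eq 0) { "Lab structure matches the batch file's intent." }
else                 { "$problems difference(s) found." }
```

    Run it from a machine with RSAT against the lab domain after the batch file completes. Because the LocalAdmins rule keys off a Description string, the second check is the one worth keeping around: re-running the batch file later will add any user whose Description happens to contain “PvD”, so knowing who is in that group at any moment is the useful fact.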
    

    The results of running the batch file.

    Note: In the text below, I also had to change all the “something@domain.com” to “something at domain.com” just for this article but they are still there in the batch file you can download.

    Echo Create OUs
    Create OUs
    Dsadd ou "ou=Lab,dc=labaddomain,dc=com" -desc "top level OU for Lab"
    dsadd succeeded:ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -desc "Accounts top level OU"
    dsadd succeeded:ou=Accounts,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=Admin,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -desc "OU for Admin accounts"
    dsadd succeeded:ou=Admin,ou=Accounts,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=Service,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -desc "OU for service accounts"
    dsadd succeeded:ou=Service,ou=Accounts,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -desc "OU for regular user account"
    dsadd succeeded:ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=Desktops,ou=Lab,dc=labaddomain,dc=com" -desc "Desktops top level OU"
    dsadd succeeded:ou=Desktops,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=Admin,ou=Desktops,ou=Lab,dc=labaddomain,dc=com" -desc "OU for administrator desktops"
    dsadd succeeded:ou=Admin,ou=Desktops,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=XD76,ou=Desktops,ou=Lab,dc=labaddomain,dc=com" -desc "OU for regular user desktops"
    dsadd succeeded:ou=XD76,ou=Desktops,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=Groups,ou=Lab,dc=labaddomain,dc=com" -desc "Security Groups top level OU"
    dsadd succeeded:ou=Groups,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=Admin,ou=Groups,ou=Lab,dc=labaddomain,dc=com" -desc "OU for admin security groups"
    dsadd succeeded:ou=Admin,ou=Groups,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=Desktops,ou=Groups,ou=Lab,dc=labaddomain,dc=com" -desc "OU for desktop computer security groups"
    dsadd succeeded:ou=Desktops,ou=Groups,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=User,ou=Groups,ou=Lab,dc=labaddomain,dc=com" -desc "OU for regular user security groups"
    dsadd succeeded:ou=User,ou=Groups,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=Servers,ou=Lab,dc=labaddomain,dc=com" -desc "Servers top level OU"
    dsadd succeeded:ou=Servers,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=PVS,ou=Servers,ou=Lab,dc=labaddomain,dc=com" -desc "OU for PVS servers"
    dsadd succeeded:ou=PVS,ou=Servers,ou=Lab,dc=labaddomain,dc=com
    Dsadd ou "ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com" -desc "OU for all other XenDesktop servers"
    dsadd succeeded:ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com
    Echo Create security groups
    Create security groups
    Dsadd group "cn=LocalAdmins,ou=Admin,ou=Groups,ou=Lab,dc=labaddomain,dc=com" -secgrp yes -desc "Group for users who need local admin rights"
    dsadd succeeded:cn=LocalAdmins,ou=Admin,ou=Groups,ou=Lab,dc=labaddomain,dc=com
    Dsadd group "cn=XDUsers,ou=User,ou=Groups,ou=Lab,dc=labaddomain,dc=com" -secgrp yes -desc "Group for users who need XenDesktop desktop access"
    dsadd succeeded:cn=XDUsers,ou=User,ou=Groups,ou=Lab,dc=labaddomain,dc=com
    Echo Create user accounts
    Create user accounts
    Dsadd user "cn=svc_ctxpvs,ou=Service,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -samid svc_ctxpvs -upn svc_ctxpvs at labaddomain -fn svc_ctxpvs -display "svc_ctxpvs" -pwd FakePwd -desc "Citrix PVS Service Account" -mustchpwd no -pwdneverexpires yes
    dsadd succeeded:cn=svc_ctxpvs,ou=Service,ou=Accounts,ou=Lab,dc=labaddomain,dc=com
    Dsadd user "cn=svc_ctxsqldb,ou=Service,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -samid svc_ctxsqldb -upn svc_ctxsqldb at labaddomain -fn svc_ctxsqldb -display "svc_ctxsqldb" -pwd FakePwd -desc "Citrix SQL DBA Service Account" -mustchpwd no -pwdneverexpires yes
    dsadd succeeded:cn=svc_ctxsqldb,ou=Service,ou=Accounts,ou=Lab,dc=labaddomain,dc=com
    Dsadd user "cn=User1,ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -samid User1 -upn User1 at labaddomain -fn User1 -display "User1" -pwd FakePwd -desc "User1 PvD" -mustchpwd no -pwdneverexpires yes
    dsadd succeeded:cn=User1,ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com
    Dsadd user "cn=User2,ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -samid User2 -upn User2 at labaddomain -fn User2 -display "User2" -pwd FakePwd -desc "User2 PvD" -mustchpwd no -pwdneverexpires yes
    dsadd succeeded:cn=User2,ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com
    Dsadd user "cn=User3,ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -samid User3 -upn User3 at labaddomain -fn User3 -display "User3" -pwd FakePwd -desc "User3 PvD" -mustchpwd no -pwdneverexpires yes
    dsadd succeeded:cn=User3,ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com
    Echo Add user accounts to security groups
    Add user accounts to security groups
    Rem all users in the Lab/Accounts/User OU get added to the XDUsers security group
    dsquery user "ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -limit 0 | dsmod group "cn=XDUsers,ou=User,ou=Groups,ou=Lab,dc=labaddomain,dc=com" -chmbr -c
    dsmod succeeded:cn=XDUsers,ou=User,ou=Groups,ou=Lab,dc=labaddomain,dc=com
    Rem any user in the Lab/Accounts/User OU that has PvD in the description gets added to the LocalAdmins security group
    dsquery user "ou=User,ou=Accounts,ou=Lab,dc=labaddomain,dc=com" -desc "*PvD*" -limit 0 | dsmod group "cn=LocalAdmins,ou=Admin,ou=Groups,ou=Lab,dc=labaddomain,dc=com" -chmbr -c
    dsmod succeeded:cn=LocalAdmins,ou=Admin,ou=Groups,ou=Lab,dc=labaddomain,dc=com
    Echo Create computer accounts
    Create computer accounts
    Dsadd computer "cn=PVS76,ou=PVS,ou=Servers,ou=Lab,dc=labaddomain,dc=com" -samid PVS76 -desc "PVS76"
    dsadd succeeded:cn=PVS76,ou=PVS,ou=Servers,ou=Lab,dc=labaddomain,dc=com
    Dsadd computer "cn=XD76,ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com" -samid XD76 -desc "XD76"
    dsadd succeeded:cn=XD76,ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com
    Dsadd computer "cn=Director,ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com" -samid Director -desc "Director"
    dsadd succeeded:cn=Director,ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com
    Dsadd computer "cn=StoreFront,ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com" -samid StoreFront -desc "StoreFront"
    dsadd succeeded:cn=StoreFront,ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com
    Dsadd computer "cn=SQL,ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com" -samid SQL -desc "SQL"
    dsadd succeeded:cn=SQL,ou=XD76,ou=Servers,ou=Lab,dc=labaddomain,dc=com
    echo on
    C:\>
    

    And the results in AD.

    Figures 1 through 11 (screenshots of the results in AD)

    And there you have the very quick and very simple way I can create and recreate my AD lab structure.  To delete the structure, I just right-click the top level Lab OU and select delete as shown in Figure 12.

    Figure 12

    Click Yes to the popup shown in Figure 13.

    Figure 13

    Select Use Delete Subtree server control and click Yes as shown in Figure 14.

    Figure 14

    And in less than the blink of an eye, the Lab OU structure is removed from AD as shown in Figure 15.

    Figure 15

    Since DSAdd OU does not have a parameter to set the Protect this OU from accidental deletion flag, it is very simple to delete the Lab OU tree and run the batch file to recreate the Lab OU structure whenever I need to have a clean (re)starting point.
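
    The two things DSAdd cannot do for the Lab tree, setting the accidental-deletion protection and deleting the subtree from a console rather than the GUI, are both available from the ActiveDirectory PowerShell module. The following is an added example, not from the original post; it assumes the RSAT module and the same “ou=Lab,dc=LabADDomain,dc=com” DN the batch file uses.

```powershell
# Added example (not from the original post): protect the Lab OU tree, and tear it
# down again the way the post's "Use Delete Subtree server control" step does.
# Assumes the ActiveDirectory module (RSAT) and the DN used in the post's batch file.
Import-Module ActiveDirectory

$labOU = "ou=Lab,dc=LabADDomain,dc=com"

# Turn on "Protect this OU from accidental deletion" for Lab and every OU beneath it.
# This is the flag DSAdd OU has no parameter for; once set, a plain delete of any of
# these OUs (GUI or PowerShell) is refused.
function Protect-LabTree {
    param([string]$OU = $labOU)
    Get-ADOrganizationalUnit -SearchBase $OU -SearchScope Subtree -Filter * |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
}

# Delete the whole Lab tree so the batch file can recreate it. The protection has to
# be cleared first; Remove-ADOrganizationalUnit -Recursive then removes the OU and
# everything in it. It still prompts once, like the Yes in Figure 13, unless
# -Confirm:$false is added.
function Remove-LabTree {
    param([string]$OU = $labOU)
    Get-ADOrganizationalUnit -SearchBase $OU -SearchScope Subtree -Filter * |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $OU -Recursive
}

# Typical cycle: protect after the batch file runs, unprotect-and-remove before rerunning it.
Protect-LabTree
# Remove-LabTree
```

    Protecting the tree costs nothing in a lab and means a mis-click in the console cannot remove the structure; Remove-LabTree undoes it deliberately, in one step, when a clean restart is wanted.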

    I hope this very quick and simple process helps you out.

    Thanks

    Webster

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.



    1. Robert Jaudon Says:

      That is a nice little batch script!!! I just have to ask…have you thought about converting it to PS? Thanks for posting…I always find your information very valuable. Keep up the good work.
      Rob

