Creating Active Directory (AD) accounts is a relatively simple process. That said, it can be tedious when adding hundreds of users to your system. Moreover, it is easy to accidentally assign newly created users to an AD group with more privileges than they need. This can lead to users bypassing mandatory workflows on business platforms, reducing business productivity. It also exposes data to potential bad actors.
One way to mitigate risks to your business’s data is to simplify the account creation process. This makes your life easier when adding users and simultaneously ensures you aren’t creating security challenges. You can even use user template accounts to reduce the human error involved in configuring each AD user by hand. This stops you from placing AD users in the wrong domain or OU in multi-site companies, or in groups that are deprecated but still present in AD.
A template account is a user account that serves as a model for other accounts you create. New accounts inherit any AD group memberships assigned to the template account. In this article, I’ll show you how to create a template account and new user accounts based on it.
How to Create a New Template
To create an AD user template, follow these steps:
- Open the Active Directory Users and Computers console
- Right-click on the Users folder (or the OU where the template should live) and select New | User from the shortcut menu
- Enter a user login name when prompted and click Next
- Enter a password and click Next. The password you provide will protect the template account against unauthorized logins. That said, it won’t be copied to new accounts created from your template
- Click Finish
- Right-click on the new account once you create the template account, and select the Properties command from the shortcut menu. This opens the template account’s properties dialog box
- Select the Member Of tab and add the template account to any required AD groups
- Click OK to complete the process
Now, let’s discover how to create new users from an AD template.
How to Create New Users from a Template
Once you’ve created a template account, you can use it to create new user accounts. This saves you time configuring accounts correctly for each user. In an SME, you may do this correctly for a handful of users, but doing it for hundreds in a larger enterprise will inevitably lead to errors. To create a user account from your template:
- Right-click on your template account and select the Copy command from the shortcut menu
- Enter the name of the user you want to create in the Copy Object User dialog box that pops up, and click Next
- Enter a password for the new user and click Next
- Click Finish. You’ve created the new user account in a way that mimics the template
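The same Copy operation, done from PowerShell, as an added example (this is not code from the article): it places the new account in the template’s OU and copies the template’s group memberships and expiration date, which is what the console’s Copy action carries over. It also refuses to proceed if the template sits in a privileged group, which is the misconfiguration the article warns about. The template name `_TPL-Sales`, the user `jdoe` and the privileged-group list are assumptions; the ActiveDirectory (RSAT) module is required.

```powershell
# Added example, not from the article or any vendor documentation.
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateSam,     # assumed template name, e.g. "_TPL-Sales"
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $tpl = Get-ADUser -Identity $TemplateSam -Properties MemberOf, AccountExpirationDate

    # The console's Copy puts the new user in the template's OU: take everything after
    # the leading "CN=...," of the DN. (Template names are under your control, so an
    # escaped comma in the CN is not expected here.)
    $ou = ($tpl.DistinguishedName -split ',', 2)[1]

    # Review what the new user would inherit BEFORE creating anything. Membership in a
    # privileged group on a template is exactly the over-privilege the article warns about.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    foreach ($dn in $tpl.MemberOf) {
        $g = Get-ADGroup -Identity $dn
        if ($privileged -contains $g.Name) {
            throw "Template '$TemplateSam' is a member of privileged group '$($g.Name)'; refusing to copy."
        }
    }

    # Build the parameter set; only pass an expiration date if the template has one,
    # so a template without an expiry does not produce an account with a bogus date.
    $new = @{
        Name = $DisplayName; SamAccountName = $SamAccountName; DisplayName = $DisplayName
        Path = $ou; AccountPassword = $Password
        Enabled = $true; ChangePasswordAtLogon = $true; PassThru = $true
    }
    if ($tpl.AccountExpirationDate) { $new.AccountExpirationDate = $tpl.AccountExpirationDate }
    $user = New-ADUser @new

    # Group membership lives on the group objects, not the user, so copy it explicitly.
    foreach ($dn in $tpl.MemberOf) { Add-ADGroupMember -Identity $dn -Members $user }

    # Return the effective state so the operator can verify what was actually granted.
    Get-ADUser -Identity $user.SamAccountName -Properties MemberOf, AccountExpirationDate |
        Select-Object SamAccountName, DistinguishedName, Enabled, AccountExpirationDate, MemberOf
}

# Usage: prompt for the password rather than embedding it in the script.
$pw = Read-Host -Prompt 'Password for new user' -AsSecureString
New-UserFromTemplate -TemplateSam '_TPL-Sales' -SamAccountName 'jdoe' -DisplayName 'Jane Doe' -Password $pw
```

Unlike the console, this always creates the account enabled, so a disabled template (see the FAQ) does not silently produce disabled users; the function is also the natural building block for the bulk, CSV-driven creation mentioned under scalability.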
Now that you know how to create new users from a template, let’s discover the best practices for a template account.
3 Template Account Best Practices
Template accounts are easy to create. That said, you should keep in mind some best practices for operating them.
1. Map Templates to Your Organizational Unit (OU) Structure
As a general rule, you want to create templates anywhere you have user accounts. For example, if you’ve created an OU for each department, you’ll likely want to create one or more templates in each OU. Remember that when you create a user account from a template, a new account is added in the same OU where the template resides.
2. Consider Template Names Carefully
When creating template accounts, you need to consider their names. This is due to a few different reasons. The first is that AD doesn’t allow duplicate user names. Thus, if you have multiple OUs with templates in each, you can’t have a template named “Template” in each OU. Even though the templates are in separate OUs, they’re still in the same domain, so they must have unique names.
Another reason is that even if you only have a single OU, you’ll likely create multiple templates. Using a naming convention for your templates can make it easier to track template creation. You can also adequately define what purpose each template has.
Finally, the Active Directory Users and Computers console lists user accounts alphabetically. If you frequently create user accounts, it’s a good idea to give your template accounts names that cause them to appear at the top of the list. After all, you never want to scroll through a long list of users looking for a template account.
3. Protect Your Template Accounts with a Strong Password
Passwords you assign to a template account will never be propagated to accounts you created from a template. That said, it’s still important to use a strong password. Template accounts have rights assigned to them (in the form of group memberships). Thus, they need protection against unauthorized logins just as you would protect any other account.
AD template accounts can help to simplify the process of creating user accounts. Your templates can also improve your overall security. That’s because admins don’t have to worry about accidentally assigning users to incorrect groups when creating accounts. User profiles and permissions also don’t have to be configured each time.
Consider your templates carefully to ensure you never grant access to groups that users don’t need to be in. This takes planning and testing on a test system before implementation; once a template is in production, its group memberships should stay fixed. You can also map templates to your OU for each department to secure and segregate users easily.
Keep in mind that cybercriminals want user credentials to escalate permissions and access different areas of your business. To avoid this, ensure you provide a strong AD password.
Interested in learning more about AD and how you can manage your company’s users? Read the FAQ and Resources sections below!
Do template accounts work in an Azure AD environment?
Yes, you can create templates in Azure Active Directory. That said, it’s worth noting that Microsoft 365 includes its own template feature. Go to the Active Users screen and click on User Templates, followed by Add Template, to create a new template.
Are AD attributes copied from a template account to new accounts created from the template?
Whether or not Active Directory (AD) attributes are copied to accounts created from a template depends on how the template was created. If you create a template account in the AD console, the only attributes copied are user group memberships. Conversely, if you create a template in Microsoft 365, other attributes like Department, Office, and Street Address are also copied.
Is using template accounts associated with any scalability issues?
The process used to create a user account from a template isn’t all that different from creating a user account from scratch. In short, using a template probably isn’t the best option if you need to create large numbers of accounts. In those situations, you’ll usually be better off creating the accounts from PowerShell.
Should I disable a template account to prevent anyone from logging into it?
While you can disable a template account, it’s usually better to leave the account enabled. That’s because if you disable a template account, any accounts generated from the template will also be disabled. You can, of course, manually enable these accounts. That said, it’s more convenient just to leave the template enabled.
Can I use templates to create user accounts that will expire on a particular date?
Yes. If you need to create several accounts set to expire on the same date, you can shortcut the process by creating a template account and assigning it an expiration date. Accounts created from the template will then have the same expiration date. Remember, both the user and template accounts will expire on the specified date.
TechGenix: Article on Granting AD Guest Users Access
TechGenix: Article on Importing Users into AD
Read more about importing users into Active Directory.
TechGenix: Article on Connecting Microsoft 365 AD Users to Azure AD
TechGenix: Article on Assessing Your AD Risks
Read more about assessing your Active Directory risks.