Windows NT administrators can certainly create user accounts using Microsoft’s
GUI admin tool, User Manager for Domains . Try it for 1000 new accounts
or for 10 new accounts on each of 100 new member servers. If you want to know
how an ex-unix administrator would do it, or how a commandline oriented old fart
would do it, or how someone interested in free time would do it, check out the
addusers.exe utility in the Windows NT Server Resource
Kit or in the Windows 2000 Server Resource Kit.
You can get a comma-delimited file with a list of user accounts and group
from a domain, member server or workstation. The file can be used to duplicate
or recreate the accounts / groups on other servers. It is also valuable
documentation and a beginning point for scripting. To generate a file with all
user accounts and group in a domain:
addusers \\domaincontroller /d extractfile.txt
You use /c parameter to read an addusers extract to create accounts /
groups. As an example, lets say you want to merge two domains or move accounts
from one domain to another:
- Log on as Administrator to the machine that has the accounts you wish to
copy.
- Create a comma-separated file containing details of all accounts and groups
by running the following command.
addusers /d
filename
- In this example, you are not duplicating global or local groups, so edit the
comma-separated file to remove the [Global] and [Local] sections and their contents.
- Copy the edited file to the PDC of the domain where you want to create the
accounts.
- Login as administrator to the PDC of the domain where you want to create the
accounts.
- Run the following command:
addusers /c
filename
This creates the accounts.
To get a list of all the addusers parameters, issue the following command
addusers /?
The addusers syntax is:
AddUsers {/c|/d{:u}|/e} filename [/s:x] [/?]
[\\computername|domainname] [/p:{l|c|e|d}]
where:
\\computername – is the computer where you want to
create user accounts or from which you want to write user accounts. If you do
not specify computername, AddUsers uses the local computer by default.
domainname – this option can be used in place of
computername. If this option is used, then Addusers queries the PDC of the
domain specified.
/c – Creates user accounts, local groups, and global
groups as specified by filename.
/d{:u} – Dumps user accounts, local groups, and
global groups to the specified file name. The (:u) is an optional switch that
causes current accounts to be written to the specified file in Unicode text
format. Choosing to dump current user accounts does not save the account’s
passwords or any security information for the accounts. To back up security
information for accounts, a Tape Backup should be used. Note: Password
information is not saved in a user account dump and if you use the same file to
create accounts, all passwords of newly created accounts will be empty. All
created users are required to change their password at logon by default.
/e – Erases the user accounts specified in the file
name. CAUTION: Be careful when erasing user accounts, as it is not possible to
recreate the user account with the same SID. This option, however, cannot erase
built-in accounts.
filename – The comma-delimited input/output file that
AddUsers uses for data.
/s:x – This a optional switch that changes the
character used for separating fields in the file. The x should be replaced with
the new character to be used for separating fields. For example, /s:~ would make
the field-separation character the “~” (tilde). If this option is not specified,
the default separator, a comma, is used.
/? – Displays a help screen.
The newer version of Addusers.exe is available in the Windows NT 4.0 Resource
Kit, Supplement 3 or later, has added a /p switch. This switch increases
functionality when creating new users with AddUsers.exe in Windows NT.
/p: – Sets account creation options. It can be used
along with any combination of the following options:
l – Users do not have to change passwords at next
logon.
c – Users cannot change passwords.
e – Passwords never expire. (implies l option)
d – Accounts disabled.
If you do not have access to the Windows NT Server Resource Kit or the
Windows 2000 Server Resource Kit, an alternative available on every Windows NT
workstations is the net localgroup command. The core
options include /domain which says to perform the task a domain controller of
the current domain; /add which says to add a group or user; and /delete which
says to remove a group or user. Experiment with the command on your workstation
before attempting domain changes. To get the full list of parameters, issue the
following command
net help localgroup
