For this Quick PowerShell post, I am going to cover something that I am learning to expand my skill set – Microsoft Identity Manager (MIM) 2016. I want to briefly cover different ways to create the user accounts needed for a best-practice installation of MIM. First, we will start with Microsoft’s code from the Docs page, then cover a couple of variations I’ve seen, as well as a modified version of the script to help tailor it to your needs.
Microsoft Code
Source – MIM Deployment – Set up a domain
```powershell
Import-Module ActiveDirectory
$sp = ConvertTo-SecureString "Pass@word1" -AsPlainText -Force

New-ADUser -SamAccountName MIMINSTALL -Name MIMINSTALL
Set-ADAccountPassword -Identity MIMINSTALL -NewPassword $sp
Set-ADUser -Identity MIMINSTALL -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMMA -Name MIMMA
Set-ADAccountPassword -Identity MIMMA -NewPassword $sp
Set-ADUser -Identity MIMMA -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMSync -Name MIMSync
Set-ADAccountPassword -Identity MIMSync -NewPassword $sp
Set-ADUser -Identity MIMSync -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMService -Name MIMService
Set-ADAccountPassword -Identity MIMService -NewPassword $sp
Set-ADUser -Identity MIMService -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMSSPR -Name MIMSSPR
Set-ADAccountPassword -Identity MIMSSPR -NewPassword $sp
Set-ADUser -Identity MIMSSPR -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName SharePoint -Name SharePoint
Set-ADAccountPassword -Identity SharePoint -NewPassword $sp
Set-ADUser -Identity SharePoint -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName SqlServer -Name SqlServer
Set-ADAccountPassword -Identity SqlServer -NewPassword $sp
Set-ADUser -Identity SqlServer -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName BackupAdmin -Name BackupAdmin
Set-ADAccountPassword -Identity BackupAdmin -NewPassword $sp
Set-ADUser -Identity BackupAdmin -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMpool -Name MIMpool
Set-ADAccountPassword -Identity MIMpool -NewPassword $sp
Set-ADUser -Identity MIMpool -Enabled $true -PasswordNeverExpires $true
```
A couple of things to note in the above code:
- The password will be the same for each account created
- A lot of duplicate code is used
- Names of the service accounts are not custom and may not fit into a naming system
Another Take – Condensed
Included in the comments was a nice consolidated script to help condense how much code is needed to do the same as the Microsoft script:
```powershell
Import-Module ActiveDirectory
$sp = ConvertTo-SecureString "Pass@word1" -AsPlainText -Force
$users = @("MIMINSTALL", "MIMMA", "MIMSync", "MIMService", "MIMSSPR", "SharePoint", "SqlServer", "BackupAdmin", "MIMpool")
$users | % {
    New-ADUser -SamAccountName $_ -Name $_
    Set-ADAccountPassword -Identity $_ -NewPassword $sp
    Set-ADUser -Identity $_ -Enabled $true -PasswordNeverExpires $true
}
```
This takes Microsoft’s code and reduces it from 29 lines to 8. Nicely done. It has a couple of remaining issues:
- Password is still the same for each account
- Names of the service accounts are not custom and may not fit into a naming system
What can be done to enhance this script?
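One non-interactive way to address both remaining issues at once, written here as an added example that is not the author's script and not Microsoft's docs code: the account names come from a table of roles plus a naming prefix, and each account gets its own random password generated from the OS CSPRNG, so no shared or plaintext secret lives in the script. The OU path, the `svc-` prefix and the function names are placeholders and assumptions, not anything from the original post.

```powershell
# Added example (not the author's script and not Microsoft's docs code): create
# the MIM service accounts from a table of roles, applying a naming convention
# and generating a unique random password per account.
# Assumptions: the RSAT ActiveDirectory module is installed, the caller may
# create users in $TargetOU, and the OU path and prefix below are placeholders
# to be adjusted to the target domain.
Import-Module ActiveDirectory

$TargetOU   = 'OU=Service Accounts,DC=contoso,DC=com'   # placeholder OU
$NamePrefix = 'svc-'                                     # placeholder naming convention

# Role name from the docs -> description stored on the account
$Roles = [ordered]@{
    'MIMINSTALL'  = 'MIM installation account'
    'MIMMA'       = 'MIM management agent account'
    'MIMSync'     = 'MIM Synchronization Service'
    'MIMService'  = 'MIM Service'
    'MIMSSPR'     = 'MIM password reset portal'
    'SharePoint'  = 'SharePoint farm account for the MIM portal'
    'SqlServer'   = 'SQL Server service for the MIM databases'
    'BackupAdmin' = 'MIM backup administrator'
    'MIMpool'     = 'MIM portal application pool'
}

function New-RandomPassword {
    # 64-symbol alphabet so one byte masked to 6 bits picks a symbol without
    # modulo bias; bytes come from the OS CSPRNG; result is a SecureString.
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%&*'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $secure = New-Object System.Security.SecureString
    foreach ($b in $bytes) { $secure.AppendChar($alphabet[$b -band 63]) }
    $secure.MakeReadOnly()
    return $secure
}

function New-MimServiceAccounts {
    # Creates one account per role and returns the name and SecureString
    # password of each new account so they can be handed to a secret store;
    # nothing is echoed to the console. Use -WhatIf to preview the changes.
    param([switch]$WhatIf)
    foreach ($role in $Roles.Keys) {
        $sam = ($NamePrefix + $role).ToLower()
        # -Filter returns $null rather than throwing when the account is absent
        if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
            Write-Warning "$sam already exists; skipping"
            continue
        }
        $password = New-RandomPassword
        New-ADUser -SamAccountName $sam -Name $sam -Description $Roles[$role] `
                   -Path $TargetOU -AccountPassword $password -Enabled $true `
                   -PasswordNeverExpires $true -CannotChangePassword $true -WhatIf:$WhatIf
        [pscustomobject]@{ SamAccountName = $sam; Password = $password }
    }
}

# Keep the returned objects in the session; each Password is a SecureString
$Accounts = New-MimServiceAccounts
```

The returned objects are the only copy of each password, so the next step after running this is to feed them into whatever secret store the environment uses and to use the same SecureString when configuring the corresponding service. A password that never expires on nine long-lived accounts is exactly why one shared value is a poor fit: a single leak would cover the whole MIM install.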
Custom Iteration
In making these changes, the customizations add lines, but they also add functionality and comments to help others understand what the script is for. The script also asks whether you want to use your standard password and standard naming, or supply custom names and/or a custom password.
```powershell
Write-Host "-------------------------------------" -ForegroundColor Green
Write-Host " MIM Account Creation Script" -ForegroundColor Green
Write-Host "-------------------------------------" -ForegroundColor Green
Write-Host ""
Write-Host ""

# Import AD Module
Import-Module ActiveDirectory

# Standard MIM User and Password
$Users = @("MIMINSTALL", "MIMMA", "MIMSync", "MIMService", "MIMSSPR", "SharePoint", "SqlServer", "BackupAdmin", "MIMpool")

# Loop for all users
Foreach ($User in $Users) {

    # Account Name
    Write-Host "Do you want to use the standard name for the $User account? [s or c]: " -ForegroundColor Yellow -NoNewline
    $AccountAnswer = Read-Host
    If ($AccountAnswer -eq 'c') {
        Write-Host "What account name do you want to use: " -ForegroundColor Yellow -NoNewline
        $AccountName = Read-Host
    }
    Else {
        $AccountName = $User
    }

    # Password Creation
    Write-Host "Do you want to use the standard password for the $User account? [s or c]: " -ForegroundColor Yellow -NoNewline
    $PasswordAnswer = Read-Host

    # Set password to something custom
    If ($PasswordAnswer -eq 'c') {
        Write-Host "Please enter a new password to be used with this account: " -ForegroundColor Yellow -NoNewline
        $SecurePassword = Read-Host -AsSecureString
        # $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
    }
    Else {
        $SecurePassword = ConvertTo-SecureString "!th1sISs3cur3#" -AsPlainText -Force
    }

    # Account Creation (Get-ADUser throws if the account does not exist, so treat the error as "not found")
    Try {
        $Check = Get-ADUser $AccountName -ErrorAction Stop
    }
    Catch {
        $Check = $Null
    }

    If ($Check -eq $Null) {
        New-ADUser -Enabled $True -SamAccountName $AccountName -Name $AccountName -PasswordNeverExpires $True -AccountPassword $SecurePassword
        # Set-ADAccountPassword -Identity $AccountName -NewPassword $SecurePassword
        # Set-ADUser -Identity $AccountName -Enabled $True -PasswordNeverExpires $True
    }
    Else {
        Write-Host ' '
        Write-Host "User Account " -ForegroundColor White -NoNewline
        Write-Host "$AccountName " -ForegroundColor Green -NoNewline
        Write-Host "already exists and will not be created." -ForegroundColor White
        Write-Host ' '
    }

    Write-Host '-----------------------------------------------------------------------' -ForegroundColor Green
    Write-Host ' '
}
```
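As an added verification step that is not part of the author's script, the check below reads the accounts back out of AD after creation and reports the settings worth tracking for long-lived service accounts: whether each one exists and is enabled, the never-expires flag the script sets, the password age, any membership in high-privilege groups, and how many SPNs are registered. It assumes the RSAT ActiveDirectory module and the standard name list from the script; custom names chosen at the prompts would be passed in instead. The function name and the privileged-group list are my own choices, not from the post.

```powershell
# Added example, not part of the original post: read back the MIM accounts after
# creation and report the settings worth tracking for long-lived service accounts.
# Assumes the RSAT ActiveDirectory module and the same standard names the script
# above uses.
Import-Module ActiveDirectory

$Users = @("MIMINSTALL", "MIMMA", "MIMSync", "MIMService", "MIMSSPR",
           "SharePoint", "SqlServer", "BackupAdmin", "MIMpool")

# Groups a service account normally should not be a member of (assumed list)
$HighPrivilegeGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-MimAccountReport {
    param([Parameter(Mandatory)][string[]]$SamAccountNames)

    foreach ($sam in $SamAccountNames) {
        # -Filter returns $null instead of throwing when the account is missing
        $u = Get-ADUser -Filter "sAMAccountName -eq '$sam'" `
                        -Properties PasswordNeverExpires, PasswordLastSet, MemberOf,
                                    ServicePrincipalNames, Description, LastLogonDate

        if (-not $u) {
            # Same shape as a found account so Format-Table shows every column
            [pscustomobject]@{
                Name = $sam; Exists = $false; Enabled = $null
                PasswordNeverExpires = $null; PasswordAgeDays = $null
                HighPrivilegeGroups = $null; SpnCount = $null; Description = $null
            }
            continue
        }

        # MemberOf holds distinguished names; compare the leading CN= value
        $privileged = foreach ($dn in $u.MemberOf) {
            $cn = ($dn -split ',')[0] -replace '^CN=', ''
            if ($HighPrivilegeGroups -contains $cn) { $cn }
        }

        [pscustomobject]@{
            Name                 = $u.SamAccountName
            Exists               = $true
            Enabled              = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordAgeDays      = $(if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null })
            HighPrivilegeGroups  = ($privileged -join ';')
            SpnCount             = @($u.ServicePrincipalNames).Count
            Description          = $u.Description
        }
    }
}

Get-MimAccountReport -SamAccountNames $Users | Format-Table -AutoSize
```

Run it once right after the creation script to confirm every account landed, and again on a schedule: PasswordNeverExpires is intentional for these accounts, which is precisely why the password age and the privileged-group column deserve a periodic look rather than being set once and forgotten.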
Conclusion
As you can see, the script provides a better experience and allows for customization for your naming conventions and passwords. As always, test code provided here in a lab before just copying and pasting.