

Management of test accounts in an Active Directory production domain - Part I: Creation of test accounts (EN)

Active Directory test accounts should be created only in test environments. In practice this is not always possible: while a new solution or software is being integrated or updated, test accounts may be required to run the necessary tests and checks in the production environment.

Unfortunately, Active Directory administrators may forget to remove test accounts once the tests are over, not least because such accounts end up under different Organizational Units and are therefore difficult to identify.

To give test accounts a clear life cycle and make them easy to manage, the following scripts were created:

Management of test accounts in an Active Directory production domain - Part I: Creation of test accounts
Management of test accounts in an Active Directory production domain - Part II: Notification about expiry for test accounts
Management of test accounts in an Active Directory production domain - Part III: Removal of test accounts

Management of test accounts in an Active Directory production domain - Part I: Creation of test accounts

To create test accounts, you can use the following PowerShell script.

The input of the script is:
  1. The First Name of the test account
  2. The sAMAccountName of the test account
  3. The password of the test account
  4. The description of the test account
  5. The e-mail address of the requester for the creation of the test account (example: owner@contoso.msft)
  6. The expiry of the test account, as a number of months from today (1 to 6; six months is the maximum)

Once the input is specified, the script will do the following tasks:

  1. It will create the new test account under the default Organizational Unit dedicated to test accounts
  2. It will flag the object as a test account by setting its info attribute to "User-TestAccount Owner: owner@contoso.msft"; this flag is what allows test accounts to be found again later, whichever Organizational Unit they are located in
  3. It will set the expiry date of the test account
  4. It will send an e-mail notification to the creator of the test account and the global Active Directory administrator (note that this message contains the account's password in clear text, so the mailboxes that receive it must be protected accordingly)
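Because the info flag is the only thing that ties a test account to its owner and to the rest of this series, it is worth checking that the flag, the owner and the expiry are consistent before relying on the notification and removal scripts. The following report is an added example written for this page; it is not part of the original script or of the series. It assumes the same DC name and default test-account OU as the Config section of the creation script (DCProd.contoso.msft and OU=Test_Accounts,DC=Contoso,DC=msft, both placeholders), the six-month maximum described above, and a machine with the ActiveDirectory module (RSAT) installed.

```powershell
###############################################################
# Get-TestAccountReport.ps1 - added audit example, not part of the original script.
# Lists every user carrying the "User-TestAccount Owner:" flag, wherever it sits
# in the domain, and reports owner, expiry and the findings a reviewer would act on.
# Also lists accounts in the test OU that carry no flag and would be missed later.
###############################################################
Import-Module ActiveDirectory

function Get-TestAccountReport
{
    param(
        # Assumed values, copied from the Config section of the creation script
        [string]$Server = "DCProd.contoso.msft",
        [string]$TestAccountsOU = "OU=Test_Accounts,DC=Contoso,DC=msft",
        # Policy from the page: a test account may live at most six months
        [int]$MaxMonths = 6
    )

    $flagPrefix = "User-TestAccount Owner: "
    $props = "info", "AccountExpirationDate", "Enabled", "whenCreated", "Description"
    $now = Get-Date

    # 1) Flagged accounts anywhere in the domain. The LDAP substring filter is
    #    evaluated by the DC, so only matching objects are returned to the client.
    $domainDN = (Get-ADDomain -Server $Server).DistinguishedName
    $flagged = Get-ADUser -LDAPFilter "(info=${flagPrefix}*)" -SearchBase $domainDN `
                          -Properties $props -Server $Server

    foreach ($u in $flagged)
    {
        # Owner e-mail is the token that follows the flag prefix
        $owner = if ($u.info -match '^User-TestAccount Owner:\s*(\S+)') { $Matches[1] } else { "" }
        $findings = @()

        if ($null -eq $u.AccountExpirationDate)
        {
            $findings += "NO EXPIRY"
        }
        elseif ($u.AccountExpirationDate -lt $now)
        {
            if ($u.Enabled) { $findings += "EXPIRED, STILL ENABLED" } else { $findings += "EXPIRED" }
        }
        elseif ($u.AccountExpirationDate -gt $u.whenCreated.AddMonths($MaxMonths).AddDays(1))
        {
            # One day of grace: the expiry is computed slightly after whenCreated
            $findings += "EXPIRY EXCEEDS $MaxMonths MONTHS"
        }
        if ($owner -eq "" -or $owner -notlike "*@*") { $findings += "NO VALID OWNER" }
        if ($u.DistinguishedName -notlike "*,$TestAccountsOU") { $findings += "OUTSIDE TEST OU" }

        New-Object PSObject -Property @{
            SamAccountName = $u.SamAccountName
            Owner          = $owner
            Expires        = $u.AccountExpirationDate
            Enabled        = $u.Enabled
            Location       = $u.DistinguishedName
            Findings       = ($findings -join "; ")
        }
    }

    # 2) Accounts parked in the test OU without the flag: a notification or
    #    removal script keyed on the info attribute would never see them.
    Get-ADUser -LDAPFilter "(!(info=${flagPrefix}*))" -SearchBase $TestAccountsOU `
               -SearchScope Subtree -Properties $props -Server $Server |
        ForEach-Object {
            New-Object PSObject -Property @{
                SamAccountName = $_.SamAccountName
                Owner          = ""
                Expires        = $_.AccountExpirationDate
                Enabled        = $_.Enabled
                Location       = $_.DistinguishedName
                Findings       = "UNFLAGGED (info attribute lacks the test-account marker)"
            }
        }
}

# Usage: run as a user with read access to the domain and review the Findings column
Get-TestAccountReport |
    Select-Object SamAccountName, Owner, Expires, Enabled, Findings, Location |
    Format-Table -AutoSize
```

Every row carries a Findings value (NO EXPIRY, EXPIRED, EXPIRED, STILL ENABLED, EXPIRY EXCEEDS 6 MONTHS, NO VALID OWNER, OUTSIDE TEST OU, UNFLAGGED), so the output can be piped through Where-Object to build a to-do list. Both queries are server-side LDAP filters, which keeps the report usable on a large domain.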
Before using the script, you need to update the following variables:
  • $domaindnsname: Specify the DNS name of the domain you use
  • $domainnetbiosname: Specify the NetBIOS name of the domain you use
  • $server: Specify the DNS name of the DC to use for the creation of test accounts
  • $defaulttestaccountsOU: Specify the Distinguished Name of the Organizational Unit to be used as the default location for Active Directory test accounts
  • $smtpserver: Specify the DNS name of the SMTP server to use for sending e-mail notifications
  • $noreplymail: Specify the SMTP address to use to send e-mail notifications
  • $globalADadminmail: Specify the e-mail address of the global Active Directory administrator
###############################################################
# Test_Account_Creation_v1.0.ps1
# Version 1.0
# MALEK Ahmed - 30 / 03 / 2013
###############################################################

##################
#--------Config
##################
$domaindnsname = "contoso.msft"
$domainnetbiosname = "CONTOSO"
$server = "DCProd.contoso.msft"
$defaulttestaccountsOU = "OU=Test_Accounts,DC=Contoso,DC=msft"
$smtpserver = "mail.contoso.msft"
$noreplymail = "no-reply@contoso.msft"
$globalADadminmail = "administrator@contoso.msft"

##################
#--------Functions
##################
#Read-Host returns an empty string (never $null) when the user just presses Enter,
#so a "-eq $null" test would accept blank input. This helper re-prompts until a
#non-blank value is entered and returns it trimmed.
function Read-RequiredValue ([string]$Prompt)
{
    $value = Read-Host $Prompt
    while ([string]::IsNullOrWhiteSpace($value))
    {
        $value = Read-Host ("[WRONG VALUE] " + $Prompt)
    }
    return $value.Trim()
}

#Sends the notification e-mail to the account creator with the global AD
#administrator in copy; falls back to the administrator alone when the creator
#has no mail attribute.
function Send-Notification ([string]$Subject, [string]$Body, [switch]$HighPriority)
{
    $msg = New-Object Net.Mail.MailMessage
    $smtp = New-Object Net.Mail.SmtpClient($smtpserver)
    $msg.From = $noreplymail
    if ([string]::IsNullOrEmpty($accountcreator))
    {
        $msg.To.Add($globalADadminmail)
    }
    else
    {
        $msg.To.Add($accountcreator)
        $msg.CC.Add($globalADadminmail)
    }
    $msg.Subject = $Subject
    $msg.Body = $Body
    if ($HighPriority) { $msg.Priority = [System.Net.Mail.MailPriority]::High }
    $smtp.Send($msg)
}

##################
#--------Main
##################
Clear-Host
Import-Module ActiveDirectory
#Prompting the user to provide the test account details
$usernameAD = [Environment]::UserDomainName + "\" + [Environment]::UserName
$applicationname = Read-RequiredValue 'What is the test account First name?'
$testaccountname = Read-RequiredValue 'What is the test account samaccountname?'
#The password has to be in clear text because dsadd takes it as a plain -pwd
#argument: it is visible in the command line of the dsadd process and is sent in
#clear text in the notification e-mail below.
$password = Read-RequiredValue 'What is the test account password?'
$description = Read-RequiredValue 'What is the test account description?'
$Userrequester = Read-RequiredValue 'What is the requester e-mail address?'
while ($Userrequester -notlike "*@*")
{
    $Userrequester = Read-RequiredValue '[WRONG VALUE] What is the requester e-mail address?'
}
$expiry = Read-Host 'The account will expire after how many months (Supported values: 1-6)?'
while ($expiry -notmatch '^[1-6]$')
{
    $expiry = Read-Host '[WRONG VALUE] The account will expire after how many months (Supported values: 1-6)?'
}
#Identify the e-mail address of the person running the script
$User = Get-ADUser ([Environment]::UserName) -Properties Mail -Server $server
$accountcreator = $User.mail
$User = $null

$samaccountname = $testaccountname
#Preparing the userprincipalname value (sAMAccountName@domain DNS name)
$userprincipalname = $samaccountname + "@" + $domaindnsname
#Formatting the First Name
$fn = $applicationname
#Formatting the Last Name
$ln = "test account"
#Preparing the Display Name
$displayname = $fn + " " + $ln
#Preparing the Common Name
$commonname = $displayname
#Preparing the user OU
$OU = $defaulttestaccountsOU
#Preparing the Distinguished Name. The first name is inserted unescaped, so it
#must not contain characters that are special in a DN (such as "," or "=").
$userDN = "CN=" + $commonname + "," + $OU
#User Creation (stderr is merged into the captured output for the failure report)
$usercreation = dsadd user $userDN -samid $samaccountname -fn $fn -ln $ln -display $displayname -upn $userprincipalname -pwd $password -mustchpwd no -desc $description -disabled no -s $server 2>&1
#dsadd is an external command: its exit code is 0 only when the object was created
$created = ($LASTEXITCODE -eq 0)

#Notification
$wshShell = New-Object -ComObject "WScript.Shell"
if ($created)
{
    #Set AD attributes: the info attribute flags the object as a test account and records its owner
    $User = Get-ADUser $samaccountname -Properties info -Server $server
    $User.info = "User-TestAccount Owner: " + $Userrequester
    Set-ADUser -Instance $User -Server $server
    #Set the expiry date the requested number of calendar months from today
    Set-ADAccountExpiration -Identity $samaccountname -DateTime (Get-Date).AddMonths([int]$expiry) -Server $server
    $User = $null

    $wshShell.Popup("The test account for " + $displayname + " was created.", 0, "[SUCCESS] The test account for " + $displayname + " was created.", 48)
    $mailbody = "AD Login = " + $domainnetbiosname + "\" + $samaccountname + "`r`n`r`n"
    $mailbody += "Password = " + $password + "`r`n`r`n"
    $mailbody += "The account will expire after " + $expiry + " months`r`n`r`n"
    $mailbody += "`r`n`r`n"
    $mailbody += "The creation was done by " + $usernameAD
    #Notification about the script execution
    Send-Notification -Subject ("[SUCCESS] The test account for " + $displayname + " was created.") -Body $mailbody
}
else
{
    $wshShell.Popup("The test user account " + $displayname + " was not created", 0, "[ERROR] The test user account " + $displayname + " was not created", 48)
    #Notification about the script execution, including the dsadd output for debugging
    $mailbody = "Debugging: First Name: " + $fn + ", Last Name: " + $ln + ", samaccountname: " + $samaccountname + ", password: " + $password + ", Description: " + $description + "`r`n`r`n"
    $mailbody += "dsadd output: " + ($usercreation | Out-String) + "`r`n`r`n"
    $mailbody += "The creation attempt was done by " + $usernameAD
    Send-Notification -Subject ("[ERROR] The user " + $displayname + " was not created") -Body $mailbody -HighPriority
}

Verified on the following platforms

 Windows 10: No
 Windows Server 2012: No
 Windows Server 2012 R2: No
 Windows Server 2008 R2: Yes
 Windows Server 2008: No
 Windows Server 2003: No
 Windows 8: No
 Windows 7: No
 Windows Vista: No
 Windows XP: No
 Windows 2000: No

This script is tested on these platforms by the author. It is likely to work on other platforms as well. If you try it and find that it works on another platform, please add a note to the script discussion to let others know.

Disclaimer
 
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.