Active DirectoryMicrosoft TechnologiesWindows Server

Create Users with User Templates in AD

This is one of the features in Active directory which most administrators, system engineers not using in typical networks. Even though this is very small feature it’s very helpful in larger infrastructure systems and will save lot of time, errors with user creation in AD and permissions, membership assign.

Even most not using this, user account templates feature was in place from Windows NT 4.0. In domain environment, we will be able to see many shares similar properties in user accounts. For example if we take users in sales department, almost all will be member of same security groups, distribution groups. So every time when you need to create new sales department user you will need to add these group membership manually. What if users are in 10 groups? How much time it will take to map membership from existing user to new user? If you need to add 10 new users have to follow same procedure? Can we guarantee the system administrator assigned for the task will not miss any? If we delegate control to HR department for account creations will typical Clark can process this complex procedure? Answer for all this questions is use of user account templates for the task.

In AD we can create user template with all common attributes, group memberships and we can use it when we add a new user to AD who will use similar properties.

Let’s look in to the configuration. In my demo I already setup domain contoso.com and in AD there is organization unit called “Sales Department” so everyone in the department will share same properties. Let’s create user account template to use for the task.

To do this right click on the OU and click on New > User

u1

In new user add wizard fill the full name as "Sales User Template" and user name as Sales.Template. Please keep First name, last name empty as its unique. Then Click next to continue.

u2

In next window we can define the password and i have selected options "User must change password at logon" and "Account is disabled options. so every new user account create based on this template will be in disabled mode until its manually enabled. its good practice for user account creation. also user will have option to define his own password at log on. once selection completes click on next to continue.

u3

In next window it gives confirmation about selections and click on "Finish" to create the template in AD.

u4

Even we create user i still need to add some more properties to the template which will be shared among users which will create using this template. To do that right click on user and click on properties.

u5

First i will go to "Member of" tab and using "Add" button will add groups which users will assign to. in my demo i used 3 group membership

All Users, Sales Leads, Sales Users

u6

u7

Then in "Organization" tab i will fill the relevant info for the template.

u8

Then  i will go to the "Account" tab and click on "Logon Hours" button and in pop up i denied sales users log in to network over the weekend.

u9

Then in Profile tab i mapped the Z drive, a common share which will be use by sales department.

u10

Once every thing done, click on "ok' to apply these changes to the template.

u11

Now we have the user template in place. so lets go ahead and add a user based on this template. to do that right click on the "Sales User Template" user we just added and click on "Copy"

u12

In new user wizard fill in the appropriate info, and click on next.

u13

In next window we can see the options we selected on template were already selected ( account disable, user must change password at next log on) and only need to define password and click on next to continue.

u14

In next window it will list the selections and click on finish to create the new sales user.

u15

Now we need to see if this new account have the properties which templates have.

Organization Tab ( Job Title will be shows empty as its unique )

u17

Profile Tab

u18

Account Tab

u19

Member of Tab

u20

so we can see its all worked as expected and saves lot of time and was able to create user with out missing relevant info.

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Process Entra ID Entitlement Management Access Package on-behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: How to setup Entra ID Restricted management Administrative Units ?

In my previous blog post, I discussed what Entra ID Administrative Units are and how they can be…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *