This is one of the features in Active directory which most administrators, system engineers not using in typical networks. Even though this is very small feature it’s very helpful in larger infrastructure systems and will save lot of time, errors with user creation in AD and permissions, membership assign.
Even most not using this, user account templates feature was in place from Windows NT 4.0. In domain environment, we will be able to see many shares similar properties in user accounts. For example if we take users in sales department, almost all will be member of same security groups, distribution groups. So every time when you need to create new sales department user you will need to add these group membership manually. What if users are in 10 groups? How much time it will take to map membership from existing user to new user? If you need to add 10 new users have to follow same procedure? Can we guarantee the system administrator assigned for the task will not miss any? If we delegate control to HR department for account creations will typical Clark can process this complex procedure? Answer for all this questions is use of user account templates for the task.
In AD we can create user template with all common attributes, group memberships and we can use it when we add a new user to AD who will use similar properties.
Let’s look in to the configuration. In my demo I already setup domain contoso.com and in AD there is organization unit called “Sales Department” so everyone in the department will share same properties. Let’s create user account template to use for the task.
To do this right click on the OU and click on New > User
In new user add wizard fill the full name as "Sales User Template" and user name as Sales.Template. Please keep First name, last name empty as its unique. Then Click next to continue.
In next window we can define the password and i have selected options "User must change password at logon" and "Account is disabled options. so every new user account create based on this template will be in disabled mode until its manually enabled. its good practice for user account creation. also user will have option to define his own password at log on. once selection completes click on next to continue.
In next window it gives confirmation about selections and click on "Finish" to create the template in AD.
Even we create user i still need to add some more properties to the template which will be shared among users which will create using this template. To do that right click on user and click on properties.
First i will go to "Member of" tab and using "Add" button will add groups which users will assign to. in my demo i used 3 group membership
All Users, Sales Leads, Sales Users
Then in "Organization" tab i will fill the relevant info for the template.
Then i will go to the "Account" tab and click on "Logon Hours" button and in pop up i denied sales users log in to network over the weekend.
Then in Profile tab i mapped the Z drive, a common share which will be use by sales department.
Once every thing done, click on "ok' to apply these changes to the template.
Now we have the user template in place. so lets go ahead and add a user based on this template. to do that right click on the "Sales User Template" user we just added and click on "Copy"
In new user wizard fill in the appropriate info, and click on next.
In next window we can see the options we selected on template were already selected ( account disable, user must change password at next log on) and only need to define password and click on next to continue.
In next window it will list the selections and click on finish to create the new sales user.
Now we need to see if this new account have the properties which templates have.
Organization Tab ( Job Title will be shows empty as its unique )
Profile Tab
Account Tab
Member of Tab
so we can see its all worked as expected and saves lot of time and was able to create user with out missing relevant info.