Speed up onboarding with Active Directory user templates
It’s a common scenario: HR needs you to provision a new user quickly because someone forgot to make the request in advance. It helps to do some prep work ahead of time so you can handle these situations efficiently.
When you must drop whatever you’re doing and remember all the correct settings, group memberships, restrictions and all the other details for a new temp, it can lead to a faulty or insecure configuration. This person might work for a department that hasn’t had a new member in a while. Maybe it’s been a year since you last created a temporary user account. You could copy an existing account, but there is no guarantee that the specific user you’re copying hasn’t been customized due to some extenuating circumstances. This is the type of scenario that could use Active Directory user templates.
Create a user account manually
The usual method to onboard a user via the Active Directory Users and Computers (ADUC) Microsoft Management Console snap-in is to browse to the desired organizational unit (OU) to create a new user. A wizard walks you through a few basic options and creates the account. You then open the account properties and manually populate the remaining fields as a separate action. One hallmark of security and efficiency is repeatable and consistent configurations. When manually populating account settings, you hope you’re getting settings such as login restriction and group memberships correct; maybe you have a checklist. But you still risk mistakes or skipped settings — hence the need for a template.
There are multiple ways to create user accounts in Active Directory. You could use the Active Directory Administrative Center, a GUI front end built on Windows PowerShell that exposes some configuration options the ADUC console does not. Another choice is to use the PowerShell cmdlets directly at the command line. You could certainly script the process to achieve a similar result to the ADUC-based templates.
Create an Active Directory user template
The idea behind a template is to create a perfectly configured account that contains the correct settings and then copy it for each new user added to Active Directory.
You make the template account the same way you create a standard account. Select the OU, right-click, select New and then choose User. In the wizard, set the User logon name to something like _salestemplate and set the account First Name value as _sales. By placing the underscore as the first character in these fields, the template account alphabetizes to the top for your convenience. Complete the wizard by setting a password and checking the boxes for User must change password at next logon and Account is disabled so no one can log in as the template user.
Next, double-click the account in the OU to open it. You’ll need to decide on the proper settings based on your organization, but here are a few examples:
- General: Description
- Address: City, State/province, Country/region
- Account: Logon Hours, Log On To
- Profile: Profile, Home folder
- Organization: Job Title, Department, Company, Manager
- Member Of: Group memberships
Settings such as restricted logon hours and logging on to specified workstations can limit access for contractors and other temporary employees or regular employees working in particularly sensitive areas.
The above-listed settings are straightforward. However, pay attention to group and home directory settings specifically.
Manage group memberships
One of the primary benefits of using Active Directory user templates is that group memberships copy to the new accounts. This lends itself to consistency. Since group memberships are one of the main ways of managing access controls for resources, this feature is critical to security. Configure group memberships on the Member Of tab.
Place the template account in all the correct groups. For example, perhaps you’re creating a sales user account template. Sales users need access to sales directories and files, so the account will likely reside in the sales Global Group. In addition, perhaps the sales team regularly accesses the network via VPN, so place the account in the vpn_allowed Global Group. Finally, the company provides the sales team with laptops, so you should add the account to the laptop_users group. Each of these groups helps manage the user account and its resource access. Similar settings would exist for marketing or finance department members, who may not be given laptops or cannot remote in via the VPN. Templates for those accounts will include their own unique group memberships.
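The template account and its group memberships described above, built with the ActiveDirectory PowerShell module instead of the ADUC wizard. This is an added example, not code from the article; it assumes the RSAT ActiveDirectory module is installed, and the OU, domain name, manager account and workstation names are placeholders to replace with your own. The three group names are the ones the article uses.

```powershell
# Added example: create the _salestemplate account from PowerShell.
# Assumed values: the OU path, the corp.example domain, the manager 'jdoe'
# and the workstation names. Replace them with your own.
Import-Module ActiveDirectory

$ou       = 'OU=Sales,DC=corp,DC=example'              # assumed OU
$groups   = 'sales', 'vpn_allowed', 'laptop_users'     # groups named in the article
$password = Read-Host -AsSecureString -Prompt 'Initial template password'

# logonHours is stored as 21 bytes: one bit per hour of the week, starting at
# Sunday 00:00, in UTC, least-significant bit first. ADUC shows it in local
# time, so shift the hours if your site is not UTC-aligned.
function New-LogonHours {
    param([int[]]$Days = 1..5, [int]$StartHour = 8, [int]$EndHour = 18)  # Mon-Fri 08-18
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $idx = $d * 3 + [int][math]::Floor($h / 8)
            $bytes[$idx] = $bytes[$idx] -bor (1 -shl ($h % 8))
        }
    }
    return ,$bytes    # leading comma keeps the byte[] intact through the pipeline
}

# Disabled, password change required, restricted hours and workstations:
# exactly the state the article asks for in the template.
New-ADUser -Name '_sales' -GivenName '_sales' -SamAccountName '_salestemplate' `
    -UserPrincipalName '_salestemplate@corp.example' -Path $ou `
    -Description 'TEMPLATE - keep disabled' `
    -City 'Anytown' -State 'CA' -Country 'US' `
    -Title 'Sales Representative' -Department 'Sales' -Company 'Example Corp' `
    -Manager 'jdoe' `
    -LogonWorkstations 'SALES-WS01,SALES-WS02' `
    -OtherAttributes @{ logonHours = (New-LogonHours) } `
    -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $false

# Group membership lives on the group objects, not on the user, so it is a
# separate step rather than a New-ADUser parameter.
Add-ADPrincipalGroupMembership -Identity '_salestemplate' -MemberOf $groups

# Read the result back; this is what the Member Of and Account tabs will show.
Get-ADUser -Identity '_salestemplate' -Properties MemberOf, LogonWorkstations, Enabled |
    Select-Object SamAccountName, Enabled, LogonWorkstations, MemberOf
```

Keeping the template disabled in the script, rather than relying on an operator to remember the checkbox, is the point: an enabled template with a known password is an ordinary account in every group the template grants.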
Create home directories
Another useful trick that many administrators might not know is integrating the %username% variable into the template. Typically, the organization gives users a home directory on the network. This directory is properly secured and backed up regularly, which is much better than users storing business data on their local workstations. You might manually create this network home folder and set its NTFS and share permissions, but there is a better way.
First, locate the shared folder on a network drive that stores the home directories for your users or, at least, for the users for whom you’re creating the template account. Make sure you know the Universal Naming Convention (UNC) path for that share. In this demonstration, the path is \\DC01\homedirs.
As you create your template, select the Profile tab. Enter the following value for the home directory share: \\DC01\homedirs\%username%. If you choose OK to create the account and then reopen its properties and check this tab, you’ll discover the %username% variable was replaced by the account name. But that’s not the magic. Browse to the \\DC01\homedirs share and you’ll see a home directory was automatically created with the same username. If you check its permissions, the user is set as the owner with the appropriate authorizations. This variable is a real time-saver that also helps manage your security settings.
In this example, we mapped this share to the H: drive for the users.
In the Profile tab, there is also an option to store roaming profiles on the network. The %username% trick works for this setting too.
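The folder creation and owner assignment described above are done by the ADUC snap-in itself: New-ADUser and Set-ADUser store the %username% string literally and create no folder. The added example below (not code from the article) reproduces that behaviour from PowerShell, with an explicit least-privilege ACL. The share path and H: drive letter are the article's; the NetBIOS domain name CORP is assumed.

```powershell
# Added example: provision a home folder for an account the way ADUC does
# (folder named after the user, user as owner) from PowerShell.
# Assumption: the script runs with rights on \\DC01\homedirs and the
# NetBIOS domain is CORP; change both to match your environment.
Import-Module ActiveDirectory

function Set-UserHomeFolder {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ShareRoot = '\\DC01\homedirs',
        [string]$Drive     = 'H:',
        [string]$Domain    = 'CORP'             # assumed NetBIOS domain name
    )
    $user = Get-ADUser -Identity $SamAccountName
    $path = Join-Path $ShareRoot $user.SamAccountName   # expand %username% ourselves

    # Record the mapping on the account; this is what the Profile tab displays.
    Set-ADUser -Identity $user -HomeDirectory $path -HomeDrive $Drive

    # Create the folder once and never touch the contents of an existing one.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # Break inheritance so the share root's broad ACEs do not flow down, then
    # grant only the user (Modify), SYSTEM and Administrators (Full Control).
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rules = @(
        @("$Domain\$($user.SamAccountName)", 'Modify'),
        @('NT AUTHORITY\SYSTEM',             'FullControl'),
        @('BUILTIN\Administrators',          'FullControl')
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r[0], $r[1], $inherit, 'None', 'Allow')))
    }
    # Make the user the owner, as ADUC does when it creates the folder.
    $acl.SetOwner([System.Security.Principal.NTAccount]"$Domain\$($user.SamAccountName)")
    Set-Acl -LiteralPath $path -AclObject $acl
    return $path
}

# Usage: apply to the template first, then to every account copied from it.
Set-UserHomeFolder -SamAccountName '_salestemplate'
```

Disabling inheritance is the step worth checking after the fact: if the share root grants Authenticated Users read access and inheritance stays on, every user can browse every other user's home folder, which is exactly what the per-user owner assignment is meant to prevent.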
Create a user template for a temporary worker
In this challenge, you will create a template for contractors or temporary employees at your organization.
This scenario assumes you have a Temps OU, a gg_temps Global Group, and a network share at \\servername\homedirs, so create these objects if necessary. Select the Temps OU and begin the process to create the template account. Name the account _temp-user, set a password that never expires, and disable the account during the initial wizard.
Next, open the _temp-user Properties, and configure the following settings in the appropriate tabs:
- Address: 123 Main Street, Anytown, USA 12345
- Account restrictions:
  - Logon Hours: Monday-Friday 8am-6pm
  - Logon Workstations: Workstation06
- Home directory: Map the \\servername\homedirs\%username% share to the H: drive letter
- Organization: Manager name
- Group membership: gg_temps Global Group
Save changes and check for the home folder. You should see a home directory for the new _temp-user account.
Finally, create a new temporary user based on the template. Right-click the _temp-user template and select Copy. Go through the wizard using the name user01. Set a password, require a password change at first logon and enable the account. Open the new account and verify the address, groups, manager, home and logon restriction settings. Check for the new home directory, too.
Did the settings copy as expected? Carefully review each tab for the appropriate values.
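The Copy step of the challenge and the "did the settings copy?" check, scripted with the ActiveDirectory module. This is an added example, not the article's code. It assumes the _temp-user template already exists as the challenge describes and that the UPN suffix is corp.example; New-ADUser's -Instance parameter seeds the new object from the template's copyable attributes, and because group membership is a back-link on the group objects rather than an attribute of the user, the script replicates it explicitly.

```powershell
# Added example: copy a template account to a new user and report which
# settings did not carry over. Assumed: the template exists, the UPN suffix,
# and that template CNs contain no escaped commas (used to derive the OU).
Import-Module ActiveDirectory

# Writable attributes worth carrying from a template to a copy.
$copyable = 'city','state','country','postalCode','streetAddress','manager',
            'department','company','title','homeDirectory','homeDrive',
            'profilePath','logonHours','userWorkstations','accountExpires'

function Copy-ADUserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,              # e.g. '_temp-user'
        [Parameter(Mandatory)][string]$NewName,               # e.g. 'user01'
        [Parameter(Mandatory)][securestring]$Password,
        [string]$UpnSuffix = 'corp.example'                   # assumed
    )
    $tpl    = Get-ADUser -Identity $Template -Properties $copyable
    $groups = (Get-ADUser -Identity $Template -Properties memberOf).MemberOf

    # Identity fields must differ; everything else comes from -Instance.
    $params = @{
        Instance              = $tpl
        Name                  = $NewName
        SamAccountName        = $NewName
        UserPrincipalName     = "$NewName@$UpnSuffix"
        Path                  = ($tpl.DistinguishedName -replace '^CN=[^,]+,', '')
        AccountPassword       = $Password
        ChangePasswordAtLogon = $true     # what the challenge asks for on user01
        Enabled               = $true     # the template stays disabled; the copy is live
    }
    # Expand %username% (or the template's own name) into the copy's folder name.
    if ($tpl.HomeDirectory) {
        $params.HomeDirectory = $tpl.HomeDirectory -replace '%username%', $NewName `
                                    -replace [regex]::Escape($tpl.SamAccountName), $NewName
    }
    New-ADUser @params

    if ($groups) {
        Add-ADPrincipalGroupMembership -Identity $NewName -MemberOf $groups
    }
    return Get-ADUser -Identity $NewName -Properties $copyable
}

# Returns the names of checked settings that differ between template and copy;
# an empty result means every checked setting carried over.
function Compare-TemplateCopy {
    param([Parameter(Mandatory)][string]$Template, [Parameter(Mandatory)][string]$User)
    $check = $copyable | Where-Object { $_ -ne 'homeDirectory' }   # expected to differ
    $a = Get-ADUser -Identity $Template -Properties ($check + 'memberOf')
    $b = Get-ADUser -Identity $User     -Properties ($check + 'memberOf')
    $diff = @(foreach ($p in $check) {
        # -join flattens multi-valued attributes and the logonHours byte[] for comparison
        if (($a.$p -join ',') -ne ($b.$p -join ',')) { $p }
    })
    if (Compare-Object @($a.MemberOf) @($b.MemberOf)) { $diff += 'memberOf' }
    return $diff
}

# Usage, as in the challenge:
$pw = Read-Host -AsSecureString -Prompt 'Password for user01'
Copy-ADUserFromTemplate -Template '_temp-user' -NewName 'user01' -Password $pw | Out-Null
Compare-TemplateCopy -Template '_temp-user' -User 'user01'
```

Run the comparison after an ADUC copy as well as after a scripted one: ADUC copies only the attributes the schema marks for duplication, so the function shows you, per tab, which of the template's settings you still have to set by hand.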
Get familiar with the organizational chart to avoid surprises
When using Active Directory user templates, it helps to be organized and have a plan.
Build the templates for each type of user in your organization. Start by looking at the organizational chart to check the user categories. Next, examine the company security policy to see what types of users need specific settings. For example, you might discover that standard users have restricted logon hours, such as 7 a.m. to 6 p.m. Monday through Friday, but executives can sign in any time. The result is a series of different account categories based on settings, which provides you with a list of the templates you need to create and which OUs to store them in.
It isn’t hard to create accounts. But the goal is consistency for security over convenience for efficiency. Finally, be sure to get buy-in from the rest of your team so that everyone uses the templates whenever they create accounts and no one uses the manual process unless necessary.