Forum / Remote Desktop Manager - PowerShell Repository

PowerShell script to create user from AD

Hello all - we have RDM set up to automatically create accounts in RDM on logon; however, I am wanting to create an operations process for onboarding users in our hosting environment. My thought here is to have a process that will create the AD user first - place in the appropriate AD groups > then turn around and create the user in RDM (as they haven't logged in yet) AND set them to the proper role (given I have the groups and roles already set). I will work on creating a UI that will be the 'new user' app that will ask all the right questions, then run the appropriate AD scripts.

I can handle the AD part - and would really like an example of how to create a user in RDM with a role assignment. Just for info - the users are in a different domain/forest than the RDM server is.

thanks!

5 yrs

Hi Jason,


To create users and assign them roles, you will need the cmdlets New-RDMUser, Set-RDMUserProperty, Add-RDMUserRole and Set-RDMUser.

Example:

Here is a basic way to create a new user:

$newUser = New-RDMUser -Name "LoginName" -CreateSQLServerLogin -IntegratedSecurity

If you decide to create a SQL Server login and you don't want integrated security, you need to set a password:

$newUser = New-RDMUser -Name "LoginName" -CreateSQLServerLogin
$my_secure_password_string = ConvertTo-SecureString "password" -AsPlainText -Force
Set-RDMUserProperty -User $newUser -Property "Password" -Value $my_secure_password_string

If you want to set user permissions

Set-RDMUserProperty -User $newUser -Property "Add" -Value $TRUE
Set-RDMUserProperty -User $newUser -Property "Edit" -Value $TRUE
Set-RDMUserProperty -User $newUser -Property "Delete" -Value $TRUE

To set user permissions within a group, you need to use Set-RDMUserGroupRights. The parameters are the rights you want to give and, of course, the user and the group, which you get with Get-RDMSecurityGroup, or you can create a new one with New-RDMSecurityGroup.

$group = Get-RDMSecurityGroup | Where-Object { $_.Name -eq "GroupName" }
Set-RDMUserGroupRights -User $newUser -SecurityGroup $group -View -Add -Edit -Delete

To assign a role to a user, you need to get the role with the command Get-RDMRole or create a new one with New-RDMRole.

$role = Get-RDMRole | Where-Object { $_.Name -eq "RoleName" }
Add-RDMUserRole -Role $role -User $newUser

The last thing you need to do is to save the user in the data source with Set-RDMUser:

Set-RDMUser -User $newUser

For the complete list of RDM cmdlets you can visit the help at http://help.remotedesktopmanager.com/index.html?powershell_cmdlets.htm

Best regards,
edited by Olivier Désalliers on 3/27/2015

Olivier Désalliers


5 yrs
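
Added example, not from the original posts or the RDM documentation: the sequence from the reply above wrapped in a function that takes the password as a SecureString supplied at run time instead of a literal in the script, and that stops before creating anything when the role name does not resolve to exactly one role. It uses only the cmdlets and parameters shown in that reply (the `-Name` syntax); the function name `New-OnboardedRdmUser` and its parameter names are hypothetical.

```powershell
# Added example; needs the RDM PowerShell module used in the reply above.
# New-OnboardedRdmUser and its parameter names are hypothetical.
function New-OnboardedRdmUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LoginName,
        [Parameter(Mandatory)][string]$RoleName,
        [securestring]$Password   # omit to use integrated security
    )
    $ErrorActionPreference = 'Stop'

    # Resolve the role first, so a misspelled name stops the run
    # instead of passing an empty value to Add-RDMUserRole.
    $roleMatches = @(Get-RDMRole | Where-Object { $_.Name -eq $RoleName })
    if ($roleMatches.Count -ne 1) {
        throw "Expected exactly one role named '$RoleName', found $($roleMatches.Count); no user created."
    }

    if ($Password) {
        # The password arrives as a SecureString; it never appears in the script text.
        $user = New-RDMUser -Name $LoginName -CreateSQLServerLogin
        Set-RDMUserProperty -User $user -Property 'Password' -Value $Password
    } else {
        $user = New-RDMUser -Name $LoginName -CreateSQLServerLogin -IntegratedSecurity
    }

    # Set the global rights explicitly to false; access then comes from the role.
    foreach ($right in 'Add', 'Edit', 'Delete') {
        Set-RDMUserProperty -User $user -Property $right -Value $false
    }
    Add-RDMUserRole -Role $roleMatches[0] -User $user
    Set-RDMUser -User $user      # save step, as in the reply
    $user
}

# Usage: the operator types the initial password; it is not stored in the file.
$pw = Read-Host -AsSecureString -Prompt 'Initial password'
New-OnboardedRdmUser -LoginName 'LoginName' -RoleName 'RoleName' -Password $pw
```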

So, I was looking at taking this a step further and fully automating the creation of users, security groups, and roles. In setting up our SQL database with tons of user accounts and sessions, we are required to secure each folder of sessions to a specific user, for example in a training scenario where a specific user needs access to a set of equipment that no one else needs access to.

I have been somewhat successful in automating the creation of multiple user accounts thanks to the information in this specific post. The information here definitely helped.

Just to give an idea of the steps I am required to follow:

  • Create security groups for an instructor account and several student accounts
  • Create an instructor account from AD
  • Create a role for only the instructor account - to let the instructor also see the contents of student session folders
  • Create several student accounts from AD
  • Assign View only access for the instructor and students

I have a pretty good script so far which does the trick with some work-arounds though.


What I think will help is if I know what the properties are that I can assign values to for the roles and also set which security groups the instructor account will have access to view. I think I have a general idea, but needed some advice before continuing.

I need the role to provide the member of that role (the instructor account) with the ability to view sessions within its own folder and the sessions in folders for each student. Each student can already view contents of its own folder using a security group. So this role would give the instructor view access to all other student security groups.

The following is the script that I currently have put together, which I believe will create the user accounts and security groups and set View only access. It hasn't been fully tested, but I'm happy to share here.


$bgColor = 'Black'
$fgColor = 'White'
$textColor1 = 'DarkCyan'
$textColor2 = 'Cyan'
$textColor3 = 'Yellow'

function setRDMSecurity {

    #Create instructor security group.

    $classdata = Import-Csv C:\Scripts\input\trsdeploy.csv | Where-Object {$_.Type -eq 'ClassData'}
    $trsuserprefix = $($classdata.TRSUser)
    $classsize = $($classdata.Stations)
    $instructorgroupname = ''
    $instructorgroupname = $($trsuserprefix.ToUpper()) + '_Instructor'

    Write-Host -ForegroundColor $textColor2 "`nCreating RDM instructor security group $instructorgroupname..."
    $instructorsecgroup = ''
    $instructorsecgroup = New-RDMSecurityGroup -Name $instructorgroupname
    Set-RDMSecurityGroup $instructorsecgroup

    #Create instructor account.

    $dc1 = $($classdata.Site)
    $instructoracct = ''
    $instructoracct = $dc1 + '\' + $trsuserprefix + '_instructor'

    Write-Host -ForegroundColor $textColor2 "`nCreating instructor account $instructoracct..."
    $newrdminstructor = ''
    $newrdminstructor = New-RDMUser -Name $instructoracct -IntegratedSecurity -CreateSQLServerLogin

    Set-RDMUserProperty -User $newrdminstructor -Property 'Add' -Value $false
    Set-RDMUserProperty -User $newrdminstructor -Property 'Edit' -Value $false
    Set-RDMUserProperty -User $newrdminstructor -Property 'Delete' -Value $false

    #Give instructor account rights on the instructor security group.

    $instructorgroup = ''
    $instructorgroup = Get-RDMSecurityGroup | Where-Object {$_.Name -eq $instructorgroupname}
    Write-Host -ForegroundColor $textColor2 "`nSetting permissions for $instructoracct on security group $instructorgroupname..."
    Set-RDMUserGroupRights -User $newrdminstructor -SecurityGroup $instructorgroup -View:$true -Add:$false -Edit:$false -Delete:$false

    #Create a role for the instructor account.

    $role = New-RDMRole -Name $instructorgroupname

    Set-RDMRoleProperty -Role $role -Property 'Add' -Value $false
    Set-RDMRoleProperty -Role $role -Property 'Edit' -Value $false
    Set-RDMRoleProperty -Role $role -Property 'Delete' -Value $false


    #Create student security group, create student accounts, and assign rights to student security groups.

    for( $i=1; $i -le $classsize; $i++ ) {
        $studentgroupname = ''
        $studentgroupname = $($trsuserprefix.ToUpper()) + '_User' + $i
        Write-Host -ForegroundColor $textColor2 "`nCreating RDM student security group $studentgroupname..."
        $studentsecgroup = ''
        $studentsecgroup = New-RDMSecurityGroup -Name $studentgroupname
        Set-RDMSecurityGroup $studentsecgroup

        $studentacct = ''
        $studentacct = $dc1 + '\' + $trsuserprefix + '_user' + $i
        Write-Host -ForegroundColor $textColor2 "`nCreating student account $studentacct..."
        $newrdmstudent = ''
        $newrdmstudent = New-RDMUser -Name $studentacct -IntegratedSecurity -CreateSQLServerLogin

        Set-RDMUserProperty -User $newrdmstudent -Property 'Add' -Value $false
        Set-RDMUserProperty -User $newrdmstudent -Property 'Edit' -Value $false
        Set-RDMUserProperty -User $newrdmstudent -Property 'Delete' -Value $false

        $studentgroup = ''
        Do {$studentgroup = Get-RDMSecurityGroup | Where-Object {$_.Name -eq $studentgroupname}} until ($studentgroup)
        Write-Host -ForegroundColor $textColor2 "`nSetting permissions for $instructoracct and $studentacct on security group $studentgroupname..."
        Set-RDMUserGroupRights -User $newrdminstructor -SecurityGroup $studentgroup -View:$true -Add:$false -Edit:$false -Delete:$false
        Set-RDMUserGroupRights -User $newrdmstudent -SecurityGroup $studentgroup -View:$true -Add:$false -Edit:$false -Delete:$false

        Write-Host -ForegroundColor $textColor2 "`nSaving user $studentacct..."
        Set-RDMUser $newrdmstudent
    }

    Write-Host -ForegroundColor $textColor2 "`nSaving user $instructoracct..."
    Set-RDMUser -User $newrdminstructor

    #Add the instructor to the new role.
    Add-RDMRoleToUser -Role $role -User $newrdminstructor

    #Save the instructor role.
    Set-RDMRole $role

}

setRDMSecurity

5 yrs

I tried to use the cmdlets but am getting an error on New-RDMUser -Name "USER" -IntegratedSecurity -CreateSQLServerLogin


Error:
New-RDMUser : A parameter cannot be found that matches parameter name 'Name" .

Is there a bug or did the command change? The Get-Help still shows to use -Name

2 mths


Hello,

What RDM version are you using?

Best regards,



Érica Poirier


2 mths


Hello,

In fact, if you are using RDM 2019.x, please use the -Login switch instead.

$my_secure_password_string = ConvertTo-SecureString "userpassword" -AsPlainText -Force
$user = New-RDMUser -Login "User" -CreateSQLServerLogin -AuthentificationType "Database" -Email "useraccount@mydomain.com" -Password $my_secure_password_string

Best regards,



Érica Poirier


2 mths

14.0.4.0

Thanks, I will try 2019.

2 mths


Upgraded to 2019 and that fixed it.

How do I set the User's first and last name? I can set the login ID and email address but do not see a switch for first and last name.

2 mths

Hello,

Once the account has been created, you can set the first and last name like the following sample:


$my_secure_password_string = ConvertTo-SecureString "userpassword" -AsPlainText -Force
$user = New-RDMUser -Login "User" -CreateSQLServerLogin -AuthentificationType "Database" -Email "useraccount@mydomain.com" -Password $my_secure_password_string
$user.FirstName = "John"
$user.LastName = "Doe"
Set-RDMUser $user

Best regards,



Érica Poirier


2 mths


Thank you again!

2 mths


I am working on a script to sync users with AD security groups. It creates new users and groups. Now I am trying to add users to the RDM roles they are missing from. How do I list which roles users belong to?

With SecurityGroups I can match them by IDs but Role's IDs don't seem to be listed in a user's groupinfos.

Which commands can help me match users with roles?

2 mths

Hello,

What data source type are you using?

With Devolutions Password Server (DPS), the role memberships are automatically managed and you don't have to manually assign users to roles.

Best regards,



Érica Poirier


2 mths

We don't have that feature in RDM. I take it there is no way to pull which Roles users are assigned to with PowerShell?

2 mths

Hello,

Thank you for the information.

It is possible to set the role assignment in the CustomSecurity property of the user object. This property contains XML, and to assign roles you need to add the role's GUID within the <CustomRoles></CustomRoles> tags.


Best regards,



Érica Poirier


2 mths
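
Added example, not part of the original reply: a read-only check that lists the role GUIDs found between the `<CustomRoles>` tags of a user's CustomSecurity XML and compares them with the roles the user is expected to hold, which is the audit half of an AD-to-RDM sync. The screenshot from the reply is not available, so the XML and GUIDs below are constructed and every element name other than `CustomRoles` is an assumption; the function therefore matches GUID-shaped values by pattern instead of by child tag name. Both function names are hypothetical.

```powershell
# Added example. Sample XML and GUIDs are constructed; element names other than
# <CustomRoles> are assumptions, so GUIDs are matched by pattern, not by tag name.
function Get-CustomRoleId {
    param([string]$CustomSecurityXml)
    if ([string]::IsNullOrWhiteSpace($CustomSecurityXml)) { return }
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null                  # never fetch external entities or DTDs
    $doc.LoadXml($CustomSecurityXml)          # throws on malformed XML
    $node = $doc.SelectSingleNode("//*[local-name()='CustomRoles']")
    if (-not $node) { return }
    $pattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    [regex]::Matches($node.InnerXml, $pattern) |
        ForEach-Object { $_.Value.ToLowerInvariant() } |
        Sort-Object -Unique
}

function Compare-RoleAssignment {
    param([string[]]$Actual, [string[]]$Expected)
    # Drop null and empty entries so a user with no roles compares cleanly.
    $have = @($Actual   | Where-Object { $_ })
    $want = @($Expected | Where-Object { $_ })
    [pscustomobject]@{
        Missing    = @($want | Where-Object { $_ -notin $have })   # should be added
        Unexpected = @($have | Where-Object { $_ -notin $want })   # review before removal
    }
}

# Constructed input; in RDM this string would come from $user.CustomSecurity.
$sampleXml = @'
<CustomSecurity>
  <CustomRoles>
    <Role>11111111-aaaa-4bbb-8ccc-000000000001</Role>
    <Role>11111111-aaaa-4bbb-8ccc-000000000003</Role>
  </CustomRoles>
</CustomSecurity>
'@
# Constructed list of the role GUIDs this user should have according to AD.
$expected = '11111111-aaaa-4bbb-8ccc-000000000001',
            '11111111-aaaa-4bbb-8ccc-000000000002'

$actual = Get-CustomRoleId -CustomSecurityXml $sampleXml
Compare-RoleAssignment -Actual $actual -Expected $expected | Format-List
```

Reporting the unexpected roles separately from the missing ones lets a sync job add what is absent automatically while leaving removals to a reviewed step.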

I was able to figure it out and have a working script now. Thanks for your help!

27 days