Hello all - we have RDM setup to automatically create accounts in RDM on logon, however I am wanting to create an operations process for onboarding users in our hosting environment. My thought here is to have a process that will create the AD user first - place in the appropriate AD groups > then turn around and create the user in RDM (as they haven't logged in yet) AND set them to the proper role (given I have the groups and roles already set). I will work on creating a UI that will be the 'new user' app that will ask all the right questions, then run the appropriate AD scripts.
I can handle the AD part - and would really like an example of how to create a user in RDM with a role assignment. Just for info - the users are in a different domain/forest than the RDM server is.
thanks!
Hi Jason,
To create users and set them roles you will need the cmdlets New-RDMUser, Set-RDMUserProperty, Add-RDMUserRole, Set-RDMUser.
Example:
Here is a basic way to create a new user:
$newUser = New-RDMUser -Name "LoginName" -CreateSQLServerLogin -IntegratedSecurity
If you decide to create a SQL Server login and you don't want integrated security, you need to set a password:
$newUser = New-RDMUser -Name "LoginName" -CreateSQLServerLogin
$my_secure_password_string = ConvertTo-SecureString "password" -AsPlainText -Force
Set-RDMUserProperty -User $newUser -Property "Password" -Value $my_secure_password_string
If you want to set user permissions:
Set-RDMUserProperty -User $newUser -Property "Add" -Value $TRUE
Set-RDMUserProperty -User $newUser -Property "Edit" -Value $TRUE
Set-RDMUserProperty -User $newUser -Property "Delete" -Value $TRUE
To set user permissions within a group you need to use Set-RDMUserGroupRights. The parameters are the rights you want to give and, of course, the user and the group, which you get with Get-RDMSecurityGroup, or you can create a new one with New-RDMSecurityGroup:
$group = Get-RDMSecurityGroup | Where-Object { $_.Name -eq "GroupName" }
Set-RDMUserGroupRights -User $newUser -SecurityGroup $group -View -Add -Edit -Delete
To set a role to a user, you need to get the role with the command Get-RDMRole or create a new one with New-RDMRole:
$role = Get-RDMRole | Where-Object { $_.Name -eq "RoleName" }
Add-RDMUserRole -Role $role -User $newUser
The last thing you need to do is to save the user in the data source with Set-RDMUser:
Set-RDMUser -User $newUser
For the complete list of RDM cmdlets you can visit the help at http://help.remotedesktopmanager.com/index.html?powershell_cmdlets.htm
Best regards,
edited by Olivier Désalliers on 3/27/2015
Olivier Désalliers
So, I was looking at taking this a step further and fully automating the creation of users, security groups, and roles. In setting up our SQL database with tons of user accounts and sessions, we are required to secure each folder of sessions to a specific user, for example in a training scenario where a specific user needs access to a set of equipment that no one else needs access to.
I have been somewhat successful in automating the creation of multiple user accounts thanks to the information in this specific post. The information here definitely helped.
Just to give an idea of the steps I am required to follow:
I have a pretty good script so far which does the trick with some work-arounds though.
What I think will help is if I know what the properties are that I can assign values to for the roles and also set which security groups the instructor account will have access to view. I think I have a general idea, but needed some advice before continuing.
I need the role to provide the member of that role (the instructor account) with the ability to view sessions within its only folder and the sessions in folders for each student. Each student can already view contents of its own folder using a security group. So this role would give the instructor view access to all other student security groups.
The following is the script that I currently have put together, which I believe will create the user accounts and security groups and set View only access. It hasn't been fully tested, but I'm happy to share here.
$bgColor = 'Black'
$fgColor = 'White'
$textColor1 = 'DarkCyan'
$textColor2 = 'Cyan'
$textColor3 = 'Yellow'
function setRDMSecurity {
    #Create instructor security group.
    $classdata = Import-Csv C:\Scripts\input\trsdeploy.csv | Where-Object {$_.Type -eq 'ClassData'}
    $trsuserprefix = $($classdata.TRSUser)
    $classsize = $($classdata.Stations)
    $instructorgroupname = ''
    $instructorgroupname = $($trsuserprefix.ToUpper()) + '_Instructor'
    Write-Host -ForegroundColor $textColor2 "`nCreating RDM instructor security group $instructorgroupname..."
    $instructorsecgroup = ''
    $instructorsecgroup = New-RDMSecurityGroup -Name $instructorgroupname
    Set-RDMSecurityGroup $instructorsecgroup
    #Create instructor account.
    $dc1 = $($classdata.Site)
    $instructoracct = ''
    $instructoracct = $dc1 + '\' + $trsuserprefix + '_instructor'
    Write-Host -ForegroundColor $textColor2 "`nCreating instructor account $instructoracct..."
    $newrdminstructor = ''
    $newrdminstructor = New-RDMUser -Name $instructoracct -IntegratedSecurity -CreateSQLServerLogin
    Set-RDMUserProperty -User $newrdminstructor -Property 'Add' -Value $false
    Set-RDMUserProperty -User $newrdminstructor -Property 'Edit' -Value $false
    Set-RDMUserProperty -User $newrdminstructor -Property 'Delete' -Value $false
    #Give instructor account rights on the instructor security group.
    $instructorgroup = ''
    $instructorgroup = Get-RDMSecurityGroup | Where-Object {$_.Name -eq $instructorgroupname}
    Write-Host -ForegroundColor $textColor2 "`nSetting permissions for $instructoracct on security group $instructorgroupname..."
    Set-RDMUserGroupRights -User $newrdminstructor -SecurityGroup $instructorgroup -View:$true -Add:$false -Edit:$false -Delete:$false
    #Create a role for the instructor account.
    $role = New-RDMRole -Name $instructorgroupname
    Set-RDMRoleProperty -Role $role -Property 'Add' -Value $false
    Set-RDMRoleProperty -Role $role -Property 'Edit' -Value $false
    Set-RDMRoleProperty -Role $role -Property 'Delete' -Value $false
    #Create student security group, create student accounts, and assign rights to student security groups.
    for( $i=1; $i -le $classsize; $i++ ) {
        $studentgroupname = ''
        $studentgroupname = $($trsuserprefix.ToUpper()) + '_User' + $i
        Write-Host -ForegroundColor $textColor2 "`nCreating RDM student security group $studentgroupname..."
        $studentsecgroup = ''
        $studentsecgroup = New-RDMSecurityGroup -Name $studentgroupname
        Set-RDMSecurityGroup $studentsecgroup
        $studentacct = ''
        $studentacct = $dc1 + '\' + $trsuserprefix + '_user' + $i
        Write-Host -ForegroundColor $textColor2 "`nCreating student account $studentacct..."
        $newrdmstudent = ''
        $newrdmstudent = New-RDMUser -Name $studentacct -IntegratedSecurity -CreateSQLServerLogin
        Set-RDMUserProperty -User $newrdmstudent -Property 'Add' -Value $false
        Set-RDMUserProperty -User $newrdmstudent -Property 'Edit' -Value $false
        Set-RDMUserProperty -User $newrdmstudent -Property 'Delete' -Value $false
        $studentgroup = ''
        Do {$studentgroup = Get-RDMSecurityGroup | Where-Object {$_.Name -eq $studentgroupname}} until ($studentgroup)
        Write-Host -ForegroundColor $textColor2 "`nSetting permissions for $instructoracct and $studentacct on security group $studentgroupname..."
        Set-RDMUserGroupRights -User $newrdminstructor -SecurityGroup $studentgroup -View:$true -Add:$false -Edit:$false -Delete:$false
        Set-RDMUserGroupRights -User $newrdmstudent -SecurityGroup $studentgroup -View:$true -Add:$false -Edit:$false -Delete:$false
        Write-Host -ForegroundColor $textColor2 "`nSaving user $studentacct..."
        Set-RDMUser $newrdmstudent
    }
    Write-Host -ForegroundColor $textColor2 "`nSaving user $instructoracct..."
    Set-RDMUser -User $newrdminstructor
    #Add the instructor to the new role.
    Add-RDMRoleToUser -Role $role -User $newrdminstructor
    #Save the instructor role.
    Set-RDMRole $role
}
setRDMSecurity
I tried to use the cmdlets but I am getting an error on New-RDMUser -Name "USER" -IntegratedSecurity -CreateSQLServerLogin
Error:
New-RDMUser : A parameter cannot be found that matches parameter name 'Name" .
Is there a bug or did the command change? The Get-Help still shows to use -Name
Hello,
What RDM version are you using?
Best regards,
Érica Poirier
Hello,
In fact, if you are using RDM 2019.x, please use the -Login switch instead.
$my_secure_password_string = ConvertTo-SecureString "userpassword" -AsPlainText -Force
$user = New-RDMUser -Login "User" -CreateSQLServerLogin -AuthentificationType "Database" -Email "useraccount@mydomain.com" -Password $my_secure_password_string
Best regards,
Érica Poirier
14.0.4.0
Thanks, I will try 2019.
Upgraded to 2019 and that fixed it.
How do I set the User's first and last name? I can set the login ID and email address but do not see a switch for first and last name.
Hello,
Once the account has been created, you can set the first and last name like the following sample:
$my_secure_password_string = ConvertTo-SecureString "userpassword" -AsPlainText -Force
$user = New-RDMUser -Login "User" -CreateSQLServerLogin -AuthentificationType "Database" -Email "useraccount@mydomain.com" -Password $my_secure_password_string
$user.FirstName = "John"
$user.LastName = "Doe"
Set-RDMUser $user
Best regards,
Érica Poirier
Thank you again!
I am working on a script to sync users with AD security groups. It creates new users and groups. Now I am trying to add users to the RDM roles they are missing from. How do I list which roles users belong to?
With SecurityGroups I can match them by IDs but Role's IDs don't seem to be listed in a user's groupinfos.
Which commands can help me match users with roles?
Hello,
What data source type are you using?
With Devolutions Password Server (DPS), the roles memberships are automatically managed and you don't have to manually assign users to roles.
Best regards,
Érica Poirier
We don't have that feature in RDM. I take it there is no way to pull which Roles users are assigned to with PowerShell?
Hello,
Thank you for the information.
It is possible to set the role assignment in the CustomSecurity property of the user object. This property contains XML code, and to assign roles you need to add the role's GUID within the <CustomRoles></CustomRoles> tags.
Best regards,
Érica Poirier
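One way to read role membership back out of the CustomSecurity property described above, as an added example that is not part of the original thread and not Devolutions' own code. The sample roles, users and XML are constructed; the property names ID and Name and the layout inside <CustomRoles> are assumptions, and with a live data source Get-RDMRole and Get-RDMUser would supply the objects instead.

```powershell
# Constructed stand-ins for Get-RDMRole / Get-RDMUser output (ID, Name assumed).
$roles = @(
    [pscustomobject]@{ ID = '11111111-1111-1111-1111-111111111111'; Name = 'TRS_Instructor' }
    [pscustomobject]@{ ID = '22222222-2222-2222-2222-222222222222'; Name = 'Helpdesk' }
)
$users = @(
    [pscustomobject]@{ Name = 'LAB\trs_instructor'
        CustomSecurity = '<CustomSecurity><CustomRoles>11111111-1111-1111-1111-111111111111</CustomRoles></CustomSecurity>' }
    [pscustomobject]@{ Name = 'LAB\trs_user1'
        CustomSecurity = '<CustomSecurity><CustomRoles /></CustomSecurity>' }
    [pscustomobject]@{ Name = 'LAB\trs_user2'   # points at a role that is not defined
        CustomSecurity = '<CustomSecurity><CustomRoles>99999999-9999-9999-9999-999999999999</CustomRoles></CustomSecurity>' }
)

function Get-RoleIdsFromCustomSecurity {
    param([string]$CustomSecurity)
    $guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    if ([string]::IsNullOrWhiteSpace($CustomSecurity)) { return }
    try { $doc = [xml]$CustomSecurity }
    catch { Write-Warning "CustomSecurity is not well-formed XML: $_"; return }
    # The thread does not show the layout inside <CustomRoles>, so collect every
    # GUID-shaped token in that element regardless of separator or child tags.
    foreach ($node in $doc.SelectNodes("//*[local-name()='CustomRoles']")) {
        foreach ($m in [regex]::Matches($node.InnerXml, $guidPattern)) {
            $m.Value.ToLowerInvariant()
        }
    }
}

function Get-UserRoleReport {
    param($Users, $Roles)
    $roleById = @{}
    foreach ($r in $Roles) { $roleById["$($r.ID)".ToLowerInvariant()] = $r.Name }
    foreach ($u in $Users) {
        $ids = @(Get-RoleIdsFromCustomSecurity $u.CustomSecurity | Sort-Object -Unique)
        [pscustomobject]@{
            User       = $u.Name
            Roles      = @($ids | Where-Object { $roleById.ContainsKey($_) } |
                           ForEach-Object { $roleById[$_] })
            # GUIDs the user references that match no current role
            UnknownIds = @($ids | Where-Object { -not $roleById.ContainsKey($_) })
        }
    }
}

Get-UserRoleReport -Users $users -Roles $roles | Format-Table -AutoSize
```

A non-empty UnknownIds column marks a user whose CustomSecurity references a role GUID that no longer resolves, which is worth reviewing during an access audit.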
I was able to figure it out and have a working script now. Thanks for your help!