I coded several PHP pages that do exactly that. Please don't ask me to share them, because I can't (company policy). However, I suggest you take a look here and do a search on ldap/win* as well.
The more you learn about AD, the more you realize how MS works. I don't think you'll like it though. For example, to update the Terminal Server Profile Path for a user, you'll have to use a tool (Windows Resource Kit) because they simply won't allow you to alter the field via LDAP :D Also, certain fields have to be set with escapes, other fields don't. See how inconsistent AD really is? No? You'll find out, I promise.
Also, you can't change permissions on folders using the newly created user's SID, because AD doesn't recognize it until about 15 minutes have passed. Good luck working with scheduled tasks! :D (I overcome it by dumping all the permission stuff into a batch file and letting soon.exe (another reskit tool, IIRC) handle it later.) Needless to say, this requires Apache/PHP to run on a Windows box.
Have I scared you enough? No? Well, then can I also tell you that some stuff pulled from AD has nice accents in it, so you'll need some kind of substr function to deal with that.
But hey, it's lovely once it's working :) In my setup the following can/will be done:
- user gets created (+ email address, account detailed info)
- adds the user to groups
- sets the password of the user (this almost works, just requires a certain certificate to be installed on the domain controller)
- creates home/profile/tsprofile directories
- sets permissions on the dirs
- creates a nice letter to the user that his/her account is created and prints this letter.
As I said, I can't share the entire file(s), but maybe I can help you with certain code, if you have questions. In any case, I wish you good luck :)
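
An added example, not part of the original post or the poster's code: one way to prepare values for the user-creation and password steps listed above. It assumes PHP's ldap and mbstring extensions, and that the values needing escapes are those placed in a DN or a search filter. The base DN, names and password are constructed. Active Directory accepts `unicodePwd` writes only over an encrypted connection such as LDAPS.

```php
<?php
// Constructed sample values throughout; nothing here opens a connection.

// Value inside a DN: escape per RFC 4514 so "Smith, José" stays a single RDN.
function ad_user_dn(string $cn, string $baseDn): string
{
    return 'CN=' . ldap_escape($cn, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
}

// Value inside a search filter: escape per RFC 4515 so "*" or ")" stay literal.
function ad_user_filter(string $sam): string
{
    return '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
}

// unicodePwd: the password wrapped in double quotes, encoded as UTF-16LE.
function ad_unicode_pwd(string $utf8Password): string
{
    return mb_convert_encoding('"' . $utf8Password . '"', 'UTF-16LE', 'UTF-8');
}

// Attribute values are sent unescaped, but must be valid UTF-8.
function ad_user_entry(string $cn, string $sam, string $upnSuffix): array
{
    foreach ([$cn, $sam, $upnSuffix] as $value) {
        if (!mb_check_encoding($value, 'UTF-8')) {
            throw new InvalidArgumentException('value is not valid UTF-8');
        }
    }
    return [
        'objectClass'       => ['top', 'person', 'organizationalPerson', 'user'],
        'cn'                => $cn,
        'sAMAccountName'    => $sam,
        'userPrincipalName' => $sam . '@' . $upnSuffix,
    ];
}

$base  = 'OU=Staff,DC=example,DC=test';   // constructed base DN
$cn    = 'Smith, José';                   // comma and accent on purpose
$entry = ad_user_entry($cn, 'jsmith', 'example.test');

// With a bound LDAPS handle $conn these would feed ldap_add($conn, $dn, $entry)
// and ldap_mod_replace($conn, $dn, ['unicodePwd' => ad_unicode_pwd(...)]).
echo ad_user_dn($cn, $base), PHP_EOL;
echo ad_user_filter('jsmith*'), PHP_EOL;
echo mb_substr($entry['cn'], 0, 10, 'UTF-8'), PHP_EOL;  // character-safe cut
echo strlen(ad_unicode_pwd('S@mple-Pw1')), ' bytes for unicodePwd', PHP_EOL;
```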