• Create the account and Exchange mailbox;
• Set relevant attributes (Job Title, Office Address etc);
• Enable the user for office communicator;
• Set the calendar permissions so that everyone can view the persons calendar;

I chose Powershell as my tool of choice, it’s extremely flexible for stuff like this and most of the management functionality comes out the box with Exchange 2007 and later. I initially used Glen Scales’ EWS module for setting permissions and other bits but as we moved to Exchange 2010 the need for EWS disappeared (Thanks to functionality like Set-MailboxFolderPermissions).

The only third-party software I now use is Quest’s ActiveRoles Management Shell for Active Directory as there doesn’t seem to be a decent way to set custom attributes on a user account. Short of writing my own managed code to do it, or calling another application to make the change Quest’s tool seems to be the best choice.

I eventually came up with the following quick and dirty script to create users, based on the contents of a CSV file it will:

• Create the mailbox (uses New-Mailbox);
• Set attributes on the AD account such as the job title, office address etc;
• Set the default calendar permissions to ‘Reviewer’
• Set attributes on the account, enabling it to use Office Communications Server
• Generate a welcome letter to the user, including the OWA address and other bits of information

The format of the CSV file is as follows:

GivenName,Surname,Password,PhisicalDeliveryLocation,JobTitle
John,Doe,MyFirstPassword123!,London,Test Account

And finally, the PowerShell script itself:

#
# Create user accounts in AD, Exchange and OCS.
# This script will read a CSV file and create user accounts based on that information.
#
# Requirements:
#  [+] http://www.quest.com/powershell/activeroles-server.aspx (For setting
#      attributes on an AD DS account)
#  [+] Exchange Management Console installed (for Powershell stuff, new-mailbox,
#      Get-MailboxDatabase etc).
#
#import-module activedirectory;
Add-PSSnapin Quest.ActiveRoles.ADManagement

$cfgTab = [char]9
$cfgCompany = "NW Traders";
$cfgOCSHomeServer = "CN=LC Services,CN=Microsoft,CN=OCSSRV01,CN=Pools,CN=RTC Service,CN=Services,CN=Configuration,DC=nwtraders,DC=msft"; # OCS Server
$cfgMailDomain = "@nwtraders.msft"; #E-Mail Domain

#=============================================================================
# A series of hash tables for office information.
#=============================================================================
$cfgLondon = @{
  "Address" = "10 Downing Street, London, SW1A 2AA";
  "Telephone" = "+44 2079 250 918";
  "OU" = "OU=London,OU=Europe,OU=Users,DC=NWTRADERS,DC=MSFT";
  "DC" = "LONDON" };

$cfgWashington = @{
  "Address" = "The White House, 1600 Pennsylvania Avenue NW, Washington, DC 20500";
  "Telephone" = "+1 202 456 1414";
   "OU" = "OU=Washington,OU=US,OU=Users,DC=NWTRADERS,DC=MSFT";
  "DC" = "WASHINGTON" };

#=============================================================================
# Creates an array of the above hash tables.
#=============================================================================
$cfgOffices = @{
  "London" = $cfgLondon;
  "Washington" = $cfgWashington;
  };

#=============================================================================
# Displays a select file dialog box, returning the path to a CSV file.
#=============================================================================
function chooseCSVfile
{
	param([string]$Title,[string]$Directory,[string]$Filter="CSV Files (*.csv)|*.csv")
	[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
	$openFileDialog = New-Object System.Windows.Forms.OpenFileDialog
	$openFileDialog.InitialDirectory = $Directory
	$openFileDialog.Filter = $Filter
	$openFileDialog.Title = $Title
	$openFileDialog.ShowHelp = $true

	$Show = $openFileDialog.ShowDialog()

	If ($Show -eq "OK")
	{
		Return $openFileDialog.FileName
	}
	Else
	{
		Exit
	}
}

#=============================================================================
# Generate welcome e-mail.
#=============================================================================
Function generateIntroLetter
{
	param( [string]$GivenName, [string]$samAccountName, [string]$Password, [string]$DisplayName, [string]$DomainController )

	$tmpServer = get-mailbox $DisplayName -DomainController $DomainController | select servername
	$tmpOWA = get-OutlookAnywhere -Server $tmpServer.ServerName -DomainController $DomainController -ADPropertiesOnly | select ExternalHostname
	$tmpOWA = "https://" + $tmpOWA.ExternalHostname + "/owa/"

	$rtfBuilder = new-object system.text.stringbuilder 

	# Append RTF header
	$null = $rtfBuilder.Append("{\rtf1\ansi\ansicpg1252\deff0\deflang2057{\fonttbl{\f0\fswiss\fprq2\fcharset0 Calibri;}{\f1\fnil\fcharset0 Calibri;}}")
	$null = $rtfBuilder.Append("`r`n") 

	# Append RTF color table which will contain all Powershell console colors.
	#$null = $rtfBuilder.Append('{\colortbl ;\red0\green0\blue255;}')
	#$null = $rtfBuilder.Append("`r`n") 

	$null = $rtfBuilder.Append("{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\sa200\sl276\slmult1\f0\fs22 Dear $GivenName,\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("Please find the below access credentials for the NW Traders network. These are the only credentials you should need at NW Traders and will log you into your computer, e-mail account and other systems. As such, they should be kept confidential.\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("\tab Username\tab\tab $samAccountName\line\tab Password\tab\tab $PlainPassword\line\tab Domain\tab\tab\tab NWTRADERS\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("It is highly recommended that you change your password the first time you login. You should be able to use Outlook both in the office and at home, if for some reason that is not available you can access webmail using the following address:\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("\pard\tab{\field{\*\fldinst{HYPERLINK `$tmpOWA`}}{\fldrslt{\ul\cf1 h$tmpOWA}}}\f0\fs22\pard\par")
	$null = $rtfBuilder.Append("\pard\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("If you require support please contact the IT Support team via e-mail, {\field{\*\fldinst{HYPERLINK `mailto:it@nwtraders.msft` }}{\fldrslt{\cf1\ul it@nwtraders.msft}}}\cf0\ulnone\f0\fs22 . Alternatively an increasing number of self-service resources are available on our intranet:\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("\pard\fi720\par")
	$null = $rtfBuilder.Append("\pard\fi720{\field{\*\fldinst{HYPERLINK `http://intranet/`}}{\fldrslt{\ul\cf1 http://intranet/}}}\f0\fs22\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("\pard\sa200\sl276\slmult1\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("Kind Regards,\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("IT Support.\lang9\f1\par")
	$null = $rtfBuilder.Append("`r`n")
	$null = $rtfBuilder.Append("}")

	# Save as RTF File.
	echo $rtfBuilder.ToString() | out-file -Encoding Ascii "$samAccountName.rtf"
}

#=============================================================================
# Displays a list of mailbox databases, which the user needs to choose from.
#=============================================================================
Function chooseMailboxDatabase()
{
	$MbDbase = Get-MailboxDatabase
	$NumOfDB = $MbDbase.Count
	$Number = 0
	$Choice = 0

	If ($NumOfDB -eq $Null)
	{
		Write-Host $MbDbase.Identity
		return $MbDbase.Identity
	}
	else
	{
		foreach ($mbxDB in $MbDbase)
		{
			Write-Host "$Number . " $MbxDB.Identity
			$Number ++
		}
		Write-Host ""
		$Choice = Read-Host "Mailbox Database"
		return $MbDbase[$Choice].Identity
	}
}

#=============================================================================
# Opening user detail list"
#=============================================================================
$FileName = chooseCSVfile -Title "Import an CSV file" -Directory "c:\"
$UserInformation = Import-Csv $FileName

#=============================================================================
# Do some logic about our environment.
#=============================================================================
Foreach ($User in $UserInformation)
{
	$SurName = $User.Surname
	$GivenName = $User.givenName
	$samAccountName = $GivenName + " " + $SurName
	$DisplayName = $SurName + ", " + $GivenName
	$PlainPassword = $User.Password
	$userPrincipalName = $samAccountName + $cfgMailDomain

	#Exchange Specific
	$strMailAddress = $samAccountName -replace " ", ".";
	$strMailAddress += $cfgMailDomain;
	$strMailAlias = $samAccountName -replace " ", ".";

	# Attributes.
	$strOffice = $User.PhisicalDeliveryLocation;
	$strTitle = $user.JobTitle;
	$strOU	= $cfgOffices.Get_Item( $strOffice ).Get_Item("OU")
	$strOAddress = $cfgOffices.Get_Item( $strOffice ).Get_Item("Address");
	$strOTel = $cfgOffices.Get_Item( $strOffice ).Get_Item("Telephone");

Write-Host -Foreground Gray "---------------------------------------------------------------"
Write-Host -Foreground Red " "$DisplayName
Write-Host -Foreground Gray "---------------------------------------------------------------"
	Write-Host " Username:"$cfgTab$samAccountName;
	Write-Host " Password:"$cfgTab$PlainPassword;
	Write-Host " Job Title:"$cfgTab$strTitle;
	Write-Host " OU:"$cfgTab$cfgTab$strOU;
	Write-Host " E-Mail:"$cfgTab$strMailAddress
Write-Host -Foreground Gray "---------------------------------------------------------------"
Write-Host ""

	# Choose a mailbox database for this account.
	$mbDatabase = chooseMailboxDatabase
	Write-Host ""
	Write-Host -Foreground Gray "---------------------------------------------------------------"

	# Lets actually create the account now.
	$Password = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

	# Create Exchange mailbox.
	New-Mailbox -Name $DisplayName -Alias $strMailAlias -OrganizationalUnit $strOU -UserPrincipalName $userPrincipalName -SamAccountName $samAccountName -FirstName $GivenName -Initials '' -LastName $SurName -Password $Password -ResetPasswordOnNextLogon $false -Database $mbDatabase -DomainController $cfgOffices.Get_Item( $strOffice ).Get_Item("DC")  | out-null

	# Set Quest Active Directory stuff to use a DC in the local site (mostly).
	# Otherwise trying to make exchange changes in a remote site using a local
	# DC is going to fail, since the account doesn't exist yet.
	Connect-QADService -service $cfgOffices.Get_Item( $strOffice ).Get_Item("DC") | out-null

	# Set attributes on AD DS account.
	Get-QADUser $DisplayName | set-qaduser -oa @{'Office'=$strOffice; 'StreetAddress'=$strOAddress; 'OfficePhone'=$strOTel; 'Company'=$cfgCompany; 'Title'=$strTitle } | out-null

	# Set calendar permissions.
	Set-MailboxFolderPermission -Identity $strMailAddress`:\Calendar -User Default -AccessRights Reviewer -DomainController $cfgOffices.Get_Item( $strOffice ).Get_Item("DC")  | out-null

	# Create the OCS Account.
	Get-QADUser $DisplayName | set-qaduser -oa @{'msRTCSIP-ArchivingEnabled'=0; 'msRTCSIP-FederationEnabled'=$true; 'msRTCSIP-InternetAccessEnabled'=$true; 'msRTCSIP-OptionFlags'=257; 'msRTCSIP-UserEnabled'=$true; 'msRTCSIP-PrimaryHomeServer'=$cfgOCSHomeServer; 'msRTCSIP-PrimaryUserAddress'=("sip:" + $strMailAddress ).ToString() } | out-null

	# Disconnect QADService.
	disconnect-qadservice

	# Generate Welcome e-mail.
	generateIntroLetter -GivenName $GivenName -samAccountName $samAccountName -Password $PlainPassword -DisplayName $DisplayName -DomainController $cfgOffices.Get_Item( $strOffice ).Get_Item("DC")
}

You can expect outlook similar to the below:

---------------------------------------------------------------
  Doe, John
---------------------------------------------------------------
 Username:      John Doe
 Password:      MyFirstPassword123!
 Company:       NW Traders
 Job Title:     Test Account
 OU:            OU=London,OU=Europe,OU=Users,DC=NWTRADERS,DC=MSFT
 E-Mail:        John.Doe@nwtraders.msft
---------------------------------------------------------------

0 .  LONDON
1 .  WASHINGTON

Mailbox Database: 0
---------------------------------------------------------------

You can then send the resulting RTF document to the persons line manager, or whoever should have it for when the employee starts on their first day.

I should note, Andy Grogan (Exchange MVP) has a very similar tool which you might like to take a look at. I gleaned the Open-CSV idea and plagiarised the choose mailbox database code from him.

TF50605: There was an error looking up the SID for OLD-DOMAIN\CCNETNIGHTLYBUILD.

In order to delete the workspace, we need to remap it to a valid user account. Here’s the process to do just that.

Firstly, we should list the workspaces on this computer we’re having problems with (in this case, BUILDSERVER01).

C:\>tf workspaces /owner:* /server:http://tfs-server:8080 | findstr BUILDSERVER01
Workspace		Owner				Computer	Comment
----------------------- ------------------------------- --------------- -------------------------------
BUILDSERVER01		saCCNetNightly			BUILDSERVER01	Temporary CruiseControl.NET Wo
BUILDSERVER01		OLD-DOMAIN\CCNETNIGHTLYBUILD	BUILDSERVER01 	Temporary CruiseControl.NET Wo
BUILDSERVER01		saCCNetNightly			BUILDSERVER01

We may as well attempt to delete the workspace, though the process is likely to fail as it wont be able to resolve the SID if the domain is no longer available.

C:\>tf workspace /delete /server:http://tfs-server:8080 BUILDSERVER01;OLD-DOMAIN\CCNETNIGHTLYBUILD
TF50605: There was an error looking up the SID for OLD-DOMAI\CCNETNIGHTLYBUILD.

At this point, we need to open up the TfsVersionControl table and manually point the workspaces to a valid identity. The first stage is to identify the ID of the missing account:

SELECT IdentityId FROM tfsVersionControl.tbl_Identity WHERE (DisplayName LIKE 'OLD-DOMAIN\CCNETNIGHTLYBUILD')

Now that we have the ID, we can locate the workspaces the owner has on the server we’re having problems with.

SELECT WorkspaceId, OwnerId, WorkspaceName FROM tfsVersionControl.tbl_Workspace WHERE (OwnerId = 311) AND (Computer = 'BUILDSERVER01')

We should now update the tfsVersionControl.tbl_Workspace table with a valid IdentityId from the tfsVersionControl.tbl_Identity table. Once that’s done, try the delete command again:

C:\>tf workspace /delete /server:http://tfs-server:8080 "BUILDSERVER01;Dave Hope"
A deleted workspace cannot be recovered.
Workspace 'BUILDSERVER01;Dave Hope' on server 'http://tfs-server:8080' has 0 pending change(s).
Are you sure you want to delete the workspace? (Yes/No) Yes

And hey presto, the workspace is gone.

I came across a product called Likewise, the free open-source version is available in the standard Ubuntu repositories. Here’s a quick guide for how to get up and running with likewise-open.

Firstly, install Likewise.

$ sudo aptitude install likewise-open

The final part of the installation will prompt you for some information about your Active Directory domain. If you need to change the settings you enter here run dpkg-reconfigure krb5-config.

The second screen asks you for an administrative domain controler where password changes will occur.

With the installation complete we now need to join the system to the Active Directory domain, this is accomplished with one simple command.

$ sudo domainjoin-cli join NWTRADERS.MSFT Administrator

I then wanted domain admins to be able to use sudo. This can easily be achieved by adding the following to the end of the /etc/sudoers file.

%NWTRADERS\\domain^admins ALL=(ALL) ALL

So I thought I’d document the process should anyone else find themselves in a similar situation. To do most of the below, you’ll need to be an Enterprise Admin.

1. Remove all the DNS entries for the missing DCs and the child domain. Make sure you get the GUID entries too.
2. Fire up ntdsutil and follow the below steps. When you select a server to connect to, connect to the operation master.
   ntdsutil: metadata cleanup
metadata cleanup:
metadata cleanup: connections
server connections:
server connections: connect to server london.nwtraders.msft
Binding to london ...
Connected to london using credentials of locally logged on user
server connections:
server connections: quit
metadata cleanup:
metadata cleanup: select operation target
select operation target:
select operation target: list domains
Found 2 domain(s)
0 - DC=nwtraders,DC=msft
1 - DC=child,DC=nwtraders,DC=msft
select operation target:
select operation target: select domain 1
No current site
Domain - DC=child,DC=nwtraders,DC=msft
No current server
No current Naming Context
select operation target:
select operation target: quit
metadata cleanup:
metadata cleanup: remove selected domain


   Depending on the exact situation, you may get an error about needing to remove a server first (Sorry, I can’t recall the exact error). If you do, there’s an extra step you need to undertake first.

   ntdsutil: metadata cleanup
metadata cleanup:
metadata cleanup: connections
server connections:
server connections: connect to server london.nwtraders.msft
Binding to london ...
Connected to london using credentials of locally logged on user
server connections:
server connections: quit
metadata cleanup:
metadata cleanup: select operation target
select operation target:
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=msft
select operation target:
select operation target: select site
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=msft
No current domain
No current server
No current Naming Context
select operation target:
select operation target: list servers in site
Found 1 server(s)
0 - CN=brisbane,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=msft
select operation target: select server 0

   Then repeat the first process to remove the server (remove selected server).

3. Open up Active Directory Sites And Services and remove any stranded servers.