A step-by-step guide to creating an Active Directory (AD) user template
Creation of Active Directory (AD) accounts is a relatively simple process. That said, it can be tedious when adding hundreds of users to your system. Additionally, you may assign newly created users to the wrong AD group with more privileges than necessary. This can cause users to bypass mandatory workflows on enterprise platforms, reducing business productivity. It also exposes the data to potential bad actors.
One way to mitigate risk to your company’s data is to simplify the account creation process. This makes your life easier when adding users and at the same time ensures that you don’t create security issues. You can even use user template accounts to reduce human error when setting up each AD user. This prevents you from assigning AD users to the wrong domains in multi-site companies or those with outdated AD lists.
A template account is a user account that serves as a template for other accounts you create. New accounts inherit all AD group memberships assigned to the template account. In this article, I will show you how to create an account template and new user accounts based on it.
How to create a new template
To create an AD user template, follow these steps:
- Open the Active Directory Users and Computers console
- Right click on the User folder and select the New | User context menu commands
- Enter a user login name when prompted and click Next
- Enter a password and click Next. The password you provide will protect the model account against unauthorized logins. That said, it will not be copied to new accounts created from your template.
- Click on Finish
- Right-click on the new account once you’ve created the account template, then select the Properties context menu command. This opens the template account properties dialog
- Select the Member of and add the model account to all required AD groups
- Click on OKAY to complete the process
Now let’s find out how to create new users from an AD template.
How to create new users from a template
Once you’ve created an account template, you can use it to create new user accounts. This saves you time by properly setting up each user’s accounts. In a small business you can do this well for a handful of users, but doing it for hundreds in a large enterprise will inevitably lead to errors. To create a user account from your template:
- Right-click on your account template and select it Copy context menu command
- Enter the name of the user you want to create in the Copy User from Object dialog box that appears, then click Next
- Enter a password for the new user and click Next
- Click on Finish. You created the new user account in a way that mimics the pattern
Now that you know how to create new users from a template, let’s learn about best practices for a template account.
3 Model Account Best Practices
Model accounts are easy to create. That said, there are some best practices you should keep in mind when using them.
1. Map the models to your business unit (OU) structure
Typically, you want to create templates anywhere you have user accounts. For example, if you have created an organizational unit for each department, you will probably want to create one or more models in each organizational unit. Remember that when you create a user account from a template, a new account is added in the same OU where the template resides.
2. Consider model names carefully
When creating model accounts, you must consider their names. This is due to several different reasons. The first is that AD does not allow duplicate usernames. So, if you have multiple OUs with models in each, you cannot have a model named “Model” in each OU. Even though the models are in separate OUs, they are still in the same domain, so they must have unique names.
Another reason is that even if you only have one OU, you will probably create multiple models. Using a naming convention for your templates can make it easier to track template creation. You can also adequately define the purpose of each template.
Finally, the Active Directory Users and Computers console lists user accounts in alphabetical order. If you frequently create user accounts, it’s a good idea to give your account templates names that make them appear at the top of the list. After all, you never want to scroll through a long list of users looking for an account template.
3. Protect your model accounts with a strong password
Passwords you assign to a template account will never propagate to accounts you created from a template. That said, it is still important to use a strong password. Template accounts have rights assigned to them (in the form of group memberships). Thus, they need protection against unauthorized logins, just like you would protect any other account.
AD template accounts can help simplify the process of creating user accounts. Your templates can also improve your overall security. Administrators don’t have to worry about accidentally assigning users to the wrong groups when creating accounts. User profiles and permissions also don’t need to be set up every time.
Carefully review your templates to make sure you never mistakenly add access to groups that users don’t need to belong to. It requires planning and testing on a test system before implementation and then never changes. You can also map templates to your OU for each department to easily secure and segregate users.
Keep in mind that cybercriminals want user credentials to increase permissions and gain access to different areas of your business. To avoid this, make sure to provide a strong AD password.
Want to learn more about AD and how to manage your company’s users? Read it FAQs and Resources headings below!
Do account templates work in an Azure AD environment?
Yes, you can create templates in Azure Active Directory. That said, it’s worth noting that Microsoft 365 includes its template functionality. Go to the Active Users screen and click User Templates, then click Add Template to create a new template.
Are AD attributes copied from a template account to new accounts created from the template?
Whether or not Active Directory (AD) attributes are copies of accounts created from a template depends on how the template was created. If you create an account template in the AD console, the only attributes copied are user group memberships. Conversely, if you create a template in Microsoft 365other attributes such as Department, Office and Address are also copied.
Is using account templates associated with scalability issues?
The process used to create a user account from a template is not that different from creating a user account from scratch. In short, using a template is probably not the best option if you need to create a large number of accounts. In these situations, you will usually be better create the accounts from powershell.
Should I deactivate a template account to prevent anyone from logging into it?
While you can deactivate an account template, it’s usually best to leave the account enabled. Indeed, if you deactivate a model account, all accounts generated from the model will also be deactivated. You can, of course, manually activate these accounts. That said, it’s more convenient to leave the model enabled.
Can I use templates to create user accounts that will expire on a specific date?
Yes. If you need to create multiple accounts must expire on the same date, you can shorten the process by creating an account template and giving it an expiration date. Accounts created from the template will then have the same expiration date. Remember that user and model accounts will expire on the specified date.
TechGenix: Article on Granting Access to AD Guest Users
TechGenix: Article on importing users into AD
Learn more about importing users into Active Directory.
TechGenix: Article on Connecting Microsoft 365 AD Users to Azure AD
TechGenix: Assessing Your AD Risks Article
Learn more about assess your Active Directory risks.