UW NetIDs
Scripted Account Creation
Use a script to create a domain account in a specified domain and OU, add that account to a specified group, set various properties of the account (including a randomized password), and set an altsecid name mapping for the u.washington.edu realm to enable cross-realm authentication. An example of such a script is available for download (right-click the link and save the file). The example script runs on an IIS server and is intended to be accessed by each potential user in order to create their own account. Each user proves who they are by authenticating to their UWNetID with pubcookie. You could easily modify this script to create accounts from a list of UWNetIDs or for some other specific purpose.
How-to
Pre-Requisites:
- IIS Server with SSL. If you have control over both web server and clients, you could use a self-issued certificate for this purpose and install your root CA certificate on your client machines. If you wish, UW Technology can provide you with a server certificate and root CA that you could use for this purpose. Contact win2kinfo@u if you would like more information on getting such a certificate.
- Pubcookie 2.6 or later installed on your IIS server
Installation
- Step 1 - Place the script in a directory that has been protected by pubcookie using the UWNETID authentication type.
- Step 2 - Customize the script to suit your situation. You'll have to at least change the domain, user container, and group. These can be set at the beginning of the main script. You'll also probably wish to modify the Welcome_User subroutine.
- Step 3 - In the Internet Services Manager, change the anonymous user for the directory containing the script to be a domain user that has permission to create users and modify groups in your target container. UW Technology recommends that you create a new account for this purpose with no other privileges. On your website, this account should only have read privileges.
- Step 4 - Direct your users to this page or call it from another form or link.
Usage
When a user is directed to the script, they will be authenticated through the pubcookie system. After authentication, the domain account is automatically created with no further intervention.
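
The account-creation steps described above, written in PowerShell as an added example; it is not the downloadable script or UW Technology's code. It assumes the ActiveDirectory module is available to the service account from Step 3, that the caller passes in the identity pubcookie authenticated, and that the domain controller, OU, group and NetID pattern shown are placeholders to replace.

```powershell
Import-Module ActiveDirectory

$Config = @{
    Server = 'dc.example.washington.edu'                      # placeholder domain controller
    OU     = 'OU=NetIDUsers,DC=example,DC=washington,DC=edu'  # placeholder user container
    Group  = 'NetID-Users'                                    # placeholder group
    Realm  = 'u.washington.edu'                               # realm named on this page
}

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, base64-encoded; retry until upper, lower and digit all appear.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] 24
            $rng.GetBytes($bytes)
            $pw = [Convert]::ToBase64String($bytes)
        } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d')
    } finally { $rng.Dispose() }
    # The value is never displayed or stored; sign-in relies on the cross-realm mapping.
    ConvertTo-SecureString $pw -AsPlainText -Force
}

function New-NetIDAccount {
    param([Parameter(Mandatory)][string]$NetID)

    # The name ends up in a DN, an AD filter and a Kerberos principal, so accept only a
    # strict pattern. Assumed pattern: match it to what your pubcookie login can return.
    if ($NetID -cnotmatch '^[a-z][a-z0-9]{0,7}$') { throw 'Rejected NetID: unexpected characters or length' }

    # Never touch an account that already exists under this name.
    if (Get-ADUser -Filter "sAMAccountName -eq '$NetID'" -Server $Config.Server) {
        throw "Account $NetID already exists; not modifying it"
    }

    $params = @{
        Name = $NetID; SamAccountName = $NetID; Path = $Config.OU
        AccountPassword = (New-RandomPassword); Enabled = $true
        # Name mapping that ties the domain account to the external Kerberos principal.
        OtherAttributes = @{ altSecurityIdentities = "Kerberos:${NetID}@$($Config.Realm)" }
        Server = $Config.Server; PassThru = $true
    }
    $user = New-ADUser @params
    Add-ADGroupMember -Identity $Config.Group -Members $user -Server $Config.Server
    $user
}
```

Call `New-NetIDAccount -NetID <authenticated name>` only with the identity supplied by the authentication layer, never with a value taken from a form field or query string.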
