How to Create and Manage AD Users with Terraform

Guillermo Musumeci
11 min readMay 31, 2023

This story will discuss automating Microsoft Active Directory Users with Terraform and the KopiCloud AD API.

This story will use the KopiCloud AD Terraform Provider instead of the HashiCorp Active Directory Provider, as the KopiCloud Provider is production-ready, includes more functionalities, and is more secure.

Also, there are some Terraform resources to manage users, such as:

  • Renaming AD Users
  • Resetting AD User passwords
  • Enabling or disabling AD Users
  • Unlocking AD Users

These resources will work for existing users (created manually) and new users created with Terraform.

They are unavailable in the HashiCorp Active Directory Provider, forcing us to use PowerShell or API calls until now.

These resources are extremely useful for managing service accounts or provisioning AD accounts.

The KopiCloud AD Terraform Provider

This story is part of my KopiCloud AD Terraform Provider series.

I have been deploying Active Directory in AWS, Azure, GCP, and OCI cloud environments for +10 years. I have been using AD since Microsoft launched the public beta in 1999, so this is one of my favorite subjects to write about.

1. Introducing KopiCloud AD API, the API for Microsoft Active Directory and DNS

KopiCloud AD API is a production-ready REST API designed to securely manage Microsoft Active Directory and DNS from custom applications, automation tools, DevOps pipelines, and Terraform.

With KopiCloud AD API, you can:

  • Integrate Microsoft AD and DNS with your applications or scripts.
  • Use our Terraform Provider in your CI/CD pipelines without credentials.
  • Manage AD Users, AD Groups, AD OUs, and AD Computers.
  • Manage DNS Records and DNS Zones.

Visit the KopiCloud AD API website for more details about the REST API and the Terraform Provider at https://adapi.kopicloud.com or explore the Automating Microsoft AD and DNS with Terraform & KopiCloud AD API story.

2. Why KopiCloud AD API?

Here are a few reasons to choose KopiCloud AD API to automate your Active Directory deployments:

  • No official Microsoft API: There is no official Microsoft API, so if you want to automate access to the Active Directory or DNS, you must write your own API or execute PowerShell commands.
  • It is secure: We use authentication tokens instead of using usernames and passwords to access Active Directory or DNS. These tokens can be used for a limited time or forever.
  • We keep a log of everything: Every task or action executed is written in a log, so you know who and when they call any API method. Coming soon, you will be able to forward events to several SIEMs.
  • Automate AD with our Terraform Provider: Create service accounts in AD, create DNS records, create AD Users, create AD Groups, create AD Organization Units, reset AD User passwords, and more.
  • Designed for all kinds of companies: We have plenty of pre-configured security access groups. The API provides many options if you are a small company or a large enterprise with a dedicated security team.
  • Working on both Production or Test Environments: If you are in production, every call is secured using a token, and everything is logged. Or you can disable the token authentication if running in a test environment.
  • Supports DNS actions: other AD providers can only automate Active Directory actions. KopiCloud AD API supports both Microsoft Active Directory and Microsoft DNS actions.

3. Setting Up the KopiCloud AD API Terraform Provider

In your “provider.tf” file, configure the KopiCloud AD Terraform Provider with the host, the URL of your KopiCloud AD API server, and the token, the token generated in the previous step.

terraform {
required_providers {
kopicloud = {
source = "kopicloud-ad-api/ad"
}
}
}

provider "kopicloud" {
host = "https://api.kopicloud.local"
token = "Basic b3NjYWI8UzFsdkyQMVsuD70"
}

Note: For details about the configuration of the KopiCloud AD API Terraform Provider, please check the How to Configure the KopiCloud AD Terraform Provider story.

4. Creating an Active Directory User with Terraform

In the following examples, we will create an AD User with Terraform.

We will use the “kopicloud_user” resource to create, update, or delete an AD user.

Running the “kopicloud_user” resource with theterraform apply command will create or update the AD User and running terraform destroy will remove this AD User from the Active Directory.

Please check the official Manage AD Users in Microsoft Active Directory using the KopiCloud AD Terraform Provider documentation at https://adapihelp.kopicloud.com/terraform/terraform-ad/ad-users.html

Note: Use the optional parameter ShowFields to select user fields to show. This optional argument is a comma-separated string with the name of the fields you want to be returned.

Example: ShowFields=All or ShowFields=* : Return all User Fields

Example: ShowFields=Username,Firstname : Return Only Username and Firstname Fields

Example: ShowFields=Null or Empty : Return Default Fields (Username, Firstname, Lastname, Display_Name, Description, Company, Office, Department, Email_Address)

4.1. Creating a Basic AD User

This is a simple sample for a basic AD User, with name and description:

Username information
Password configuration

Note: you cannot set both change_password_next_logon = true and password_never_expires = true as it is not supported by Active Directory.

This is the Terraform code:

// Create Basic User
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

change_password_next_logon = true
password_never_expires = false
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

4.2. Creating an AD User with Address and Phone

In the following example, we will create an AD User with an address and phone numbers:

Address Information
Phone Information

This is the Terraform code:

// Create User with Address and Phone
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

city = "Lisbon"
state = "Lisbon"
country = "Portugal"
street = "Av Liberdade 245"
zip_code = "1049"
po_box = "PO BOX 123"

mobile_phone = "+351 123 456 999"
office_phone = "+351 212 333 454"
home_phone = "+351 711 212 786"
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

4.3. Creating a Manager and Employee AD Users with Company

And now, we will create two users, one manager and one employee, and we will set up company information such as company name, department, and job title.

First, we will create a manager AD User with company information:

// Create Manager User
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

company = "KopiCloud Labs"
department = "Laboratory"
email_address = "mgomez@kopicloud.net"
office = "Level 3, Office 67"
job_title = "Engineering Manager"
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

Then, we will create the employee AD user and assign the manager to it:

// Create Employee User
resource "kopicloud_user" "test_2" {
depends_on = [kopicloud_user.test_1]

username = "lperes"
password = "P@ssword"
first_name = "Lucia"
last_name = "Peres"
display_name = "Lucia Peres"
description = "Lucia Peres"

company = "KopiCloud Labs"
department = "Laboratory"
email_address = "lperes@kopicloud.net"
office = "Level 3, Office 68"
job_title = "Lab Engineer"
manager = resource.kopicloud_user.test_1.username
}

output "OUTPUT_new_user_2" {
description = "Created User 2"
value = resource.kopicloud_user.test_2
}

4.4. Creating an AD User with a Home Folder

In this section, we will create an AD User with a Home Folder using Local Path:

And this is the Terraform code:

// Create User with a Home Folder
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

home_folder_path = "\\\\fileserver\\home"
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

Note: for the Universal Naming Convention (UNC) path of servers in the Profile and the RDS variables, use twice backslashes as usual. For example, instead of using \\, use \\\\ and use \\ instead of \.

4.5. Creating an AD User with a Home Folder Connected to Drive

In this section, we will create an AD User with a Home Folder using Disk Drive and Folder:

And this is the Terraform code:

// Create User with a Home Folder
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

home_folder_directory = "\\\\fileserver\\home"
home_folder_drive = "U:"
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

Note: for the Universal Naming Convention (UNC) path of servers in the Profile and the RDS variables, use twice backslashes as usual. For example, instead of using \\, use \\\\ and use \\ instead of \.

4.6. Creating an AD User with a Profile

In this section, we will create an AD User with a Profile Path and/or Logon Script:

And this is the Terraform code:

// Create User with a Home Folder
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

profile_path = "\\\\server\\profile\\user"
profile_logon_script = "\\\\server\\script\\logon-user.cmd"
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

Note: for the Universal Naming Convention (UNC) path of servers in the Profile and the RDS variables, use twice backslashes as usual. For example, instead of using \\, use \\\\ and use \\ instead of \.

4.7. Creating an AD User with Remote Desktop Services (RDS) Profile

In this section, we will create an AD User with Remote Desktop Services (RDS) Profile:

RDS Settings Part 1
RDS Settings Part 2

4.7.1. Creating an AD User with RDS Home Folder User Profile

To configure the Profile Path setting (1) in the Remote Desktop Services (RDS) User Profile, use this code:

// Create RDS User with RDS Home Folder Local Path
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

rds_profile_path = "\\\\rdsserver\\userprofile"
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

4.7.2. Creating an AD User with RDS Home Folder Local Path

To configure the Local Path setting (2) in the Remote Desktop Services (RDS) Home Folder, use this code:

// Create RDS User with RDS Home Folder Local Path
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

rds_connect_drive = false
rds_home_folder_path = "c:\\rdsserver\\homefolder1"
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

4.7.3. Creating an AD User with Deny/Allow AD User Log On to RDS Session Host Server

To configure the Deny this user permissions to log on to Remote Desktop Session Host Server setting (3), use this code:

// Create RDS User with RDS Home Folder Local Path
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

rds_allow_logon = true
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

4.7.4. Creating an AD User with RDS Home Folder Connected to a Drive

To configure the Connect Drive to Home Folder setting (4) in the Remote Desktop Services (RDS) Home Folder, use this code:

// Create RDS User with RDS Home Folder Local Path
resource "kopicloud_user" "test_1" {
username = "mgomez"
password = "P@ssword"
first_name = "Maria"
initials = "T"
last_name = "Gomez"
display_name = "Maria T. Gomez"
description = "Maria T. Gomez"

rds_connect_drive = true
rds_home_folder_drive = "R:"
rds_home_folder_path = "\\\\rdsserver\\homefolder"
}

output "OUTPUT_new_user_1" {
description = "Created User 1"
value = resource.kopicloud_user.test_1
}

5. Enabling and Disabling Existing AD User

In this section, we will use the Terraform “kopicloud_user_enable_account” resource to enable AD Users and the “kopicloud_user_disable_account” resource to disable AD Users, even users not created using Terraform code.

Important: Enabling and Disabling AD Users is ONLY available in the KopiCloud AD Terraform Provider.

5. 1. Enabling an Existing AD User

To enable an existing AD User with Terraform, use the following code:

# Enable AD User Account
resource "kopicloud_user_enable_account" "test" {
username = "guillermo"
}

# Enabled AD User Account Result
output "OUTPUT_user_enable_account" {
description = "AD User Enabled"
value = resource.kopicloud_user_enable_account.test
}

5. 2. Disabling an Existing AD User

To disable an existing AD User with Terraform, use the following code:

# Disable AD User Account
resource "kopicloud_user_disable_account" "test" {
username = "guillermo"
}

# Disabled AD User Account Result
output "OUTPUT_user_disable_account" {
description = "AD User Disabled"
value = resource.kopicloud_user_disable_account.test
}

6. Rename AD User

Here, we will introduce the Terraform “kopicloud_user_rename_account” resource, allowing us to rename AD Users created manually or using Terraform code.

Important: Renaming AD Users is ONLY available in the KopiCloud AD Terraform Provider.

Here is the Terraform code:

// Rename AD User
resource "kopicloud_user_rename_account" "test" {
username = "tf_service_account"
new_username = "tfsvc"
}

// AD User Rename Result
output "OUTPUT_user_rename" {
description = "Rename AD User"
value = resource.kopicloud_user_rename_account.test
}

7. Reset AD User Password

The Terraform “kopicloud_user_password_reset” resource allows us to reset the password of AD Users created manually or using the Terraform code.

This resource is extremely useful to reset service account passwords or provision new or existing accounts created outside Terraform.

Important: Reset AD User Password is ONLY available in the KopiCloud AD Terraform Provider.

Here is the Terraform code:

// Reset Password for an AD User
resource "kopicloud_user_password_reset" "test" {
username = "labsvcaccount"
new_password = "N3wP@ssw0rd"

change_password_next_logon = false
}

// AD User Password Reset Result
output "OUTPUT_user_password_reset" {
description = "User Password Reset"
value = resource.kopicloud_user_password_reset.test
}

8. Unlock AD User

The Terraform “kopicloud_user_unlock_account” resource allows us to unlock AD Users created manually or using Terraform code.

Important: Unlock AD User is ONLY available in the KopiCloud AD Terraform Provider.

Here is the Terraform code:

// Unlock AD User
resource "kopicloud_user_unlock_account" "test" {
username = "labtestuser"
}


// Unlock AD User Result
output "OUTPUT_user_unlock_account" {
description = "AD User Unlock"
value = resource.kopicloud_user_unlock_account.test
}

9. List AD Users

In this final section, we will use the data “kopicloud_user_list” to list AD users using Terraform code.

List All AD Users:

# Get All AD Users
data "kopicloud_user_list" "test_all" { }

Get All AD Users Inside an OU:

data “kopicloud_user_list” “test_ou” {
ou_path = "DC=kopicloud,DC=local"
}

In future stories, we will explore the KopiCloud AD Terraform Provider in detail.

Explore full code examples to manage AD Users with Terraform in the KopiCloud AD API repo https://github.com/KopiCloud-AD-API/terraform-kopicloud-ad-api-users and the KopiCloud AD Laboratory API repo https://github.com/KopiCloud-AD-API/lab-terraform-kopicloud-ad-api-user

Visit the KopiCloud AD API website for more details about the REST API and the Terraform Provider at https://adapi.kopicloud.com

And that’s all, folks. If you liked this story, please show your support by 👏 this story. Thank you for reading!

--

--

Guillermo Musumeci
Guillermo Musumeci

Written by Guillermo Musumeci

Certified AWS, Azure & GCP Architect | HashiCorp Ambassador | Terraform SME | KopiCloud Founder | ex-AWS | Entrepreneur | Book Author | Husband & Dad of ✌

No responses yet