A. The simple answer is to use the net user
addnew.bat

    net user %1 password /add /homedir:\\ \users\%1 /scriptpath:login.bat /domain
    net localgroup " " %1 /add
    rem repeat for local groups
    net group " " %1 /add /domain
    rem repeat for global groups
    xcopy \\ \users\template \\ \users\%1 /e
    nltest /sync /server:BDCname
    rem repeat for all BDCs you might be authenticating to
    sleep 20
    rem remove the Everyone permission to the directory
    cacls \\ \users\%1 /e /r Everyone
    cacls \\ \users\%1 /g %1:F /e
    cacls \\ \users\%1 /g Administrators:F /e

The nltest commands are needed because otherwise the cacls commands fail: only the PDC has been updated, so the user account does not yet exist on the BDC to which you are authenticating.