A. The simple answer is to use the net user
net user %1 password /add /homedir:\\<server>\users\%1 /scriptpath:login.bat /domain
net localgroup "<local group>" %1 /add
repeat for local groups
net group "<global group>" %1 /add /domain
repeat for global groups
xcopy \\<server>\users\template \\<server>\users\%1 /e
nltest /sync /server:BDCname
repeat for all BDCs you might be authenticating to
cacls \\<server>\users\%1 /e /r Everyone
remove the Everyone permission to the directory
cacls \\<server>\users\%1 /g %1:F /e
cacls \\<server>\users\%1 /g Administrators:F /e
The nltest commands are needed because otherwise the cacls commands fail: only the PDC has been updated, so the user account does not yet exist on the BDC to which you are authenticating.
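A post-creation check for the steps above, as an added example that is not part of the original answer: it confirms the account exists in the domain, the home directory was created, the Everyone entry is gone from its ACL, and the user has an entry. The script name checkhome.bat and the second parameter (the file server name) are assumptions, as are an English-language system (the literal group name Everyone) and a cmd.exe with command extensions enabled.

```batch
@echo off
rem checkhome.bat (hypothetical name) - added example, not from the original answer.
rem Usage: checkhome.bat username server
setlocal
if "%~1"=="" goto usage
if "%~2"=="" goto usage
set HOMEDIR=\\%~2\users\%~1

rem The account must exist in the domain (net user returns non-zero if not found).
net user "%~1" /domain >nul 2>&1
if errorlevel 1 (
    echo FAIL: account %~1 not found in the domain
    exit /b 1
)

rem The home directory must have been created by the copy step.
if not exist "%HOMEDIR%\" (
    echo FAIL: %HOMEDIR% does not exist
    exit /b 1
)

rem find returns errorlevel 0 on a match, so a match here means the
rem "cacls ... /e /r Everyone" step did not take effect.
cacls "%HOMEDIR%" | find /i "Everyone" >nul
if not errorlevel 1 (
    echo FAIL: Everyone still has an entry on %HOMEDIR%
    exit /b 1
)

rem The user must have an entry; cacls prints it as DOMAIN\username:rights.
cacls "%HOMEDIR%" | find /i "\%~1:" >nul
if errorlevel 1 (
    echo FAIL: no ACL entry for %~1 on %HOMEDIR%
    exit /b 1
)

echo OK: Everyone removed and %~1 present in the ACL of %HOMEDIR%
exit /b 0

:usage
echo usage: %~nx0 username server
exit /b 2
```

Run it from an account that can read the directory's ACL, after the nltest synchronisation has completed.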