A. The simple answer is to use the net user
net user %1 password /add /homedir:\\
net localgroup "
repeat for local groups
net group "
repeat for global groups
nltest /sync /server:BDCname
repeat for all BDCs you might be authenticating to
remove the everyone permission to the directory
The nltest commands are needed as otherwise it fails to do the cacls command, since the user account does not exist on the BDC to which you are authenticating as only the PDC has been updated.