Creating a User
To create a user in Active Directory Domain Services, create a user object in the domain container of the domain where you want to place the user. Users can be created at the root of the domain, within an organizational unit, or within a container.
When you create a user object, you must also set the attributes, listed in the following table, to set the object as a legal user that is recognized by Active Directory Domain Services and the Windows Security system.
Attribute | Description |
---|---|
cn | Specifies the name of the user object in the directory. This will be the object's relative distinguished name (RDN). |
sAMAccountName | Specifies a string that is the name used to support clients and servers from a previous version of Windows. The sAMAccountName should be less than 20 characters to support clients from a previous version of Windows. The sAMAccountName must be unique among all security principal objects within the domain. You should perform a query against the domain to verify that the sAMAccountName is unique within the domain. sAMAccountName is an optional attribute. The server will create a random sAMAccountName value if none is specified. |
You can also set other attributes. The following user attributes are set with default values if you do not explicitly set them at creation time.
Attribute | Description |
---|---|
accountExpires | Specifies when the account will expire. The default is TIMEQ_FOREVER, which indicates that the account will never expire. |
nTSecurityDescriptor | A security descriptor is created based on specific rules. For more information, see How Security Descriptors are Set on New Directory Objects. |
objectCategory | Specifies the user category. The default is "Person". |
name | Specifies the user name. The default is the value set for cn. |
pwdLastSet | Specifies when the user last set the password. The default is zero, which indicates that the user must change the password at next logon. |
userAccountControl | Contains values that determine several logon and account features for the user. By default, the new account is disabled (ADS_UF_ACCOUNTDISABLE) and is marked as not requiring a password (UF_PASSWD_NOTREQD); see the notes at the end of this topic. |
memberOf | Specifies the group or groups that the user is a direct member of. The default is "Domain Users". |
A user is created by binding to the desired container and then using one of the following methods. The cn and sAMAccountName attributes must be set before the user is committed to the server.
Method | Description |
---|---|
IADsContainer.Create | The cn attribute is taken from the bstrRelativeName parameter. The new user must be committed by calling IADs.SetInfo or the object will not be created. For more information, see Example Code for Creating a User. |
IDirectoryObject::CreateDSObject | The cn attribute is taken from the pszRDNName parameter. The new user is committed when CreateDSObject is called. For more information, see Example Code for Creating a User. |
DirectoryEntries.Add | The cn attribute is taken from the name parameter. The new user object must be committed by calling DirectoryEntry.CommitChanges or the object will not be created. For more information, see Adding Directory Objects. |
The new user must be committed to the server before any attributes other than cn and sAMAccountName can be modified. This is because the user account does not actually exist until the user is committed. If an attribute is retrieved or modified for an object that does not exist on the server, an error will occur. This includes calling the IADsUser.SetPassword method. For example, the following sequence would be followed when creating a user with IADsContainer.Create:
- Call IADsContainer.Create to create the user in the local cache with the specified cn.
- Set the sAMAccountName attribute to the desired value with the IADs.Put method.
- Call IADs.SetInfo to commit the new user to the server.
- Only now modify other attributes, such as userAccountControl. This restriction also applies to the ADSI properties, such as IADsUser.AccountDisabled, and to methods such as IADsUser.SetPassword.
When a new user account is created, it is disabled by default. The account must be enabled manually or programmatically. To programmatically enable a user account, remove the ADS_UF_ACCOUNTDISABLE flag from the userAccountControl attribute.
When a new user account is created, the userAccountControl attribute for the account automatically has the UF_PASSWD_NOTREQD flag set, which indicates that no password is required for the account. If the security policies of the domain in which the account is created require a password for all user accounts, the UF_PASSWD_NOTREQD flag must be removed from the userAccountControl attribute for the account.
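The full sequence this topic describes, as an added PowerShell example that is not part of the original article: it checks sAMAccountName length and uniqueness with a domain query, creates the user with DirectoryEntries.Add, commits it with DirectoryEntry.CommitChanges before touching any other attribute, then sets a password and clears the two default userAccountControl flags. The container path, user name, sAMAccountName and password are placeholder assumptions; the flag values are the ADS_USER_FLAG_ENUM constants from the Windows SDK.

```powershell
# Added example (not from the original article). Assumed inputs: target OU, cn, sAMAccountName, password.
param(
    [string]$ContainerPath   = "LDAP://OU=Staff,DC=example,DC=com",           # assumption: target container
    [string]$Cn              = "Jane Doe",                                    # assumption: object RDN value
    [string]$SamAccountName  = "jdoe",                                        # assumption: pre-Windows 2000 name
    [securestring]$InitialPassword = (Read-Host -AsSecureString "Initial password")
)

# userAccountControl bits (ADS_USER_FLAG_ENUM): both are set on a freshly created account.
$ADS_UF_ACCOUNTDISABLE = 0x0002
$ADS_UF_PASSWD_NOTREQD = 0x0020

# Escape the characters that have meaning in an LDAP search filter (RFC 4515) so the
# uniqueness query cannot be altered by the value being checked.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# 1. sAMAccountName must be shorter than 20 characters and unique among security principals in the domain.
if ($SamAccountName.Length -ge 20) { throw "sAMAccountName must be shorter than 20 characters" }
$rootDse    = [ADSI]"LDAP://RootDSE"
$searchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$searcher.Filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
if ($searcher.FindOne()) { throw "sAMAccountName '$SamAccountName' already exists in the domain" }

# 2. Bind to the container and create the user in the local cache. cn comes from the RDN passed to Add;
#    characters such as ',' or '+' in the cn would need DN escaping before being used here.
$container = [ADSI]$ContainerPath
$user = $container.Children.Add("CN=$Cn", "user")

# 3. Only cn and sAMAccountName may be set before the first commit; nothing else exists on the server yet.
$user.Properties["sAMAccountName"].Value = $SamAccountName
$user.CommitChanges()    # the account now exists: disabled, password not required, pwdLastSet = 0

# 4. After the commit, other attributes and ADSI methods such as SetPassword become usable.
#    Set the password before enabling, because enabling an account with no password fails
#    when the domain policy requires one.
$plain = (New-Object System.Net.NetworkCredential("", $InitialPassword)).Password
$user.Invoke("SetPassword", $plain)
$plain = $null

# 5. Clear the two default flags: enable the account and require a password.
$user.RefreshCache()
$uac = [int]$user.Properties["userAccountControl"].Value
$uac = $uac -band (-bnot ($ADS_UF_ACCOUNTDISABLE -bor $ADS_UF_PASSWD_NOTREQD))
$user.Properties["userAccountControl"].Value = $uac
$user.CommitChanges()

# pwdLastSet is left at its default of zero, so the user must change the password at next logon.
Write-Output ("Created {0} (userAccountControl=0x{1:X})" -f $user.Properties["distinguishedName"].Value, $uac)
```

Run it from a session that holds create-child and reset-password rights on the target OU; it deliberately never sets userAccountControl before the first CommitChanges, because the server rejects that order, and it removes the flags with a bitwise mask rather than assigning a fixed value so any other bits already present on the account are preserved.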