Creating a User (Windows)

To create a user in Active Directory Domain Services, create a user object in the domain container of the domain where you want to place the user. Users can be created at the root of the domain, within an organizational unit, or within a container.

When you create a user object, you must also set the attributes, listed in the following table, to set the object as a legal user that is recognized by Active Directory Domain Services and the Windows Security system.

Attribute	Description
cn	Specifies the name of the user object in the directory. This will be the object's relative distinguished name (RDN).
sAMAccountName	Specifies a string that is the name used to support clients and servers from a previous version of Windows. The sAMAccountName should be less than 20 characters to support clients from a previous version of Windows. The sAMAccountName must be unique among all security principal objects within the domain. You should perform a query against the domain to verify that the sAMAccountName is unique within the domain. Beginning with Windows Server 2003, sAMAccountName is an optional attribute. The server will create a random sAMAccountName value if none is specified.

Attribute

Description

Specifies the name of the user object in the directory. This will be the object's relative distinguished name (RDN).

sAMAccountName

Specifies a string that is the name used to support clients and servers from a previous version of Windows. The sAMAccountName should be less than 20 characters to support clients from a previous version of Windows.

The sAMAccountName must be unique among all security principal objects within the domain. You should perform a query against the domain to verify that the sAMAccountName is unique within the domain.

Beginning with Windows Server 2003, sAMAccountName is an optional attribute. The server will create a random sAMAccountName value if none is specified.

You can also set other attributes. The following user attributes are set with default values if you do not explicitly set them at creation time.

Attribute	Description
accountExpires	Specifies when the account will expire. The default is TIMEQ_FOREVER, which indicates that the account will never expire.
nTSecurityDescriptor	A security descriptor is created based on specific rules. For more information, see How Security Descriptors are Set on New Directory Objects.
objectCategory	Specifies the user category. The default is "Person".
name	Specifies the user name. The default is the value set for cn.
pwdLastSet	Specifies when the user last set the password. The default is zero, which indicates that the user must change the password at next logon.
userAccountControl	Contains values that determine several logon and account features for the user. By default, the following flags are set: UF_ACCOUNTDISABLE - The account is disabled. UF_PASSWD_NOTREQD - No password is required. UF_NORMAL_ACCOUNT - Default account type that represents a typical user.
memberOf	Specifies the group or groups that the user is a direct member of. The default is "Domain Users".

A user is created by binding to the desired container and then using one of the following methods. The cn and sAMAccountName attributes must be set before the user is committed to the server.

Method	Description
IADsContainer.Create	The cn attribute is taken from the bstrRelativeName parameter. The new user must be committed by calling IADs.SetInfo or the object will not be created. For more information, see Example Code for Creating a User.
IDirectoryObject::CreateDSObject	The cn attribute is taken from the pszRDNName parameter. The new user is committed when CreateDSObject is called. For more information, see Example Code for Creating a User.
DirectoryEntries.Add	The cn attribute is taken from the name parameter. The new user object must be committed by calling DirectoryEntry.CommitChanges or the object will not be created. For more information, see Adding Directory Objects.

The new user must be committed to the server before any attributes other than cn and sAMAccountName can be modified. This is because the user account does not actually exist until the user is committed. If an attribute is retrieved or modified for an object that does not exist on the server, an error will occur. This includes calling the IADsUser.SetPassword method. For example, the following sequence would be followed when creating a user with IADsContainer.Create:

Call IADsContainer.Create to create the user in the local cache with the specified cn.
Set the sAMAccountName attribute to the desired value with the IADs.Put method.
Call IADs.SetInfo to commit the new user to the server.
Now modify other attributes, such as userAccountControl. This restriction also applies to the ADSI properties, such as IADsUser.AccountDisabled, and methods such as IADsUser.SetPassword.
Call IADs.SetInfo again to commit any modified attributes to the server.

When a new user account is created, it is disabled by default. The account must be enabled manually or programmatically. To programmatically enable a user account, remove the ADS_UF_ACCOUNTDISABLE flag from the userAccountControl attribute.

When a new user account is created, the userAccountControl attribute for the account automatically has the UF_PASSWD_NOTREQD flag set, which indicates that no password is required for the account. If the security policies of the domain that the account is created in requires a password for all user accounts, then the UF_PASSWD_NOTREQD flag must be removed from the userAccountControl attribute for the account.

See Also