CreateUser Method

ActiveDirectoryMembershipProvider.CreateUser Method

Adds a new user to the Active Directory data store.

Namespace: System.Web.Security
Assembly: System.Web (in system.web.dll)

C#
public override MembershipUser CreateUser (
	string username,
	string password,
	string email,
	string passwordQuestion,
	string passwordAnswer,
	bool isApproved,
	Object providerUserKey,
	out MembershipCreateStatus status
)

J#
public MembershipUser CreateUser (
	String username, 
	String password, 
	String email, 
	String passwordQuestion, 
	String passwordAnswer, 
	boolean isApproved, 
	Object providerUserKey, 
	/** @attribute OutAttribute() */ /** @ref */ MembershipCreateStatus status
)



Parameters

username
The user name for the new user.

password
The password for the new user.

email
The e-mail address of the new user.

passwordQuestion
The password question for the new user.

passwordAnswer
The password answer for the new user.

isApproved
Whether or not the new user is approved to be validated.

providerUserKey
The unique identifier from the membership data source for the user. This parameter must be a null reference (Nothing in Visual Basic) when using the ActiveDirectoryMembershipProvider class.

status
When this method returns, contains one of the MembershipCreateStatus enumeration values indicating whether the user was created successfully.

Return Value

An ActiveDirectoryMembershipUser instance containing the information for the newly created user, or a null reference (Nothing in Visual Basic) if the user was not successfully created.

Exception conditions

The providerUserKey parameter is not a null reference (Nothing in Visual Basic).

The administrator has not mapped the password question-and-answer fields to attributes of the Active Directory schema, and either the passwordQuestion or passwordAnswer parameter is not a null reference (Nothing in Visual Basic).

The machineKey configuration element (ASP.NET Settings Schema) indicates an auto-generated machine encryption key. You must explicitly set the decryptionKey attribute of the machineKey element to store password answers with the ActiveDirectoryMembershipProvider.

- or -

The ActiveDirectoryMembershipProvider was unable to establish a secure connection to the directory when attempting to set the password for the new user.

An error occurred while attempting to create the user.

The CreateUser method is called before the ActiveDirectoryMembershipProvider instance is initialized.

Remarks

The CreateUser method is called by the Membership class to create a new user in the Active Directory data store.

For both Active Directory and ADAM servers, the ActiveDirectoryMembershipProvider class requires that the instance class in the directory be user. Alternative user classes such as inetOrgPerson are not supported.

When using an Active Directory server and the user name is mapped to the userPrincipalName attribute, the ActiveDirectoryMembershipProvider class will automatically generate a random 20-character user name for the sAMAccountName parameter on your behalf.

Parameters default to the following maximum lengths.

Parameter: Maximum length

username: 64 characters if using the userPrincipalName attribute. If using the sAMAccountName attribute, the common restriction is 20 characters or less.

password: 128 characters.

email: 256 characters.

passwordQuestion: 256 characters.

passwordAnswer: 128 characters before and after encrypting.

The Comment property on the returned ActiveDirectoryMembershipUser instance is limited to 1024 characters.

If the directory schema has been modified by reducing the maximum allowable lengths for these attributes, these lengths will take precedence.

Before creating the user, the ActiveDirectoryMembershipProvider class will make sure the user name is unique. If the ActiveDirectoryMembershipProvider instance is configured to require unique e-mail addresses, it will also make sure the e-mail address is unique.

In an Active Directory domain, user-name uniqueness is enforced by performing a global catalog (GC) search when the user name is mapped to userPrincipalName. If sAMAccountName is used, the directory automatically enforces uniqueness of the sAMAccountName across the Active Directory domain.

An ADAM server will automatically enforce user name uniqueness of the userPrincipalName across all application partitions.

Uniqueness of the e-mail address is enforced by performing a subtree search for a duplicate e-mail address starting at the root of the container in which users are created. This is either the default user container (if connected to an Active Directory and no container was specified in the connection string) or the container specified in the connection string.

The ActiveDirectoryMembershipProvider class creates the user directly in the user container specified in the connection string. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.

For passwords to be set on an Active Directory server, the connectionProtection attribute must be set to SignAndSeal.

When an ADAM server is being used, the connectionProtection attribute can be set to None, but only if you explicitly configure the ADAM server to allow password changes over unsecured connections.

Leading and trailing spaces are trimmed from all string parameter values except password.

Security Note:

You cannot create new users unless the credentials used to connect to the Active Directory server have either Domain Administrator rights (not recommended) or the "create child instance," "delete child instance," and "set password" access rights. The "delete child instance" access right is required because creating a user is a multi-step process, and if any step of user creation fails, the ActiveDirectoryMembershipProvider class will delete the user instance rather than leave a partially constructed user instance in the directory.
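The following C# helper is an added example, not code from the original documentation. It applies the constraints described above before calling CreateUser: it checks the default maximum lengths, passes a null providerUserKey, leaves the question and answer null, and surfaces a non-success status without recording the password. The class name, method name and provider name "MyADMembershipProvider" are hypothetical.

```csharp
using System;
using System.Web.Security;

public static class AdUserProvisioning
{
    // Hypothetical name; must match a provider entry under <membership> in Web.config.
    private const string ProviderName = "MyADMembershipProvider";

    public static MembershipUser CreateDirectoryUser(string username, string password, string email)
    {
        if (username == null) throw new ArgumentNullException("username");
        if (password == null) throw new ArgumentNullException("password");
        if (email == null) throw new ArgumentNullException("email");

        // The provider trims every string value except password, so validate trimmed input.
        username = username.Trim();
        email = email.Trim();

        // Default limits from the table above. 64 applies when the user name maps to
        // userPrincipalName; use 20 instead when it maps to sAMAccountName.
        if (username.Length == 0 || username.Length > 64)
            throw new ArgumentException("User name must be 1 to 64 characters.", "username");
        if (password.Length > 128)
            throw new ArgumentException("Password exceeds 128 characters.", "password");
        if (email.Length > 256)
            throw new ArgumentException("E-mail exceeds 256 characters.", "email");

        ActiveDirectoryMembershipProvider provider =
            Membership.Providers[ProviderName] as ActiveDirectoryMembershipProvider;
        if (provider == null)
            throw new InvalidOperationException("Provider '" + ProviderName + "' is not configured.");

        MembershipCreateStatus status;
        MembershipUser user = provider.CreateUser(
            username, password, email,
            null,   // passwordQuestion: null unless the schema mapping is configured
            null,   // passwordAnswer: also needs an explicit machineKey decryptionKey
            true,   // isApproved
            null,   // providerUserKey must be null for this provider
            out status);

        // A null user with a non-success status means nothing was left in the directory.
        // Report the status only; never include the password in the error or in logs.
        if (status != MembershipCreateStatus.Success || user == null)
            throw new MembershipCreateUserException(status);

        return user;
    }
}
```

Exceptions raised by the provider itself, such as a failure to establish a secure connection when setting the password, propagate to the caller unchanged.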

Platforms

Windows 98, Windows Server 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

Version Information

.NET Framework

Supported in: 3.0, 2.0
