CreateUser Method

ActiveDirectoryMembershipProvider.CreateUser Method (String, String, String, String, String, Boolean, Object, MembershipCreateStatus)


Adds a new user to the Active Directory data store.

Namespace:   System.Web.Security
Assembly:  System.Web (in System.Web.dll)

	Unrestricted = true)]
	Unrestricted = true)]
	Unrestricted = true)]
public override MembershipUser CreateUser(
	string username,
	string password,
	string email,
	string passwordQuestion,
	string passwordAnswer,
	bool isApproved,
	object providerUserKey,
	out MembershipCreateStatus status


Type: System.String

The user name for the new user.

Type: System.String

The password for the new user.

Type: System.String

The e-mail address of the new user.

Type: System.String

The password question for the new user.

Type: System.String

The password answer for the new user.

Type: System.Boolean

Whether or not the new user is approved to be validated.

Type: System.Object

The unique identifier from the membership data source for the user. This parameter must be null when using the ActiveDirectoryMembershipProvider class.

Type: System.Web.Security.MembershipCreateStatus

When this method returns, contains one of the MembershipCreateStatus enumeration values indicating whether the user was created successfully.

Return Value

Type: System.Web.Security.MembershipUser

An ActiveDirectoryMembershipUser instance containing the information for the newly created user, or null if the user was not successfully created.

Exception Condition

The providerUserKey parameter is not null.


The administrator has not mapped the password question-and-answer fields to attributes of the Active Directory schema, and either the passwordQuestion or passwordAnswer parameter is not null.


The machineKey Element (ASP.NET Settings Schema) configuration element indicates an auto-generated machine encryption key. You must explicitly set the decriptionKey attribute of the machineKey Element (ASP.NET Settings Schema) element to store password answers with the ActiveDirectoryMembershipProvider.

- or -

The ActiveDirectoryMembershipProvider was unable to establish a secure connection to the directory when attempting to set the password for the new user.


An error occurred while attempting to create the user.


The CreateUser method is called before the ActiveDirectoryMembershipProvider instance is initialized.

The CreateUser method is called by the Membership class to create a new user in the Active Directory data store.

For both Active Directory and Active Directory Application Mode (ADAM) servers, the ActiveDirectoryMembershipProvider class requires that the instance class in the directory be user. Alternative user classes such as inetOrgPerson are not supported.

When using an Active Directory server and the user name is mapped to the userPrincipalName attribute, the ActiveDirectoryMembershipProvider class will automatically generate a random 20-character user name for the sAMAccountName parameter on your behalf.

Parameters default to the following maximum lengths.


Maximum length


64 characters if using the userPrincipalName attribute. If using the sAMAccountName attribute, the common restriction is 20 characters or less.


128 characters.


256 characters.


256 characters.


128 characters before and after encrypting.

The Comment property on the returned ActiveDirectoryMembershipUser instance is limited to 1024 characters.

If the directory schema has been modified by reducing the maximum allowable lengths for these attributes, these lengths will take precedence.

Before creating the user, the ActiveDirectoryMembershipProvider class will make sure the user name is unique. If the ActiveDirectoryMembershipProvider instance is configured to require unique e-mail addresses, it will also make sure the e-mail address is unique.

In an Active Directory user-name uniqueness is enforced by performing a GC search when the user name is mapped to userPrincipalName. If sAMAccountName is used, then the directory will automatically enforce uniqueness of the sAMAccountName across the Active Directory domain.

An ADAM server will automatically enforce user name uniqueness of the userPrincipalName across all application partitions.

Uniqueness of the e-mail address is enforced by performing a subtree search for a duplicate e-mail address starting at the root of the container in which users are created. This is either the default user container (if connected to an Active Directory and no container was specified in the connection string) or the container specified in the connection string.

The ActiveDirectoryMembershipProvider class creates the user directly in the user container specified in the connection string. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.

For passwords to be set on an Active Directory server, the connectionProtection attribute must be set to SignAndSeal.

When an ADAM server is being used, the connectionProtection attribute can be set to None, but only if you explicitly configure the ADAM server to allow password changes over unsecured connections.

Leading and trailing spaces are trimmed from all string parameter values except password.

System_CAPS_security Security Note

You cannot create new users unless the credentials used to connect to the Active Directory server have either Domain Administrator rights (not recommended) or the "create child instance," "delete child instance," and "set password" access rights. The "delete child instance" access right is required because creating a user is a multi-step process, and if any step of user creation fails, the ActiveDirectoryMembershipProvider class will delete the user instance rather than leave a partially constructed user instance in the directory.

.NET Framework
Available since 2.0
Return to top
© 2015 Microsoft