Creating a User

To create a user in Active Directory, create a user object in the domain container of the domain where you want to place the user. Users can be created at the root of the domain, within an organizational unit, or within a container.

When you create a user object, you must also set the following properties so that Active Directory and the Windows security system recognize the object as a valid user.

cn
    The name of the user object in the directory. This value becomes the object's relative distinguished name (RDN).

sAMAccountName
    The logon name used to support clients and servers from earlier versions of Windows. Keep it to fewer than 20 characters so those clients can use it.

    The sAMAccountName must be unique among all security principal objects (users, groups, and computers) in the domain. Query the whole domain, not just the target container, to verify that the name is not already in use before you commit the object.

    Beginning with Windows Server 2003, sAMAccountName is optional at creation time: if you do not supply one, the server generates a random value.

You can also set other properties. The following user properties are set with default values if you do not explicitly set them at creation time.

accountExpires
    When the account expires. The default is TIMEQ_FOREVER, which means the account never expires.

nTSecurityDescriptor
    A security descriptor is created according to specific rules. For more information, see How Security Descriptors are Set on New Directory Objects.

objectCategory
    The object category. The default is "Person".

name
    The object name. The default is the value of cn.

pwdLastSet
    When the user last set the password. The default is zero, which means the user must change the password at the next logon.

userAccountControl
    Flags that control logon and account behavior for the user. By default, the following flags are set:

      • UF_ACCOUNTDISABLE - The account is disabled.
      • UF_PASSWD_NOTREQD - No password is required.
      • UF_NORMAL_ACCOUNT - Default account type that represents a typical user.

    Because UF_PASSWD_NOTREQD exempts the account from the domain password policy (an empty password is accepted), set a password with IADsUser::SetPassword and clear this flag before you clear UF_ACCOUNTDISABLE; otherwise the account can be enabled without a password.

memberOf
    The groups of which the user is a direct member. By default the user belongs to "Domain Users", but as the account's primary group (primaryGroupID 513) rather than through the group's member attribute, so that membership is not listed in memberOf.

A user is created by binding to the desired container and then calling either IADsContainer::Create or IDirectoryObject::CreateDSObject. With IADsContainer::Create, the cn property is taken from the bstrRelativeName parameter, and the new object exists only in the local property cache until you commit it by calling IADs::SetInfo; if you skip SetInfo, the object is never created in the directory.

With IDirectoryObject::CreateDSObject, the cn property is taken from the pszRDNName parameter, and the object is committed to the directory at the time CreateDSObject is called, so every mandatory attribute must be supplied in that one call.

For more information, and a code example of how to create a user with either method, see Example Code for Creating a User.
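The following script is an added example, not code from the original page, showing the whole procedure from PowerShell: the uniqueness check for sAMAccountName described above, creation through IADsContainer::Create and IADs::SetInfo (which the [ADSI] adapter calls on your behalf), and the follow-up that the default userAccountControl flags require before the account is safe to enable. The domain example.com, the container OU=Staff,DC=example,DC=com, the names "Jane Doe" and "jdoe", and the two escaping helpers are assumptions for illustration; the script expects to run as a principal with create-child rights on that container.

```powershell
# Added example (not from the original page): create an AD user via ADSI from PowerShell.
# Assumed placeholders: domain example.com, container OU=Staff,DC=example,DC=com,
# user "Jane Doe" / "jdoe". Requires create-child rights on the container.

$domainPath    = "LDAP://DC=example,DC=com"
$containerPath = "LDAP://OU=Staff,DC=example,DC=com"
$cn            = "Jane Doe"
$sam           = "jdoe"          # keep under 20 characters for down-level clients

# userAccountControl flag values (names as in lmaccess.h).
$UF_ACCOUNTDISABLE = 0x0002
$UF_PASSWD_NOTREQD = 0x0020

function ConvertTo-LdapFilterValue {
    # Assumed helper: RFC 4515 escaping so a caller-supplied name cannot alter the filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' `
           -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function ConvertTo-RdnValue {
    # Assumed helper: RFC 4514 escaping for characters that are special inside an RDN value.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '([,+"\\<>;=#])', '\$1'
}

# 1. sAMAccountName must be unique among every security principal in the domain,
#    so search from the domain root, not just the target container.
$filter   = "(sAMAccountName=$(ConvertTo-LdapFilterValue $sam))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$domainPath, $filter)
if ($null -ne $searcher.FindOne()) {
    throw "sAMAccountName '$sam' is already in use in the domain"
}

# 2. Bind to the container and create the object. The RDN passed to Create becomes
#    the cn; nothing exists in the directory until SetInfo commits the property cache.
$container = [ADSI]$containerPath
$user = $container.Create("user", "CN=$(ConvertTo-RdnValue $cn)")
$user.Put("sAMAccountName", $sam)
$user.Put("userPrincipalName", "$sam@example.com")   # optional; used by Kerberos logons
$user.SetInfo()

# 3. The committed object is disabled and carries UF_PASSWD_NOTREQD, which exempts it
#    from the password policy. Set a real password first, then clear both flags.
$secure = Read-Host -Prompt "Initial password for $sam" -AsSecureString
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $user.SetPassword([System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$uac = [int]$user.userAccountControl.Value
$uac = $uac -band (-bnot ($UF_ACCOUNTDISABLE -bor $UF_PASSWD_NOTREQD))
$user.Put("userAccountControl", $uac)
$user.SetInfo()

# pwdLastSet is left at its default of 0, so the user must change this password at first logon.
"Created {0} with userAccountControl=0x{1:X}" -f $user.Path, $uac
```

Clearing UF_PASSWD_NOTREQD and UF_ACCOUNTDISABLE in a single SetInfo after SetPassword avoids a window in which the account is enabled but still exempt from the password policy. The same sequence applies if you create the object with IDirectoryObject::CreateDSObject instead, except that cn and sAMAccountName are passed in the attribute array of that one call.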