To create a user in Active Directory, create a user object in the domain container of the domain where you want to place the user. Users can be created at the root of the domain, within an organizational unit, or within a container.
When you create a user object, you must also set the following properties to set the object as a legal user that is recognized by Active Directory and the Windows Security system.
|cn||Specifies the name of the user object in the directory. This will be the object's relative distinguished name (RDN).|
|sAMAccountName||Specifies a string that is the name used to support clients and
servers from a previous version of Windows. The
sAMAccountName should be less than 20 characters to support
clients from a previous version of Windows.
The sAMAccountName must be unique among all security principal objects within the domain. You should perform a query against the domain to verify that the sAMAccountName is unique within the domain.
Beginning with Windows Server 2003, sAMAccountName is an optional parameter. The server will create a random sAMAccountName value if one is not specified.
You can also set other properties. The following user properties are set with default values if you do not explicitly set them at creation time.
|accountExpires||Specifies when the account will expire. The default is TIMEQ_FOREVER, which indicates that the account will never expire.|
|nTSecurityDescriptor||A security descriptor is created based on specific rules. For more information, How Security Descriptors are Set on New Directory Objects.|
|objectCategory||Specifies the user category. The default is "Person".|
|name||Specifies the user name. The default is the value set for cn.|
|pwdLastSet||Specifies when the user last set the password. The default is zero, which indicates that the user must change the password at next logon.|
|userAccountControl||Contains values that determine several logon and account
features for the user.
By default, the following flags are set:
|memberOf||Specifies the group or groups that the user is a direct member of. The default is "Domain Users".|
A user is created by binding to the desired container and then using either IADsContainer::Create or IDirectoryObject::CreateDSObject. When IADsContainer::Create is used, the cn property is taken from the bstrRelativeName parameter. The new user object must be committed by calling IADs::SetInfo or the object will not be created.
When using IDirectoryObject::CreateDSObject, the cn property is taken from the pszRDNName parameter. The object created in this manner is committed when IDirectoryObject::CreateDSObject is called.
For more information, and a code example of how to create a user with either method, see Example Code for Creating a User.