Directory Services

Creating New Users in the Organizational Unit

Jay Adams was hired into the Fabrikam Sales organization. His direct report is Michael Hines. As shown in the following code example, Joe Worden, the enterprise administrator, will create a new account for him.

Dim salesOU As IADsContainer
Dim usr As IADsUser
Set salesOU = GetObject("LDAP://OU=Sales,DC=Fabrikam,DC=COM")
Set usr = salesOU.Create("user", "CN=Jay Adams")
usr.Put "sAMAccountName", "jayadams"
usr.Put "userPrincipalName", ""
usr.Put "title", "Marketing Manager"
' Commit the new object to the directory before setting the password.
usr.SetInfo

usr.SetPassword "seahorse"
usr.AccountDisabled = False
' Commit the enabled state.
usr.SetInfo

When creating a new user, you must specify a sAMAccountName. This is a mandatory attribute for the user class. Before an instance of an object can be created, all mandatory attributes must be set. The user sAMAccountName is used to log on from computers running versions of Windows earlier than Windows 2000. Computers running Windows 2000 continue to understand the sAMAccountName. Beginning with Windows Server 2003, the sAMAccountName will automatically be generated if one is not specified for a new user.

In a Windows 2000 environment (both the client and the DC are running Windows 2000), the user can log on using either the sAMAccountName or userPrincipalName. In this example, Jay's userPrincipalName is set to If Jay moves to a different domain in the same enterprise, he can continue to use his userPrincipalName.

When creating a new user, all of the required attributes must be set in the local cache before the IADs.SetInfo method is called.

Joe, as an administrator, can assign Jay's password using the IADsUser.SetPassword method. The IADsUser.SetPassword method will not work until the IADs.SetInfo method has been called.

Then, Joe enables the user account by setting the IADsUser.AccountDisabled property to FALSE.
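The following is an added example, not part of the original page or its sample code. It follows the same ordering (mandatory attributes, SetInfo, SetPassword, enable) but takes the password from the caller instead of hard-coding it, forces a password change at next logon, and enables the account only after SetPassword succeeds. CreateSalesUser and its parameters are hypothetical names, and the code assumes a Visual Basic project that references the Active DS Type Library.

```vb
' Added example: CreateSalesUser, upn and initialPassword are hypothetical names.
' Flag values are taken from ADS_USER_FLAG_ENUM.
Private Const ADS_UF_ACCOUNTDISABLE = &H2
Private Const ADS_UF_PASSWD_NOTREQD = &H20

Sub CreateSalesUser(ByVal upn As String, ByVal initialPassword As String)
    Dim salesOU As IADsContainer
    Dim usr As IADsUser
    Dim uac As Long

    Set salesOU = GetObject("LDAP://OU=Sales,DC=Fabrikam,DC=COM")
    Set usr = salesOU.Create("user", "CN=Jay Adams")
    usr.Put "sAMAccountName", "jayadams"
    usr.Put "userPrincipalName", upn
    usr.SetInfo                        ' the object must exist before SetPassword

    On Error GoTo PasswordFailed
    usr.SetPassword initialPassword    ' may be rejected by the domain password policy
    On Error GoTo 0

    usr.GetInfo                        ' refresh the cache so userAccountControl is available
    usr.Put "pwdLastSet", 0            ' user must change the password at next logon
    uac = usr.Get("userAccountControl")
    ' Enable the account and clear "password not required" if it is set.
    uac = uac And Not (ADS_UF_ACCOUNTDISABLE Or ADS_UF_PASSWD_NOTREQD)
    usr.Put "userAccountControl", uac
    usr.SetInfo
    Exit Sub

PasswordFailed:
    ' The account is left as SetInfo created it; this routine does not enable it.
    Debug.Print "SetPassword failed: 0x" & Hex(Err.Number) & " " & Err.Description
End Sub
```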

The following code example shows how to set Jay as Michael's manager.

Set usr = GetObject("LDAP://CN=mikehines, OU=Sales, DC=Fabrikam, DC=COM")
usr.Put "manager", "CN=Jay Adams,OU=Sales, DC=Fabrikam,DC=COM"
' Write the cached change to the directory.
usr.SetInfo

You may wonder what happens if Jay changes his name, moves to a different organization, or leaves the company. Who maintains this manager-direct report link? For more information, and the solution to this problem, see Reorganization. Because the Active Directory schema is extensible, you can model your objects to include similar manager-direct report style relationships.

Before going on to the next task, look at how Joe would view Jay's direct reports.

Set usr = GetObject("LDAP://CN=Jay Adams, OU=Sales, DC=Fabrikam, DC=COM")
reports = usr.GetEx("directReports")

' Print the distinguished name of each direct report.
For Each directReport In reports
    Debug.Print directReport
Next

In this code example, Michael will display as Jay's direct report, even though the directReports attribute was never modified. Active Directory does this automatically.

In the directory world, an attribute can have single or multiple values. The directReports attribute has multiple values; you can get this information by looking at the schema. It is easier to use the IADs.GetEx method, which returns an array of values regardless of whether single or multiple values are returned.

The Active Directory Users and Computers snap-in lets you view direct reports and manager relationships on the user's property page.