CodeProject: How to add a new user using DirectoryServices?. Free source code and programming help

In our previous article, How to get full name of logged in user, we showed how you can get full name of a user in a given domain or machine. You can extend that idea to obtain any information you want for a given user. This artcile will describe how you can add a new user account into your domain or machine using .Net DirectoryServices classes. We will be using WinNT provider for illustrations in this article. But you can extend the examples to use LDAP or AD providers.

Details

Here are the key steps that you will need to perform to create new account.

Create a new DirectoryEntry object and specify the machine name as the path.
User accounts are created as nodes corrresponding to User schema class in Active Directory. Therefore we will add a new DirectoryEntry object in Children collection of the machine. The key thing to rememeber will be that when you add new entry, make sure that the schema class name is User.
When you add a new node in Children collection, it will return you the newly created object. At this stage the information has not been added to your machine or active directory tree.
Now you can set all the values that you need to set for a given account. Following is the list of property names that you can set for the account.
- UserFlags
- MaxStorage
- PasswordAge
- PasswordExpired
- LoginHours
- FullName
- Description
- BadPasswordAttempts
- LastLogin
- HomeDirectory
- LoginScript
- Profile
- HomeDirDrive
- Parameters
- PrimaryGroupID
- Name
- MinPasswordLength
- MaxPasswordAge
- MinPasswordAge
- PasswordHistoryLength
- AutoUnlockInterval
- LockoutObservationInterval
- MaxBadPasswordsAllowed
- RasPermissions
- objectSid
For more information on these properties please read Active Directory Services Interface(ADSI) section in Microsoft Platform SDK.
You must have noticed from the above list that there is no property to set or get user password value. Operating system does not give access to clear text password value. So we can't expect and property or method to get it. In ADSI, IAdsUser interface provides SetPassword method to set a user's password. This is where Invoke method of DirectoryEntry class comes handy. So we call Invoke to set the password value. The Invoke method can be used to call native methods on underlying active directory objects. There is one important thing to remeber when you set a user's password value. If you are using LDAP provider, then the user account should already have been created in the system by calling CommitChanges or SetInfo method. But WinNT provider does not have this restriction. You can set password value without commiting the changes first.
The last step would be to actually create the account in the machine or domain. This is done by calling CommitChanges method on newly added DirectoryEntry object.

The following code demonstrates all the steps that we described above.

private void AddUser(string strDoamin, string strLogin, string strPwd)
{
    DirectoryEntry obDirEntry = null;
    try
    {
        obDirEntry = new DirectoryEntry("WinNT://" + strDoamin);
        DirectoryEntries entries = obDirEntry.Children;
        DirectoryEntry obUser = entries.Add(strLogin, "User");
        obUser.Properties["FullName"].Add("Amigo");
        object obRet = obUser.Invoke("SetPassword", strPwd);
        obUser.CommitChanges();
    }
    catch (Exception ex)
    {
        Trace.Warn(ex.Message);
    }
}

Please feel free to send your suggestions directly to us at softomatix@pardesiservices.com.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Softomatix

Member

To learn more about us, Please visit us at http://www.netomatix.com

Occupation:	Web Developer
Location:	United States

Other popular .NET Framework articles:

The 30 Minute Regex Tutorial
Learn how to use regular expressions in 30 minutes with Expresso.
Strings UNDOCUMENTED
Detailed looked at the implementation of strings in .NET
Expresso - A Tool for Building and Testing Regular Expressions
For learning, building, and debugging .NET Framework regular expressions
Unraveling the Mysteries of .NET 2.0 Configuration
Learn how to utilize the powerful new .NET 2.0 configuration features to simplify and centralize your configuration code.
Simple Windows Service Sample
A simple application to show how to create a Windows service.

Article Top

You must Sign In to use this message board.

FAQ
Noise Tolerance Layout Per page

Msgs 1 to 25 of 40 (Total in Forum: 40) (Refresh)

FirstPrevNext

Creating Group

sreejith ss nair

0:38 30 Jan '08

Hi, I am wondering whether we can have our own group like Administrator, Power User etc in windows operating system. In concize, how to create groups programmatically. Thanks in advance If the post/article served your purpose then, please assist me in keeping it up by donating a small amount of money to my Paypal account. Email: sreejithssnair@hotmail.com
Sign In·View Thread·PermaLink	1.50/5 (2 votes)

activedirectory user profile

Jayesh Talsaniya

2:17 21 May '07

how to create activedirectory user profile with home folder. jayesh talsaniya
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

How to delete user?

Gx Lam

7:12 19 Oct '06

Hi, How to delete user? Should I using DirectoryServices ?
Sign In·View Thread·PermaLink	1.40/5 (4 votes)

How can I grant Administrative right to the newly created User?

Atif Bashir

1:26 4 Aug '06

can I grant Administrative rights to the newly created User? Watch Your Thoughts for they will become your actions. Watch Your Actions for they will become your habits. Watch Your Habits for they will become your beliefs. Watch Your Beliefs for they will determine your destiny.
Sign In·View Thread·PermaLink	1.83/5 (5 votes)

Set Primary Group

SirLoric

12:48 4 Sep '05

How do I set the primary group of a user? ............................. There's nothing like the sound of incoming rifle and mortar rounds to cure the blues. No matter how down you are, you take an active and immediate interest in life. Fiat justitia, et ruat cælum
Sign In·View Thread·PermaLink	1.67/5 (3 votes)

windows 2003

Quinton Viljoen

3:29 15 Jun '05

What would be the best method to iterate the localgroups on windows 2003 and possibly add/remove users to and from it?
Sign In·View Thread·PermaLink	3.50/5 (2 votes)

"General access denied error\r\n"

dmh181

21:48 19 May '05

I use this snippet code to create a user. It's successful when I run in winform but when I process in webpage, the error is always throwed exception: "general access denied error". I don't know if there are any privileges were assigned to my computer to create new user, I can use control panel to create user by the logon account. And I have done by webpage with this snippet code on other computers. Please give me the reason and solutions. Thanks

1.20/5 (2 votes)

Re: "General access denied error\r\n"

Naresg

10:16 23 Aug '05

Hi, Did u able t get the solution for this? I m facing same problem. please mail me at "naresh_0204@hotmail.com" if u found solution. i will appriciate your help. Thanks in advance. Naresh Hanchate naresh_0204@hotmail.com
Sign In·View Thread·PermaLink

Re: "General access denied error\r\n"

nano2k

22:22 21 Nov '05

As I far as I can see, you problem is that you do not have enough rights to create a user.
When run from a winform, your thread has the rights of the user currently logged in (so you have enough permissions).
On the other hand, when running from a webpage, the thread that executes your code doesn't have enough rights.
To see the difference between the two ways, use this code:

string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

To solve your problem, you need to use impersonation - at least this is the method I have successfully used. To do this, you need a valid domain/user/pass account that has enough rights to create a new user account.

I found this piece of code that helped me:

http://www.dotnet247.com/247reference/msgs/7/38183.aspx[^]

Note: when running the code above in an domainless environment, just pass null value for the domain parameter in impersonateValidUser() function.

Re: "General access denied error\r\n"

mohdmo2005

23:45 16 Jul '07

many thanks for you nano2k, you solved a big problem for me. have a nice day MohdM
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

Re: "General access denied error\r\n"

Member 1846328

3:11 29 Sep '08

Hi , I am getting the same access denied error. I tried to access the link which you have provided , but it shows "BAD REQUEST" error message . Could you please help me on the "access denied error" problem. Could you please tell me what i need to do to solve this issue . Regards, Lisha lishamj
Sign In·View Thread·PermaLink

Re: "General access denied error\r\n"

dbbtvlzfpz

23:27 19 Oct '08

I used impersonation to solve this problem. I found the information on this page: http://msdn.microsoft.com/en-us/library/xh507fc5.aspx Add the code as indicated to the system.web section of your web.config file, entering the username and password of a user with sufficient privileges to create a new user. I created a new local user on the web server with admin privileges, and used this user.
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

Add user to AD too slow

sonnv

22:39 2 Mar '05

When I add a user to AD using DirectoryEntry.Children.Add or DirectoryEntries.Add, it reponses too slow. Is there any other way to speed up this? If I add about 1000 users to AD, it took about 30minutes to complete
Sign In·View Thread·PermaLink

add user problem

sanaz_

21:48 14 Aug '04

hello ,
plz see this code , i have a problem .
it give me this error --->
exception has been thrown by the target of an invocation Confused

Dim _Path As String = "LDAP://server"
Dim domain As String = "prd.com"
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
'Put user code to initialize the page here
Try
Dim nun As String = "k11110"
Dim username As String = "amini"
Dim pwd As String = "test123"
Dim DE As DirectoryEntry = New DirectoryEntry(_Path, domain & "\" & username, pwd)
Dim OU As DirectoryEntry = DE.Children.Find("CN=USERS")
Dim NewUser As DirectoryEntry = OU.Children.Add("CN=" + nun, "User")

NewUser.Properties("sAMAccountName").Value = nun
NewUser.Properties("userPrincipalName").Add(nun + "@prd-co.com")
NewUser.Properties("GivenName").Add("sanaz")
NewUser.Properties("initials").Add("a")
NewUser.Properties("sn").Add("amini")
NewUser.Properties("displayName").Add("Amini")
NewUser.Properties("description").Add("Amini")
NewUser.CommitChanges()

NewUser.NativeObject.accountdisabled = False
NewUser.Properties("accountExpires").Value = 0
NewUser.Properties("pwdLastSet").Value = -1
NewUser.Invoke("setpassword", pwd)
NewUser.CommitChanges()
Catch ex As Exception
Response.Write(ex.Message)
End Try
End Sub

thank you.

1.60/5 (5 votes)

Authentication issue

Anonymous

3:47 5 Mar '04

Has anyone seen this before? I am using this code snippet to add an account on my pc. The page i created kept hanging, so i debugged it, and i found that it was telling me that the specified username is invalid. I have tried using the credentials of a local admin account on the machine to take out the possibility of not actually authenticating, but no matter what, i continually get the same error. When i remove the authentication information, it steps through the entire code, but then fails at the end because no credentials were supplied.... Confused

and in vb.net ?

trollibus

4:37 20 Jan '04

Hi, i'd like to know how i can do the same in vb.net ? In fact, what i really wanted is to browse my domain (!! NT 4 => not Active directory) and for each groups, list all the user. I've done in vb but in .net, i'm lost... thx, Troll
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Re: and in vb.net ?

anonymous

10:05 11 Feb '04

Here's a link to the MSDN site that explains how to load up all the info on AD(and i'm using all this stuff without AD and it seems to be working just fine) into a tree view.

The other links on the left are ALL useful stuff on how to use the DirectoryServices.dll and all the code samples are in C# and VB.NET

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtskremovingactivedirectorynodes.asp

5.00/5 (1 vote)

Clickety

Colin Angus Mackay

6:00 6 Oct '04

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtskremovingactivedirectorynodes.asp[^] Do you want to know more? Vogon Building and Loan advise that your planet is at risk if you do not keep up repayments on any mortgage secured upon it. Please remember that the force of gravity can go up as well as down.
Sign In·View Thread·PermaLink

get current user's password

cronosxfiles

1:32 9 Dec '03

In this article you say: "Operating system does not give access to clear text password value". I'm creating windows tasks that wont run unless they have the user name and password set. How do some applications (such as Norton System Works) manage to create system tasks which use my user name and my password to run? I don't remember having provided any password during instalation. I need to provide the current user's password in the moment I create the task.
Thanks in advance for any suggestion.

Regards Juanma.

Juan Manuel Gómez Ramos
B.Sc. Computer Science

1.33/5 (2 votes)

Exchange

candan

15:11 18 Aug '03

When I crate a account in AD ? How can I crate a mail in Exchange and IM ? Thx for some hints.
Sign In·View Thread·PermaLink	1.20/5 (2 votes)

Group membership

andy.ainsworth@forbessolicitors.co.uk

0:18 6 Aug '03

This post has been a great help. Is there any way to add new users to groups. andy
Sign In·View Thread·PermaLink	3.00/5 (3 votes)

Re: Group membership

cerda

23:07 29 Mar '04

You should try GroupMembership attribute, which should contain collection of distinguishedNames of groups. But better is to add user into group via group itself. It is member attribute which should contain collection of distinguishedNames of users.
Sign In·View Thread·PermaLink	2.75/5 (4 votes)

Re: Group membership

Atif Bashir

0:19 8 Aug '06

I'm using the following code in C# to "Add a User to Administrators Group"

--------------------------CODE-----------------------------------------------------
DirectoryEntry DirEntry = new DirectoryEntry("WinNT://" + strDomain);
DirectoryEntries entries = DirEntry.Children;

DirectoryEntry adminGroup = entries.Find("Administrators", "Group");

DirectoryEntry newUser = entries.Add(strLogin, "User");
newUser.Properties["FullName"].Add(textBox2.Text);
object Ret = newUser.Invoke("SetPassword", strPassword);
newUser.CommitChanges();

adminGroup.Properties["member"].Add(newUser.Properties["distinguishedName"].Value);
adminGroup.CommitChanges();
------------------------------------------------------------------------------------

but the following exeption occurs:

==============================Exeption
Value cannot be null.
Parameter name: value
======================================

I think there are not valid members
adminGroup.Properties["member"] & newUser.Properties["distinguishedName"]

Anybody can help in this context

Thanx in advance

Watch Your Thoughts for they will become your actions.
Watch Your Actions for they will become your habits.
Watch Your Habits for they will become your beliefs.
Watch Your Beliefs for they will determine your destiny.

Setting a UserFlag to Don't Expire a Password

optimistck

5:46 18 Mar '03

Hello,

The code has helped me get a better understanding on the process of adding a user, but I also need to set the user UserFlag UF_DONT_EXPIRE_PASSWD to not expire. I have added the UserFlag property, but I have no clue how to set or even access the don't expire password bit.

Using your original code, how would you prevent the password from changing? There are no resources on the net that describe this operation in C#.

Thanks!

CK
Confused

1.50/5 (2 votes)

Re: Setting a UserFlag to Don't Expire a Password

Optimistck

6:39 18 Mar '03

Got it. //Add the following: const int UF_PASSWD_CANT_CHANGE = 0x0040; NewUser.Properties["userFlags"].Add(UF_PASSWD_CANT_CHANGE); // Done Self prescribed help at its best. CK
Sign In·View Thread·PermaLink	2.75/5 (3 votes)

Last Visit: 16:13 23 Nov '09 Last Update: 16:13 23 Nov '09

12 Next »

General News Question Answer Joke Rant Admin

PermaLink | Privacy | Terms of Use
Last Updated: 19 Feb 2003
Editor: Nishant Sivakumar