Recipe 6.3 Creating an inetOrgPerson User

6.3.1 Problem

You want to create an inetOrgPerson object, which is the standard LDAP object class to represent users.

6.3.2 Solution

6.3.2.1 Using a graphical user interface
  1. Open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, browse to the parent container of the new user, right-click on it, and select New InetOrgPerson.

  4. Enter first name, last name, and user logon name fields as appropriate and click Next.

  5. Enter and confirm the password, set any of the password flags, and click Next.

  6. Click Finish.

6.3.2.2 Using a command-line interface

The dsadd command does not support creating inetOrgPerson objects (dsadd user always creates objects of class user), so we'll use ldifde instead. First, we need to create an LDIF file called create_inetorgperson.ldf with the following contents:

dn: <UserDN>
changetype: add
objectclass: inetorgperson
sAMAccountName: <UserName>
userAccountControl: 512

Be sure to replace <UserDN> with the distinguished name of the user you want to add and <UserName> with the user's username. Then run the following command:

> ldifde -i -f create_inetorgperson.ldf

Note that ldifde cannot set a password over an unencrypted LDAP connection, so this import creates an enabled account with no password. If the domain password policy requires a minimum password length (the default), the domain controller rejects the add with LDAP error 53 (unwilling to perform) and Win32 error 0x52D (ERROR_PASSWORD_RESTRICTION). The safer pattern is to import the account with userAccountControl: 514 (disabled), set the password over an SSL/TLS connection (or with the VBScript below), and only then change userAccountControl to 512.

6.3.2.3 Using VBScript

' This code creates an inetOrgPerson object.
' The object is created first (ADSI defaults a new account to disabled),
' then the password is set, and only then is the account enabled, so the
' directory never holds an enabled account with no password.

set objParent = GetObject("LDAP://<ParentDN>")
set objUser   = objParent.Create("inetorgperson", "cn=<UserName>")

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512

objUser.Put "sAMAccountName", "<UserName>"
objUser.Put "userPrincipalName", "<UserUPN>"
objUser.Put "givenName", "<UserFirstName>"
objUser.Put "sn", "<UserLastName>"
objUser.Put "displayName", "<UserFirstName> <UserLastName>"
objUser.SetInfo

' Set the password before enabling the account. Writing userAccountControl
' 512 to an account that has no password is rejected (0x8007052D) when the
' domain password policy requires a minimum length.
objUser.SetPassword "<Password>"
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo
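The same create-then-set-password-then-enable sequence with the Active Directory module for Windows PowerShell (shipped with Windows Server 2008 R2 and later). This is an added example, not part of the original recipe; the parent OU, the account name, the UPN suffix and the display name are assumed placeholders.

```powershell
# Added example: create an inetOrgPerson with the ActiveDirectory module.
# The OU, account name and UPN suffix below are assumptions, not values
# from the recipe; replace them for your domain.
Import-Module ActiveDirectory

$parentDN  = "OU=People,DC=example,DC=com"   # assumed parent container
$userName  = "jsmith"                        # assumed sAMAccountName
$firstName = "Jane"
$lastName  = "Smith"
$upn       = "$userName@example.com"         # assumed UPN suffix

# New-ADUser always creates objectClass=user, so New-ADObject is used to
# pick the class explicitly. No userAccountControl is supplied here, so the
# domain controller defaults the new account to disabled; creating it
# enabled with no password would be rejected by a domain password policy
# that requires a minimum length.
$user = New-ADObject -Name "$firstName $lastName" -Type inetOrgPerson -Path $parentDN `
    -OtherAttributes @{
        sAMAccountName    = $userName
        userPrincipalName = $upn
        givenName         = $firstName
        sn                = $lastName
        displayName       = "$firstName $lastName"
    } -PassThru

# Prompt for the password rather than embedding it in the script. The
# module writes it over the encrypted ADWS channel, so no LDAPS setup is
# needed for this step.
$password = Read-Host -AsSecureString -Prompt "Initial password for $userName"
Set-ADAccountPassword -Identity $user.DistinguishedName -Reset -NewPassword $password

# Enable only after the password is set, and force a change at first logon.
# The user cmdlets accept inetOrgPerson objects because the class inherits
# from user.
Enable-ADAccount -Identity $user.DistinguishedName
Set-ADUser -Identity $user.DistinguishedName -ChangePasswordAtLogon $true

# Check: objectClass lists inetOrgPerson (and its parent user), and
# userAccountControl is 512 (ADS_UF_NORMAL_ACCOUNT).
Get-ADObject -Identity $user.DistinguishedName -Properties objectClass, userAccountControl |
    Select-Object DistinguishedName, objectClass, userAccountControl
```

Run this from an account with create-child rights on the target OU and the right to reset passwords there; the final Get-ADObject shows the class chain and confirms the account ended up enabled with the password-not-required flag cleared.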

6.3.3 Discussion

The inetOrgPerson object class was defined in RFC 2798. It is the closest thing in the LDAP world to a standard representation of a user, and most LDAP vendors support the inetOrgPerson class. Unfortunately, Microsoft did not support inetOrgPerson in the initial release of Active Directory. Even though Microsoft later provided an add-on to extend the schema to support it, the damage had been done. Most Active Directory implementations were already using the user object class and were unlikely to convert. This required vendors to build in support for the user class.

You can download the InetOrgPerson Kit for Windows 2000 from the following web site: http://msdn.microsoft.com/library/en-us/dnactdir/html/inetopkit.asp. This requires that you extend the schema to support an additional object class and new attributes. It also creates a schema conflict with Windows Server 2003. See MS KB 314649 for more information.

In Windows Server 2003 Active Directory, inetOrgPerson is supported natively. You can create inetOrgPerson objects for your users, who can use them to authenticate just as they would accounts of the user object class. If you haven't deployed Active Directory yet and you plan on integrating a lot of third-party LDAP-based applications that rely on inetOrgPerson, you may want to consider using it over user. You won't be losing any information or functionality, because the inetOrgPerson class inherits directly from the user class; for this reason, the inetOrgPerson class has even more attributes than the Microsoft user class. That inheritance also means an inetOrgPerson object is a full security principal: it receives a SID, can be a group member, and is subject to the same password and lockout policies, so it needs the same provisioning and auditing controls as a user object. The one potential downside is that some of the Microsoft tools, such as the DS utilities (dsmod user, for example), do not support modifying inetOrgPerson objects.

6.3.4 See Also

Recipe 6.1 for creating a user and RFC 2798 (Definition of the inetOrgPerson LDAP Object Class)
