You want to create an inetOrgPerson object, which is the standard LDAP object class to represent users.
Open the Active Directory Users and Computers snap-in.
If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, browse to the parent container of the new user, right-click on it, and select New InetOrgPerson.
Enter first name, last name, and user logon name fields as appropriate and click Next.
Enter and confirm the password, set any of the password flags, and click Next.
Click Finish.
The dsadd command does not support creating inetOrgPerson objects, so we'll use ldifde instead. First, we need to create an LDIF file called create_inetorgperson.ldf with the following contents:
dn: <UserDN>
changetype: add
objectclass: inetorgperson
sAMAccountName: <UserName>
userAccountControl: 512
Be sure to replace <UserDN> with the distinguished name of the user you want to add and <UserName> with the user's username. Then run the following command:
> ldifde -i -f create_inetorgperson.ldf
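As an added example that is not part of the recipe, the following Python script generates the create_inetorgperson.ldf contents shown above for one user: it escapes the RDN per RFC 4514, base64-encodes any value that LDIF (RFC 2849) cannot carry in clear, and refuses userAccountControl values that drop ADS_UF_NORMAL_ACCOUNT or add flags such as PASSWD_NOTREQD that would weaken the new account. The parent DN, names, and the 20-character sAMAccountName limit check are my additions; the sample values are constructed.

```python
import base64

# Bits from ADS_USER_FLAG_ENUM. 512 is the value the recipe writes; the others
# are flags an auditor would not expect on a freshly created user account.
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
RISKY_FLAGS = {ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
               ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD"}

def escape_rdn_value(value: str) -> str:
    """Escape the characters that are special inside an RDN value (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; base64 ('::') when RFC 2849 says it is not a SAFE-STRING."""
    safe = all(32 <= ord(c) < 127 for c in value) and value[:1] not in (" ", ":", "<")
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def uac_problems(uac: int) -> list:
    """Names of anything wrong with a userAccountControl value (empty list = acceptable)."""
    problems = [] if uac & ADS_UF_NORMAL_ACCOUNT else ["missing NORMAL_ACCOUNT"]
    problems += [name for bit, name in RISKY_FLAGS.items() if uac & bit]
    return problems

def build_ldif(parent_dn: str, cn: str, sam: str, uac: int = ADS_UF_NORMAL_ACCOUNT) -> str:
    """Return the create_inetorgperson.ldf contents for one inetOrgPerson."""
    if len(sam) > 20:
        raise ValueError("sAMAccountName is limited to 20 characters for user accounts")
    if uac_problems(uac):
        raise ValueError("bad userAccountControl: " + ", ".join(uac_problems(uac)))
    dn = f"cn={escape_rdn_value(cn)},{parent_dn}"
    lines = [ldif_attr("dn", dn), "changetype: add", "objectclass: inetorgperson",
             ldif_attr("sAMAccountName", sam), f"userAccountControl: {uac}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample values; the comma in the CN must be escaped in the DN.
    print(build_ldif("ou=Sales,dc=example,dc=com", "Smith, John", "jsmith"), end="")
```

Write the returned string to create_inetorgperson.ldf and import it with the ldifde command above.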
' This code creates an inetOrgPerson object
set objParent = GetObject("LDAP://<ParentDN>")
set objUser = objParent.Create("inetorgperson", "cn=<UserName>")

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512

objUser.Put "sAMAccountName", "<UserName>"
objUser.Put "userPrincipalName", "<UserUPN>"
objUser.Put "givenName", "<UserFirstName>"
objUser.Put "sn", "<UserLastName>"
objUser.Put "displayName", "<UserFirstName> <UserLastName>"
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo

' The object must be committed before a password can be set and the account enabled
objUser.SetPassword("<Password>")
objUser.AccountDisabled = FALSE
objUser.SetInfo
The inetOrgPerson object class was defined in RFC 2798. It is the closest thing in the LDAP world to a standard representation of a user, and most LDAP vendors support the inetOrgPerson class. Unfortunately, Microsoft did not support inetOrgPerson with the initial release of Active Directory. Even though they provided an add-on later to extend the schema to support it, the damage had been done. Most Active Directory implementations were already using the user object class and were unlikely to convert. This required vendors to build in support for the user class.
In Windows Server 2003 Active Directory, inetOrgPerson is supported natively. You can create inetOrgPerson objects for your users, who can use them to authenticate just as they would accounts of the user object class. If you haven't deployed Active Directory yet and you plan on integrating a lot of third-party LDAP-based applications that rely on inetOrgPerson, you may want to consider using it over user. You won't be losing any information or functionality because the inetOrgPerson class inherits directly from the user class. For this reason, the inetOrgPerson class has even more attributes than the Microsoft user class. The one potential downside is that some of the Microsoft tools, such as the DS utilities, do not support modifying inetOrgPerson objects.
Recipe 6.1 for creating a user and RFC 2798 (Definition of the inetOrgPerson LDAP Object Class)