
Creating Active Directory user with password in C#

I'm looking for a way to create Active Directory users and set their password, preferably without giving my application/service Domain Admin privileges.

I've tried the following:

DirectoryEntry newUser = _directoryEntry.Children.Add("CN=" + fullname, USER);
newUser.Properties["samAccountName"].Value = username;
newUser.Properties["userPassword"].Value = password;
newUser.Properties["mail"].Value = email;
newUser.CommitChanges();

The user is created, but it seems the password is never set on the user.

Does anyone have an idea on how to set the user's password initially when creating the user? I know about

.Invoke("SetPassword", new object[] { password })

But that requires my code to be run with Domain Admin privileges. As I don't really see the point to grant my code Domain Admin privileges, just to set the initial password (I also allow user password resets, but those run in the context of that particular user), I am hoping someone has a clever solution that doesn't require me to do so.

Thanks in advance!

RajenK asked Feb 21 '10 12:02




2 Answers

You can do this whole process much easier now with System.DirectoryServices.AccountManagement (as long as you're on .NET 3.5):

See here for a full rundown

Here's a quick example of your specific case:

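using System.DirectoryServices.AccountManagement;

// Binds to the current domain as the identity the code runs under.
using (var pc = new PrincipalContext(ContextType.Domain))
{
  using (var up = new UserPrincipal(pc))
  {
    up.SamAccountName = username;
    up.EmailAddress = email;
    up.SetPassword(password);   // applied when the new principal is saved
    up.Enabled = true;
    up.ExpirePasswordNow();     // force a password change at first logon
    up.Save();                  // creates the account in the directory
  }
}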
Nick Craver answered Oct 11 '22 00:10


I'd use @Nick's code (wrapped in using statements so the context and principal are disposed properly). As for privileges, you'll need to at least have enough privileges on the OU where you are creating the user to create and manage objects. I'd create a specific user under which your program will run and give it just enough privileges to do the tasks that it needs in that specific OU and no more.

tvanfosson answered Oct 11 '22 00:10
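
One way to combine the two answers above, as an added example that is not code from the original posts: the context is rooted at a single OU and binds as whatever identity the process runs under, so no Domain Admin credentials are involved. The domain name, OU path and class name are constructed placeholders, the create-disabled-then-set-password ordering is this example's choice, and it assumes the process runs as a dedicated service account that has been delegated rights to create, modify and delete user objects and reset passwords on that OU only.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class DelegatedUserProvisioning
{
    // Constructed placeholders: substitute your own domain and OU.
    const string Domain = "corp.example.com";
    const string TargetOu = "OU=AppUsers,DC=corp,DC=example,DC=com";

    public static void CreateUser(string fullName, string username,
                                  string email, string password)
    {
        // No credentials are passed: the bind uses the identity the process runs
        // as (the dedicated service account), scoped to the one delegated OU.
        using (var pc = new PrincipalContext(ContextType.Domain, Domain, TargetOu))
        using (var up = new UserPrincipal(pc))
        {
            up.Name = fullName;
            up.SamAccountName = username;
            up.EmailAddress = email;
            up.Enabled = false;   // stay disabled until a password is in place
            up.Save();            // create the object first

            try
            {
                up.SetPassword(password);        // persisted principal: applies now
                up.PasswordNotRequired = false;  // never leave the password optional
                up.Enabled = true;
                up.ExpirePasswordNow();          // user must change it at first logon
                up.Save();
            }
            catch (Exception ex) when (ex is PasswordException
                                    || ex is PrincipalOperationException
                                    || ex is UnauthorizedAccessException)
            {
                // Password rejected by policy or a delegated right is missing:
                // do not leave a half-provisioned account behind.
                try { up.Delete(); }
                catch (Exception) { /* account stays disabled; clean up manually */ }
                throw;
            }
        }
    }
}
```

If the service account lacks any of the assumed rights, the failure surfaces as an exception on the corresponding call, and the account remains disabled unless the cleanup delete succeeds.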