Apparently, it isn't that terribly difficult to add users to an MS AD via LDAP; you just have to set the right attributes, and MS AD will do the rest and set sensible defaults for the other attribs.

More or less, a rundown of the attribs that need to be set, or can be set:

  • displayName: the display name for this user. Of course, this is usually the same as the user name
  • givenName: the user's first name; same as the CN attrib.
  • name: the user's full name
  • initials: the user's middle initials
  • sn: surname
  • sAMAccountName: Old (pre-Win2k) domain login name
  • userPrincipalName: username@domain; usually the sAMAccountName + your AD domain
  • pwdLastSet: When the password was last set; since this is a new user, be sure to set this to 0; details below

Now, this creates a user that is disabled by default. To enable it, you'll have to modify the userAccountControl attrib. userAccountControl, as far as I can tell, is a bitfield with a minimum value of 512 (don't ask, I have no idea why). Setting it to 512 with a password already set for the user marks the password as permanent ("User cannot change password" in the AD Users and Computers admin tool), unless pwdLastSet is 0, in which case a value of 512 (with a password already set) prompts the user to change his password on the next login.

However (and this is strange), if the account doesn't have a password set (just as when we create users via LDAP), userAccountControl will be 546 initially, and you'll have to set it to 544 to enable the account (and prompt for a password the next time).

NOTE: If you're wondering, I did not reverse-engineer anything here. This info can easily be discovered if you have the patience, any LDAP browser, and administrator access to an Active Directory. (Of course, the last item'll be hard to get. Thank God I actually work in an MS-partner shop.)

Edited (4:39 PM): I forgot to mention that you also have to ensure you're setting the objectClass properly. AD users are of the object classes top, person, organizationalPerson, user.
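As an added example (not code from the original post), here is a small Python script that builds the two LDIF operations described above, the "add" with the listed attributes and object classes and the "modify" that turns 546 into 544, and decodes the userAccountControl values; the DN, domain and user details are constructed placeholders. The bit values are Microsoft's documented flags: 512 is NORMAL_ACCOUNT, 2 is ACCOUNTDISABLE and 32 is PASSWD_NOTREQD, which is why a new user without a password starts at 546 and becomes 544 once enabled.

```python
# Added example, not from the original post: builds the LDIF for the two-step
# "add, then enable" sequence described above and decodes userAccountControl.
# The DN, domain and user details used with it are constructed placeholders.

# Documented Microsoft userAccountControl flag values (decimal in parentheses).
ACCOUNTDISABLE = 0x0002   # (2)   account is disabled
PASSWD_NOTREQD = 0x0020   # (32)  account is allowed to have no password
NORMAL_ACCOUNT = 0x0200   # (512) ordinary user account; the "minimum" value

UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


def enable_uac(value):
    """Clear ACCOUNTDISABLE, turning the initial 546 into 544 as the post describes."""
    return value & ~ACCOUNTDISABLE


def user_add_ldif(base_dn, domain, given, sn, sam, initials=""):
    """LDIF 'add' for a new (still disabled) user with the attributes listed above."""
    full = " ".join(p for p in (given, initials, sn) if p)
    attrs = [("objectClass", oc) for oc in ("top", "person", "organizationalPerson", "user")]
    attrs += [("cn", full), ("name", full), ("displayName", full),
              ("givenName", given), ("sn", sn)]
    if initials:
        attrs.append(("initials", initials))
    attrs += [("sAMAccountName", sam),
              ("userPrincipalName", f"{sam}@{domain}"),
              ("pwdLastSet", "0")]  # 0 forces a password change at next logon
    lines = [f"dn: CN={full},{base_dn}", "changetype: add"]
    lines += [f"{k}: {v}" for k, v in attrs]
    return "\n".join(lines) + "\n"


def user_enable_ldif(dn, current_uac):
    """LDIF 'modify' that replaces userAccountControl with the enabled value."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {enable_uac(current_uac)}\n-\n")
```

Note that 544 still carries PASSWD_NOTREQD, so once a real password has been set an administrator would normally replace it with plain 512 so the account can no longer have an empty password.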