In each solution below, an example of adding a user object is shown. Modify the examples as needed to include whatever class and attributes you need to create.
1. Open ADSI Edit.
2. If an entry for the naming context you want to browse is not already displayed, do the following:
   a. Right-click on ADSI Edit in the right pane and click Connect to . . .
   b. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.
3. In the left pane, browse to the container or OU you want to add the object to. Once you've found the parent container, right-click on it and select New → Object.
4. Under Select a Class, select user.
5. For the cn, enter jsmith and click Next.
6. For sAMAccountName, enter jsmith and click Next.
7. Click the More Attributes button to enter additional attributes.
8. Click Finish.
Create an LDIF file called create_object.ldf with the following contents:

    dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
    changetype: add
    objectClass: user
    sAMAccountName: jsmith

then run the following command:

    > ldifde -v -i -f create_object.ldf
It is also worth noting that you can add a limited number of object types with the dsadd command. Run dsadd /? from a command line for more details.
To create an object in Active Directory, you have to specify the objectClass, the relative distinguished name (RDN) value, and any other mandatory attributes that are not automatically set by Active Directory. Some of the automatically generated attributes include objectGUID, instanceType, and objectCategory.
In the jsmith example, the objectClass was user, the RDN value was jsmith, and the only other mandatory attribute that had to be set was sAMAccountName. Admittedly, this user object is unusable in its current state because it will be disabled by default and no password was set, but it should give you an idea of how to create an object.
Other tools, such as AD Users and Computers, could be used to do the same thing, but ADSI Edit is useful as a generic object editor.
One attribute that you will not be able to set via ADSI Edit is the password (the unicodePwd attribute). It is stored in binary form and cannot be edited directly. If you want to set the password for a user through a GUI, you can do it with the AD Users and Computers snap-in.
For more on ldifde, see Recipe 4.25.
With dsadd, you can set numerous attributes when creating an object. The downside is that as of the publication of this book, you can create only these object types: computer, contact, group, ou, quota, and user.
The first step to create an object is to call GetObject on the parent container. Then call the Create method on that object and specify the objectClass and RDN for the new object. The sAMAccountName attribute is then set by using the Put method. Finally, SetInfo commits the change. If SetInfo is not called, the creation will not get committed to the domain controller.
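The GetObject / Create / Put / SetInfo sequence described above, written as an added PowerShell example (not code from the book) that reaches the same ADSI interfaces through the [ADSI] type accelerator. It assumes the rallencorp.com domain and cn=Users container from the recipe, and that the caller is already authenticated with rights to create objects there; after SetInfo it re-reads the object to show the auto-generated attributes and the disabled-by-default state the discussion mentions.

```powershell
# Added example, not from the book. Creates cn=jsmith in cn=Users using the
# same ADSI calls the text describes: bind to parent, Create, Put, SetInfo.
$parentPath = "LDAP://cn=Users,dc=rallencorp,dc=com"   # container from the recipe
$rdn        = "cn=jsmith"                              # RDN from the recipe
$sam        = "jsmith"                                 # mandatory attribute not set by AD

# Step 1: bind to the parent container (this is the GetObject step).
$parent = [ADSI]$parentPath

# Step 2: IADsContainer::Create takes the objectClass and the RDN.
$user = $parent.Create("user", $rdn)

# Step 3: IADs::Put stages sAMAccountName in the local property cache.
$user.Put("sAMAccountName", $sam)

# Step 4: IADs::SetInfo writes the cached object to the domain controller.
# Without this call nothing is committed to the directory.
$user.SetInfo()

# Verify by re-binding to the new object and reading it back.
$created = [ADSI]"LDAP://$rdn,cn=Users,dc=rallencorp,dc=com"

# Attributes the discussion says AD generates for you.
"objectGUID:     {0}" -f $created.Guid
"instanceType:   {0}" -f $created.Properties["instanceType"].Value
"objectCategory: {0}" -f $created.Properties["objectCategory"].Value

# The account is disabled by default: bit 0x2 (ACCOUNTDISABLE) is set in
# userAccountControl until an administrator sets a password and enables it.
$ACCOUNTDISABLE = 0x2
$uac = [int]$created.Properties["userAccountControl"].Value
if ($uac -band $ACCOUNTDISABLE) {
    "userAccountControl 0x{0:X}: account is disabled, as the recipe notes" -f $uac
} else {
    "userAccountControl 0x{0:X}: account is enabled" -f $uac
}
```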
See also: Recipe 4.25 for importing objects using LDIF; MSDN: IADsContainer::GetObject; MSDN: IADsContainer::Create; MSDN: IADs::Put; and MSDN: IADs::SetInfo.