Joe,
Yeah - turning off the password policy..... Hmmmmm. Yummy, chewy insides.
We got it resolved, thank to Mr. Cornetet. Turns out that what I needed to
do was:
' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_DISABLED_ACCOUNT = 514
set objParent = GetObject("LDAP://<ParentDN>) set objUser =
objParent.Create("user", "cn=<UserName>") ' e.g rickk
objUser.Put "sAMAccountName", "<UserName>" ' e.g rickk
objUser.Put "userPrincipalName", "<UserUPN>" ' e.g
[EMAIL PROTECTED]
objUser.Put "givenName", "<UserFirstName>" ' e.g Rick
objUser.Put "sn", "<UserLastName>" 'e.g Kingslan
objUser.Put "displayName", "<UserFirstName> <UserLastName>" ' e.g Rick
Kingslan
objUser.Put "userAccountControl", ADS_UF_DISABLED_ACCOUNT
objUser.SetInfo
objUser.SetPassword("<Password>")
objUser.AccountDisabled = FALSE
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo
' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Basically, set the account to disabled before creating it so that the
account would be disabled when the password was applied. Worked like a
charm, so that's one piece of the automation tools resolved. It's a start
to a long road - but we're finally getting some things realized.
It's a good thing(TM).
>Did it make it into Tuna to do the password set and useraccountcontrol set
prior to the first setinfo.
Sadly, no - that was my first source, and there was nothing that helped,
hence the message out to you guys.
Thanks for the message, however!
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, October 16, 2003 6:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Creating programatically when password complexity
is in force
Rick you have two options...
1. Turn off your password requirements policy and allow blank passwords...
:op
2. Don't touch useraccountcontrol (i.e. Enable the user) nor the password
until after you create the user object.
Did it make it into Tuna to do the password set and useraccountcontrol set
prior to the first setinfo. That was something I pointed out. I haven't had
a chance to read through the final.
Don't be worried, this is a pretty common one.
Your buddy joe :)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Thursday, October 16, 2003 8:06 AM
To: [EMAIL PROTECTED]
I've run into an interesting problem. If I create a user programatically,
(using C#, but we've confirmed the same with VBScript) the password cannot
be set until the user object exists. If I try it, we get the error:
"Server is unwilling to process the request"
when a SetInfo is done on the creation of the user object. All required
fields for the user object are being entered, and checked per the 'Tuna'
just to be sure.
However, the user cannot exist with a blank password because the blank
password violates the password complexity and the minimum length rules.
And, as stated, the password cannot be set until the object exists.
Would one of the scripting / programming geniuses that we have here tell me
what I'm missing? I have to believe that there is a way to do this.
Or, am I going to be relegated to using ADUC again to create my users (which
is a major pain in the a$$, to say the least)?
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
