Actually, don't set the useraccountcontrol at all before the first setinfo. When you do that it will automatically create the account disabled and as a normal user account.
I just looked at the Tuna example. It does have the useraccountcontrol being set to ads_uf_normal_account prior to the first setinfo which isn't correct. Here is the generic example of how it should look set objParent = GetObject("LDAP://<ParentDN>") set objUser = objParent.Create("user", "cn=<UserName>") objUser.Put "sAMAccountName", "<UserName>" objUser.Put "userPrincipalName", "<UserUPN>" objUser.Put "givenName", "<UserFirstName>" objUser.Put "sn", "<UserLastName>" objUser.Put "displayName", "<UserFirstName> <UserLastName>" objUser.SetInfo objUser.SetPassword "password1" objUser.AccountDisabled=FALSE objUser.SetInfo Obviously the version you posted will work fine as well. :op joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Thursday, October 16, 2003 7:38 PM To: [EMAIL PROTECTED] Joe, Yeah - turning off the password policy..... Hmmmmm. Yummy, chewy insides. We got it resolved, thank to Mr. Cornetet. Turns out that what I needed to do was: ' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Const ADS_UF_NORMAL_ACCOUNT = 512 Const ADS_UF_DISABLED_ACCOUNT = 514 set objParent = GetObject("LDAP://<ParentDN>) set objUser = objParent.Create("user", "cn=<UserName>") ' e.g rickk objUser.Put "sAMAccountName", "<UserName>" ' e.g rickk objUser.Put "userPrincipalName", "<UserUPN>" ' e.g [EMAIL PROTECTED] objUser.Put "givenName", "<UserFirstName>" ' e.g Rick objUser.Put "sn", "<UserLastName>" 'e.g Kingslan objUser.Put "displayName", "<UserFirstName> <UserLastName>" ' e.g Rick Kingslan objUser.Put "userAccountControl", ADS_UF_DISABLED_ACCOUNT objUser.SetInfo objUser.SetPassword("<Password>") objUser.AccountDisabled = FALSE objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT objUser.SetInfo ' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Basically, set the account to disabled before creating it so that the account would be disabled when the password was applied. Worked like a charm, so that's one piece of the automation tools resolved. It's a start to a long road - but we're finally getting some things realized. It's a good thing(TM). >Did it make it into Tuna to do the password set and useraccountcontrol >set prior to the first setinfo. Sadly, no - that was my first source, and there was nothing that helped, hence the message out to you guys. Thanks for the message, however! Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Thursday, October 16, 2003 6:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Creating programatically when password complexity is in force Rick you have two options... 1. Turn off your password requirements policy and allow blank passwords... :op 2. Don't touch useraccountcontrol (i.e. Enable the user) nor the password until after you create the user object. Did it make it into Tuna to do the password set and useraccountcontrol set prior to the first setinfo. That was something I pointed out. I haven't had a chance to read through the final. Don't be worried, this is a pretty common one. Your buddy joe :) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T. Sent: Thursday, October 16, 2003 8:06 AM To: [EMAIL PROTECTED] I've run into an interesting problem. If I create a user programatically, (using C#, but we've confirmed the same with VBScript) the password cannot be set until the user object exists. If I try it, we get the error: "Server is unwilling to process the request" when a SetInfo is done on the creation of the user object. All required fields for the user object are being entered, and checked per the 'Tuna' just to be sure. However, the user cannot exist with a blank password because the blank password violates the password complexity and the minimum length rules. And, as stated, the password cannot be set until the object exists. Would one of the scripting / programming geniuses that we have here tell me what I'm missing? I have to believe that there is a way to do this. Or, am I going to be relegated to using ADUC again to create my users (which is a major pain in the a$$, to say the least)? Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory LAN Administration - Windows 2000 West Corporation [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/