Creating an inetOrgPerson User

You want to create an inetOrgPerson object, which is the standard LDAP object class to represent users.


Using a graphical user interface
  1. Open the ADUC snap-in.

  2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, browse to the parent container of the new user, right-click on it, and select New InetOrgPerson.

  4. Enter first name, last name, and user logon name fields as appropriate and click Next.

  5. Enter and confirm the password, set any of the password flags, and click Next.

  6. Click Finish.

Using a command-line interface

DSAdd does not support creating inetOrgPerson objects, so use ldifde instead. First, create an LDIF file called create_inetorgperson.ldf with the following contents. The objectClass line is required for the add record to succeed, and the trailing "-" closes the modify record:

	dn: <UserDN>
	changetype: add
	objectClass: inetOrgPerson
	sAMAccountName: <UserName>

	dn: <UserDN>
	changetype: modify
	add: userAccountControl
	userAccountControl: 512
	-

Be sure to replace <UserDN> with the distinguished name of the user you want to add and <UserName> with the user's username. Then run the following command:

	> ldifde -i -f create_inetorgperson.ldf

You can also use the AdMod utility to create an inetOrgPerson object, as follows:

	> admod -b "cn=inetOrgPerson,cn=Users,dc=rallencorp,dc=com" objectclass::inetOrgPerson sAMAccountName::InetOrg -add

Using VBScript

	' This code creates an inetOrgPerson object
	set objParent = GetObject("LDAP://<ParentDN>")
	set objUser = objParent.Create("inetorgperson", "cn=<UserName>")

	' Taken from ADS_USER_FLAG_ENUM
	const ADS_UF_NORMAL_ACCOUNT = 512

	objUser.Put "sAMAccountName", "<UserName>"
	objUser.Put "userPrincipalName", "<UserUPN>"
	objUser.Put "givenName", "<UserFirstName>"
	objUser.Put "sn", "<UserLastName>"
	objUser.Put "displayName", "<UserFirstName> <UserLastName>"
	objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
	' Commit the new object to the directory before setting a password or enabling it
	objUser.SetInfo

	' The account needs a password that satisfies domain policy before it can be enabled
	objUser.SetPassword "<Password>"
	objUser.AccountDisabled = FALSE
	objUser.SetInfo
	WScript.Echo "Created user: " & objUser.Name
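As an added example (not code from the cookbook, from Microsoft, or from the AdMod project), the script below generates the create_inetorgperson.ldf file that the ldifde step consumes, escaping the RDN and base64-encoding values as LDIF requires, and decodes the userAccountControl value so that the flags being committed can be reviewed before import. The flag constants are the documented ADS_USER_FLAG_ENUM values that the VBScript solution references; the parent DN, user name and UPN are constructed sample data, and the function names are this example's own. It only produces text and does not contact a directory.

```python
"""Build create_inetorgperson.ldf and decode userAccountControl (added example)."""
import base64

# Documented ADS_USER_FLAG_ENUM values (subset)
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
UAC_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when RFC 2849 requires encoding."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_inetorgperson_ldif(parent_dn, username, upn, given_name, surname,
                             uac=ADS_UF_NORMAL_ACCOUNT):
    """Return the two-record LDIF (add, then modify) used by the ldifde recipe."""
    user_dn = f"cn={escape_rdn_value(username)},{parent_dn}"
    add_record = [
        ldif_line("dn", user_dn),
        "changetype: add",
        "objectClass: inetOrgPerson",   # without this the add fails
        ldif_line("sAMAccountName", username),
        ldif_line("userPrincipalName", upn),
        ldif_line("givenName", given_name),
        ldif_line("sn", surname),
        ldif_line("displayName", f"{given_name} {surname}"),
    ]
    modify_record = [
        ldif_line("dn", user_dn),
        "changetype: modify",
        "add: userAccountControl",
        f"userAccountControl: {uac}",
        "-",                            # terminates the modify record
    ]
    return "\n".join(add_record) + "\n\n" + "\n".join(modify_record) + "\n"


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


def uac_findings(value):
    """Points a reviewer would want raised before importing the LDIF."""
    findings = []
    if not value & ADS_UF_NORMAL_ACCOUNT:
        findings.append("NORMAL_ACCOUNT not set")
    if value & ADS_UF_PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD set: account may have an empty password")
    if value & ADS_UF_DONT_EXPIRE_PASSWD:
        findings.append("DONT_EXPIRE_PASSWD set")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own parent container and user
    ldif = build_inetorgperson_ldif("cn=Users,dc=rallencorp,dc=com", "jsmith",
                                    "jsmith@rallencorp.com", "John", "Smith")
    with open("create_inetorgperson.ldf", "w", encoding="ascii") as fh:
        fh.write(ldif)
    print(ldif)
    print("flags:", decode_uac(512), "findings:", uac_findings(512))
```

Run it once to write the file, then import with the ldifde command from the recipe. uac_findings is worth running against any userAccountControl value other than 512 before the modify record is imported, since an inetOrgPerson authenticates exactly like a user object and inherits the same flag semantics.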


The inetOrgPerson object class was defined in RFC 2798. It is the closest thing in the LDAP world to a standard representation of a user, and most LDAP vendors support the inetOrgPerson class. Unfortunately, Microsoft did not support inetOrgPerson with the initial release of Active Directory. Even though they later provided an add-on to extend the schema to support it, the damage had been done: most Active Directory implementations were already using the user object class and were unlikely to convert, which required vendors to build in support for the user class.

You can download the InetOrgPerson Kit for Windows 2000 from the following web site: This requires that you extend the schema to support an additional object class and new attributes. It also creates a schema conflict with Windows Server 2003. See MS KB 314649 for more information.

In Windows Server 2003 Active Directory, inetOrgPerson is supported natively. You can create inetOrgPerson objects for your users, who can use them to authenticate just as they would accounts of the user object class. If you haven't deployed Active Directory yet and you plan on integrating a lot of third-party LDAP-based applications that rely on inetOrgPerson, you may want to consider using it over user. You won't be losing any information or functionality, because the inetOrgPerson class inherits directly from the user class. For this reason, the inetOrgPerson class has even more attributes than the Microsoft user class.

The one potential downside is that some of the Microsoft tools, such as the DS utilities, do not support modifying inetOrgPerson objects. (You can, however, use AdMod to perform these modifications.)

See Also

Recipe 6.2 for creating a user, MS KB 314649, and RFC 2798 (Definition of the InetOrgPerson LDAP Object Class)
