
ActiveDirectoryMembershipProvider.CreateUser Method

Definition

Adds a new user to the Active Directory data store.

public:
 override System::Web::Security::MembershipUser ^ CreateUser(System::String ^ username, System::String ^ password, System::String ^ email, System::String ^ passwordQuestion, System::String ^ passwordAnswer, bool isApproved, System::Object ^ providerUserKey, [Runtime::InteropServices::Out] System::Web::Security::MembershipCreateStatus % status);
public override System.Web.Security.MembershipUser CreateUser (string username, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out System.Web.Security.MembershipCreateStatus status);
override this.CreateUser : string * string * string * string * string * bool * obj * MembershipCreateStatus -> System.Web.Security.MembershipUser
Public Overrides Function CreateUser (username As String, password As String, email As String, passwordQuestion As String, passwordAnswer As String, isApproved As Boolean, providerUserKey As Object, ByRef status As MembershipCreateStatus) As MembershipUser

Parameters

username
String

The user name for the new user.

password
String

The password for the new user.

email
String

The email address of the new user.

passwordQuestion
String

The password question for the new user.

passwordAnswer
String

The password answer for the new user.

isApproved
Boolean

Whether or not the new user is approved to be validated.

providerUserKey
Object

The unique identifier from the membership data source for the user. This parameter must be null when using the ActiveDirectoryMembershipProvider class.

status
MembershipCreateStatus

When this method returns, contains one of the MembershipCreateStatus enumeration values indicating whether the user was created successfully.

Returns

An ActiveDirectoryMembershipUser instance containing the information for the newly created user, or null if the user was not successfully created.
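The following is an added example, not code from the reference page or from the provider itself. It shows how a caller consumes the status parameter and the null return value: it obtains the configured ActiveDirectoryMembershipProvider, passes null for providerUserKey (anything else throws) and for the password question and answer (this example assumes the question-and-answer attributes are not mapped), then handles every MembershipCreateStatus member. The class and member names are the example's own.

```csharp
using System;
using System.Web.Security;

// Added example; assumes an ASP.NET application whose default membership
// provider is an ActiveDirectoryMembershipProvider configured in web.config.
public static class AdUserCreation
{
    public sealed class CreateResult
    {
        public bool Succeeded { get; set; }
        public MembershipCreateStatus Status { get; set; }
        // Detailed text for the application log (never includes the password).
        public string LogMessage { get; set; }
        // Text safe to show the caller; does not reveal whether a user name or
        // email address already exists in the directory.
        public string UserMessage { get; set; }
        public MembershipUser User { get; set; }
    }

    public static CreateResult Create(string username, string password, string email, bool isApproved)
    {
        var provider = Membership.Provider as ActiveDirectoryMembershipProvider;
        if (provider == null)
            throw new InvalidOperationException(
                "The default membership provider is not an ActiveDirectoryMembershipProvider.");

        MembershipCreateStatus status;
        // providerUserKey must be null for this provider; it throws otherwise.
        // passwordQuestion/passwordAnswer are null because this example assumes
        // the question-and-answer attributes are not mapped in the directory;
        // passing non-null values without a mapping also throws.
        MembershipUser user = provider.CreateUser(
            username, password, email,
            passwordQuestion: null, passwordAnswer: null,
            isApproved: isApproved, providerUserKey: null, status: out status);

        return new CreateResult
        {
            // The method returns null whenever status is not Success.
            Succeeded = user != null && status == MembershipCreateStatus.Success,
            Status = status,
            User = user,
            LogMessage = "CreateUser(" + username + "): " + status,
            UserMessage = UserFacingMessage(status)
        };
    }

    // One branch per enumeration member so that a status added later is never
    // silently treated as success.
    public static string UserFacingMessage(MembershipCreateStatus status)
    {
        switch (status)
        {
            case MembershipCreateStatus.Success:
                return "Account created.";
            case MembershipCreateStatus.InvalidUserName:
                return "The user name is empty, too long or not acceptable.";
            case MembershipCreateStatus.InvalidPassword:
                return "The password does not meet the length or complexity requirements.";
            case MembershipCreateStatus.InvalidEmail:
                return "The email address is too long or not acceptable.";
            case MembershipCreateStatus.InvalidQuestion:
            case MembershipCreateStatus.InvalidAnswer:
                return "The password question or answer is not acceptable.";
            // Collapsed on purpose: a distinct "already exists" message lets an
            // anonymous caller enumerate valid accounts and addresses. The exact
            // status is still available in Status / LogMessage for operators.
            case MembershipCreateStatus.DuplicateUserName:
            case MembershipCreateStatus.DuplicateEmail:
            case MembershipCreateStatus.UserRejected:
            case MembershipCreateStatus.ProviderError:
                return "The account could not be created. Contact the help desk if the problem persists.";
            // Not produced by this provider because providerUserKey must be null,
            // but handled so the switch stays exhaustive.
            case MembershipCreateStatus.InvalidProviderUserKey:
            case MembershipCreateStatus.DuplicateProviderUserKey:
                return "Internal configuration error.";
            default:
                return "Unknown result.";
        }
    }
}
```

Check Succeeded rather than only the status: the provider reports Success and returns the ActiveDirectoryMembershipUser together, and a null return with any other status means nothing was left in the directory.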

Exceptions

The providerUserKey parameter is not null.

The administrator has not mapped the password question-and-answer fields to attributes of the Active Directory schema, and either the passwordQuestion or passwordAnswer parameter is not null.

The machineKey configuration element indicates an auto-generated decryption key. You must explicitly set the decryptionKey attribute of the machineKey element to store password answers with the ActiveDirectoryMembershipProvider, because password answers are encrypted with that key before they are written to the directory and an auto-generated key is specific to one machine, so answers could not be decrypted by other servers in a farm or after the key is regenerated.

-or-

The ActiveDirectoryMembershipProvider was unable to establish a secure connection to the directory when attempting to set the password for the new user.

An error occurred while attempting to create the user.

Remarks

The CreateUser method is called by the Membership class to create a new user in the Active Directory data store.

For both Active Directory and Active Directory Application Mode (ADAM) servers, the ActiveDirectoryMembershipProvider class requires that the object class of user entries in the directory be user. Alternative user classes such as inetOrgPerson are not supported.

When using an Active Directory server and the user name is mapped to the userPrincipalName attribute, the ActiveDirectoryMembershipProvider class automatically generates a random 20-character value for the sAMAccountName attribute on your behalf. That generated value is the account's pre-Windows 2000 logon name, so accounts created this way are recognizable only by their userPrincipalName in tools that display sAMAccountName.

Parameters default to the following maximum lengths.

Parameter Maximum length
username 64 characters if using the userPrincipalName attribute. If using the sAMAccountName attribute, the common restriction is 20 characters or less.
password 128 characters.
email 256 characters.
passwordQuestion 256 characters.
passwordAnswer 128 characters before and after encrypting.

The Comment property on the returned ActiveDirectoryMembershipUser instance is limited to 1024 characters.

If the directory schema has been modified by reducing the maximum allowable lengths for these attributes, these lengths will take precedence.

Before creating the user, the ActiveDirectoryMembershipProvider class will make sure the user name is unique. If the ActiveDirectoryMembershipProvider instance is configured to require unique email addresses, it will also make sure the email address is unique.

In Active Directory, user-name uniqueness is enforced by performing a global catalog (GC) search when the user name is mapped to userPrincipalName, because a userPrincipalName must be unique across the whole forest rather than within one domain. If sAMAccountName is used, the directory itself enforces uniqueness of the sAMAccountName across the Active Directory domain.

An ADAM server will automatically enforce user name uniqueness of the userPrincipalName across all application partitions.

Uniqueness of the email address is enforced by performing a subtree search for a duplicate email address starting at the root of the container in which users are created. This is either the default user container (if connected to an Active Directory and no container was specified in the connection string) or the container specified in the connection string. Because the search is scoped to that subtree, a user object elsewhere in the domain that carries the same email address is not detected.

The ActiveDirectoryMembershipProvider class creates the user directly in the user container specified in the connection string. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.

For passwords to be set on an Active Directory server, the connectionProtection attribute must be set to Secure. The attribute accepts only None and Secure; with Secure the provider uses SSL when the server supports it and otherwise signs and seals the connection. Active Directory does not allow a password to be set over an unprotected LDAP connection.

When an ADAM server is being used, the connectionProtection attribute can be set to None, but only if you explicitly configure the ADAM server to allow password changes over unsecured connections. The new password then crosses the network in clear text, which is acceptable only in an isolated test environment.
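The following web.config fragment is an added example, not configuration taken from the reference page or shipped with the provider. It shows the two settings the exceptions and remarks above depend on: an explicit machineKey decryptionKey (required to store password answers) and connectionProtection="Secure" (required to set passwords on an Active Directory server). The provider name, the connection string, the key placeholders and the attribute mappings are assumptions; the commented-out lines show the weak counterpart of each setting.

```xml
<!-- Added example; names, the connection string and key values are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- The user is created directly in the container named here. -->
    <add name="AdConnection"
         connectionString="LDAP://dc1.example.com/OU=WebUsers,DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <!-- Weak: decryptionKey="AutoGenerate,IsolateApps" is per machine, so
         CreateUser throws when asked to store a password answer, and the
         answer could not be decrypted by another server in a farm.
         Replace the placeholders with keys you generate yourself. -->
    <machineKey validation="HMACSHA256"
                validationKey="REPLACE_WITH_128_HEX_CHARACTERS"
                decryption="AES"
                decryptionKey="REPLACE_WITH_64_HEX_CHARACTERS" />
    <membership defaultProvider="AdMembership">
      <providers>
        <clear />
        <!-- Weak: connectionProtection="None" sends credentials and the new
             password in clear text; Active Directory refuses to set the
             password over such a connection. Secure uses SSL if available,
             otherwise signing and sealing. With no connectionUsername and
             connectionPassword the provider runs as the process identity, so
             the application pool account needs the rights listed under
             Important below rather than a password stored in this file. -->
        <add name="AdMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AdConnection"
             connectionProtection="Secure"
             attributeMapUsername="userPrincipalName"
             enableSearchMethods="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With attributeMapUsername="userPrincipalName" the provider generates the sAMAccountName itself and enforces user-name uniqueness with a global catalog search, as described above; switch it to sAMAccountName only if you accept the 20-character limit on user names.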

Leading and trailing spaces are trimmed from all string parameter values except password.
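The following is an added example, not code from the reference page or from the provider. It mirrors the default maximum lengths listed in the table above together with the trimming rule, so that a request can be rejected before a directory round trip, and it makes the asymmetry visible: every string parameter except password is trimmed, so " alice " is created as "alice" while a password keeps its surrounding spaces. The class and member names are the example's own; the limits are the documented defaults, and a schema whose attribute lengths have been reduced takes precedence over them.

```csharp
using System;
using System.Collections.Generic;

// Added example; the request type and the validator are not part of the provider.
public sealed class NewUserRequest
{
    public string Username { get; set; }
    public string Password { get; set; }
    public string Email { get; set; }
    public string PasswordQuestion { get; set; }
    public string PasswordAnswer { get; set; }
}

public static class CreateUserInputCheck
{
    // Documented defaults; a tightened directory schema overrides them.
    public const int MaxUpnLength = 64;            // user name mapped to userPrincipalName
    public const int MaxSamAccountNameLength = 20;  // user name mapped to sAMAccountName
    public const int MaxPasswordLength = 128;
    public const int MaxEmailLength = 256;
    public const int MaxQuestionLength = 256;
    public const int MaxAnswerLength = 128;         // before and after encryption

    // Applies the provider's rule: every string parameter except password loses
    // its leading and trailing spaces. The password is passed through untouched.
    public static NewUserRequest Normalize(NewUserRequest r)
    {
        return new NewUserRequest
        {
            Username = r.Username == null ? null : r.Username.Trim(),
            Password = r.Password,
            Email = r.Email == null ? null : r.Email.Trim(),
            PasswordQuestion = r.PasswordQuestion == null ? null : r.PasswordQuestion.Trim(),
            PasswordAnswer = r.PasswordAnswer == null ? null : r.PasswordAnswer.Trim()
        };
    }

    // Returns one message per violated limit; an empty list means the input fits
    // the documented defaults. Call Normalize first so that padding on the
    // trimmed parameters does not count against the limits.
    public static IList<string> Validate(NewUserRequest r, bool usernameMappedToUpn)
    {
        var problems = new List<string>();
        int maxUser = usernameMappedToUpn ? MaxUpnLength : MaxSamAccountNameLength;

        if (string.IsNullOrEmpty(r.Username))
            problems.Add("username is required");
        else if (r.Username.Length > maxUser)
            problems.Add("username exceeds " + maxUser + " characters");

        if (string.IsNullOrEmpty(r.Password))
            problems.Add("password is required");
        else if (r.Password.Length > MaxPasswordLength)
            problems.Add("password exceeds " + MaxPasswordLength + " characters");

        if (r.Email != null && r.Email.Length > MaxEmailLength)
            problems.Add("email exceeds " + MaxEmailLength + " characters");

        if (r.PasswordQuestion != null && r.PasswordQuestion.Length > MaxQuestionLength)
            problems.Add("passwordQuestion exceeds " + MaxQuestionLength + " characters");

        if (r.PasswordAnswer != null && r.PasswordAnswer.Length > MaxAnswerLength)
            problems.Add("passwordAnswer exceeds " + MaxAnswerLength + " characters");

        return problems;
    }
}
```

Length checks here are a usability measure, not a substitute for the provider's own validation: the provider still returns InvalidUserName, InvalidPassword or InvalidEmail for input that passes this filter but fails its stricter rules (the configured password strength, for instance).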

Important

You cannot create new users unless the credentials used to connect to the Active Directory server have either Domain Administrator rights (not recommended) or the "create child object," "delete child object," and "reset password" access rights on the container in which users are created. The "delete child object" access right is required because creating a user is a multi-step process, and if any step of user creation fails, the ActiveDirectoryMembershipProvider class deletes the user object rather than leave a partially constructed user object in the directory. Delegate these rights to the provider's connection account on the target container only, so that a compromise of the web application cannot be used to create or delete accounts elsewhere in the domain.
