0

I've seen this question and tried with both "userPrincipalName" and "userFlags" and I'm receiving "The specified directory service attribute or value does not exist" in both cases.

I am able to set the attribute with the following in Powershell

Get-ADUser -Filter 'cn -like "*username*"' -Server <serveraddrress> -SearchBase "<searchbase>" | Set-ADUser -PasswordNeverExpires:$True

My C# code is as follows, it works fine if I remove the line setting userAccountControl, but it creates the user with Password Never Expires = FALSE

using (var dirEntry = entry.Children.Add("CN=" + username, "user"))
{
    dirEntry.Properties["userPrincipalName"].Value = string.Format("{0}@principal", username);
    dirEntry.CommitChanges();
    dirEntry.Options.PasswordPort = port;
    dirEntry.Options.PasswordEncoding = PasswordEncodingMethod.PasswordEncodingClear;
    dirEntry.Invoke("SetPassword", password);

    if (!string.IsNullOrEmpty(email))
         dirEntry.Properties["mail"].Value = email;
    dirEntry.Properties["msDS-UserAccountDisabled"].Value = "FALSE";

    //this doesn't work with both "userAccountControl" and "userFlags"
    dirEntry.Properties["userAccountControl"].Value = (int)(dirEntry.Properties["userAccountControl"].Value ?? 0) | 0x10000;

    dirEntry.CommitChanges();
}
axk
  • 5,316
  • 12
  • 58
  • 96

1 Answers1

1

Are you using Active Directory Application Mode (ADAM)? This line makes me think you are:

dirEntry.Properties["msDS-UserAccountDisabled"].Value = "FALSE";

That attribute doesn't exist in normal Active Directory. So if that's working for you, then you are using ADAM.

If you are using ADAM, then use the msDS-UserDontExpirePassword attribute to make the password not expire:

dirEntry.Properties["msDS-UserDontExpirePassword"].Value = true;

If you are not using ADAM, then the "msDS-UserAccountDisabled doesn't exist and you shouldn't be using that. Instead, use userAccountControl to set both.

Since you just created the account, you don't need to worry about what the value already was, you can just set it to a specific value. Assuming you want it enabled with the "don't expire password" flag, then you can use this:

//NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
dirEntry.Properties["userAccountControl"].Value = 0x0200 | 0x10000;

You can leave each value separated like that, or just use the resulting decimal value of 66048.

Gabriel Luci
  • 38,328
  • 4
  • 55
  • 84
  • thanks! Will try it soon. Need to do some reading on AD in general... dirEntry.Properties["userAccountControl"] was null, thus the check, but it didn't help as it turned out. – axk May 28 '20 at 15:18
  • Yeah, you're probably running an ADAM instance. In normal AD, `userAccountControl` is never null. – Gabriel Luci May 28 '20 at 15:33