
How to set userAccountControl attribute in AD user account

I'm creating an AD user account using Java. I could successfully create the user account and the account was created in the "AD Users and Computers" GUI, but I couldn't access the created AD user account.

The problem I encountered is that I cannot set the "userAccountControl" attribute to "512", which stands for NORMAL_ACCOUNT, or "66048" for NORMAL_ACCOUNT, ACCOUNT_NEVER_EXPIRES.

The following exception is displayed whenever I set the above values:

javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000524: UpdErr: DSID-031A122A, problem 6005 (ENTRY_EXISTS), data 0
]; remaining name 'cn=User Four,ou=DAT,DC=dat,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(Unknown Source)
at javax.naming.directory.InitialDirContext.createSubcontext(Unknown Source)
at NewUser.addUser(NewUser.java:94)
at MainClass.main(MainClass.java:7)

When I create a user account directly from the AD GUI, the account is successfully created with the "userAccountControl" attribute "512" or "66048". And I can access those accounts.

Can anyone tell me how to solve this problem?

Here's my addUser() method.

    public boolean addUser() throws NamingException {

        Attributes container = new BasicAttributes();
        Attribute objClasses = new BasicAttribute("objectClass");
        objClasses.add("top");
        objClasses.add("person");
        objClasses.add("organizationalPerson");
        objClasses.add("user");

        String cnValue = new StringBuffer(firstName).append(" ").append(lastName).toString();
        Attribute cn = new BasicAttribute("cn", cnValue);
        Attribute sAMAccountName = new BasicAttribute("sAMAccountName", userName);
        Attribute principalName = new BasicAttribute("userPrincipalName", userName
                + "@" + DOMAIN_NAME);
        Attribute givenName = new BasicAttribute("givenName", firstName);
        Attribute sn = new BasicAttribute("sn", lastName);
        Attribute uid = new BasicAttribute("uid", userName);
        Attribute userPassword = new BasicAttribute("userpassword", password);
        Attribute userAccountControl = new BasicAttribute("userAccountControl", "512");

        container.put(objClasses);
        container.put(sAMAccountName);
        container.put(principalName);
        container.put(cn);
        container.put(sn);
        container.put(givenName);
        container.put(uid);
        container.put(userPassword);
        container.put(userAccountControl);

        try {
            context.createSubcontext(getUserDN(cnValue, organisationUnit), container);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

Actually, the "userAccountControl" attribute cannot be set to 512 or 66048 because my above code creates the AD account with no password in the AD server. I used the command line AD account creation method:

    dsadd user "cn=User name,ou=org unit,ou=org unit,dc=domain,dc=domain" -upn "userName@dat.com" -email "userName@dat.com" -fn firstName -ln lastName -display "Display user name" -mustchpwd no -pwd password -disabled no
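An added example, not code from the original post: one way to stay in JNDI instead of shelling out to dsadd, given that 512 needs a password on the account. It assumes the entry was first added without userAccountControl (AD then creates it disabled, 546) and that `ctx` is an ldaps:// connection; the class name, method names and sample password are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

public class AdAccountEnable {
    // userAccountControl bit flags, using Microsoft's documented names.
    static final int ACCOUNTDISABLE = 0x0002;
    static final int PASSWD_NOTREQD = 0x0020;
    static final int NORMAL_ACCOUNT = 0x0200;
    static final int DONT_EXPIRE_PASSWORD = 0x10000;

    // Names the known flags set in a userAccountControl value.
    static List<String> decode(int uac) {
        List<String> names = new ArrayList<>();
        if ((uac & ACCOUNTDISABLE) != 0) names.add("ACCOUNTDISABLE");
        if ((uac & PASSWD_NOTREQD) != 0) names.add("PASSWD_NOTREQD");
        if ((uac & NORMAL_ACCOUNT) != 0) names.add("NORMAL_ACCOUNT");
        if ((uac & DONT_EXPIRE_PASSWORD) != 0) names.add("DONT_EXPIRE_PASSWORD");
        return names;
    }

    // AD stores the password in unicodePwd: the value in double quotes, UTF-16LE.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Second step after the add: set the password, then switch to NORMAL_ACCOUNT.
    // AD rejects unicodePwd writes on an unencrypted connection.
    static void setPasswordAndEnable(DirContext ctx, String dn, String password)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(password))),
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl", Integer.toString(NORMAL_ACCOUNT)))
        };
        ctx.modifyAttributes(dn, mods);
    }

    public static void main(String[] args) {
        // Offline check with constructed values: the question's two plus the default 546.
        for (int uac : new int[] {512, 66048, 546}) {
            System.out.println(uac + " = " + decode(uac));
        }
        System.out.println(encodeUnicodePwd("Example-Passw0rd!").length + " bytes");
    }
}
```

Running `main` needs no directory server; `setPasswordAndEnable` is the part to call with the DN passed to `createSubcontext`.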
