How do I set "user cannot change password" property when adding a user in Active Directory with Visual Basic .NET?

Posted on 2012-08-17
Last Modified: 2012-08-22
Hello folks. This is my code below and it works great, but I cannot figure out how to set the "user cannot change password" attribute for the new user. Anyone know how to do this? Thank you so much!

' Requires: Imports System.DirectoryServices
Public Function AddUser(ByVal FirstName As String, ByVal LastName As String, ByVal MI As String,
                        ByVal username As String, ByVal group As String,
                        ByVal ssid As String, ByVal social As String, ByVal grade As String,
                        ByVal room As String, ByVal team As String, ByVal school As String, ByVal password As String)

    Dim displayname As String = FirstName & " " & MI & " " & LastName
    Dim DE As DirectoryEntry = New DirectoryEntry("LDAP://,DC=domain,DC=net")
    Dim OU As DirectoryEntry = DE.Children.Find("OU=my users, OU=users")
    Dim NewUser As DirectoryEntry = OU.Children.Add("CN=" & username, "User")
    NewUser.Properties("sAMAccountName").Value = username
    If Not MI = Nothing Then
    End If
    ' The object must be written to the directory before SetPassword can be invoked.
    NewUser.CommitChanges()
    NewUser.Invoke("SetPassword", password)
    Dim grp As DirectoryEntry = OU.Children.Find("CN=my group")
    Dim grp2 As DirectoryEntry = OU.Children.Find("CN=my group2")
    If grp.Name <> "" Then
        grp.Invoke("Add", NewUser.Path.ToString())
        grp2.Invoke("Add", NewUser.Path.ToString())
    End If

    ' Set NORMAL_ACCOUNT (&H200) and DONT_EXPIRE_PASSWD (&H10000); clear ACCOUNTDISABLE (&H2).
    ' And Not clears the bit whatever its current state; Xor would toggle it.
    Dim userACFlags As Integer = CInt(NewUser.Properties("userAccountControl").Value)
    NewUser.Properties("userAccountControl").Value = (userACFlags Or &H200 Or &H10000) And Not &H2
    NewUser.CommitChanges()

    Console.WriteLine("Account Created Successfully")
End Function


Question by:linuxrox

    Accepted Solution


    Author Comment

    That's cool, CodeCruiser, and that's great for editing an account, but is it possible to set it upon addition of a user? I could run that code, I guess, after I successfully add an account to modify it, but I just thought there surely was a way to set this attribute when you create an account. Maybe I'm incorrect on that, though.

    Expert Comment

    I think it's not a standard property like others, so you may have to call that function after creating the user.

    Author Comment

    Ahh, I see. I've seen some .NET stuff that will do it, but it's not using something most have seen. I'll post it tomorrow and let you see, although I've not tried it yet. It's a different set of functions, I believe.

    Author Comment

    This is supposed to work, but on my domain I get a crazy error like:
     InnerException: System.DirectoryServices.DirectoryServicesCOMException
           ExtendedErrorMessage=0000208F: NameErr: DSID-031001D1, problem 2006 (BAD_NAME), data 8350, best match of:

    I call the function with this:
    AddUser("testers", "234200", "tester")


    Any idea on this?

    Private Sub AddUser(ByVal login As String, ByVal password As String, ByVal fullName As String)
        Dim dirEntry As DirectoryEntry
        dirEntry = New DirectoryEntry("LDAP://,DC=my,DC=domain,DC=net")
        Dim entries As DirectoryEntries = dirEntry.Children
        ' Set login name and full name.
        Dim newUser As DirectoryEntry = entries.Add(login, "User")
        newUser.Properties("Description").Add("Member of site")
        ' User must change password at next logon (1 - true, 0 - false)
        ' Password never expires.
        ' Set flags - User Cannot change password | Password never expires.
        newUser.Properties("Userflags").Add(&H40 Or &H10000)
        ' Set the password.
        Dim result As Object = newUser.Invoke("SetPassword", password)
        ' Add user to the group "Members"
        Dim grp As DirectoryEntry = dirEntry.Children.Find("People", "group")
        If (Not grp Is Nothing) Then
            grp.Invoke("Add", New Object() {newUser.Path.ToString()})
        End If
    End Sub


    Expert Comment

    The error code seems to mean

    LDAP_INVALID_DN_SYNTAX This error occurs when a distinguished name used for the creation of objects contains invalid characters.

    Author Comment

    Hmm, just can't understand where invalid characters are. Very strange.
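
An added example, not code from any poster in this thread: with the LDAP provider, the child name passed to `Children.Add` must be a relative distinguished name such as `CN=testers` (the second listing passes a bare name and uses `Userflags`, a WinNT-provider property), and "User cannot change password" is stored in Active Directory as a pair of deny ACEs on the user object rather than as a settable `userAccountControl` bit. The sketch below creates the user and then writes those ACEs; `ouPath`, the module name and `EscapeRdnValue` are assumptions made for illustration.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Text

Module CannotChangePasswordExample
    ' Schema GUID of the "Change Password" (User-Change-Password) control access right.
    Private ReadOnly ChangePasswordRight As New Guid("ab721a53-1e2f-11d0-9819-00aa0040529b")

    ' Escape characters that are special inside an RDN value (RFC 4514), plus "/"
    ' which is special in an ADsPath. Leading "#" and edge spaces are not handled.
    Private Function EscapeRdnValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            If ",+""\<>;=/".IndexOf(c) >= 0 Then sb.Append("\"c)
            sb.Append(c)
        Next
        Return sb.ToString()
    End Function

    ' ouPath is a placeholder supplied by the caller, e.g. "LDAP://OU=my users,DC=example,DC=net".
    Public Sub AddUserCannotChangePassword(ByVal ouPath As String, ByVal login As String,
                                           ByVal password As String)
        Using ou As New DirectoryEntry(ouPath)
            ' The LDAP provider wants the child name as an RDN: "CN=<name>", not a bare name.
            Using user As DirectoryEntry = ou.Children.Add("CN=" & EscapeRdnValue(login), "user")
                user.Properties("sAMAccountName").Value = login
                user.CommitChanges()   ' the object must exist before SetPassword or ACL edits
                user.Invoke("SetPassword", New Object() {password})

                ' Write only the DACL, not owner/group, when the security descriptor is saved.
                user.Options.SecurityMasks = SecurityMasks.Dacl
                Dim everyone As New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)
                Dim self As New SecurityIdentifier(WellKnownSidType.SelfSid, Nothing)
                ' "User cannot change password" is the pair of deny ACEs below; explicit
                ' denies are evaluated before the default allow ACEs for the same right.
                For Each sid As SecurityIdentifier In {everyone, self}
                    user.ObjectSecurity.AddAccessRule(New ActiveDirectoryAccessRule(
                        sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny,
                        ChangePasswordRight))
                Next
                user.CommitChanges()
            End Using
        End Using
    End Sub
End Module
```

The new account is still disabled after this runs; enabling it is the `userAccountControl` update shown in the question's first listing.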
