Active Directory user creation with python-ldap

Michael Ströder michael at
Fri Apr 29 08:51:18 EDT 2011

Nello wrote:
> I need to create an Active Directory user using python-ldap library. So, I
> authenticate with an admin account and I use "add_s" to create the user.

This is possible. Which version of AD are you working with.

> Anyway, by default users are disabled on creation,

That's the correct way of doing this.

> and I can not set
> userAccountControl to swith off the flag ACCOUNTDISABLE, i.e. setting
> userAccountControl with 512 (NORMAL_ACCOUNT) value. 

This should be possible. Make sure you really bind as the admin and you have
sufficient access rights.

Check your code. I'd suggest to set trace_level when calling ldap.initialize()
to observe what gets passed to python-ldap in which order.

> Same thing if - as someone suggests - I create the user without a
> password and try to set userAccountCreation later.

Passwords are different anyway since you have to set the unicodePwd attribute.
I never tried to do this with a single write operation though.

You can try my web2ldap which does all this also with MS AD. It has a special
plugin class for attribute userAccountControl which lets you set values
bit-wise when modifying an user entry. And setting password automagically
switches to setting unicodePwd when working with MS AD.

Ciao, Michael.

More information about the Python-list mailing list