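using System;
using System.Text;
using System.DirectoryServices;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

namespace activeDirectoryLdapExamples
{
    /// <summary>
    /// Example of provisioning an Active Directory user over LDAP: the account is
    /// created under the configured OU, given an initial password and group
    /// membership, and a home folder is created whose ACL grants the new account
    /// full control and ownership.
    /// </summary>
    class Program
    {
        // Bound on how long createUser waits for a freshly created account to become
        // resolvable for ACL work. Constructed sample values; tune for the environment
        // (the original code spun without a limit, which hangs if the account never maps).
        private const int MaxAclAttempts = 30;
        private const int AclRetryDelayMs = 500;

        /// <summary>
        /// Builds a sample user, creates it via <see cref="createUser"/> and reports
        /// the outcome on the console. Blocks on ReadLine so the output stays visible.
        /// </summary>
        /// <param name="args">Unused.</param>
        static void Main(string[] args)
        {
            // define vars for user
            string domain = "leeds-art.ac.uk";
            string first = "Test";
            string last = "User";
            string description = ".NET Test";
            // NOTE(review): initial password, server names and share path are hard-coded
            // for the demonstration. A deployable tool should take the initial password
            // from a secure source (prompt or secret store) rather than from source code.
            object[] password = { "12345678" };
            string[] groups = { "Staff" };
            // identifiers are compared ordinally by AD, so use the invariant lower-casing
            // rather than the current culture (avoids the Turkish-I problem)
            string username = first.ToLowerInvariant() + last.Substring(0, 1).ToLowerInvariant();
            string homeDrive = "H:";
            string homeDir = @"\\gonzo.leeds-art.ac.uk\data3\USERS\" + username;

            try
            {
                // DirectoryEntry is a Component: dispose it to release the underlying ADSI object
                using (DirectoryEntry myLdapConnection = createDirectoryEntry())
                {
                    int result = createUser(myLdapConnection, domain, first, last, description,
                                            password, groups, username, homeDrive, homeDir, true);
                    Console.WriteLine(result == 0 ? "Account created!" : "Problem creating account :(");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("Exception caught:\n\n" + e.ToString());
            }

            Console.ReadLine();
        }

        /// <summary>
        /// Creates the user object in the directory, sets its password, optionally
        /// enables it, adds it to <paramref name="groups"/>, then creates its home
        /// folder and grants it full control and ownership of that folder.
        /// </summary>
        /// <param name="myLdapConnection">Bound entry for the OU that will contain the new user.</param>
        /// <param name="domain">DNS domain used for the UPN, the mail address and the NTAccount name.</param>
        /// <param name="first">Forename; also used to build the CN and display name.</param>
        /// <param name="last">Surname; also used to build the CN and display name.</param>
        /// <param name="description">Value written to the description attribute.</param>
        /// <param name="password">Single-element argument array for IADsUser::SetPassword.</param>
        /// <param name="groups">CN names of groups, looked up under the parent of <paramref name="myLdapConnection"/>.</param>
        /// <param name="username">sAMAccountName and UPN prefix.</param>
        /// <param name="homeDrive">Drive letter written to homeDrive.</param>
        /// <param name="homeDir">UNC path written to homeDirectory and created on disk.</param>
        /// <param name="enabled">When true the account is marked ADS_UF_NORMAL_ACCOUNT (enabled).</param>
        /// <returns>0 on success; 1 if the home-folder ACL could not be applied.</returns>
        /// <exception cref="Exception">
        /// Directory failures before the folder step (including a group in
        /// <paramref name="groups"/> that does not exist — Children.Find throws rather
        /// than returning null) propagate to the caller; the user object may already exist by then.
        /// </exception>
        static int createUser(DirectoryEntry myLdapConnection, string domain, string first, string last,
                              string description, object[] password, string[] groups, string username,
                              string homeDrive, string homeDir, bool enabled)
        {
            // create new user object and write into AD
            using (DirectoryEntry user = myLdapConnection.Children.Add("CN=" + first + " " + last, "user"))
            {
                user.Properties["userprincipalname"].Add(username + "@" + domain); // User name (domain based)
                user.Properties["samaccountname"].Add(username);                  // User name (older systems)
                user.Properties["sn"].Add(last);                                  // Surname
                user.Properties["givenname"].Add(first);                          // Forename
                user.Properties["displayname"].Add(first + " " + last);           // Display name
                user.Properties["description"].Add(description);                  // Description
                user.Properties["mail"].Add(first + "." + last + "@" + domain);   // E-mail
                user.Properties["homedirectory"].Add(homeDir);                    // Home dir (path)
                user.Properties["homedrive"].Add(homeDrive);                      // Home dir (drive letter)
                user.CommitChanges();

                // the object must exist in the directory before a password can be set
                user.Invoke("SetPassword", password);

                // enable account if requested: ADS_UF_NORMAL_ACCOUNT (0x200 == 512) with no
                // ADS_UF_ACCOUNTDISABLE bit; the value is written by the CommitChanges below
                if (enabled)
                {
                    user.Properties["userAccountControl"].Value = 0x200;
                }

                // add user to specified groups
                foreach (string thisGroup in groups)
                {
                    // Parent hands back a new DirectoryEntry on every access, so dispose it too.
                    // Find throws when the group is absent, so no null check is needed here.
                    using (DirectoryEntry parent = myLdapConnection.Parent)
                    using (DirectoryEntry newGroup = parent.Children.Find("CN=" + thisGroup, "group"))
                    {
                        newGroup.Invoke("Add", new object[] { user.Path.ToString() });
                    }
                }

                user.CommitChanges();
            }

            // make home folder on server
            Directory.CreateDirectory(homeDir);

            // The brand new account is not resolvable for ACL work straight away: for a
            // second or so the NTAccount cannot be translated and SetOwner/SetAccessControl
            // throw IdentityNotMappedException. Retry with a short delay, but give up after
            // MaxAclAttempts instead of spinning forever.
            IdentityReference newUser = new NTAccount(domain + @"\" + username);
            for (int attempt = 1; attempt <= MaxAclAttempts; attempt++)
            {
                try
                {
                    // get current ACL
                    DirectoryInfo dInfo = new DirectoryInfo(homeDir);
                    DirectorySecurity dSecurity = dInfo.GetAccessControl();

                    // Add full control for the user and set owner to them.
                    // NOTE(review): assigning ownership to another principal generally needs
                    // restore privilege on the file server — confirm the account running this tool has it.
                    dSecurity.SetOwner(newUser);
                    // inherit to subfolders and files so the user also controls what they create
                    FileSystemAccessRule permissions = new FileSystemAccessRule(
                        newUser,
                        FileSystemRights.FullControl,
                        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                        PropagationFlags.None,
                        AccessControlType.Allow);
                    dSecurity.AddAccessRule(permissions);

                    // Set the new access settings.
                    dInfo.SetAccessControl(dSecurity);
                    return 0;
                }
                catch (IdentityNotMappedException)
                {
                    // account not visible yet; wait and try again
                    Console.Write(".");
                    Thread.Sleep(AclRetryDelayMs);
                }
                catch (Exception ex)
                {
                    // other exception caught so not problem with user delay as
                    // commented above
                    Console.WriteLine("Exception caught:" + ex.ToString());
                    return 1;
                }
            }

            Console.WriteLine("Gave up waiting for " + username + " to become resolvable for ACLs");
            return 1;
        }

        /// <summary>
        /// Creates (without binding yet) the DirectoryEntry for the OU that new users go into.
        /// </summary>
        /// <returns>
        /// An entry whose Path is the staffusers OU and whose AuthenticationType is
        /// <see cref="AuthenticationTypes.Secure"/> (Windows authentication with the
        /// caller's credentials; no password is passed in the bind). The caller owns
        /// and must dispose it.
        /// </returns>
        static DirectoryEntry createDirectoryEntry()
        {
            // the constructor argument is overwritten by the Path assignment below; only
            // Path and AuthenticationType determine the bind
            DirectoryEntry ldapConnection = new DirectoryEntry("rizzo.leeds-art.ac.uk");
            ldapConnection.Path = "LDAP://OU=staffusers,DC=leeds-art,DC=ac,DC=uk";
            // NOTE(review): Secure authenticates the bind; adding Sealing | Signing would also
            // encrypt and integrity-protect the LDAP traffic if the domain controllers allow it
            ldapConnection.AuthenticationType = AuthenticationTypes.Secure;
            return ldapConnection;
        }
    }
}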