2.7.2.1 Create a New Account - Client Application
In this use case, an administrator wants to create a new account in the directory to allow a user to access directory resources. The administrator launches the client application to create a new account. The client application establishes a connection to the Active Directory system.
Goal
Create a new account in the directory.
Context of Use
An administrator wants to create a new account in the directory.

Figure 14: Use case diagram for creating a new account
Actors
Client application
The client application is the primary actor. It is the entity that prepares the connection to the domain controller (DC), submits the request to create the new account, and relays the response to the administrator.
Windows Authentication Services
Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity. This is done so that access-control decisions can be made by the Active Directory system.
DC
The DC is the supporting actor that receives the creation request and creates the new account.
RID Master DC
The RID Master DC is a supporting actor. It is the domain controller that is the owner of the RID Master FSMO role for the domain.
Stakeholders
Administrator
The administrator initiates operations on accounts, such as creating an account, resetting or changing an account's password, querying for group members, creating a security group, modifying a group's member list, and deleting an account. For this use case, the administrator primarily wants to be informed that the account was created successfully, or to receive an error message if the operation failed.
Directory
The directory is the entity that contains the account being created.
Preconditions
The system-wide preconditions, as described in section 2.6, are satisfied. The Active Directory system completes initialization, as described in section 2.6.
The client application has connectivity to a directory server to which it can establish a connection, if it is not already connected, and send the request.
Main Success Scenario
1. Trigger: The administrator launches the client application. To create a new account, the administrator provides the account name for the new account along with credentials as input to the client application.
2. The client application establishes a connection to the DC. Windows Authentication Services uses the supplied credentials to authenticate the client application ([MS-AUTHSOD] section 2).
3. The client application sends a request to the DC to create a new account and specifies the account name for the new account.
4. The DC verifies that the credentials supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).
5. The DC validates the constraints on the new account name ([MS-SAMR] sections 3.1.1.6 and 3.1.1.8.4).
6. The DC creates an object in the directory that represents the new account with the account name that the client supplied. The directory object is additionally populated with attributes that are mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.2 and [MS-SAMR] sections 3.1.1.8 and 3.1.1.9).
7. The DC sends a response to the client application that the new account has been successfully created.
Postcondition
The new account is created and ready for use.
Extensions
If the credentials that are passed through the client application have insufficient access-control rights to create the account:
1-4. Same as Main Success Scenario.
5. The DC sends a response to the client application that the client application has supplied credentials with insufficient access-control rights to create the account.
If the account name that is supplied through the client application does not satisfy the account name constraints that are outlined in [MS-SAMR] section 3.1.1.6:
1-5. Same as Main Success Scenario.
6. The DC sends a response to the client application that the supplied account name does not meet the constraints.
If the account name that is supplied through the client application is not unique, as described in [MS-SAMR] section 3.1.1.8.4:
1-5. Same as Main Success Scenario.
6. The DC sends a response to the client application that the supplied account name is already in use by an existing account.
If the DC has used all of the relative identifiers (RIDs) that were allocated to it by the RID Master FSMO role owner:
1-5. Same as Main Success Scenario. Then, after step 5, the DC sends a RID allocation request to the RID Master DC according to the rules specified in [MS-DRSR] section 4.1.10.4.3 to obtain a new RID range.
6-7. Same as Main Success Scenario.
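The DC-side processing of steps 4 through 7, together with the four extensions above, as a constructed in-memory Python model. This is an added example, not code from [MS-ADOD] or from any Microsoft implementation: the ACL, the domain SID, the RID pool size, the default userAccountControl value and the exact sAMAccountName rule set are assumptions made for illustration ([MS-SAMR] section 3.1.1.6 remains the normative source for the name constraints). The point it makes concrete is the ordering: the access check runs before any name validation, so a caller without rights is refused at step 5 and never learns whether a name is valid or already taken, while constraint and uniqueness failures are reported at step 6, and RID-pool exhaustion is handled inside step 6 without changing the client-visible flow.

```python
# Added example (not from [MS-ADOD]): toy model of a DC creating an account.
# ACL, domain SID, pool size, name rules and default UAC are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed summary of the sAMAccountName constraints (see [MS-SAMR] 3.1.1.6):
# bounded length for user objects, a set of disallowed characters, and no
# name that ends in a dot or consists only of dots/spaces.
ILLEGAL_CHARS = frozenset('"/\\[]:;|=,+*?<>')
MAX_USER_NAME_LEN = 20


class CreateError(Exception):
    """Raised when the main scenario is left; `step` is the step at which the
    DC sends its error response (matches the Extensions numbering)."""

    def __init__(self, step: int, message: str) -> None:
        super().__init__(message)
        self.step = step
        self.message = message


def validate_account_name(name: str) -> None:
    """Step 5: constraint check on the supplied account name (extension 2)."""
    if not name or len(name) > MAX_USER_NAME_LEN:
        raise ValueError(f"name length must be 1..{MAX_USER_NAME_LEN}")
    bad = ILLEGAL_CHARS.intersection(name)
    if bad:
        raise ValueError("name contains disallowed characters: " + "".join(sorted(bad)))
    if name.endswith(".") or not name.strip(" ."):
        raise ValueError("name must not end in a dot or consist only of dots/spaces")


@dataclass
class RidMaster:
    """Stand-in for the RID Master FSMO role owner: hands out RID ranges."""
    next_rid: int = 1000      # assumed first RID of the first pool
    pool_size: int = 500      # assumed pool size

    def allocate(self) -> Tuple[int, int]:
        lo, hi = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = hi + 1
        return lo, hi


@dataclass
class DomainController:
    domain_sid: str
    rid_master: RidMaster
    acl: Dict[str, set]                                   # caller -> rights (constructed)
    directory: Dict[str, dict] = field(default_factory=dict)  # lower-cased name -> object
    rid_pool: Optional[Tuple[int, int]] = None
    rid_requests: int = 0                                 # times the RID Master was asked

    def _next_rid(self) -> int:
        # Extension 4: pool exhausted (or never allocated) -> request a new range.
        if self.rid_pool is None or self.rid_pool[0] > self.rid_pool[1]:
            self.rid_pool = self.rid_master.allocate()
            self.rid_requests += 1
        rid, hi = self.rid_pool
        self.rid_pool = (rid + 1, hi)
        return rid

    def create_account(self, caller: str, name: str) -> dict:
        """Steps 4-7 of the main scenario as seen on the DC; returns the object."""
        # Step 4: access check first (extension 1). Nothing about the name leaks.
        if "create-child" not in self.acl.get(caller, set()):
            raise CreateError(5, "insufficient access-control rights to create the account")
        # Step 5: name constraints (extension 2) ...
        try:
            validate_account_name(name)
        except ValueError as exc:
            raise CreateError(6, f"account name does not meet constraints: {exc}") from exc
        # ... and uniqueness (extension 3); sAMAccountName compares case-insensitively.
        if name.lower() in self.directory:
            raise CreateError(6, "account name is already in use by an existing account")
        # Step 6: create the object and populate the mandated attributes.
        rid = self._next_rid()
        obj = {
            "objectClass": "user",
            "sAMAccountName": name,
            "objectSid": f"{self.domain_sid}-{rid}",  # domain SID + freshly allocated RID
            "userAccountControl": 0x0202,             # assumed: NORMAL_ACCOUNT | ACCOUNTDISABLE
        }
        self.directory[name.lower()] = obj
        # Step 7: success response to the client application.
        return obj


if __name__ == "__main__":
    dc = DomainController("S-1-5-21-1-2-3", RidMaster(pool_size=2), {"admin": {"create-child"}})
    print(dc.create_account("admin", "alice")["objectSid"])
    for caller, name in [("intern", "bob"), ("admin", "bad/name"), ("admin", "ALICE")]:
        try:
            dc.create_account(caller, name)
        except CreateError as err:
            print(f"step {err.step}: {err.message}")
```

A RID pool of two is used in the stand-alone run so that the third successful creation visibly triggers a second allocation request to the RID Master; in a real domain the pool is much larger and the client never observes the difference, which is exactly what extension 4 says.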