2.7.1.1 Create a Directory Object - Client Application
In this use case, an administrator wants to create a new directory object on an existing application naming context (NC) to store information that could be used by applications on the client. To achieve this, the administrator launches the client application to interact with the Active Directory system. The client application establishes a connection to the Active Directory system. The administrator creates the directory object by using the client application.
Goal
Create a directory object on an application NC to store application-related data.
Context of Use
An administrator wants to create a new directory object in an existing application NC.

Figure 7: Use case diagram for creating a directory object on an application NC
Actors
Client application
The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to create the object, and relays the response to the administrator.
Windows Authentication Services
Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity so that the Active Directory system can make access-control decisions.
Directory server
The directory server is the supporting actor that receives the creation request and creates the application directory object.
Stakeholders
Administrator
The administrator is the one who initiates operations such as create, search, modify, and delete on the application directory object. The administrator primarily wants to receive information that the operations are successfully completed or receive an error message if they failed.
Applications
Applications on the client are the entities that store information in the application directory for later retrieval and use in various operations.
Application NC
The application NC is the naming context of the directory that contains the application-specific directory objects.
Preconditions
The system-wide preconditions, as described in section 2.6, are satisfied. The Active Directory system completes initialization, as described in section 2.6.
The client application has access to a directory server to which it can establish a connection, if it is not already connected, and send the request.
There already exists an object class in the Active Directory system schema that corresponds to the directory object to be created under the application NC. For a detailed description of schema extensions, see section 2.7.3.
The Active Directory system hosts an application NC on which the client application is configured to store its application data.
Main Success Scenario
1. Trigger: To initiate this activity, the administrator provides the name of the directory object along with credentials as input to the client application. The administrator then invokes the operation that creates the application directory object.
2. The client application establishes a connection to the directory server. Windows Authentication Services authenticates the client application by using the supplied credentials ([MS-AUTHSOD] section 2).
3. The client application sends a request to the directory server to create a new application directory object and specifies details for the new object.
4. The directory server verifies that the credentials that are supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).
5. The directory server creates an object under the application NC with the name and other attributes that the client application supplies. The directory object is also populated with attributes that are mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.2).
6. The directory server sends a response to the client application that the new application directory object has been successfully created.
Postcondition
The new application directory object is created and ready for use.
Extensions
If the credentials that are passed through the client application have insufficient access-control rights to create the new application directory object:
1-4. Same as Main Success Scenario.
5. The directory server sends a response to the client application that indicates that the supplied credentials have insufficient access-control rights to create the new application directory object.
If the relative distinguished name (RDN) value (that is, the name of the directory object to be created) supplied by the administrator is not unique under the same parent container, as required by [MS-ADTS] section 3.1.1.5.2.2:
1-5. Same as Main Success Scenario.
6. The directory server sends a response to the client application that indicates that the provided object name already exists.
If the directory object creation request does not contain all the mandatory attributes, as required in [MS-ADTS] section 3.1.1.2.4.5:
1-5. Same as Main Success Scenario.
6. The directory server sends a response to the client application that indicates that the missing attribute is required in the request.
If the directory object to be created under the application NC by the client application is a security principal in AD DS:
1-5. Same as Main Success Scenario.
6. The directory server sends a response to the client application that indicates that a security principal can be created only in a domain NC.
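The processing sequence of the main scenario and its four extensions, as an added example that is not from the MS-ADOD specification or from Windows: a small in-memory mock of the directory server's Add handling that applies the checks in order and returns the RFC 4511 result code matching each outcome. The schema fragment, the hypothetical class contosoAppSetting, the NC names and the result code chosen for the security-principal case are assumptions made for this example.

```python
import uuid
from dataclasses import dataclass, field

# LDAP result codes (RFC 4511) that correspond to the use-case outcomes
SUCCESS, INSUFFICIENT_ACCESS_RIGHTS, UNWILLING_TO_PERFORM = 0, 50, 53
OBJECT_CLASS_VIOLATION, ENTRY_ALREADY_EXISTS = 65, 68

# Constructed schema fragment: mandatory attributes per object class
# ("contosoAppSetting" is hypothetical) and which classes are security principals.
SCHEMA_MUST = {"contosoAppSetting": {"cn", "objectClass", "contosoSettingValue"},
               "user": {"cn", "objectClass", "sAMAccountName"}}
SECURITY_PRINCIPALS = {"user", "group", "computer"}


@dataclass
class MockDirectoryServer:
    domain_nc: str                                    # e.g. "DC=contoso,DC=com"
    app_nc: str                                       # e.g. "DC=AppData,DC=contoso,DC=com"
    create_child: set = field(default_factory=set)    # (caller, parent DN) pairs granted
    entries: dict = field(default_factory=dict)       # lowercased DN -> attributes

    def hosting_nc(self, dn):
        """Return the NC that hosts dn: the longest NC DN that is a suffix of dn
        (an application NC is itself nested under the domain NC's DN)."""
        low = dn.lower()
        hits = [nc for nc in (self.domain_nc, self.app_nc)
                if low == nc.lower() or low.endswith("," + nc.lower())]
        return max(hits, key=len) if hits else None

    def add(self, caller, dn, attrs):
        """Process an Add request in the order the main success scenario gives."""
        rdn, _, parent = dn.partition(",")
        if (caller, parent) not in self.create_child:         # step 4: access check
            return INSUFFICIENT_ACCESS_RIGHTS
        if dn.lower() in self.entries:                         # RDN unique under parent
            return ENTRY_ALREADY_EXISTS
        cls = attrs.get("objectClass")
        if cls not in SCHEMA_MUST or SCHEMA_MUST[cls] - set(attrs):   # mandatory attributes
            return OBJECT_CLASS_VIOLATION
        if cls in SECURITY_PRINCIPALS and self.hosting_nc(dn) != self.domain_nc:
            return UNWILLING_TO_PERFORM   # assumed code; the exact AD error is not on the page
        # step 5: store the object and add the server-populated attributes
        self.entries[dn.lower()] = {**attrs, "distinguishedName": dn,
                                    "name": rdn.split("=", 1)[1],
                                    "objectGUID": str(uuid.uuid4())}
        return SUCCESS


if __name__ == "__main__":
    srv = MockDirectoryServer("DC=contoso,DC=com", "DC=AppData,DC=contoso,DC=com")
    srv.create_child.add(("admin", "CN=Settings,DC=AppData,DC=contoso,DC=com"))
    dn = "CN=Setting1,CN=Settings,DC=AppData,DC=contoso,DC=com"
    attrs = {"cn": "Setting1", "objectClass": "contosoAppSetting", "contosoSettingValue": "42"}
    print(srv.add("admin", dn, attrs), srv.add("admin", dn, attrs))   # 0 then 68
```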