>2) do I put this code in an asp page, or com on the server?

It doesn't really matter, but security issues might be easier to handle if you put this logic in a out-of-process COM server (exe), and call the COM server from ASP. You can then configure your COM server to impersonate an account that has rights to add users. Otherwise, page users will receive an authentication dialog, which you probably son't want. Check out Rick Strahl's article on ASP and VFP COM servers at www.west-wind.com.