LDAP and AD - Error adding user to group with C#

3

I am trying to add a user to the group, but I am returned the following error:

Message: The server is unwilling to process the request.
ErrorCode: -2147016651
ExtendedError: 1359
ExtendedErrorMessage: 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
HResult: -2147016651

I get this with the following code:

    public void UpdateUserGroup(ADEntry selectedEntry, ADEntry groupEntry, bool addUser)
    {
        DirectoryEntry selectedDirEntry = selectedEntry.ToDirectoryEntry(this.Connector.Credential);
        DirectoryEntry groupDirEntry = groupEntry.ToDirectoryEntry(this.Connector.Credential);

        if ((selectedDirEntry.SchemaClassName.Equals("user")) && (groupDirEntry.SchemaClassName.Equals("group")))
        {
            if (addUser)
            {
                groupDirEntry.Properties["member"].Add(selectedDirEntry.Path);
            }
            else
            {
                groupDirEntry.Properties["member"].Remove(selectedDirEntry.Path);
            }

            groupDirEntry.CommitChanges();
            groupDirEntry.RefreshCache();
        }
    }

The user I am using is Domain Admin. Does anyone have a suggested solution?

Thanks.

  • Which version of the Framework are you using?

  • I’m using version 4.5

  • Are you just changing the groups or do you have any other changes being made? Specifically, password change?

2 answers

2

If you are on 3.5+ you should start using the System.DirectoryServices.AccountManagement classes. Everything is much simpler. You have to initialize a PrincipalContext and then rely on it to do the operations. I went through the same thing as you, and the new namespace made it very easy for me.

I don’t have my source here, but I think this should solve the problem. If not, let me know:

    using System;
    using System.DirectoryServices;
    using System.DirectoryServices.AccountManagement;

    public void AddUserToGroup(string userId, string groupName)
    {
        try
        {
            // Bind to the domain with the identity of the current process
            using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "COMPANY"))
            using (GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupName))
            {
                // FindByIdentity returns null when the group does not exist
                if (group == null)
                {
                    throw new InvalidOperationException("Group not found: " + groupName);
                }

                // userId is the user's UPN, e.g. jdoe@company.local
                group.Members.Add(pc, IdentityType.UserPrincipalName, userId);
                group.Save();
            }
        }
        catch (DirectoryServicesCOMException e)
        {
            // doSomething with e.Message
        }
    }

    public void RemoveUserFromGroup(string userId, string groupName)
    {
        try
        {
            using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "COMPANY"))
            using (GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupName))
            {
                if (group == null)
                {
                    throw new InvalidOperationException("Group not found: " + groupName);
                }

                group.Members.Remove(pc, IdentityType.UserPrincipalName, userId);
                group.Save();
            }
        }
        catch (DirectoryServicesCOMException e)
        {
            // doSomething with e.Message
        }
    }

  • Hi Luiz, before coming to the forums I did a test using the DirectoryServices methods, but it failed right when searching for the group, and worse, with the message "Local Error". The user I'm using is Domain Admin; I'm not sure whether there is some policy that needs to be updated. Anyway, thanks for the help; it seems there is a lot of mystery in how AD is handled and in the error messages Microsoft provides.

  • If it fails immediately when searching, I think you can forget about making changes. You have to find out why it gives this error. You say you are using "Domain Admin". Does it need to be? How big is the AD? Who is responsible for the AD? Is there any kind of lock?

0

I was able to solve it using DirectoryServices; I had to use the overload that takes the user name and password. In the end the method looked like this:

    using System;
    using System.DirectoryServices.AccountManagement;

    public void UpdateUserGroup(ADEntry selectedEntry, ADEntry groupEntry, bool addUser)
    {
        if (selectedEntry.Type == ADEntryType.User && groupEntry.Type == ADEntryType.Group)
        {
            // Bind with an explicit server, user name and password instead of the process identity
            using (PrincipalContext pc = new PrincipalContext(ContextType.Domain,
                this.Connector.Credential.Server, this.Connector.Credential.User, this.Connector.Credential.Password))
            using (GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupEntry.Name))
            {
                // FindByIdentity returns null when the group does not exist
                if (group == null)
                {
                    throw new InvalidOperationException("Group not found: " + groupEntry.Name);
                }

                if (addUser)
                {
                    group.Members.Add(pc, IdentityType.Name, selectedEntry.Name);
                }
                else
                {
                    group.Members.Remove(pc, IdentityType.Name, selectedEntry.Name);
                }

                group.Save();
            }
        }
    }

Thank you Luiz for the help.

  • I know that, but I didn't have enough points on the pt stack to vote.

  • I already have them and I have already voted.
