AD adding user to a group in a different domain

Mathias Alvarsson

In the creation-process of the new user, I also want to add it to a group
that exists in another domain in the same forest. When I try this I get
these error messages: "The object was not found on the server" or "The
server was unwilling to process the request".

I'm using the following code to add a user to a group:
string sGroupPath = "LDAP://server1.domain1.test.com/CN=Test,CN=Users,DC=domain1,DC=test,DC=com";
string sUserPath = "LDAP://server2.domain2.test.com/CN=John,CN=Users,DC=domain2,DC=test,DC=com";
DirectoryEntry oGroup = new DirectoryEntry( sGroupPath );
oGroup.Invoke("Add", new Object[] {sUserPath });

If I run the group-adding code manually after the user has been replicated
between the domains, it works ok. But how do I do this in the same process
that creates the AD-user?

/Mathias
 
Marc Scheuner [MVP ADSI]

I'm using the following code to add a user to a group:
string sGroupPath = "LDAP://server1.domain1.test.com/CN=Test,CN=Users,DC=domain1,DC=test,DC=com";
string sUserPath = "LDAP://server2.domain2.test.com/CN=John,CN=Users,DC=domain2,DC=test,DC=com";
DirectoryEntry oGroup = new DirectoryEntry( sGroupPath );
oGroup.Invoke("Add", new Object[] {sUserPath });

First of all, you don't need to go the complicated way of invoking the
"Add" method on the group's native IADsGroup interface - just use the
group's "Children.Add" method.

Secondly, when adding a user to a group, you only have to specify the
user's DN - e.g. anything from the CN= part on. Do not specify the
LDAP:// and the server!

Thirdly, there are a number of issues mostly with permissions and
trusts when doing this - so you might run into problems based on your
setup.

So now, try this, and see if it works:

string sUserPath = "CN=John,CN=Users,DC=domain2,DC=test,DC=com";
DirectoryEntry oGroup = new DirectoryEntry( sGroupPath );
oGroup.Children.Add(sUserPath);

Marc
 
Mathias Erlandsson

I tried as you suggested, but it didn't work. I got no error-messages at
all. Any ideas?

/Mathias


Marc Scheuner said:
I'm using the following code to add a user to a group:
string sGroupPath = "LDAP://server1.domain1.test.com/CN=Test,CN=Users,DC=domain1,DC=test,DC=com";
string sUserPath = "LDAP://server2.domain2.test.com/CN=John,CN=Users,DC=domain2,DC=test,DC=com";
DirectoryEntry oGroup = new DirectoryEntry( sGroupPath );
oGroup.Invoke("Add", new Object[] {sUserPath });

First of all, you don't need to go the complicated way of invoking the
"Add" method on the group's native IADsGroup interface - just use the
group's "Children.Add" method.

Secondly, when adding a user to a group, you only have to specify the
user's DN - e.g. anything from the CN= part on. Do not specify the
LDAP:// and the server!

Thirdly, there are a number of issues mostly with permissions and
trusts when doing this - so you might run into problems based on your
setup.

So now, try this, and see if it works:

string sUserPath = "CN=John,CN=Users,DC=domain2,DC=test,DC=com";
DirectoryEntry oGroup = new DirectoryEntry( sGroupPath );
oGroup.Children.Add(sUserPath);

Marc
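
An added example, not part of the original thread and not code from either poster: one way to do the group add in the same process that creates the user, by writing the user's DN to the group's member attribute (instead of Invoke("Add") or Children.Add) and retrying only while the group's domain controller cannot yet see the new user. The class and method names, the retry count and delay, and the mapping of the two quoted error messages to the HRESULT values below are assumptions; any other error, such as access denied, is rethrown rather than retried.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Threading;

static class CrossDomainGroupAdd
{
    // Assumed HRESULTs for the two failures quoted in the question:
    // ERROR_DS_NO_SUCH_OBJECT and ERROR_DS_UNWILLING_TO_PERFORM.
    static readonly int[] RetryableErrors =
        { unchecked((int)0x80072030), unchecked((int)0x80072035) };

    // Adds userDn to the group's member attribute, retrying only while the
    // group's domain controller cannot yet resolve the new user.
    static bool TryAddMember(string groupPath, string userDn, int maxAttempts, TimeSpan delay)
    {
        for (int attempt = 1; attempt <= maxAttempts; attempt++)
        {
            try
            {
                using (DirectoryEntry group = new DirectoryEntry(groupPath))
                {
                    group.Properties["member"].Add(userDn);
                    group.CommitChanges(); // the write reaches server1 here
                    return true;
                }
            }
            catch (COMException ex)
            {
                // Anything else (access denied, bad path, ...) is a real fault:
                // surface it instead of hiding it behind retries.
                if (Array.IndexOf(RetryableErrors, ex.ErrorCode) < 0) throw;
                Console.Error.WriteLine("Attempt {0} failed: 0x{1:X8}", attempt, ex.ErrorCode);
                if (attempt < maxAttempts) Thread.Sleep(delay);
            }
        }
        return false; // caller must record that the membership is still missing
    }

    static void Main()
    {
        // Sample names from the thread; attempt count and delay are assumed values.
        string groupPath =
            "LDAP://server1.domain1.test.com/CN=Test,CN=Users,DC=domain1,DC=test,DC=com";
        string userDn = "CN=John,CN=Users,DC=domain2,DC=test,DC=com";
        bool added = TryAddMember(groupPath, userDn, 10, TimeSpan.FromSeconds(30));
        Console.WriteLine(added ? "Member added." : "User not visible yet; membership not set.");
    }
}
```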
 
