Add group members from trusted domain programmatically

Bjørn Erik Jensen

Hi,
I have a problem that I have not been able to find a solution to.
There are very few articles about this in docs and on the Internet.

My problem:
I am working with two AD servers (two domains) that trust each other (forest trust),
and I want to add users from one domain to groups in the other domain.
It works just fine using the standard Windows GUI 'AD Users and Computers'.
But I have to get the same work done from C# code.
The overall steps would be:
1. Get the SID property of the user
2. Create a ForeignSecurityPrincipal object on the same AD server as the group
- DirectoryEntry newObject = fsp.Children.Add("CN=" + sid, "foreignSecurityPrincipal");
- byte[] userSid = (byte[])user.Properties["objectSid"].Value;
- newObject.Properties["objectSid"].Add(userSid);
- newObject.CommitChanges();
3. Add the ForeignSecurityPrincipal object as a group member

My code stops when the ForeignSecurityPrincipal object is to be created in AD.
The DirectoryEntry.CommitChanges() method throws an exception with
the message "The requested operation did not satisfy one or more constraints
associated with the class of the object." I suggest this means that one or more
mandatory properties are missing. Then I try to add the property "objectSid" with
the same value as the user object (Step 1 above). After adding the objectSid property,
the exception message has changed to "The server is unwilling to process the request."

Do you know the solution? Please reply to this post!

By the way, I am running Windows 2003 Servers.

-- Bjørn Erik Jensen

Joe Kaplan (MVP - ADSI)

I think you can get AD to create the FSP for you automatically by simply
adding the member to the group using the SID DN syntax. This would look
something like:

groupEntry.Properties["member"].Add("<SID=xxxxx>");
groupEntry.CommitChanges();

In this case, xxxxx would be the SID in either octet string format or SDDL
format (S-1-5-xxx) if this is 2003 AD.

HTH,

Joe K.
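The approach described in the reply above, written out as an added C# example (this is not code from the thread; the LDAP paths and host names are placeholders, and the caller is assumed to hold write access to the group's "member" attribute). It reads the user's objectSid from the trusted domain, writes the member as "<SID=S-1-5-...>" so the target DC creates the foreignSecurityPrincipal object itself, and then reads the membership back to confirm the change landed:

```csharp
// Added example, not part of the original thread.
// Adds a principal from a trusted forest to a group in this forest by writing
// the SID-DN form "<SID=...>" into the group's "member" attribute, which makes
// AD create the foreignSecurityPrincipal (FSP) object automatically.
// Assumptions: placeholder LDAP paths/hosts below; write access to "member".
using System;
using System.DirectoryServices;
using System.Security.Principal;

class CrossForestGroupMember
{
    // Read the user's objectSid from the trusted (source) domain and wrap it
    // in SecurityIdentifier so we can emit the SDDL string form (S-1-5-...).
    static SecurityIdentifier GetUserSid(string userLdapPath)
    {
        using (var user = new DirectoryEntry(userLdapPath))
        {
            byte[] sidBytes = (byte[])user.Properties["objectSid"].Value;
            return new SecurityIdentifier(sidBytes, 0);
        }
    }

    // Add the principal by SID. No FSP object is created by hand; the DC that
    // owns the group resolves the SID through the trust and creates the FSP in
    // CN=ForeignSecurityPrincipals on its own.
    static void AddMemberBySid(string groupLdapPath, SecurityIdentifier sid)
    {
        using (var group = new DirectoryEntry(groupLdapPath))
        {
            string sidDn = "<SID=" + sid.Value + ">"; // e.g. <SID=S-1-5-21-...-1234>
            group.Properties["member"].Add(sidDn);
            group.CommitChanges();
        }
    }

    // Verification step: bind to the object by SID on the target DC to learn the
    // DN that AD assigned (for a foreign principal this is the new FSP's DN),
    // then confirm that DN is now listed in the group's "member" attribute.
    static bool IsMember(string targetDcHost, string groupLdapPath, SecurityIdentifier sid)
    {
        string memberDn;
        using (var bySid = new DirectoryEntry("LDAP://" + targetDcHost + "/<SID=" + sid.Value + ">"))
        {
            memberDn = (string)bySid.Properties["distinguishedName"].Value;
        }

        using (var group = new DirectoryEntry(groupLdapPath))
        {
            group.RefreshCache(new[] { "member" }); // re-read from the DC, not the local cache
            foreach (string dn in group.Properties["member"])
            {
                if (string.Equals(dn, memberDn, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
        }
        return false;
    }

    static void Main()
    {
        // Placeholder values (assumptions, not real hosts or objects).
        const string targetDc  = "dc1.corp.example";
        const string userPath  = "LDAP://dc1.trusted.example/CN=Jane Doe,OU=Users,DC=trusted,DC=example";
        const string groupPath = "LDAP://" + targetDc + "/CN=FileShareReaders,OU=Groups,DC=corp,DC=example";

        SecurityIdentifier sid = GetUserSid(userPath);
        AddMemberBySid(groupPath, sid);
        Console.WriteLine(IsMember(targetDc, groupPath, sid)
            ? "Member added; FSP created by the DC."
            : "Member not found; check the trust and the caller's write access.");
    }
}
```

The read-back in IsMember is worth keeping in real code: a cross-forest group addition is an access grant, and the FSP that AD creates is only as meaningful as the trust behind it. If the trust is later removed, the FSP stays in the group as a SID that no longer resolves to a name, so group membership reviews should treat unresolvable FSPs as entries to clean up rather than ignore.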

Bjørn Erik Jensen

Yes, you are right. It works!
Thank you, Joe K.

Joe Kaplan (MVP - ADSI)

I'm glad. I'll try to remember to cover this in a book topic.

Joe K.
