HELP! - Add Active Directory User & Control Folder Permissions

Guest

About three weeks ago I started the laborious task of teaching myself C#
.NET. Having zero OOP experience has made the process fairly difficult. I
am building a small systems management application "mostly as a learning
experience" and I'm stuck on two issues. First, I can't figure out how to add
an NT logon name/account to Active Directory. I can add pre-Windows users, but
that's it. Second, I'm trying to control directory/folder security
permissions; but again, I'm stuck. I've tried to implement the
FileIOPermission class, but it doesn't seem to apply to directories/folders.

I appreciate your help,

Thanks,

Mark
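The second question in the post above (folder permissions) is never answered in the thread, so here is an added example that is not code from either poster. The point it makes: FileIOPermission is a code-access-security permission, i.e. a statement about what the running assembly may do with a path; it never changes who may open the folder. The permissions shown on a folder's Security tab are its NTFS discretionary ACL, and in .NET those are set through System.Security.AccessControl (DirectorySecurity, FileSystemAccessRule), which shipped with .NET 2.0, later than the VS.NET 2003 this thread uses. The folder path and the service account name are assumptions for the example.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example: replace a folder's NTFS ACL with an explicit, least-privilege one.
// The path and the account name are assumptions, not values from the thread.
class FolderAclExample
{
    static void Main()
    {
        string folder = @"C:\AppData\Reports";            // assumed path
        string operatorAccount = @"FABRIKAM\svc-reports";  // assumed account (DOMAIN\name)

        Directory.CreateDirectory(folder);
        DirectorySecurity acl = Directory.GetAccessControl(folder);

        // Stop inheriting from the parent and drop the inherited entries, so the
        // folder's effective permissions are exactly the ones granted below.
        acl.SetAccessRuleProtection(true, false);

        // Apply each entry to this folder, its subfolders and its files.
        InheritanceFlags inherit = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

        // Administrators and SYSTEM keep Full Control so the folder stays manageable.
        acl.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
            FileSystemRights.FullControl, inherit, PropagationFlags.None, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
            FileSystemRights.FullControl, inherit, PropagationFlags.None, AccessControlType.Allow));

        // The service account gets Modify, not Full Control: it can read and write
        // content but cannot rewrite the ACL or take ownership of the folder.
        acl.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(operatorAccount),
            FileSystemRights.Modify, inherit, PropagationFlags.None, AccessControlType.Allow));

        // Write the new descriptor to the folder (this needs WRITE_DAC on the folder).
        Directory.SetAccessControl(folder, acl);

        // Read the result back, roughly as "icacls" would show it.
        foreach (FileSystemAccessRule rule in
                 Directory.GetAccessControl(folder).GetAccessRules(true, true, typeof(NTAccount)))
        {
            Console.WriteLine("{0,-6} {1,-30} {2}",
                rule.AccessControlType, rule.IdentityReference, rule.FileSystemRights);
        }
    }
}
```

If the account name cannot be resolved to a SID, SetAccessControl throws IdentityNotMappedException rather than writing a broken entry; run the program from an account that already holds WRITE_DAC (or ownership) on the folder, since replacing the ACL is itself a permissioned operation.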
 
Marc Scheuner [MVP ADSI]

I am building a small systems management application and I’m stuck on two issues.
First, I can’t figure out how to add a NT logon name/account to Active Directory
I can add pre-windows users, but that’s it.

Not quite sure what you're trying to say here.... you can't add a user
and set its "NT Logon Name"?? The "Pre-Windows user" name that's
being displayed in the Active Directory Users & Computers tool *IS* your
"NT Logon Name" (technically, internally, it's called the
"sAMAccountName").

So assuming your company's main domain is called "dc=fabrikam,dc=com",
you could add a new user to the default Users container like this:

// bind to the default "Users" container
DirectoryEntry deUsers = new DirectoryEntry("LDAP://cn=Users,dc=fabrikam,dc=com");

// create a new user
DirectoryEntry newUser = deUsers.Children.Add("cn=John Doe", "user");

// add its SAM account name
newUser.Properties["sAMAccountName"].Value = "John_Doe";

// persist changes back to AD
newUser.CommitChanges();


Does that work for you?


You'd probably get more, and more useful, answers in the specific AD
newsgroups, most notably

microsoft.public.adsi.general

Cheers!
Marc

================================================================
Marc Scheuner May The Source Be With You!
Berne, Switzerland m.scheuner -at- inova.ch
 
Guest

Thank you very much.

Based on what you have said about the "Pre-Windows 2000 users", I need not
go any further. BUT, I just want to make sure I am clear. The "user" in
question that I am trying to add is best explained by looking at an existing
user's properties in Active Directory (right click on user, properties). From
what I see there are two fields, "User Logon Name" & "User logon name
(pre-Windows 2000)"... what's the difference?

I am having trouble with the following path:
DirectoryEntry("LDAP://cn=Users,dc=fabrikam,dc=com");

cn=Users, is this literally the location where users are stored? If I open
Active Directory Users and Computers "in windows" there is a folder "Users"
(what does cn stand for?).

dc=fabrikam, this is my domain controller, right? The machine I am using to
code this lesson is not a member of the dc I am trying to control... is this why
I can't get connected... Do I have to be a member of the Domain?

This is the compile error I get when I ran the code:

An unhandled exception of type 'System.Runtime.InteropServices.COMException'
occurred in system.directoryservices.dll

Additional information: The specified domain either does not exist or could
not be contacted.

I appreciate your patience…I know I have a long way to go.

Thank you again,

Mark

 
 
Guest

You have been so helpful, thank you!

I’ll try and keep it to one last question.

Richard Mueller's web site was a big help too... I found reference to
userAccountControl and the corresponding account options for User Cannot
Change Password & Password Never Expires, but "I find myself saying this
often lately" I couldn't get the syntax right.

Any ideas on how to make this work?

Once again…thank you,

Mark
 
Marc Scheuner [MVP ADSI]

I found reference to userAccountControl and the corresponding account options for User Cannot
Change Password & Password Never Expires, but I find I couldn't get the syntax right.

Sure - given that you have a DirectoryEntry called "newUser" from
previous code, do this:

int iUserAccountControl = ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD +
    ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE;

newUser.Properties["userAccountControl"].Value = iUserAccountControl;
newUser.CommitChanges();

Hope this helps
Marc

 
Guest

When I concatenated the two flags with: int iUserAccountControl =
ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD
+ ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE; I received the following build
error: Operator '+' cannot be applied to operands of type
'ActiveDs.ADS_USER_FLAG' and 'ActiveDs.ADS_USER_FLAG'

I tried to "OR" the statement int iUserAccountControl =
ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD
| ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE; but received the following build
error: Cannot implicitly convert type 'ActiveDs.ADS_USER_FLAG' to 'int'

It seems that the ADS_USER_FLAG needed a reference to the COM ActiveDs.dll.

Listed below is the program in its totality.

using System;
using System.DirectoryServices;
using ActiveDs;   // COM reference to activeds.tlb, needed for the ADS_USER_FLAG enum

namespace ConsoleApplication3
{
    class Class1
    {
        [STAThread]
        static void Main(string[] args)
        {
            try
            {
                // Bind to the Users container on the DC "ec-t1" with explicit credentials.
                // The account was posted as "ec=t1\\administrator"; the host in the path is ec-t1.
                // Hard-coded credentials in source are shown as posted only; keep them out of real code.
                string path = "LDAP://ec-t1/CN=Users,DC=smallbusiness,DC=local";
                DirectoryEntry entry = new DirectoryEntry(path, "ec-t1\\administrator", "mae008");

                DirectoryEntry newUser = entry.Children.Add("cn=Test User", "user");
                newUser.Properties["sAMAccountName"].Add("testuser");
                // userPrincipalName is "user@UPN suffix", i.e. the "User logon name" field in ADUC.
                newUser.Properties["userPrincipalName"].Add("testuser@smallbusiness.local");
                newUser.Properties["sn"].Add("User");
                newUser.Properties["givenName"].Add("Test");
                newUser.Properties["description"].Add("Test account added with code.");
                newUser.Properties["displayName"].Add("Test");
                newUser.Properties["physicalDeliveryOfficeName"].Add("Test");
                newUser.CommitChanges();   // the object must exist before a password can be set

                newUser.Invoke("SetPassword", new object[] { "mypassword1" });

                // First attempt ('+' on two enum values): does not compile.
                //int iUserAccountControl = ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD +
                //    ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE;

                // Second attempt ('|' without a cast): gives the build error quoted above,
                // "Cannot implicitly convert type 'ActiveDs.ADS_USER_FLAG' to 'int'".
                int iUserAccountControl = ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD
                    | ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE;
                newUser.Properties["userAccountControl"].Value = iUserAccountControl;
                newUser.CommitChanges();
            }
            catch (Exception exception)
            {
                Console.WriteLine(exception.Message);
            }
        }
    }
}



If I can ever help you in return for the all help you have given me, just
say the word.

Thanks,

Mark


Marc Scheuner said:
I found reference to userAccountControl and the corresponding account options for User Cannot
Change Password & Password Never Expires, but I find I could get the syntax right.

Sure - given that you have a DirectoryEntry called "newUser" from
previous code, do this:

int iUserAccountControl = ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD +
ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE;

oNewUser.Properties["uSerAccountControl"].Value = iUserAccountControl;
oNewUser.CommitChanges();

Hope this helps
Marc

================================================================
Marc Scheuner May The Source Be With You!
Berne, Switzerland m.scheuner -at- inova.ch
 
 
Marc Scheuner [MVP ADSI]

When I concatenated the two flags with: int iUserAccountControl =
ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD
+ ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE; I received the following build
error: Operator '+' cannot be applied to operands of type
'ActiveDs.ADS_USER_FLAG' and 'ActiveDs.ADS_USER_FLAG'

Ooops, sorry - try the "OR" ( | ) operator instead:

ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD |
ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE

Marc
 
Guest

I tried to "OR" the statement int iUserAccountControl =
ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD
| ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE; but received the following build
error: Cannot implicitly convert type 'ActiveDs.ADS_USER_FLAG' to 'int'

I'm stumped?

Mark
 
Marc Scheuner [MVP ADSI]

I tried to "OR" the statement int iUserAccountControl =
ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD
| ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE; but received the following build
error: Cannot implicitly convert type 'ActiveDs.ADS_USER_FLAG' to 'int'

Sorry for the delay........ yes, shucks - the attribute that you set
will have to be an INT, while the flags are enums in the ActiveDs
namespace....... so you need to "OR" them together if you want more
than one, and in the end, you need to explicitly cast it to an int....

So here's some code that will REALLY work - promised !!

int iUserAccountControl =
    (int)(ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD |
          ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE);

and then set your user object's
newUser.Properties["userAccountControl"].Value = iUserAccountControl;

Sorry for the confusion..... (I was doing everything off the top of my
head, without a chance to actually test it in VS.NET).

Marc
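Marc's first snippet (creating the user and setting sAMAccountName) and this last one (writing userAccountControl) joined into one added example; this is not code from the thread and it assumes the host name, domain DN, user names and the environment variable names it uses. It also answers the questions Mark raised in between and adds the checks a practitioner would want:

- In an LDAP path, cn is "common name" and dc is "domain component": dc=fabrikam,dc=com is the DNS name of the domain split into labels, not the domain controller. A serverless path such as "LDAP://cn=Users,dc=fabrikam,dc=com" makes ADSI locate a DC through the client's own domain membership, which is why a machine outside the domain gets "The specified domain either does not exist or could not be contacted". Naming the DC in the path ("LDAP://dc01.fabrikam.com/...") and passing credentials removes that dependency; the example binds with Secure | Sealing so the bind is Kerberos/NTLM over an encrypted session rather than a cleartext simple bind.
- "User logon name (pre-Windows 2000)" is sAMAccountName (at most 20 characters, unique in the domain); "User logon name" is userPrincipalName, in the form user@suffix.
- A freshly created user arrives with userAccountControl = 0x0222 (NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE). Overwriting the attribute with only the two flags from the thread drops NORMAL_ACCOUNT and silently changes more than intended, so the example reads the value, ORs in "password never expires", and clears the disabled and password-not-required bits only once a password has been set.
- "User cannot change password" is not stored as the ADS_UF_PASSWD_CANT_CHANGE bit; writing that bit to userAccountControl has no effect. Active Directory implements the option as two Deny entries for the User-Change-Password control access right on the user object, one for Everyone and one for SELF, which is what the example writes through DirectoryEntry.ObjectSecurity (.NET 2.0 and later).
- The flag values are the numeric ones of ADS_USER_FLAG, declared as constants so no COM reference to ActiveDs is needed, and the uniqueness search escapes the name under RFC 4515 so a name taken from input cannot rewrite the filter.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

// Added example (not code from the thread). Host, DN, names and environment
// variable names are assumptions; flag values are those of ADS_USER_FLAG.
class CreateUserExample
{
    const int UF_ACCOUNTDISABLE     = 0x0002;
    const int UF_PASSWD_NOTREQD     = 0x0020;
    const int UF_NORMAL_ACCOUNT     = 0x0200;
    const int UF_DONT_EXPIRE_PASSWD = 0x10000;
    // ADS_UF_PASSWD_CANT_CHANGE (0x0040) is deliberately absent: AD ignores it when
    // written. The option is an ACL entry, set in DenyChangePassword below.

    // Schema GUID of the "User-Change-Password" control access right.
    static readonly Guid UserChangePassword = new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");

    static void Main()
    {
        string dc = "dc01.fabrikam.com";            // assumed DC host name
        string domainDn = "DC=fabrikam,DC=com";     // dc= parts are the DNS labels of the domain
        // Credentials come from the environment, never from source (assumed variable names).
        string adminUser = Environment.GetEnvironmentVariable("AD_ADMIN_USER");       // e.g. FABRIKAM\admin
        string adminPassword = Environment.GetEnvironmentVariable("AD_ADMIN_PASSWORD");
        string initialPassword = Environment.GetEnvironmentVariable("NEW_USER_PASSWORD");

        // Secure = Kerberos/NTLM bind (no cleartext simple bind); Sealing = encrypted session.
        AuthenticationTypes auth = AuthenticationTypes.Secure | AuthenticationTypes.Sealing;

        string sam = "jdoe";                // "User logon name (pre-Windows 2000)": sAMAccountName
        string upn = "jdoe@fabrikam.com";   // "User logon name": userPrincipalName = user@UPN suffix
        ValidateSam(sam);

        using (DirectoryEntry root = new DirectoryEntry("LDAP://" + dc + "/" + domainDn, adminUser, adminPassword, auth))
        using (DirectoryEntry container = new DirectoryEntry("LDAP://" + dc + "/CN=Users," + domainDn, adminUser, adminPassword, auth))
        {
            if (SamAccountExists(root, sam))
                throw new InvalidOperationException("sAMAccountName already in use: " + sam);

            DirectoryEntry user = container.Children.Add("CN=John Doe", "user");
            user.Properties["sAMAccountName"].Value = sam;
            user.Properties["userPrincipalName"].Value = upn;
            user.Properties["givenName"].Value = "John";
            user.Properties["sn"].Value = "Doe";
            user.CommitChanges();   // the object must exist before a password can be set
            user.RefreshCache();    // load the server-assigned attributes, e.g. userAccountControl

            // IADsUser.SetPassword, carried over the secured channel bound above.
            user.Invoke("SetPassword", new object[] { initialPassword });

            // Read-modify-write: a new user starts as 0x0222 (NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE).
            int uac = (int)user.Properties["userAccountControl"].Value;
            uac = (uac | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD) & ~(UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD);
            user.Properties["userAccountControl"].Value = uac;
            user.CommitChanges();

            DenyChangePassword(user);
            Console.WriteLine("created {0} at {1}, userAccountControl=0x{2:X}", upn, user.Path, uac);
        }
    }

    // "User cannot change password" as AD stores it: Deny User-Change-Password to Everyone and SELF.
    static void DenyChangePassword(DirectoryEntry user)
    {
        ActiveDirectorySecurity sec = user.ObjectSecurity;
        SecurityIdentifier[] principals = {
            new SecurityIdentifier(WellKnownSidType.WorldSid, null),
            new SecurityIdentifier(WellKnownSidType.SelfSid, null)
        };
        foreach (SecurityIdentifier sid in principals)
        {
            sec.AddAccessRule(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight,
                                                            AccessControlType.Deny, UserChangePassword));
        }
        user.CommitChanges();   // writes the modified nTSecurityDescriptor
    }

    static bool SamAccountExists(DirectoryEntry domainRoot, string sam)
    {
        using (DirectorySearcher search = new DirectorySearcher(domainRoot,
                   "(sAMAccountName=" + EscapeFilter(sam) + ")", new string[] { "distinguishedName" }))
        {
            return search.FindOne() != null;
        }
    }

    // sAMAccountName: at most 20 characters and none of the characters AD rejects.
    static void ValidateSam(string sam)
    {
        if (sam.Length == 0 || sam.Length > 20 || sam.IndexOfAny("\"/\\[]:;|=,+*?<>".ToCharArray()) >= 0)
            throw new ArgumentException("invalid sAMAccountName: " + sam);
    }

    // RFC 4515 escaping so a name taken from input cannot alter the search filter.
    static string EscapeFilter(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

The account used for the bind needs "Create user objects" on the container and "Reset password" and write access to userAccountControl and the security descriptor on the new object; a delegated provisioning account with exactly those rights, rather than a domain administrator, is the least-privilege way to run this. If SetPassword fails with a COM error, the usual cause is that ADSI could not establish a protected channel (LDAPS or Kerberos) to the DC named in the path.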
 
