Remove user from local group

John

Hi,

I have the code snippet but it does not seem to work. Could anyone point out what is wrong with it?

    //try to remove a local user from a local group
    string path = string.Format("WinNT://{0}/{1}/{2},group", domainName, serverName, groupName);

    // Bind to remote computer Administrator group.
    using (DirectoryEntry groupEntry = new DirectoryEntry(path))
    {
        path = string.Format("WinNT://{0}/{1}/{2},user", domainName, serverName, userName);
        using (DirectoryEntry userEntry = new DirectoryEntry(path))
        {
            groupEntry.Children.Remove(userEntry);
        }
    }

I also found out that I could not cast the groupEntry to IADsGroup:

    string path = string.Format("WinNT://{0}/{1}/{2},group", domainName, serverName, groupName);

    // Bind to remote computer Administrator group.
    using (DirectoryEntry groupEntry = new DirectoryEntry(path))
    {
        IADsGroup grp = groupEntry as IADsGroup; //??? why the groupEntry cannot be cast to IADsGroup?
    }

How can I add a domain group into a local group?

Thanks!
John
 
Zhi-xin Ye

Hi, John

As I understand, you have three questions related to ADSI programming.

1. How to remove a local user from a local group?

When you run your code, you will get an InvalidOperationException saying that

"The Active Directory object located at the path WinNT://xxxxx is not a container"

This is because the "DirectoryEntry.Children" property is used to retrieve
the child nodes in the Active Directory hierarchy. The parent-child
relationships can include the following:

User/Group/Computer objects are child objects of the "container"
(IADsContainer) object. They can also be child objects of an
"organizational unit" (IADsOU) object, which implements IADsContainer. Each
child object can only have one single parent object.

But for "group" objects, they are not containers and they do not implement
the IADsContainer interface. Each user can belong to multiple groups. So
there are no parent-child relationships between groups and users.

In order to remove a user from a group, we can call the IADsGroup.Remove
method or the DirectoryEntry.Invoke method.

    // Requires: using System.DirectoryServices; using ActiveDs;
    // (ActiveDs is the COM reference to the Active DS Type Library.)
    private void button1_Click(object sender, EventArgs e)
    {
        string path = string.Format("WinNT://{0},computer", Environment.MachineName);
        using (DirectoryEntry dirEntry = new DirectoryEntry(path))
        {
            //Get the "Users" group
            DirectoryEntry groupEntry = dirEntry.Children.Find("Users", "group");
            if (groupEntry != null)
            {
                //Get the "test" user
                DirectoryEntry userEntry = dirEntry.Children.Find("test", "user");

                //we can remove the user using the IADsGroup.Remove method
                IADsGroup grp = groupEntry.NativeObject as IADsGroup;
                grp.Remove(userEntry.Path);

                //Or we can call the DirectoryEntry.Invoke method
                //groupEntry.Invoke("Remove", new object[] { userEntry.Path.ToString() });

                groupEntry.CommitChanges();

                userEntry.Dispose();
                //Dispose the group entry only when it was actually found
                groupEntry.Dispose();
            }
        }
    }


2. How to cast a DirectoryEntry object to IADsGroup object?

The DirectoryEntry object cannot be cast to the IADsGroup type directly; we
should cast its native object instead:

IADsGroup grp = groupEntry.NativeObject as IADsGroup;

3. How to add a domain group into a local group?

To add a domain group into a local group, we can call the
DirectoryEntry.Invoke() method with the "Add" parameter to do the trick.

    private void button1_Click(object sender, EventArgs e)
    {
        //"TestLocalGroup" is the local group name.
        DirectoryEntry deLocalGroup = new DirectoryEntry("WinNT://localhost/TestLocalGroup,group");

        //"MyNetBIOS" is the domain NetBIOS name. "TestDomainGroup" is the domain group name.
        DirectoryEntry deDomainGroup = new DirectoryEntry("WinNT://MyNetBIOS/TestDomainGroup,group");

        deLocalGroup.Invoke("Add", deDomainGroup.Path);
        deLocalGroup.CommitChanges();

        deLocalGroup.Close();
        deDomainGroup.Close();
    }

If you need additional information on this please let me know.

Sincerely,
Zhi-Xin Ye
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
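
An added example, not part of the original posts: when group membership is changed for access-control reasons, it helps to remove the member only if it is actually present and then re-read the membership to confirm the change. The sketch below uses only DirectoryEntry.Invoke with the "Members" and "Remove" methods; the class name LocalGroupAudit and its helpers are hypothetical, and the group and user names are the thread's sample values.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;   // reference System.DirectoryServices.dll
using System.Reflection;

static class LocalGroupAudit      // hypothetical helper, not code from the thread
{
    // Returns the ADsPath of every member of the group (local users and nested domain groups).
    static List<string> GetMemberPaths(DirectoryEntry group)
    {
        var paths = new List<string>();
        foreach (object member in (IEnumerable)group.Invoke("Members"))
        {
            using (var entry = new DirectoryEntry(member))
                paths.Add(entry.Path);
        }
        return paths;
    }

    // Removes a member by account name; returns true only if it was present and is now gone.
    static bool RemoveMember(string machine, string groupName, string accountName)
    {
        string groupPath = string.Format("WinNT://{0}/{1},group", machine, groupName);
        using (var group = new DirectoryEntry(groupPath))
        {
            // Use the path the provider itself reports, so Remove receives the exact form it expects.
            string target = GetMemberPaths(group).Find(p =>
                p.EndsWith("/" + accountName, StringComparison.OrdinalIgnoreCase));
            if (target == null) return false;            // not a member: nothing to do

            try { group.Invoke("Remove", target); }
            catch (TargetInvocationException ex)          // Invoke wraps the underlying COM error
            {
                Console.Error.WriteLine("Remove failed: " + ex.InnerException?.Message);
                return false;
            }
            return !GetMemberPaths(group).Contains(target);   // re-read membership to verify
        }
    }

    static void Main()
    {
        // Sample names taken from the thread: "TestLocalGroup" group, "test" user.
        bool removed = RemoveMember(Environment.MachineName, "TestLocalGroup", "test");
        Console.WriteLine(removed ? "removed" : "not removed");
    }
}
```

Changing local group membership requires administrative rights on the target machine, so an access-denied error surfaces in the TargetInvocationException branch.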
 
Zhi-xin Ye

Hi, John

I am interested in this issue. Would you mind letting me know the result of
my suggestions? If you need further assistance, please feel free to let me
know. I will be more than happy to be of assistance.

Have a great day!


Sincerely,
Zhi-Xin Ye
Microsoft Online Community Support

 
