TechQA.

Adding Users to AD Universal Group from Different Domains C#

2k views Asked by At

We have many domains in the same forest (i.e. sw.main.company.com, nw.main.company.com, main.company.com) and I have control of an OU in sw.main.company.com where I have set up a Universal Active Directory Group.

I have no difficulty pragmatically (c#) adding "sw" domain users to the group using System.DirectoryServices.AccountManagement .NET 4.5 etc. on the default AD port, but when it comes to adding users from the other domains (nw, mw, etc.), I get "HResult=-2147016651 Message=The server is unwilling to process the request" and "Operation not allowed through GC port, data 0, v1db1" when setting the new PrincipalContext(ContextType.Domain "sw.main.company.com:3268", "DC=main,DC=company,DC=com").

All of the Domain Controllers are also Global Catalog servers and invoking port 3268 allows the users from the other domains to resolve correctly, but I cannot commit the additions using the GlobalPrincipal.Save() command without throwing the error.

I have included the relevant code below as well as the detailed error stack. I need help with this.

public void SyncADUsers()
{
    AddUserToGroup("MW\\abc123user", "Universal_Group_1");
}

public void AddUserToGroup(string userId, string groupName)
{
    try
    {
        using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "sw.main.company.com:3268", "DC=main,DC=company,DC=com"))
        {
            GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupName);
            group.Members.Add(pc, IdentityType.SamAccountName, userId);
            group.Save();
        }
    }
    catch (System.DirectoryServices.DirectoryServicesCOMException E)
    {
        //doSomething with E.Message.ToString(); 
    }
}

System.InvalidOperationException was unhandled HResult=-2146233079 Message=The server is unwilling to process the request. Source=System.DirectoryServices.AccountManagement StackTrace: at System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes) at System.DirectoryServices.AccountManagement.ADStoreCtx.Update(Principal p) at System.DirectoryServices.AccountManagement.Principal.Save() at ExampleUsers.SyncAD.AddUserToGroup(String userId, String groupName) in c:\SourceControl\ExampleUsers\ExampleUsers\SyncAD.cs:line 33 at ExampleUsers.SyncAD.SyncADUsers() in c:\SourceControl\ExampleUsers\ExampleUsers\SyncAD.cs:line 18 at ExampleUsers.Program.Main(String[] args) in c:\SourceControl\ExampleUsers\ExampleUsers\Program.cs:line 62 at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args) at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args) at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly() at System.Threading.ThreadHelper.ThreadStart_Context(Object state) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ThreadHelper.ThreadStart() InnerException: System.DirectoryServices.DirectoryServicesCOMException HResult=-2147016651 Message=The server is unwilling to process the request. Source=System.DirectoryServices ErrorCode=-2147016651 ExtendedError=8245 ExtendedErrorMessage=00002035: LdapErr: DSID-0C090B3E, comment: Operation not allowed through GC port, data 0, v1db1 StackTrace: at System.DirectoryServices.DirectoryEntry.CommitChanges() at System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) InnerException:

c# dns active-directory groupprincipal
Original Q&A
2

There are 2 answers

0
SpaceStrip On BEST ANSWER

In reference to BaldPate's response, if the Global Catalog is read only, we need to read and resolve users in different domains using the 3268 port and then SAVE the users using the 389 port all in the same context. This can be accomplished with the following code (note the separate calls to the 3268 and default 389 ports) and thanks to BaldPate for making this clear:

using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Configuration;

namespace OurUsers
{
class SyncAD
{
    #region Variables

    private string sDomain = "sw.main.company.com";
    private string sDomainGC = "sw.main.company.com:3268";
    private string sDefaultOU = "DC=sw,DC=main,DC=company,DC=com";
    private string sDefaultRootOU = "DC=main,DC=company,DC=com";
    private string sGroupName = "Production_Universal_AD_Group";
    private string connectionString = "Server=OurServerName\\PROD; Integrated Security=True; Initial Catalog=OurUsers";
    private string sqlAdd = "SELECT FullID FROM ViewFolkstoAdd";
    private string sqlRemove = "SELECT FullID FROM ViewFolkstoRemove";

    #endregion
    public void SyncADUsers()
    {
        // Get Database Ready and Remove Users
        SqlConnection connectionRemove = new SqlConnection(connectionString);
        SqlCommand commandRemove = new SqlCommand(sqlRemove, connectionRemove);
        connectionRemove.Open();
        SqlDataReader readerRemove = commandRemove.ExecuteReader();

        if (readerRemove.HasRows)
        {
            int i = 0;
            while (readerRemove.Read())
            {
                string sUserName = readerRemove.GetString(0);
                RemoveUserFromGroup(sUserName, sGroupName);
                i = i + 1;
                Console.WriteLine("{0} {1}", i, sUserName);
            }
        }
        else
        {
            Console.WriteLine("No rows found.");
        }
        readerRemove.Close();

        // Get Database Ready and Add Users
        SqlConnection connectionAdd = new SqlConnection(connectionString);
        SqlCommand commandAdd = new SqlCommand(sqlAdd, connectionAdd);
        connectionAdd.Open();
        SqlDataReader readerAdd = commandAdd.ExecuteReader();

        if (readerAdd.HasRows)
        {
            int i = 0;
            while (readerAdd.Read())
            {
                string sUserName = readerAdd.GetString(0);
                AddUserToGroup(sUserName, sGroupName);
                i = i + 1;
                Console.WriteLine("{0} {1}", i, sUserName);
            }
        }
        else
        {
            Console.WriteLine("No rows found.");
        }
        readerAdd.Close();
    }

    /// Gets a certain user on Active Directory
    /// Returns the UserPrincipal Object
    public UserPrincipal GetUser(string sUserName)
    {
        PrincipalContext oPrincipalContext = GetPrincipalContextGC();
        UserPrincipal oUserPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, sUserName);
        return oUserPrincipal;
    }

    /// Adds the user for a given group
    /// Returns true if successful
    public bool AddUserToGroup(string sUserName, string sGroupName)
    {
        try
        {
            UserPrincipal oUserPrincipal = GetUser(sUserName);
            GroupPrincipal oGroupPrincipal = GetGroup(sGroupName);
            if (oUserPrincipal != null && oGroupPrincipal != null)
            {
                oGroupPrincipal.Members.Add(oUserPrincipal);
                oGroupPrincipal.Save();
            }
            return true;
        }
        catch
        {
            return false;
        }
    }

    /// Removes user from a given group
    /// Returns true if successful
    public bool RemoveUserFromGroup(string sUserName, string sGroupName)
    {
        try
        {
            UserPrincipal oUserPrincipal = GetUser(sUserName);
            GroupPrincipal oGroupPrincipal = GetGroup(sGroupName);
            if (oUserPrincipal != null && oGroupPrincipal != null)
            {
                oGroupPrincipal.Members.Remove(oUserPrincipal);
                oGroupPrincipal.Save();
            }
            return true;
        }
        catch
        {
            return false;
        }
    }

    /// Gets PrincipalContext from the Local Domain
    /// Returns the PrincipalContext
    public PrincipalContext GetPrincipalContext()
    {
        PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sDefaultOU, ContextOptions.Negotiate);
        return oPrincipalContext;
    }

    /// Gets PrincipalContext from the Global Catalog
    /// Returns the PrincipalContext
    public PrincipalContext GetPrincipalContextGC()
    {
        PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomainGC, sDefaultRootOU, ContextOptions.Negotiate);
        return oPrincipalContext;
    }

    /// Gets a certain group on Active Directory
    /// Returns the GroupPrincipal Object
    public GroupPrincipal GetGroup(string sGroupName)
    {
        PrincipalContext oPrincipalContext = GetPrincipalContext();
        GroupPrincipal oGroupPrincipal = GroupPrincipal.FindByIdentity(oPrincipalContext, sGroupName);
        return oGroupPrincipal;
    }
}
}
0
baldpate On

Global catalog is read-only.

Please connect to the LDAP port (default 389) to update the group.

Related Questions in C#

Related Questions in DNS

Related Questions in ACTIVE-DIRECTORY

Related Questions in GROUPPRINCIPAL

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions