创建用户后将用户添加到 AD 安全组失败
我正在使用 WCF 服务向我们的帮助台工作人员公开某些 Active Directory 管理功能,而不向他们提供直接操作 AD 所需的组成员身份。将用户添加到组中以及从组中删除用户就像使用现有用户一样工作,但是每次我创建新用户时,它都会返回这个有趣的代码:
The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)
我用来将用户添加到组中的代码是
public bool AddGroupToUser(string userDn, string groupDn)
{
try
{
DirectoryEntry groupEntry = LdapTools.GetDirectoryEntry(groupDn);
groupEntry.Properties["member"].Add(userDn);
groupEntry.CommitChanges();
groupEntry.Close();
return true;
}
catch (DirectoryServicesCOMException)
{
return false;
}
}
我读过的所有内容这个主题相当模糊,我似乎无法找出为什么会触发异常。有什么想法吗?
更新
这是我用来在 AD 中创建用户的代码:
try
{
DirectoryEntry container = GetDirectoryEntry(storageOu);
DirectoryEntry newUser = container.Children.Add("CN=" + employee.FullName, "user");
newUser.Properties["sAMAccountName"].Value = employee.Username;
newUser.Properties["displayName"].Value = employee.FullName;
newUser.Properties["givenName"].Value = employee.FirstName;
newUser.Properties["sn"].Value = employee.LastName;
newUser.Properties["department"].Value = departmentName;
newUser.Properties["userPrincipalName"].Value = employee.Username + "@APEX.Local";
newUser.CommitChanges();
newUser.Invoke("SetPassword", new object[] { employee.Password });
newUser.CommitChanges();
AdsUserFlags userSettings = AdsUserFlags.NormalAccount;
newUser.Properties["userAccountControl"].Value = userSettings;
newUser.CommitChanges();
ldapPath = newUser.Path;
newUser.Close();
container.Close();
}
catch (DirectoryServicesCOMException e)
{
// Something went wrong... what???
}
catch (Exception e)
{
// Something else went wrong
}
新用户可以登录,并且可以使用标准 MS 工具进行操作。
I am using a WCF service to expose certain Active Directory management functions to our help desk staff without giving them the group membership required to manipulate AD directly. Adding users to and removing users from groups is working like a champ with existing users, but every time I create a new user it throws back this fun code:
The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)
The code I use to add the user to the group is
public bool AddGroupToUser(string userDn, string groupDn)
{
try
{
DirectoryEntry groupEntry = LdapTools.GetDirectoryEntry(groupDn);
groupEntry.Properties["member"].Add(userDn);
groupEntry.CommitChanges();
groupEntry.Close();
return true;
}
catch (DirectoryServicesCOMException)
{
return false;
}
}
Everything I've read on the subject is rather vague and I can't seem to find out WHY the exception is being triggered. Any ideas?
UPDATE
This is the code I use to create the user in AD:
try
{
DirectoryEntry container = GetDirectoryEntry(storageOu);
DirectoryEntry newUser = container.Children.Add("CN=" + employee.FullName, "user");
newUser.Properties["sAMAccountName"].Value = employee.Username;
newUser.Properties["displayName"].Value = employee.FullName;
newUser.Properties["givenName"].Value = employee.FirstName;
newUser.Properties["sn"].Value = employee.LastName;
newUser.Properties["department"].Value = departmentName;
newUser.Properties["userPrincipalName"].Value = employee.Username + "@APEX.Local";
newUser.CommitChanges();
newUser.Invoke("SetPassword", new object[] { employee.Password });
newUser.CommitChanges();
AdsUserFlags userSettings = AdsUserFlags.NormalAccount;
newUser.Properties["userAccountControl"].Value = userSettings;
newUser.CommitChanges();
ldapPath = newUser.Path;
newUser.Close();
container.Close();
}
catch (DirectoryServicesCOMException e)
{
// Something went wrong... what???
}
catch (Exception e)
{
// Something else went wrong
}
The new user can login, and can be manipulated using the standard MS tools.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
显然,除非我错过了重要的一步,否则问题就是时间。当在尝试将组添加到新用户之前强制系统休眠 8 秒时,该过程将起作用。如果我早于 8 秒标记,它就会失败。
我将这个答案标记为正确,除非有人可以为我提供更好的解决方案。
Apparently, unless I'm missing an important step here, the issue is time. When forcing the system to sleep for 8 seconds before attempting to add groups to the new user the process works. If I do it any sooner than the 8 second mark it fails.
I'm marking this answer as correct unless anybody can provide me a better solution.
尝试:
参考:
http://www.c-sharpcorner.com/UploadFile/dhananjaycoder/ ActiveDirectoryOperations11132009113015AM/ActiveDirectoryOperations.aspx
Try:
Reference:
http://www.c-sharpcorner.com/UploadFile/dhananjaycoder/activedirectoryoperations11132009113015AM/activedirectoryoperations.aspx
正如此处中提到的,您能告诉我们您为新创建的用户设置了密码吗?在参考文献中,它说您应该在对用户执行任何操作之前设置用户的密码。
As it mentioned in here, can you tell us that you set the password of the newly created users? In the reference, it says that you should SetPassword of the user before doing anything with it.
Active Directory 复制问题可能会导致时间问题。
有一次,我向客户提供了一个产品,该产品通过 Active Directory 创建用户,其中包含 10,000 多条记录,并在 SharePoint 表单上提供给定信息,然后程序将用户添加到 SharePoint 组。问题是,SharePoint 抛出有关新创建用户的错误,它表示用户在 AD 中不存在。
因此,我们的一位系统工程师告诉我们有关 Active Directory 上的复制操作的情况,这可能是问题的根源,而且确实如此。
对于解决方案,程序尝试在 1 秒休眠的情况下执行该工作 10 次。到目前为止还没有出现问题。因此,作为解决方案,我建议您检查 AD 是否存在复制方法。
PS:当我向客户系统工程师询问复制操作的问题时,他们都否认AD复制操作的存在,并告诉我程序有问题。他们相信我,当我们从一台计算机在 AD 中创建一个新用户时,我们在另一台计算机上有 5 秒钟看不到该用户。
Time issue could occur from a Active Directory replication issue.
Once, I gave a product to my customer which creates user over Active Directory, which has over 10.000 records in it, with the given informations on a SharePoint form and then program adds the user to a SharePoint group. The problem was, SharePoint throws an error about the newly created user, it says user does not exist in AD.
So, one of out system engineer told us about the replication opearation on the Active Directory that it could be the source of the problem and it was true.
For the solution, program tries to do the job for 10 times with 1 second sleeps. No problem occurred so far. So as a solution, I would suggest you to check out the AD for the existence of replication method.
P.S: When I asked questions to my customers system engineers about the replication operation, they all rejected the existence of AD replication operation and told me that the program has the problem. They believed me when we created a new user in AD from a computer, we couldn't see the user for 5 seconds on an another computer.