將用戶從不同的域添加到AD Universal Group C#
[英]Adding Users to AD Universal Group from Different Domains C#
問題描述
我們在同一個目錄林中有許多域(即sw.main.company.com,nw.main.company.com,main.company.com),並且我在sw.main.company.com中擁有一個OU的控制權設置通用Active Directory組。
我在默認的AD端口上使用System.DirectoryServices.AccountManagement .NET 4.5等實用地(c#)將“ sw”域用戶添加到組中沒有任何困難,但是在添加來自其他域(nw,mw,等等),設置新的PrincipalContext(ContextType.Domain“ sw.main”時,出現“ HResult = -2147016651 Message =服務器不願意處理請求”和“不允許通過GC端口,數據0,v1db1進行的操作”。 company.com:3268","DC=主要,DC =公司,DC = com“)。
所有域控制器也是全局編錄服務器,並且調用端口3268允許來自其他域的用戶正確解析,但是我不能使用GlobalPrincipal.Save()命令提交附加操作,而不會引發錯誤。
我在下面包括了相關代碼以及詳細的錯誤堆棧。 我需要這方面的幫助。
public void SyncADUsers()
{
AddUserToGroup("MW\\abc123user", "Universal_Group_1");
}
public void AddUserToGroup(string userId, string groupName)
{
try
{
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "sw.main.company.com:3268", "DC=main,DC=company,DC=com"))
{
GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupName);
group.Members.Add(pc, IdentityType.SamAccountName, userId);
group.Save();
}
}
catch (System.DirectoryServices.DirectoryServicesCOMException E)
{
//doSomething with E.Message.ToString();
}
}
未處理System.InvalidOperationException HResult = -2146233079 Message =服務器不願意處理該請求。 Source = System.DirectoryServices.AccountManagement StackTrace:位於System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(主體組,DirectoryEntry de,NetCred憑據,AuthenticationTypes authTypes)位於System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectoryMembership(主體p,UpdateCtx,StoreCtx在c的ExampleUsers.SyncAD.AddUserToGroup(String userId,String groupName)的System.DirectoryServices.AccountManagement.ADStoreCtx.Update(Principal p)的System.DirectoryServices.AccountManagement.ADStoreCtx.Update(Principal p)處的updateGroupMembership,NetCred憑證authTypes) \\ SourceControl \\ ExampleUsers \\ ExampleUsers \\ SyncAD.cs:第33行,位於c:\\ SourceControl \\ ExampleUsers \\ ExampleUsers \\ SyncAD.cs:第13行,位於ExampleUsers.Program.Main(String [] args)中c:\\ SourceControl \\ ExampleUsers \\ ExampleUsers \\ Program.cs:System.AppDomain._nExecuteAssembly中的第62行(RuntimeAssembly程序集,String []參數 )在System.AppDomain.ExecuteAssembly(String assemblyFile,Evidence assemblySecurity,String [] args)在Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()在System.Threading.ThreadHelper.ThreadStart_Context(Object state)在System.Threading.ExecutionContext。 System.Threading.ExecutionContext.Run(ExecutionContext執行上下文,ContextCallback回調,對象狀態,布爾值保持SyncCtx)在System.Threading.ExecutionContext.Run(ExecutionContext執行上下文,ContextCallback回調,對象狀態,BooleanCallbackSyncCtx) System.Threading.ThreadHelper.ThreadStart()上的對象狀態)InnerException:System.DirectoryServices.DirectoryServicesCOMException HResult = -2147016651 Message =服務器不願意處理該請求。 源= System.DirectoryServices錯誤代碼= -2147016651 ExtendedError = 8245 ExtendedErrorMessage = 00002035:LdapErr:DSID-0C090B3E,注釋:不允許通過GC端口,數據0,v1db1 StackTrace進行操作:位於系統的System.DirectoryServices.DirectoryEntry.CommitChanges()。 DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(主體組,DirectoryEntry de,NetCred憑據,AuthenticationTypes authTypes)InnerException:
2 個解決方案
解決方案1
3 已采納 2015-01-14 19:01:23
參考BaldPate的響應,如果Global Catalog是只讀的,我們需要使用3268端口讀取和解析不同域中的用戶,然后在相同的上下文中使用389端口保存用戶。 這可以通過以下代碼(請注意分別對3268和默認389端口的調用)來完成,並感謝BaldPate的明確說明:
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Configuration;
namespace OurUsers
{
class SyncAD
{
#region Variables
private string sDomain = "sw.main.company.com";
private string sDomainGC = "sw.main.company.com:3268";
private string sDefaultOU = "DC=sw,DC=main,DC=company,DC=com";
private string sDefaultRootOU = "DC=main,DC=company,DC=com";
private string sGroupName = "Production_Universal_AD_Group";
private string connectionString = "Server=OurServerName\\PROD; Integrated Security=True; Initial Catalog=OurUsers";
private string sqlAdd = "SELECT FullID FROM ViewFolkstoAdd";
private string sqlRemove = "SELECT FullID FROM ViewFolkstoRemove";
#endregion
public void SyncADUsers()
{
// Get Database Ready and Remove Users
SqlConnection connectionRemove = new SqlConnection(connectionString);
SqlCommand commandRemove = new SqlCommand(sqlRemove, connectionRemove);
connectionRemove.Open();
SqlDataReader readerRemove = commandRemove.ExecuteReader();
if (readerRemove.HasRows)
{
int i = 0;
while (readerRemove.Read())
{
string sUserName = readerRemove.GetString(0);
RemoveUserFromGroup(sUserName, sGroupName);
i = i + 1;
Console.WriteLine("{0} {1}", i, sUserName);
}
}
else
{
Console.WriteLine("No rows found.");
}
readerRemove.Close();
// Get Database Ready and Add Users
SqlConnection connectionAdd = new SqlConnection(connectionString);
SqlCommand commandAdd = new SqlCommand(sqlAdd, connectionAdd);
connectionAdd.Open();
SqlDataReader readerAdd = commandAdd.ExecuteReader();
if (readerAdd.HasRows)
{
int i = 0;
while (readerAdd.Read())
{
string sUserName = readerAdd.GetString(0);
AddUserToGroup(sUserName, sGroupName);
i = i + 1;
Console.WriteLine("{0} {1}", i, sUserName);
}
}
else
{
Console.WriteLine("No rows found.");
}
readerAdd.Close();
}
/// Gets a certain user on Active Directory
/// Returns the UserPrincipal Object
public UserPrincipal GetUser(string sUserName)
{
PrincipalContext oPrincipalContext = GetPrincipalContextGC();
UserPrincipal oUserPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, sUserName);
return oUserPrincipal;
}
/// Adds the user for a given group
/// Returns true if successful
public bool AddUserToGroup(string sUserName, string sGroupName)
{
try
{
UserPrincipal oUserPrincipal = GetUser(sUserName);
GroupPrincipal oGroupPrincipal = GetGroup(sGroupName);
if (oUserPrincipal != null && oGroupPrincipal != null)
{
oGroupPrincipal.Members.Add(oUserPrincipal);
oGroupPrincipal.Save();
}
return true;
}
catch
{
return false;
}
}
/// Removes user from a given group
/// Returns true if successful
public bool RemoveUserFromGroup(string sUserName, string sGroupName)
{
try
{
UserPrincipal oUserPrincipal = GetUser(sUserName);
GroupPrincipal oGroupPrincipal = GetGroup(sGroupName);
if (oUserPrincipal != null && oGroupPrincipal != null)
{
oGroupPrincipal.Members.Remove(oUserPrincipal);
oGroupPrincipal.Save();
}
return true;
}
catch
{
return false;
}
}
/// Gets PrincipalContext from the Local Domain
/// Returns the PrincipalContext
public PrincipalContext GetPrincipalContext()
{
PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sDefaultOU, ContextOptions.Negotiate);
return oPrincipalContext;
}
/// Gets PrincipalContext from the Global Catalog
/// Returns the PrincipalContext
public PrincipalContext GetPrincipalContextGC()
{
PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomainGC, sDefaultRootOU, ContextOptions.Negotiate);
return oPrincipalContext;
}
/// Gets a certain group on Active Directory
/// Returns the GroupPrincipal Object
public GroupPrincipal GetGroup(string sGroupName)
{
PrincipalContext oPrincipalContext = GetPrincipalContext();
GroupPrincipal oGroupPrincipal = GroupPrincipal.FindByIdentity(oPrincipalContext, sGroupName);
return oGroupPrincipal;
}
}
}
解決方案2
1 2015-01-14 13:57:36
全局編錄是只讀的。
請連接到LDAP端口(默認為389)以更新組。
C#使用SearchResultCollection枚舉大批AD用戶
[英]C# Using SearchResultCollection to enumerate large group of AD users
使用C#將用戶添加到Active Directory組時遇到問題
[英]Having problems adding users to an Active Directory group using C#
使用存儲在sql數據庫中的AD組名稱授權C#應用程序中的用戶
[英]Using AD group names stored in sql database for authorizing users in C# app
具有Windows身份驗證的C#Web API-獲取具有可讀組名的本地Windows用戶組-無廣告
[英]C# Web API with Windows Authentication - Get Local Windows Users Groups with readable group name- No AD
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.