creating a new user in Active Directory

Thread starter: Mario Rodriguez

Mario Rodriguez

Hi, I'm trying to add a new user to my Active Directory, but the problem is
that the following snippet doesn't throw any exception or error, yet never
adds the user to the Active Directory:


public DirectoryEntry addUser(UserContainer v_objUserContainer) {

    if (impersonateUser(this.LoginUsername, this.DomainName,
                        this.strPassword)) { // make the operation with a privileged user

        DirectoryEntry entry =
            objRootActiveDirectory.Children.Add(v_objUserContainer.getLogin(), "user");

        /* only set the password if it is defined */
        if (v_objUserContainer.getPassword() != "" &&
            v_objUserContainer.getPassword() != null) {
            entry.Invoke("SetPassword", new object[] { v_objUserContainer.getPassword() });
        }

        invokeProperty(ref entry, "FullName", v_objUserContainer.getFullName());

        objRootActiveDirectory.CommitChanges();

        undoImpersonification();

        return entry;

    } else {
        return null;
    }
}



Any idea?

Thanks
 
Just a few thoughts/ideas to try:

1. can you perform the same operation from the same box under the account
you are trying to impersonate using e.g. "AD Users & Computers" snap-in
2. what happens if you don't try to impersonate - does it still fail
silently?
3. Is there anything in the event log (security) on either the box you are
running on or box running AD? If not check the "Local Security Policy" audit
settings and ensure that logon failures are enabled under local audit
policy.
4. Does the impersonating account have Kerberos delegation enabled?
(configuration depends on whether this is on Win2K or Win2003)

Hopefully something here might lead you to a solution, or at least narrow
it down a bit. Let us know how it goes.

Richard.
 
Thanks Richard. Consider my comments between lines:

1. can you perform the same operation from the same box under the account
you are trying to impersonate using e.g. "AD Users & Computers" snap-in
[Yes, it works perfectly because I'm trying to impersonate with a member
of the administrators group]

2. what happens if you don't try to impersonate - does it still fail
silently?
[My user is a simple member of Domain Users, so I have no rights to create
users in Active Directory]

3. Is there anything in the event log (security) on either the box you are
running on or box running AD? If not check the "Local Security Policy" audit
settings and ensure that logon failures are enabled under local audit
policy.
[the Local Security Policy is OK and the event log is empty]

4. Does the impersonating account have Kerberos delegation enabled?
(configuration depends on whether this is on Win2K or Win2003)
[I'm using Win2K as development box and Active Directory server (different
machines). How do I enable Kerberos delegation for the impersonating account?]

Thanks


 
Now I'm getting the following exception:

A constraint violation occurred.
at System.DirectoryServices.Interop.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at activedirectory.OadActiveDirectory.agregar(ContenedorUsuario v_objContenedorUsuario) in c:\documents and settings\mrodriguez\my documents\visual studio projects\activedirectory\oadactivedirectory.cs:line 116
at activedirectory.Programa.Main() in c:\documents and settings\mrodriguez\my documents\visual studio projects\activedirectory\main.cs:line 27

Any idea? The code is the following:

DirectoryEntry de = new DirectoryEntry("LDAP://CN=Users,DC=avantica,DC=avanticatec,DC=net");

Console.WriteLine("Schema es: " + de.SchemaClassName);

DirectoryEntry user = de.Children.Add("CN=sugef2", "user");

user.CommitChanges(); // <= the exception is thrown here

de.CommitChanges();



 
Hi Mario

In the code snippet you provide it doesn't look like you are setting the
password.
That could well be the cause of the specific error message you are getting
(the "constraint" probably relates to password complexity rules defined by
domain group policy)

Richard.

 
Any idea? The code is the following:

DirectoryEntry de = new DirectoryEntry("LDAP://CN=Users,DC=avantica,DC=avanticatec,DC=net");

DirectoryEntry user = de.Children.Add("CN=sugef2", "user");
user.CommitChanges(); // <= the exception is thrown here

You have to AT LEAST set the required / mandatory attributes, and one
of them is the sAMAccountName for users - once you add this line, you
should be fine:

user.Properties["samAccountName"].Value = "sugef2";

*BEFORE* the .CommitChanges() !

Marc
 
Now I changed the code as follows:

DirectoryEntry de = new DirectoryEntry("LDAP://CN=Users,DC=avantica,DC=avanticatec,DC=net");

Console.WriteLine("Schema es: " + de.SchemaClassName);

DirectoryEntry user = de.Children.Add("CN=sugef2", "user");

user.Properties["FullName"].Value = "test";
user.Properties["Description"].Value = "sugef";
user.Properties["samAccountName"].Value = "sugef2";
user.Properties["Password"].Value = "sugef2";

de.CommitChanges();
user.CommitChanges();

but it throws the following exception:

The specified directory service attribute or value does not exist.
at System.DirectoryServices.Interop.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at activedirectory.OadActiveDirectory.agregar(ContenedorUsuario v_objContenedorUsuario) in c:\documents and settings\mrodriguez\my documents\visual studio projects\activedirectory\oadactivedirectory.cs:line 142
at activedirectory.Programa.Main() in c:\documents and settings\mrodriguez\my documents\visual studio projects\activedirectory\main.cs:line 27





 
DirectoryEntry user = de.Children.Add("CN=sugef2", "user");
user.Properties["FullName"].Value = "test";

There is no property called "FullName" in LDAP. Check out the LDAP
documentation - you're probably wanting to set the "displayName"
attribute.
user.Properties["Password"].Value = "sugef2";

You CANNOT set the password like this. You have to first set the
"normal" user properties, call .CommitChanges(), and then use

user.Invoke("SetPassword", new object[] { "newpassword" });

Marc
 
DirectoryEntry user = de.Children.Add("CN=sugef2", "user");
user.Properties["FullName"].Value = "test";
user.Properties["Description"].Value = "sugef";
user.Properties["samAccountName"].Value = "sugef2";
user.Properties["Password"].Value = "sugef2";

You might want to have a look at my BeaverTail ADSI Browser - it will
show you your existing AD objects, and all their properties with a
value. That'll show you what the attributes are called in LDAP.

It's C#, it's available with full source code, and it's free for any
use:

http://adsi.mvps.org/adsi/CSharp/beavertail.html

Marc
 
Bad news Marc, see the latest code changes:

DirectoryEntry de = new DirectoryEntry("LDAP://CN=Users,DC=avantica,DC=avanticatec,DC=net");

Console.WriteLine("Schema es: " + de.SchemaClassName);

DirectoryEntry user = de.Children.Add("CN=sugef2", "user");

user.Properties["displayName"].Value = "test";
user.Properties["Description"].Value = "sugef";
user.Properties["samAccountName"].Value = "sugef2";

user.Invoke("SetPassword", new object[] { "sugef2" }); // The exception was raised here

de.CommitChanges();
user.CommitChanges();

And the "SetPassword" line throws this exception:

Exception has been thrown by the target of an invocation.
at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
at System.RuntimeType.InvokeMember(String name, BindingFlags invokeAttr, Binder binder, Object target, Object[] args, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParameters)
at System.Type.InvokeMember(String name, BindingFlags invokeAttr, Binder binder, Object target, Object[] args)
at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
at activedirectory.OadActiveDirectory.agregar(ContenedorUsuario v_objContenedorUsuario) in c:\documents and settings\mrodriguez\my documents\visual studio projects\activedirectory\oadactivedirectory.cs:line 136
at activedirectory.Programa.Main() in c:\documents and settings\mrodriguez\my documents\visual studio projects\activedirectory\main.cs:line 27










 
Partial good news Marc, now I can create users in Active Directory, but all
the new users created are inactive. Any idea how to create active users?

This is the code:

DirectoryEntry de = new DirectoryEntry("LDAP://CN=Users,DC=avantica,DC=avanticatec,DC=net");

Console.WriteLine("Schema es: " + de.SchemaClassName);

DirectoryEntry user = de.Children.Add("CN=sugef2", "user");

user.Properties["name"].Value = "sugef2";
user.Properties["givenName"].Value = "sugef2";
user.Properties["Description"].Value = "sugef2";
user.Properties["samAccountName"].Value = "sugef2";

de.CommitChanges();
user.CommitChanges();

BTW, any of the following lines throws an exception:

user.Invoke("SetPassword", new object[] { "sugef2" });

user.Properties["sn"].Add("test");

user.Properties["givenName"].Add("sugef");

user.Invoke("Put", new object[] {"FullName", "sugef2"});

user.Invoke("Put", new object[] {"Description", "descripcion sugef2"});

user.Properties["userPrincipalName"].Value = "(e-mail address removed)";

user.Properties["displayName"].Value = "sugef2";

user.Password = "sugef2";




 
Finally I could do it :)

This is the solution:

DirectoryEntry de = new DirectoryEntry("LDAP://CN=Users,DC=avantica,DC=avanticatec,DC=net");

Console.WriteLine("Schema es: " + de.SchemaClassName);

DirectoryEntry user = de.Children.Add("CN=sugef2", "user");

user.Properties["name"].Value = "sugef2";
user.Properties["givenName"].Value = "sugef2";
user.Properties["Description"].Value = "sugef2";
user.Properties["samAccountName"].Value = "sugef2";

user.CommitChanges();

// this should be invoked after the first CommitChanges
user.Invoke("SetPassword", new object[] { "sugef2" });

// this enables the new user:
user.Properties["userAccountControl"].Value = 0x200; // ADS_UF_NORMAL_ACCOUNT

user.CommitChanges();

de.CommitChanges();

Thanks to all you guys for the help



 
Partial good news Marc, now I can create users in Active Directory, but all
the new users created are inactive. Any idea how to create active users?

Sure - you need to set the userAccountControl flag to the appropriate
values. Check up on MSDN for this

http://tinyurl.com/2h62f

I'd use

int iNormalAccount = ActiveDs.ADS_UF_NORMAL_ACCOUNT;
user.Properties["userAccountControl"].Value = iNormalAccount;

before the call to .CommitChanges();
DirectoryEntry de = new DirectoryEntry("LDAP://CN=Users,DC=avantica,DC=avanticatec,DC=net");

de.CommitChanges();

This is not necessary - you don't need to commit changes to the
container you're creating a user in - just call .CommitChanges()
on the user object you've created.

user.Properties["sn"].Add("test");
user.Properties["givenName"].Add("sugef");

Yes - as long as your user doesn't have a VALUE for these properties,
then the Properties["...."] will return a NULL pointer, so you can't
ADD something to where nothing is.
user.Invoke("Put", new object[] {"FullName", "sugef2"});

Yes - again - there IS *NO* attribute called "FullName" on a LDAP
user object ! You can't set a value for a non-existing attribute.

Marc

================================================================
Marc Scheuner May The Source Be With You!
Bern, Switzerland m.scheuner(at)inova.ch
 
DirectoryEntry de = new DirectoryEntry("LDAP://CN=Users,DC=avantica,DC=avanticatec,DC=net");

DirectoryEntry user = de.Children.Add("CN=sugef2", "user");

user.Properties["displayName"].Value = "test";
user.Properties["Description"].Value = "sugef";
user.Properties["samAccountName"].Value = "sugef2";

user.Invoke("SetPassword", new object[] { "sugef2" }); // The exception was raised here

user.CommitChanges();

Yes, as I mentioned - you have to CREATE the user first, including the
call to user.CommitChanges(), before you can call the "SetPassword"
method on it !

Marc

================================================================
Marc Scheuner May The Source Be With You!
Bern, Switzerland m.scheuner(at)inova.ch
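Putting the ordering the thread converged on (mandatory attributes, first CommitChanges, then SetPassword, then enable) into one helper, as an added example that is not code from the thread or from any poster; the container path and the "sugef2" name are the thread's, while the helper, its unwrapping of the invocation exception and the bit-mask handling of userAccountControl are my assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;

// Added example, not code from the thread. The container path and the
// "sugef2" name are the thread's; the helper, its error handling and the
// enable logic are my assumptions.
public static class AdUserCreator
{
    // userAccountControl bits (ADS_USER_FLAG values)
    const int ADS_UF_ACCOUNTDISABLE = 0x0002;
    const int ADS_UF_PASSWD_NOTREQD = 0x0020;
    const int ADS_UF_NORMAL_ACCOUNT = 0x0200;

    public static DirectoryEntry CreateEnabledUser(
        string containerPath, string samAccountName,
        string displayName, string password)
    {
        // Assumes samAccountName holds no DN-special characters
        // (,+"\<>;=# or leading/trailing spaces); escape it if it can.
        using (var container = new DirectoryEntry(containerPath))
        {
            DirectoryEntry user =
                container.Children.Add("CN=" + samAccountName, "user");

            // sAMAccountName is mandatory: without it the first commit fails
            // with "A constraint violation occurred". "FullName" is not an
            // LDAP attribute; displayName is.
            user.Properties["sAMAccountName"].Value = samAccountName;
            user.Properties["displayName"].Value = displayName;

            // First commit creates the object; SetPassword needs it to exist.
            user.CommitChanges();

            try
            {
                user.Invoke("SetPassword", new object[] { password });
            }
            catch (TargetInvocationException ex)
            {
                // DirectoryEntry.Invoke wraps the ADSI error; surface the
                // inner message (typically a domain password-policy rejection).
                Exception inner = ex.InnerException ?? ex;
                throw new InvalidOperationException(
                    "SetPassword failed: " + inner.Message, inner);
            }

            // Objects created over LDAP start disabled (typically 0x222:
            // NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD). Read the
            // server's value and clear the two risky bits rather than
            // overwriting the whole flag set with 0x200.
            user.RefreshCache(new[] { "userAccountControl" });
            object raw = user.Properties["userAccountControl"].Value;
            int uac = raw is int ? (int)raw : ADS_UF_NORMAL_ACCOUNT;
            uac |= ADS_UF_NORMAL_ACCOUNT;
            uac &= ~(ADS_UF_ACCOUNTDISABLE | ADS_UF_PASSWD_NOTREQD);
            user.Properties["userAccountControl"].Value = uac;
            user.CommitChanges();
            return user;
        }
    }
}
```

Call it as CreateEnabledUser("LDAP://CN=Users,DC=avantica,DC=avanticatec,DC=net", "sugef2", "sugef2", pwd) with the password read from a secure source rather than a string literal; the caller owns and should dispose the returned entry.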
 