Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

add user to trusted domain

Last post 02-25-2010, 11:01 PM by joe. 3 replies.
  •  02-18-2010, 7:07 PM 7854

    add user to trusted domain

    I've been working on this problem for about a week and it nearly drove me crazy.

    I have two domains. "Domain A" contains a group ("COUNTRY-CN"), and I want to add users from the trusted domain ("Domain B") to that group. I can manually add the users to the group without any problem using Active Directory Users and Computers.

    I can use the code to add a user to the group in the same domain. But when I tried to add a user from the trusted domain,

    the error showed: The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)

    the code:

    using System.DirectoryServices;

    // GetDirectoryEntryByAccount, UserName, DomainReference and sid are the
    // poster's own helper and variables; they are not shown in the thread.
    DirectoryEntry oGroup = new DirectoryEntry(
        @"LDAP://CN=COUNTRY-CN,OU=ByCountry,OU=Groups,OU=Standard,DC=A,DC=com",
        @"A\lei", "XXXXXX"); // AuthenticationTypes.Secure);

    DirectoryEntry oUser = GetDirectoryEntryByAccount(UserName, DomainReference, "");

    string strDomain = "B.com";

    // Bind the member by SID through the trusted domain; oUser is only used for the null check below
    String UserPath = "LDAP://" + strDomain + "/<SID=" + sid + ">";

    if (oGroup != null && oUser != null)
    {
        oGroup.Invoke("Add", new Object[] { UserPath });   // the error message stopped at this line
        oGroup.CommitChanges();

        return true;
    }

    // UserPath: LDAP://B.com/<SID=S-1-5-21-3913676305-412022068-3582600154-1180>
    // oGroup:   LDAP://CN=COUNTRY-CN,OU=ByCountry,OU=Groups,OU=Standard,DC=A,DC=com

    Could anyone help to look at it ? thanks much. Lei

  •  02-19-2010, 12:02 PM 7855 in reply to 7854

    Re: add user to trusted domain

    I'm assuming that you are absolutely certain the SID for the user in B.com is correct, right?

    If so, here are a couple other things to try:

    • Use a serverless binding path in your LDAP path for the add operation (LDAP://<SID=xxxx>)
    • Modify the member attribute directly using the SID DN (without the LDAP:// prefix)

    Assuming the state of the trusts is correct and this works in the GUI, I would expect this to work here too. On the other hand, this type of thing is often problematic for various reasons and has been discussed on the forum a few times in the past. There may also be other threads you can dig up via search that have additional useful hints I'm forgetting right now.

  •  02-25-2010, 6:52 PM 7875 in reply to 7855

    Re: add user to trusted domain

    Thanks for your suggestion.

    I tried the way you mentioned, but it also failed. The error message was the same as before.

    Luckily, I found the way to resolve it.

    Not using the SID, but using user.Properties["distinguishedName"].Value to add to the group. It worked.

    I don't know why. I think the SID is more reliable.

  •  02-25-2010, 11:01 PM 7877 in reply to 7875

    Re: add user to trusted domain

    I think I remember a similar thread a few years ago that I asked a dev from the AD team to look at and this may have turned out to be the same result. I recall some confusion by him as to why the SID didn't work as well but I don't know if we ever figured out the root problem.

    In any regard, I'm glad it worked for you. I wish I knew exactly why the SID didn't work.
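The following is an added example and is not code from the thread or from either poster. It puts together what the thread ends on: joe's suggestion to write the group's member attribute directly instead of calling Invoke("Add"), and Lei's finding that the member value that was accepted was the user's distinguishedName read from the trusted domain rather than the <SID=...> form. It also reads back objectSid so the SID you believe you have can be compared with the real one, which is the first thing joe asked about. The domain names, the group path and the account name are placeholders; the code binds with the calling process's own Kerberos/NTLM identity instead of a password embedded in the source as in the original post.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example (not from the thread). Domain names, group DN and the
// account name below are assumptions for illustration.
public static class CrossDomainGroupMember
{
    public sealed class UserRef
    {
        public string DistinguishedName;
        public string Sid;
    }

    // Escape a value for use inside an LDAP search filter (RFC 4515) so an
    // account name taken from input cannot change the filter's meaning.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Bind to the trusted domain with the caller's own identity (no password
    // in source) and resolve the account to its DN and its SID.
    public static UserRef LookupUser(string domainDns, string samAccountName)
    {
        using (var root = new DirectoryEntry("LDAP://" + domainDns, null, null,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("objectSid");

            SearchResult result = searcher.FindOne();
            if (result == null)
                throw new InvalidOperationException("No user " + samAccountName + " in " + domainDns);

            var sidBytes = (byte[])result.Properties["objectSid"][0];
            return new UserRef
            {
                DistinguishedName = (string)result.Properties["distinguishedName"][0],
                Sid = new SecurityIdentifier(sidBytes, 0).Value   // S-1-5-21-... form
            };
        }
    }

    // Write memberDn into the group's member attribute directly (no Invoke("Add")).
    // Returns false if the DN was already listed, true after a verified add.
    public static bool AddMemberByDn(string groupPath, string memberDn)
    {
        using (var group = new DirectoryEntry(groupPath, null, null,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            if (ContainsMember(group, memberDn))
                return false;

            group.Properties["member"].Add(memberDn);
            group.CommitChanges();

            // Re-read member from the DC instead of trusting the local property cache.
            group.RefreshCache(new[] { "member" });
            if (!ContainsMember(group, memberDn))
                throw new InvalidOperationException("Add committed but member not visible on re-read");
            return true;
        }
    }

    // DirectoryEntry returns at most the server's range limit (1500 values by
    // default) for member, so on very large groups this pre-check is incomplete;
    // the server itself rejects a duplicate value on commit.
    private static bool ContainsMember(DirectoryEntry group, string memberDn)
    {
        foreach (object existing in group.Properties["member"])
            if (string.Equals((string)existing, memberDn, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    public static void Main()
    {
        UserRef user = LookupUser("B.com", "someuser");   // placeholder account in the trusted domain
        Console.WriteLine("resolved " + user.DistinguishedName + " (" + user.Sid + ")");

        bool added = AddMemberByDn(
            "LDAP://A.com/CN=COUNTRY-CN,OU=ByCountry,OU=Groups,OU=Standard,DC=A,DC=com",
            user.DistinguishedName);
        Console.WriteLine(added ? "added" : "already a member");
    }
}
```

Run it under an account that can read the user in B.com and has write access to the member attribute of the group in A.com; the Secure plus Sealing flags give an authenticated, encrypted LDAP session without a cleartext password in the program. The printed SID is what to compare against the value you were passing in the <SID=...> path before concluding the SID form itself is the problem.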
