Solved

Adding to AD group with ASP and AccountManagement namespace

Posted on 2011-02-25
4
312 Views
Last Modified: 2012-08-14
Greetings,
I wan to use the following code as a template to add user to a particular group in AD. The problem I'm encountering is how to add to an OU group that has the same name as others. For example, Users in Miami in Florida in US versus Users in Madrid in Spain. Thanks.
GroupPrincipal grp = GroupPrincipal.FindByIdentity(ctx,
                                                   IdentityType.Name,
                                                   "Domain Admins");
if (grp != null)
{
    grp.Members.Remove(ctx, IdentityType.Name, "John Smith");          
    grp.Members.Add(ctx, IdentityType.Name, "Jim Daly");
    grp.Save();
    grp.Dispose();
}
ctx.Dispose();



0
Comment
Question by:centem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 500 total points
ID: 34982746
There's a difference between an OU and a group.

An OU is a container in Active Directory, and contains things like Users, Computer Accounts and Groups.  OUs are primarily an organizational tool.  You cannot assign file access rights or operating system privileges to an OU.  An example of an OU would be the "Domain Controllers" OU, which would normally contain the computer accounts for all of the domain's controllers.  An object, like a user, can only exist in one OU at any one time.  OUs are generally referred to by their paths, which necessarily distinguishes between any two.  In your example, the two OUs might have LDAP paths such as "OU=Users,OU=Miami,OU=Florida,OU=USA,DC=somdomain,DC=com" and "OU=Users,OU=Madrid,OU=Spain,OU=Europe,DC=someDomain,DC=com" Notice that the paths work kinda like filenames - they read left-to-right most-specific to least-specific, i.e. since Miami is more specific than Florida, it's to the left.  If you imagine the tree in Active Directory Users & Computers, the top of that tree would be the right-most component of the OU's path, and one particular OU would be the left-most.  OUs generally are referred to by their LDAP path.

A group, or more accurately a "Security Group", behaves more like a special kind of user account that contains a list of other users and groups.  Groups can only contain users and other groups.  A user can be a member of any number of groups, or none.  Security privileges, like file access and privileges can be assigned to groups.  In any given domain there can not be more than one group of any given name, they each must be unique (even if they're in separate OUs).  Examples of groups would be "Domain Admins" and "Domain Users"  Security groups generally are referred to by their "user" name syntax, such as "MYDOMAIN\Domain Admins" or "MYDOMAIN\Domain Users" - but they can also be referred to by their LDAP paths (usually only when writing code though, or some similar type of activity).  So if your Miami/Users OU had a "Miami Admins" group, it's LDAP path might be "CN=Miami Admins,OU=Users,OU=Miami,OU=Florida,OU=USA,DC=somdomain,DC=com"

Are you talking about groups or OUs?

(CN = Common Name, OU = Organizational Unit, DC= Domain Context)
0
 

Author Comment

by:centem
ID: 34982941
That was extremely helpful. Thank you. I'm going to experiment a bit and let you know. Thanks
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34983241
Glad it made sense to you,  reads like gobbeldygook to me.
0
 

Author Closing Comment

by:centem
ID: 34989265
Not just helpful but also educational. Value added info.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question