我们在同一个林中有很多域(即sw.main.company.com,nw.main.company.com,main.company.com),我可以控制sw.main.company.com中的OU我已经在那里建立了一个通用活动目录组。
我务实(c#)添加" sw"在默认AD端口上使用System.DirectoryServices.AccountManagement .NET 4.5等对该组的域用户,但是当涉及从其他域(nw,mw等)添加用户时,我得到" HResult = -2147016651消息=服务器不愿意处理请求"和"不允许通过GC端口,数据0,v1db1和#34;进行操作;设置新的PrincipalContext时(ContextType.Domain" sw.main.company.com:3268"," DC = main,DC = company,DC = com")。
所有域控制器也是全局编录服务器,调用端口3268允许来自其他域的用户正确解析,但我无法使用GlobalPrincipal.Save()命令提交添加而不会抛出错误。
我已经包含了下面的相关代码以及详细的错误堆栈。我需要帮助。
public void SyncADUsers()
{
AddUserToGroup("MW\\abc123user", "Universal_Group_1");
}
public void AddUserToGroup(string userId, string groupName)
{
try
{
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "sw.main.company.com:3268", "DC=main,DC=company,DC=com"))
{
GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupName);
group.Members.Add(pc, IdentityType.SamAccountName, userId);
group.Save();
}
}
catch (System.DirectoryServices.DirectoryServicesCOMException E)
{
//doSomething with E.Message.ToString();
}
}
System.InvalidOperationException未处理 HResult = -2146233079消息=服务器不愿意处理请求。 Source = System.DirectoryServices.AccountManagement StackTrace:at System.DirectoryServices.AccountManagement.ADStoreCtx System.DirectoryServices.AccountManagement.ADStoreCtx上的System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p,StoreCtx storeCtx,GroupMembershipUpdater updateGroupMembership,NetCred credentials,AuthenticationTypes authTypes)中的.UpdateGroupMembership(Principal group,DirectoryEntry de,NetCred credentials,AuthenticationTypes authTypes)。位于ExampleUsers.SyncAD的c:\ SourceControl \ ExampleUsers \ ExampleUsers \ SyncAD.cs:第33行的ExampleUsers.SyncAD.AddUserToGroup(String userId,String groupName)中的System.DirectoryServices.AccountManagement.Principal.Save()更新(Principal p) c:\ SourceControl \ ExampleUsers \ ExampleUsers \ SyncAD.cs中的.SyncADUsers():ExampleUsers.Program.Main(String [] a中的第18行rgs)在C:\ SourceControl \ ExampleUsers \ ExampleUsers \ Program.cs:System.AppDomain.ExExcuteAssembly(RuntimeAssembly assembly,String [] args)的第62行,System.AppDomain.ExecuteAssembly(String assemblyFile,Evidence assemblySecurity,String [] args )System.Threading上System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext,ContextCallback回调,Object state,Boolean preserveSyncCtx)的System.Threading.ThreadHelper.ThreadStart_Context(Object state)中的Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly() System.Threading.ThreadHelper.ThreadStart()InnerException:System.DirectoryServices中的System.Threading.ExecutionContext.Run(ExecutionContext executionContext,ContextCallback回调,对象状态)中的.ExecutionContext.Run(ExecutionContext executionContext,ContextCallback回调,Object状态,Boolean preserveSyncCtx) .DirectoryServicesCOMException HResult = -2147016651 Message =服务器不愿意处理请求。 Source = System.DirectoryServices ErrorCode = -2147016651 ExtendedError = 8245 ExtendedErrorMessage = 00002035:LdapErr:DSID-0C090B3E,comment:不允许通过GC端口操作,数据0,v1db1 StackTrace:在System.DirectoryServices.DirectoryEntry.CommitChanges( )在System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(主要组,DirectoryEntry de,NetCred凭据,AuthenticationTypes authTypes)InnerException:
答案 0 :(得分:3)
在参考BaldPate的回复时,如果全局目录是只读的,我们需要使用3268端口读取和解析不同域中的用户,然后在相同的上下文中使用389端口保存用户。这可以通过以下代码完成(请注意对3268和默认389端口的单独调用)并感谢BaldPate明确说明:
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Configuration;
namespace OurUsers
{
class SyncAD
{
#region Variables
private string sDomain = "sw.main.company.com";
private string sDomainGC = "sw.main.company.com:3268";
private string sDefaultOU = "DC=sw,DC=main,DC=company,DC=com";
private string sDefaultRootOU = "DC=main,DC=company,DC=com";
private string sGroupName = "Production_Universal_AD_Group";
private string connectionString = "Server=OurServerName\\PROD; Integrated Security=True; Initial Catalog=OurUsers";
private string sqlAdd = "SELECT FullID FROM ViewFolkstoAdd";
private string sqlRemove = "SELECT FullID FROM ViewFolkstoRemove";
#endregion
public void SyncADUsers()
{
// Get Database Ready and Remove Users
SqlConnection connectionRemove = new SqlConnection(connectionString);
SqlCommand commandRemove = new SqlCommand(sqlRemove, connectionRemove);
connectionRemove.Open();
SqlDataReader readerRemove = commandRemove.ExecuteReader();
if (readerRemove.HasRows)
{
int i = 0;
while (readerRemove.Read())
{
string sUserName = readerRemove.GetString(0);
RemoveUserFromGroup(sUserName, sGroupName);
i = i + 1;
Console.WriteLine("{0} {1}", i, sUserName);
}
}
else
{
Console.WriteLine("No rows found.");
}
readerRemove.Close();
// Get Database Ready and Add Users
SqlConnection connectionAdd = new SqlConnection(connectionString);
SqlCommand commandAdd = new SqlCommand(sqlAdd, connectionAdd);
connectionAdd.Open();
SqlDataReader readerAdd = commandAdd.ExecuteReader();
if (readerAdd.HasRows)
{
int i = 0;
while (readerAdd.Read())
{
string sUserName = readerAdd.GetString(0);
AddUserToGroup(sUserName, sGroupName);
i = i + 1;
Console.WriteLine("{0} {1}", i, sUserName);
}
}
else
{
Console.WriteLine("No rows found.");
}
readerAdd.Close();
}
/// Gets a certain user on Active Directory
/// Returns the UserPrincipal Object
public UserPrincipal GetUser(string sUserName)
{
PrincipalContext oPrincipalContext = GetPrincipalContextGC();
UserPrincipal oUserPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, sUserName);
return oUserPrincipal;
}
/// Adds the user for a given group
/// Returns true if successful
public bool AddUserToGroup(string sUserName, string sGroupName)
{
try
{
UserPrincipal oUserPrincipal = GetUser(sUserName);
GroupPrincipal oGroupPrincipal = GetGroup(sGroupName);
if (oUserPrincipal != null && oGroupPrincipal != null)
{
oGroupPrincipal.Members.Add(oUserPrincipal);
oGroupPrincipal.Save();
}
return true;
}
catch
{
return false;
}
}
/// Removes user from a given group
/// Returns true if successful
public bool RemoveUserFromGroup(string sUserName, string sGroupName)
{
try
{
UserPrincipal oUserPrincipal = GetUser(sUserName);
GroupPrincipal oGroupPrincipal = GetGroup(sGroupName);
if (oUserPrincipal != null && oGroupPrincipal != null)
{
oGroupPrincipal.Members.Remove(oUserPrincipal);
oGroupPrincipal.Save();
}
return true;
}
catch
{
return false;
}
}
/// Gets PrincipalContext from the Local Domain
/// Returns the PrincipalContext
public PrincipalContext GetPrincipalContext()
{
PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sDefaultOU, ContextOptions.Negotiate);
return oPrincipalContext;
}
/// Gets PrincipalContext from the Global Catalog
/// Returns the PrincipalContext
public PrincipalContext GetPrincipalContextGC()
{
PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomainGC, sDefaultRootOU, ContextOptions.Negotiate);
return oPrincipalContext;
}
/// Gets a certain group on Active Directory
/// Returns the GroupPrincipal Object
public GroupPrincipal GetGroup(string sGroupName)
{
PrincipalContext oPrincipalContext = GetPrincipalContext();
GroupPrincipal oGroupPrincipal = GroupPrincipal.FindByIdentity(oPrincipalContext, sGroupName);
return oGroupPrincipal;
}
}
}
答案 1 :(得分:1)
全局目录是只读的。
请连接到LDAP端口(默认为389)以更新组。