Adding and removing users from Active Directory groups in .NET
Solution 1
Ugh. LDAP. If you're using the .Net Framework 3.5 or above, I highly recommend using the System.DirectoryServices.AccountManagement namespace. That makes things so much easier.
public void AddUserToGroup(string userId, string groupName)
{
try
{
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "COMPANY"))
{
GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupName);
group.Members.Add(pc, IdentityType.UserPrincipalName, userId);
group.Save();
}
}
catch (System.DirectoryServices.DirectoryServicesCOMException E)
{
//doSomething with E.Message.ToString();
}
}
public void RemoveUserFromGroup(string userId, string groupName)
{
try
{
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "COMPANY"))
{
GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupName);
group.Members.Remove(pc, IdentityType.UserPrincipalName, userId);
group.Save();
}
}
catch (System.DirectoryServices.DirectoryServicesCOMException E)
{
//doSomething with E.Message.ToString();
}
}
Solution 2
The server is part of the groupDn variable value. For example:
LDAP://myServer/CN=MyGroup,CN=Groups,CN=MyContainer,DN=mydomain.com
The whole thing is the LDAP path for the group. The first part (myServer) is the server name.
The part after the server name (e.g. CN=...) is the DN (distinguished name) of the group.
Solution 3
When deleting a member in
public void RemoveUserFromGroup(string userDn, string groupDn)
dirEntry.Properties["member"].Remove(userDn)
does not work for me.
dirEntry.Properties["member"].RemoveAt(dn.IndexOf(dn))
works.
Solution 4
You can put the LDAP server in the path argument to DirectoryEntry, so "LDAP://" + ldapServer + ldapQuery.
Use the DirectoryEntry(String path, String userId, String password) if you need to authenticate
Ben Aston
Updated on October 06, 2020Comments
-
Ben Aston over 3 years
I am writing the following methods to add and remove users from active directory in C#.
void AddUserToGroup(string userId, string groupName); void RemoveUserFromGroup(string userId, string groupName);
How best to implement these methods?
Here is some code from CodeProject. I can't see where the AD server is specified in these examples though? (is it implicitly supplied by the .NET framework when using the LDAP protocol?). Are these examples worth following?
public void AddToGroup(string userDn, string groupDn) { try { DirectoryEntry dirEntry = new DirectoryEntry("LDAP://" + groupDn); dirEntry.Properties["member"].Add(userDn); dirEntry.CommitChanges(); dirEntry.Close(); } catch (System.DirectoryServices.DirectoryServicesCOMException E) { //doSomething with E.Message.ToString(); } } public void RemoveUserFromGroup(string userDn, string groupDn) { try { DirectoryEntry dirEntry = new DirectoryEntry("LDAP://" + groupDn); dirEntry.Properties["member"].Remove(userDn); dirEntry.CommitChanges(); dirEntry.Close(); } catch (System.DirectoryServices.DirectoryServicesCOMException E) { //doSomething with E.Message.ToString(); } }
-
Mike Marshall over 14 yearsThe only thing I would say is that in a good AD setup, you should not have to specify the server. The .NET AD/low level AD calls should resolve the nearest available server for you. But this is more AD/domain setup and not so much code. If your AD setup is solid, you should be able to exclude the server (e.g. LDAP://CN=MyGroup,CN=Groups,CN=MyContainer,DN=mydomain.com)
-
Mike Marshall over 14 yearsSorry didn't really answer your questions. yes, the examples do seem clean. If you are still unsure, I highly recommend the .NET Developer's Guide to Directory Services Programming (amazon.com/gp/product/0321350170)
-
regex over 11 yearsSystem.DirectorServices.AccountManagement is only available in >= 3.5, rather than 3.0
-
Ram over 11 yearsBelow code worked for me group.Members.Remove(UserPrincipal.FindByIdentity(pc, userId)); instead of "group.Members.Remove(pc, IdentityType.UserPrincipalName, userId);" . Note: my user id is just "USERNAME" without appending with domain name
-
Jacob Proffitt over 11 yearsYeah, that overload works, too, it's just an extra call into the LDAP service to get the user identity before sending the remove call. Frankly, it's possible that they're equivalent in function as the API probably calls into the LDAP for the identity based on user name before doing the remove, too.
-
Ju66ernaut almost 9 yearsHad a similar issue to the described above. I had to change the line that removes the user from the group from IdentityType.UserPrincipalName to IdentityType.SAMAccountName
-
Kiquenet over 8 yearsWhat is userId ?
-
forcewill over 7 yearsThe only issue with the System.DirectorServices.AccountManagement is that if the machine is not in the domain it gets me an error >.<
-
vapcguy over 7 yearsI know it was said in the above comments, but it wasn't clarified. If you send in
DOMAIN\someUserId
as your user, that's when you have to change it toIdentityType.SamAccountName
, instead ofUserPrincipalName
. The latter will give you an exception:No principal matching the specified parameters was found
. But note, too, it will also give you an exception withSamAccountName
, if the user is already in the group. -
vapcguy over 7 yearsOn the removal from the group - if the user was never in the group to begin with, it doesn't provide an exception - it will just go through the
.Save()
operation, regardless. You have to check if theUserPrincipal
object for the user.IsMemberOf(group)
, to discover this. Submitted an edit.userId
should be inDOMAIN\username
form to send toUserPrincipal.FindByIdentity(pc, userId);
, however, which would requireSamAccountName
in theIdentityType
. -
fripp13 about 7 yearsWhat is the
dn
variable? -
codeMonkey about 7 years@Rama I would post that as a separate answer--that helped me a ton!
-
Aravin over 6 yearsWhat does
company
means in that both method? -
Mathias Maes about 6 years@fripp13, in the context of an Active Directory, dn almost always means DistinguishedName.
-
vbhosale over 3 years@vapcguy Getting this error- No principal matching the specified parameters was found.'
-
vapcguy over 3 years@vbhosale Read my comments above. I specified why that happens. Use
IdentityType.SamAccountName
, instead, but then you have to make sure they are not in the group, to begin with, too. Do you know they are in the group, but are not getting found? Then you can look for them by their SSID.