Active Directory User Creation Issues

microsoft.public.dotnet.security

14 Sep 2006 4:33 PM

timburda

I know I'm just another in a long list of people who have active
directory developers who have problems, but I'm going to post anyway:

I add a user to the container:

"CN=Users,DC=my,DC=domain,DC=com"

I set the following properties:

oDE = GetDirectoryObject(LDAPDomain);
oDEC = oDE.Children.Add("CN=" + user.UserName, "User");

oDEC.Properties["samAccountName"].Add(user.UserName);
oDEC.Properties["userPrincipalName"].Add(user.UserName);
oDEC.Properties["givenName"].Add(user.FirstName);
oDEC.Properties["sn"].Add(user.LastName);
oDEC.Properties["displayName"].Add(user.FirstName + " " +
user.LastName);
oDEC.Properties["accountExpires"].Add(-1)

I then commit the changes and the user saves fine, with the exception
that they are disabled

I then try to modify the user:

oDEC.Properties["userAccountControl"].Value = 512;

when I commit the changes, I get the dreaded error:

The server is unwilling to process the request.

Can somebody tell me what that error means? Any thoughts on how to
debug or toubleshoot this?

Also, I tried to set the accountExpires to various long integers, but
my result never changes. This is supposed to be some goofy number of
100 nanoseconds (who thought this was a good idea?) since 1/1/1600. -1
will make the account never expire, but other values (even thought I
use a 64 bit integer) don't seem to work.

Any help related to any of this is appreciated!

Thanks -

Tim Burda

14 Sep 2006 7:08 PM

Joe Kaplan

Typically, if AD has a password policy in place, you can't enable a user
until you've set a password. That's probably what's happening here.

I discuss all this stuff in gory detail in ch 10 of my book. That chapter
is provided as a free download by the publisher, and you can find it at the
link in my sig. My guess is that a quick read of it will save you a ton of
time. Our code samples are all on the site as well for free.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<timbu***@hotmail.com> wrote in message

Show quoteHide quote

news:1158251613.753899.24980@d34g2000cwd.googlegroups.com...
>I know I'm just another in a long list of people who have active
> directory developers who have problems, but I'm going to post anyway:
>
> I add a user to the container:
>
>
> "CN=Users,DC=my,DC=domain,DC=com"
>
>
> I set the following properties:
>
>
> oDE = GetDirectoryObject(LDAPDomain);
> oDEC = oDE.Children.Add("CN=" + user.UserName, "User");
>
>
> oDEC.Properties["samAccountName"].Add(user.UserName);
> oDEC.Properties["userPrincipalName"].Add(user.UserName);
> oDEC.Properties["givenName"].Add(user.FirstName);
> oDEC.Properties["sn"].Add(user.LastName);
> oDEC.Properties["displayName"].Add(user.FirstName + " " +
> user.LastName);
> oDEC.Properties["accountExpires"].Add(-1)
>
>
> I then commit the changes and the user saves fine, with the exception
> that they are disabled
>
>
> I then try to modify the user:
>
>
> oDEC.Properties["userAccountControl"].Value = 512;
>
>
> when I commit the changes, I get the dreaded error:
>
>
> The server is unwilling to process the request.
>
>
> Can somebody tell me what that error means? Any thoughts on how to
> debug or toubleshoot this?
>
>
> Also, I tried to set the accountExpires to various long integers, but
> my result never changes. This is supposed to be some goofy number of
> 100 nanoseconds (who thought this was a good idea?) since 1/1/1600. -1
> will make the account never expire, but other values (even thought I
> use a 64 bit integer) don't seem to work.
>
>
> Any help related to any of this is appreciated!
>
>
> Thanks -
>
>
> Tim Burda
>

14 Sep 2006 7:40 PM

timburda

Joe -

I actually solved my problem.

How? I bought your book! Given my level of frustration, it was well
worth the price.

My luck - you mentioned the chapter I needed is available for free.

Actually, the books looks like it will be really useful for several
other topics.

Thanks -

Tim

Joe Kaplan wrote:
Show quoteHide quote

> Typically, if AD has a password policy in place, you can't enable a user
> until you've set a password. That's probably what's happening here.
>
> I discuss all this stuff in gory detail in ch 10 of my book. That chapter
> is provided as a free download by the publisher, and you can find it at the
> link in my sig. My guess is that a quick read of it will save you a ton of
> time. Our code samples are all on the site as well for free.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> <timbu***@hotmail.com> wrote in message
> news:1158251613.753899.24980@d34g2000cwd.googlegroups.com...
> >I know I'm just another in a long list of people who have active
> > directory developers who have problems, but I'm going to post anyway:
> >
> > I add a user to the container:
> >
> >
> > "CN=Users,DC=my,DC=domain,DC=com"
> >
> >
> > I set the following properties:
> >
> >
> > oDE = GetDirectoryObject(LDAPDomain);
> > oDEC = oDE.Children.Add("CN=" + user.UserName, "User");
> >
> >
> > oDEC.Properties["samAccountName"].Add(user.UserName);
> > oDEC.Properties["userPrincipalName"].Add(user.UserName);
> > oDEC.Properties["givenName"].Add(user.FirstName);
> > oDEC.Properties["sn"].Add(user.LastName);
> > oDEC.Properties["displayName"].Add(user.FirstName + " " +
> > user.LastName);
> > oDEC.Properties["accountExpires"].Add(-1)
> >
> >
> > I then commit the changes and the user saves fine, with the exception
> > that they are disabled
> >
> >
> > I then try to modify the user:
> >
> >
> > oDEC.Properties["userAccountControl"].Value = 512;
> >
> >
> > when I commit the changes, I get the dreaded error:
> >
> >
> > The server is unwilling to process the request.
> >
> >
> > Can somebody tell me what that error means? Any thoughts on how to
> > debug or toubleshoot this?
> >
> >
> > Also, I tried to set the accountExpires to various long integers, but
> > my result never changes. This is supposed to be some goofy number of
> > 100 nanoseconds (who thought this was a good idea?) since 1/1/1600. -1
> > will make the account never expire, but other values (even thought I
> > use a 64 bit integer) don't seem to work.
> >
> >
> > Any help related to any of this is appreciated!
> >
> >
> > Thanks -
> >
> >
> > Tim Burda
> >

14 Sep 2006 8:47 PM

Joe Kaplan

We picked that particular chapter for the freebie because it is so practical
and really covers what most people "do" when changing AD data. However, a
lot of people who are newbies struggle with it because we assume that you've
already read the all-important ch 3, 4 and 6 and actually know how to
connect and search. You end up in a "run before you can walk" scenario.

I'm truly hopeful that you find the book useful and worth your money.

Joe K.

Show quoteHide quote

news:1158262830.410028.166060@k70g2000cwa.googlegroups.com...
> Joe -
>
> I actually solved my problem.
>
> How? I bought your book! Given my level of frustration, it was well
> worth the price.
>
> My luck - you mentioned the chapter I needed is available for free.
>
> Actually, the books looks like it will be really useful for several
> other topics.
>
> Thanks -
>
> Tim
>
> Joe Kaplan wrote:
>> Typically, if AD has a password policy in place, you can't enable a user
>> until you've set a password. That's probably what's happening here.
>>
>> I discuss all this stuff in gory detail in ch 10 of my book. That
>> chapter
>> is provided as a free download by the publisher, and you can find it at
>> the
>> link in my sig. My guess is that a quick read of it will save you a ton
>> of
>> time. Our code samples are all on the site as well for free.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> <timbu***@hotmail.com> wrote in message
>> news:1158251613.753899.24980@d34g2000cwd.googlegroups.com...
>> >I know I'm just another in a long list of people who have active
>> > directory developers who have problems, but I'm going to post anyway:
>> >
>> > I add a user to the container:
>> >
>> >
>> > "CN=Users,DC=my,DC=domain,DC=com"
>> >
>> >
>> > I set the following properties:
>> >
>> >
>> > oDE = GetDirectoryObject(LDAPDomain);
>> > oDEC = oDE.Children.Add("CN=" + user.UserName, "User");
>> >
>> >
>> > oDEC.Properties["samAccountName"].Add(user.UserName);
>> > oDEC.Properties["userPrincipalName"].Add(user.UserName);
>> > oDEC.Properties["givenName"].Add(user.FirstName);
>> > oDEC.Properties["sn"].Add(user.LastName);
>> > oDEC.Properties["displayName"].Add(user.FirstName + " " +
>> > user.LastName);
>> > oDEC.Properties["accountExpires"].Add(-1)
>> >
>> >
>> > I then commit the changes and the user saves fine, with the exception
>> > that they are disabled
>> >
>> >
>> > I then try to modify the user:
>> >
>> >
>> > oDEC.Properties["userAccountControl"].Value = 512;
>> >
>> >
>> > when I commit the changes, I get the dreaded error:
>> >
>> >
>> > The server is unwilling to process the request.
>> >
>> >
>> > Can somebody tell me what that error means? Any thoughts on how to
>> > debug or toubleshoot this?
>> >
>> >
>> > Also, I tried to set the accountExpires to various long integers, but
>> > my result never changes. This is supposed to be some goofy number of
>> > 100 nanoseconds (who thought this was a good idea?) since 1/1/1600. -1
>> > will make the account never expire, but other values (even thought I
>> > use a 64 bit integer) don't seem to work.
>> >
>> >
>> > Any help related to any of this is appreciated!
>> >
>> >
>> > Thanks -
>> >
>> >
>> > Tim Burda
>> >
>