Throw exception when I try to save after remove member in Active Directory C#

    Question

  • I am analyzing and modifying a Windows application that syncs data to Active Directory.

    When I move users to another department in Active Directory,

    I try to remove the member from the previous department.

    Member.Remove is fine, but when I try to save it, it throws an exception like this:

    Server is unwilling to process the request

    So, nothing was changed. Sadly, I'm a newbie to Active Directory, and I don't know how to handle it.

    The code is below. Please share your knowledge.

    // ppk: user's department PK value, pk: user PK value
    void MoveUser(string ppk, string pk)
    {
        var aduser = adm.GetUser(pk);   // get user from AD
        var pde = adm.FindOU(ppk);      // get user's department OU
        if (aduser == null || pde == null)
        {
            return;
        }

        // Dereference the user only after the null check above
        var adde = aduser.GetUnderlyingObject() as DirectoryEntry;
        adde.MoveTo(pde);               // move user to user's new department

        var pgroup = adm.GetGroup(ppk); // get user's department group
        if (!aduser.IsMemberOf(pgroup))
        {
            var allgroups = adm.GetAllDE(Words.Group);
            foreach (var sg in allgroups)
            {
                var samname = GetSamName(sg);       // get group's SamAccount Name
                var sgroup = adm.GetGroup(samname); // get group
                if (aduser.IsMemberOf(sgroup))
                {
                    sgroup.Members.Remove(aduser);  // remove user from member
                    // exception here
                    // message: Server is unwilling to process the request
                    sgroup.Save();
                }
            }
            pgroup.Members.Add(aduser);
            pgroup.Save();
        }
    }

    public UserPrincipal GetUser(string sUserName)
    {
        PrincipalContext oPrincipalContext = GetPrincipalContext();
        UserPrincipal oUserPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, sUserName);
        return oUserPrincipal;
    }

    public DirectoryEntry FindOU(string ouName)
    {
        DirectorySearcher ds = new DirectorySearcher(GetRootOu());
        ds.Filter = "(ou=" + ouName + ")";
        try
        {
            return ds.FindOne().GetDirectoryEntry();
        }
        catch (Exception)
        {
            return null;
        }
    }

    public GroupPrincipal GetGroup(string sGroupName)
    {
        PrincipalContext oPrincipalContext = GetPrincipalContext();
        GroupPrincipal oGroupPrincipal = GroupPrincipal.FindByIdentity(oPrincipalContext, sGroupName);
        return oGroupPrincipal;
    }

    • Moved by Sabah ShariqMVP Tuesday, April 4, 2017 9:32 PM Moved from Visual C#
    Tuesday, April 4, 2017 7:39 AM

Answers

  • AFAIK: You are trying to modify group memberships AFTER you moved the user to a new OU. The move operation breaks the object references... Either modify group memberships before moving the user, or re-get the user after the move.
     
    • Marked as answer by RydenChoi Friday, April 7, 2017 7:49 AM
    Wednesday, April 5, 2017 1:34 PM

All replies

  • Hi Ryden,

    I am moving your thread to Directory Services forum for getting quick response.


    Thanks,
    Sabah Shariq

    Tuesday, April 4, 2017 9:31 PM
  • Do you have permissions on the GROUP object from which the user is being removed ?
    Tuesday, April 4, 2017 9:53 PM
  • Hi,

    Where did you get or define the variable adm?

    Did you check the SAVE method on MSDN to see its detailed usage?

    >>When I move users to another department in active directory,

    For this line, I suppose you could try using the Move-ADObject cmdlet:

    https://technet.microsoft.com/en-us/library/ee617248.aspx?f=255&MSPPError=-2147217396

    Best regards,

    Andy



    Wednesday, April 5, 2017 6:59 AM
    Moderator
  • Yes. It's an administrator account and has permission.
    Thursday, April 6, 2017 7:01 AM
  • Oh sorry. adm is a class name. And as you can see, the GetUser(pk) method is below in the code.

    I read your link, but I'm not good at AD so it's hard to understand that. Could you give me another link about that?

    Thursday, April 6, 2017 7:08 AM
  • Yeah, come to think of it, that's the correct thing. I'll try to change it.
    • Edited by RydenChoi Thursday, April 6, 2017 7:11 AM
    Thursday, April 6, 2017 7:10 AM
  • AFAIK: You are trying to modify group memberships AFTER you moved the user to a new OU. The move operation breaks the object references... Either modify group memberships before moving the user, or re-get the user after the move.
     

    I think Martin is right.

    Right after

    adde.MoveTo(pde); //move user to user's new department

    You should call

    adde.CommitChanges();

    And then again get the user in adUser variable, and then check membership, and change group membership.

    var aduser = adm.GetUser(pk); //get user from AD again with new location

    because the user now has a modified path.

    Regards,


    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com


    • Edited by Laeeq Qazi Thursday, April 6, 2017 10:13 AM
    Thursday, April 6, 2017 10:12 AM
  • Yes, he's right. I changed the code based on his advice, and it works well.

    And also thank you for the detailed explanation.

    Friday, April 7, 2017 7:48 AM
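
The ordering described in the replies above, as an added example that is not code from the thread: move and commit first, then re-fetch the user by sAMAccountName before changing group membership, so no principal bound to the old path is reused. The class name `DepartmentMover`, its parameters and the explicit list of department group names are assumptions made for this sketch.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

static class DepartmentMover   // hypothetical helper, not the poster's adm class
{
    public static void MoveUser(PrincipalContext ctx, string samAccountName,
                                DirectoryEntry targetOu, string newGroupName,
                                IEnumerable<string> departmentGroupNames)
    {
        if (targetOu == null) return;

        // 1. Move the object. Its distinguished name changes here.
        using (var user = UserPrincipal.FindByIdentity(
                   ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return;
            var entry = (DirectoryEntry)user.GetUnderlyingObject();
            entry.MoveTo(targetOu);
            entry.CommitChanges();
        }   // the principal that still holds the old path is discarded

        // 2. Re-fetch by an identifier that survives the move.
        using (var moved = UserPrincipal.FindByIdentity(
                   ctx, IdentityType.SamAccountName, samAccountName))
        using (var newGroup = GroupPrincipal.FindByIdentity(
                   ctx, IdentityType.SamAccountName, newGroupName))
        {
            if (moved == null || newGroup == null) return;

            // 3. Drop memberships in the other department groups only, so
            //    access granted by the old department does not linger.
            foreach (var name in departmentGroupNames)
            {
                if (name == newGroupName) continue;
                using (var g = GroupPrincipal.FindByIdentity(
                           ctx, IdentityType.SamAccountName, name))
                {
                    if (g == null || !moved.IsMemberOf(g)) continue;
                    g.Members.Remove(moved);
                    g.Save();
                }
            }

            // 4. Add the new department group if it is not already present.
            if (!moved.IsMemberOf(newGroup))
            {
                newGroup.Members.Add(moved);
                newGroup.Save();
            }
        }
    }
}
```

The other ordering the accepted answer mentions, changing group membership first and moving the user last, works with the same calls and needs no re-fetch.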