Unable to add/remove objects to group due to orphaned SIDs: PrincipalOperationException: An error (1332) occurred

  • Question

  • Hey,

    I need to add/remove objects (users, groups) to a local group on a server. I do this as below and it works fine:

    Principal adObject = Principal.FindByIdentity(domainContext, login);
    GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(machineContext, IdentityType.Name, localGroupName);
    groupPrincipal.Members.Add(adObject);
    groupPrincipal.Save();

    Except for the cases when a local group contains some orphaned SIDs (Active Directory users or groups that are already deleted).

    [Screenshot: local group member list showing orphaned SIDs]

    In that case I get the exception below:

    System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1332) occurred while enumerating the group membership. The member's SID could not be resolved.

    This error message appears when I try to add, remove or enumerate members of a local group. For reading the current members of a group, the workaround below works fine:

    DirectoryEntry group = (DirectoryEntry)groupPrincipal.GetUnderlyingObject();
    foreach (object member in (IEnumerable)group.Invoke("Members", null))
    {
       ...
    }

    However, converting `GroupPrincipal` into `DirectoryEntry` does not solve the issue for adding and removing members. I have tried the three methods below and none of them works:

    1) group.Invoke("Add", new object[] {@"WinNT://" + domain + "//" + login + ",user"});
    2) group.Invoke("Add", new object[] { @"LDAP://" + adObject.DistinguishedName });
    3) group.Properties["member"].Add(@"LDAP://" + adObject.DistinguishedName);

    All three cases above give the same error:

    System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1332) occurred while enumerating the group membership.  The member's SID could not be resolved.
    at System.DirectoryServices.AccountManagement.SAMMembersSet.IsLocalMember(Byte[] sid)
    at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextLocal()
    at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext()
    at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
    at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsEnumTest(Principal principal)
    at System.DirectoryServices.AccountManagement.PrincipalCollection.Add(Principal principal)

    I need to be able to add and remove users to the group without removing those orphaned SIDs. Can someone please suggest a solution/workaround for the problem?

    Wednesday, July 6, 2016 12:39 PM

Answers

  • It seems I found the workaround for the problem:

    using ActiveDs; // COM reference to "Active DS Type Library" (activeds.tlb / Interop.ActiveDs)

    DirectoryEntry group = (DirectoryEntry)groupPrincipal.GetUnderlyingObject();
    // Cast the underlying ADSI COM object to IADsGroup; its Add/Remove do not enumerate existing members
    IADsGroup nativeGroup = (IADsGroup)group.NativeObject; // https://msdn.microsoft.com/en-us/library/aa706022(v=vs.85).aspx
    nativeGroup.Remove("LDAP://" + adObject.Sid.Value);
    //nativeGroup.Remove(String.Format("WinNT:////{0}//{1}", domain, ID));
    //nativeGroup.Remove(String.Format( "NTDS:////{0}//{1}", domain, ID));
    If you convert `DirectoryEntry` to its native object and cast it to `ActiveDs.IADsGroup`, the `Add()` and `Remove()` methods work fine.
    Thursday, July 7, 2016 11:14 AM
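    The same idea as the accepted answer, as an added example that is not code from this thread: it drives the ADSI WinNT provider through `DirectoryEntry.Invoke` (late-bound IDispatch), so no reference to the ActiveDs interop assembly is needed. It lists members of a local group while tolerating orphaned SIDs, and adds or removes members by a `WinNT://<SID>` path instead of by name. The machine name, group name and account names are inputs; that the WinNT provider accepts SID-form paths for `Add`/`Remove`, and that it exposes orphaned members under their SID string as the name, are assumptions made here and not something the thread states.

    ```csharp
    using System;
    using System.Collections;
    using System.DirectoryServices;
    using System.Runtime.InteropServices;
    using System.Security.Principal;

    // Added example, not from the original thread. Uses the ADSI WinNT provider via
    // late-bound Invoke, so the ActiveDs interop reference is not required.
    static class LocalGroupMembers
    {
        static DirectoryEntry OpenGroup(string machine, string groupName)
        {
            // e.g. WinNT://SERVER01/Administrators,group (machine and group are inputs)
            return new DirectoryEntry("WinNT://" + machine + "/" + groupName + ",group");
        }

        // SID of one member object. Assumption: orphaned members carry their SID string
        // as the Name when objectSid cannot be read through the provider.
        static SecurityIdentifier MemberSid(DirectoryEntry member)
        {
            try
            {
                return new SecurityIdentifier((byte[])member.Properties["objectSid"].Value, 0);
            }
            catch (COMException)
            {
                return new SecurityIdentifier(member.Name);
            }
        }

        // Enumerate via IADsGroup::Members (the call that still works with orphaned SIDs)
        // and print each member's SID plus its account name, or mark it as orphaned.
        public static void ListMembers(string machine, string groupName)
        {
            using (DirectoryEntry group = OpenGroup(machine, groupName))
            {
                foreach (object raw in (IEnumerable)group.Invoke("Members"))
                {
                    using (DirectoryEntry member = new DirectoryEntry(raw))
                    {
                        SecurityIdentifier sid = MemberSid(member);
                        string account;
                        try
                        {
                            account = sid.Translate(typeof(NTAccount)).Value;
                        }
                        catch (IdentityNotMappedException)
                        {
                            account = "<orphaned SID: no matching account>";
                        }
                        Console.WriteLine("{0,-48} {1}", sid.Value, account);
                    }
                }
            }
        }

        // Resolve DOMAIN\account (or a local account) to its SID, before touching the group.
        public static SecurityIdentifier SidOf(string accountName)
        {
            return (SecurityIdentifier)new NTAccount(accountName).Translate(typeof(SecurityIdentifier));
        }

        // Add by SID path. Refuse SIDs that no longer resolve, so we never create a new
        // orphaned entry ourselves. Assumption: WinNT provider accepts "WinNT://<SID>".
        public static void AddMember(string machine, string groupName, SecurityIdentifier sid)
        {
            sid.Translate(typeof(NTAccount)); // throws IdentityNotMappedException if the SID is dead
            using (DirectoryEntry group = OpenGroup(machine, groupName))
            {
                group.Invoke("Add", new object[] { "WinNT://" + sid.Value });
            }
        }

        // Remove by SID path; no name resolution of the other members takes place.
        public static void RemoveMember(string machine, string groupName, SecurityIdentifier sid)
        {
            using (DirectoryEntry group = OpenGroup(machine, groupName))
            {
                group.Invoke("Remove", new object[] { "WinNT://" + sid.Value });
            }
        }

        // Usage: list <group> | add <group> <DOMAIN\account> | remove <group> <DOMAIN\account or S-1-...>
        static void Main(string[] args)
        {
            string machine = Environment.MachineName;
            string verb = args.Length > 0 ? args[0] : "list";
            string group = args.Length > 1 ? args[1] : "Administrators";
            switch (verb)
            {
                case "add":
                    AddMember(machine, group, SidOf(args[2]));
                    break;
                case "remove":
                    SecurityIdentifier target = args[2].StartsWith("S-1-")
                        ? new SecurityIdentifier(args[2])
                        : SidOf(args[2]);
                    RemoveMember(machine, group, target);
                    break;
                default:
                    ListMembers(machine, group);
                    break;
            }
        }
    }
    ```

    Modifying a local group this way needs administrative rights on the target machine (the process runs as the caller unless you pass credentials to `DirectoryEntry`). Adding by SID skips the name lookup, which is exactly why it works next to orphaned entries, but it also means a mistyped SID would be accepted silently; the resolution check in `AddMember` is there to catch that.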

All replies

  • Hi JustinasB,

    As far as I know, the security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems.

    From your description, I think maybe you can check your problem like the following options.

    1: May be this issue is due to ghost users still existing in the User Groups in the machine, most likely the Administrators group. In order to resolve the issue, remove the ghost users from the group and try the validation again.
    2: Load the underlying object of the group and use properties["Members"], which is a list of SIDs.
    3: Use GetAuthorizationGroups() of the user (which will also use your non-direct groups; the service account may eventually have to be a member of "Windows Authorization Access Group" and "Pre-Windows 2000 Compatible Access") and use the group list to look up your Admin group.

    4: Maybe it was caused by a domain account from another trusted domain (external, non-transitive) being in the local Administrators group on the server. Try removing that account from the Admin group.

    Best Regards,
    Li Wang



    Thursday, July 7, 2016 9:55 AM
    Moderator
  • Hey,

    1) Yes, the issue is caused by the ghost SIDs (the ones that do belong to deleted domain users). Unfortunately it is impossible to remove those ghost SIDs.

    2) As mentioned in the problem, calling "group.Properties["member"].Add(@"LDAP://" + adObject.DistinguishedName);" also caused the same error.

    3) GetAuthorizationGroups() does not exist in the Principal class. In my case those objects may be users or groups. Furthermore, the issue is that I am unable to add/remove members to the group, not to enumerate them.

    4) No, the users are from the same domain as server
    Thursday, July 7, 2016 10:58 AM
  • I had the same issue adding/removing users to groups on remote servers. Thanks JustinasB for the workaround.
    Wednesday, April 19, 2017 8:31 PM
  • IADsGroup comes back as "The type or namespace name 'IADsGroup' could not be found (are you missing a using directive or an assembly reference?)". I looked at the link above, but it says you need IDispatch. If you try inheriting that in your class, it does not appear/is not available.
    Thursday, August 17, 2017 9:41 PM