Active Directory - changing the LDAP "cn" attribute

  • Question

  • Hello, I've been working on a little program that enables/disables users in one of the domains that I administer. One of the processes involves changing the cn attribute and prefixing a "zz." to it. When the account is re-enabled, the "zz." prefix needs to be removed. Here is a sample line of what I was trying to accomplish.

    This is to disable an account:

    de.Properties["cn"].Value = "zz." + de.Properties["cn"].Value;   <-- When I try to use this, I get an exception
    de.Properties["cn"].Value = de.Rename("zz." + de.Properties["cn"].Value);   <-- When I try this, I get an exception as well

    This is to enable a disabled account:

    de.Properties["cn"].Value = de.Properties["cn"].Value.ToString().Replace("zz.","");   <-- haven't checked to see if this works, since I'm focusing on getting the disable code to work first

    I have similar tools in VBScript and I had to use something to the effect of objParent.MoveHere objUser.AdsPath, "cn=" & "zz." & etc...

    Thanks
    Friday, May 13, 2011 7:38 PM

Answers

  • I got it to work... What needed to happen was since you can't directly change the "cn" property of a user object, I had to create a rename method that would change the "cn" property and then had to insert that into a try/catch block. After numerous tests, everything seems to be functioning flawlessly.
    Thursday, May 26, 2011 3:26 PM

All replies

  • Please post exception details you are getting.
    Thanks,
    A.m.a.L Hashim
    Microsoft Most Valuable Professional
    Dot Net Goodies
    Don't hate the hacker, hate the code
    Friday, May 13, 2011 7:44 PM
  • The one that keeps popping up is "An invalid dn syntax has been specified." 0x80072032
    Friday, May 13, 2011 7:48 PM
  • The following code sample can be used to enable/disable a user:

    using System.DirectoryServices;

    public void Enable(string userDn)
    {
      try
      {
        DirectoryEntry user = new DirectoryEntry(userDn);
        int val = (int)user.Properties["userAccountControl"].Value;
        // clear the ADS_UF_ACCOUNTDISABLE bit (0x2), leaving the other flags intact
        user.Properties["userAccountControl"].Value = val & ~0x2;

        user.CommitChanges();
        user.Close();
      }
      catch (DirectoryServicesCOMException E)
      {
        // DoSomethingWith --> E.Message.ToString();
      }
    }

    public void Disable(string userDn)
    {
      try
      {
        DirectoryEntry user = new DirectoryEntry(userDn);
        int val = (int)user.Properties["userAccountControl"].Value;
        // set the ADS_UF_ACCOUNTDISABLE bit (0x2)
        user.Properties["userAccountControl"].Value = val | 0x2;

        user.CommitChanges();
        user.Close();
      }
      catch (DirectoryServicesCOMException E)
      {
        // DoSomethingWith --> E.Message.ToString();
      }
    }


    Refer to the link below to find similar methods:

    http://www.codeproject.com/KB/system/everythingInAD.aspx


    Thanks,
    A.m.a.L Hashim
    Friday, May 13, 2011 7:52 PM
  • This is to disable an account:

    de.Properties["cn"].Value = "zz." + de.Properties["cn"].Value;
    de.Properties["cn"].Value = de.Rename("zz." + de.Properties["cn"].Value);

    This is to enable a disabled account:

    de.Properties["cn"].Value = de.Properties["cn"].Value.ToString().Replace("zz.","");

    I get exceptions with the disable codes I've tried. The enable one I haven't tested yet since I was trying to get the disable part functioning first.
    Friday, May 13, 2011 7:55 PM
  • I have that part of the code working. If you read the post, I have other processes that need to be accomplished besides just 'disabling' the account. The displayName and cn properties need a "zz." prefix as well. The lines of code I added were to see if anyone could assist in changing the cn property, as I have to take the value from the AD user object property and change it there. I seem to have exceptions thrown in those instances.
    Friday, May 13, 2011 8:03 PM
  • Hi

    This ready-to-use library may be very helpful for you:

    http://linqtoad.codeplex.com/SourceControl/changeset/view/12012#

    Best regards

    The complexity resides in the simplicity
    Saturday, May 14, 2011 12:55 PM
  • @MikeTrudelle

    Yes, you are correct, you can't directly change the "CN" attribute. But, instead of wrapping the set in a try/catch, which I assume looks something like:

    using System.DirectoryServices;

    public void Rename(string userDn, string newCN)
    {
        try
        {
            using (DirectoryEntry user = new DirectoryEntry(userDn))
            {
                // writing "cn" directly is what raises the "invalid dn syntax" exception
                user.Properties["cn"].Value = newCN;
                user.CommitChanges();
            }
        }
        catch (DirectoryServicesCOMException e)
        {
            // empty catch: the failure is silently swallowed and the caller never learns the rename did not happen
        }
    }


    Why not just use the built in Rename method?

    using System.DirectoryServices;

    public void Rename(string userDn, string newCN)
    {
        using (DirectoryEntry user = new DirectoryEntry(userDn))
        {
            // NOTE: This is an example and you should check to
            // NOTE: see if newCN already begins with "CN=" instead
            // NOTE: of assuming it doesn't and handle it accordingly.
            // NOTE: Also escape RDN special characters (',' '+' '"' '\' '<' '>' ';')
            // NOTE: in newCN per RFC 4514, or the rename fails with an invalid DN syntax error.
            user.Rename("CN=" + newCN);   // applied immediately; no CommitChanges needed
        }
    }


    Now, you shouldn't have to wrap the rename in a try/catch block. Using try/catch to determine flow, IMO, is bad practice.

    Hope this helps.

    Monday, August 20, 2012 9:07 PM
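    As an added example for this thread (not any poster's code, and not the library linked above), the following puts the two answers together into the workflow the original question describes: toggle the ADS_UF_ACCOUNTDISABLE bit and the displayName prefix as attribute writes, then rename the object with DirectoryEntry.Rename. It assumes a .NET Framework project referencing System.DirectoryServices and an ADsPath such as "LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=com", which is a constructed placeholder. The names AdAccountTools, EscapeRdnValue, BuildCnRdn, WithPrefix and WithoutPrefix are hypothetical. It also handles two defects a reviewer would flag in the question's snippets: the RDN value is escaped per RFC 4514 (an unescaped comma or backslash in a CN is one way to get the "invalid dn syntax" error, and an unescaped value could change which object the DN names), and the "zz." prefix is only stripped when it actually is a prefix, rather than with Replace("zz.", ""), which would also alter a name such as "Buzz.Aldrin".

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example for this thread (not any poster's code). Assumes a .NET Framework
// project referencing System.DirectoryServices and an ADsPath such as
// "LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=com" (constructed placeholder).
public static class AdAccountTools
{
    private const int AdsUfAccountDisable = 0x2;   // userAccountControl bit
    private const string DisabledPrefix = "zz.";

    // Escape a value for use inside an RDN, per RFC 4514 section 2.4.
    // ',' '+' '"' '\' '<' '>' ';', a leading '#', and a leading or trailing
    // space are backslash-escaped; NUL is rejected outright.
    public static string EscapeRdnValue(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        if (value.IndexOf('\0') >= 0) throw new ArgumentException("NUL not allowed in an RDN", "value");
        var sb = new StringBuilder(value.Length + 8);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool special = c == ',' || c == '+' || c == '"' || c == '\\'
                        || c == '<' || c == '>' || c == ';'
                        || (c == '#' && i == 0)
                        || (c == ' ' && (i == 0 || i == value.Length - 1));
            if (special) sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // Build the argument for DirectoryEntry.Rename. Accepts either a bare CN
    // or an RDN that already starts with "CN=" (the case the NOTE above warns about).
    public static string BuildCnRdn(string newCn)
    {
        if (newCn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
            return newCn;
        return "CN=" + EscapeRdnValue(newCn);
    }

    // Only add or remove the prefix at the start of the name.
    public static string WithPrefix(string name)
    {
        return name.StartsWith(DisabledPrefix, StringComparison.OrdinalIgnoreCase)
            ? name : DisabledPrefix + name;
    }

    public static string WithoutPrefix(string name)
    {
        return name.StartsWith(DisabledPrefix, StringComparison.OrdinalIgnoreCase)
            ? name.Substring(DisabledPrefix.Length) : name;
    }

    // Disable: set the bit and prefix displayName (attribute writes, committed
    // together), then rename. ADSI applies Rename immediately, so it goes last:
    // if CommitChanges fails, the object keeps its original name.
    public static void Disable(string userPath)
    {
        using (var user = new DirectoryEntry(userPath))
        {
            string cn = (string)user.Properties["cn"].Value;
            string displayName = (string)user.Properties["displayName"].Value;
            int uac = (int)user.Properties["userAccountControl"].Value;

            user.Properties["userAccountControl"].Value = uac | AdsUfAccountDisable;
            if (displayName != null)
                user.Properties["displayName"].Value = WithPrefix(displayName);
            user.CommitChanges();

            user.Rename(BuildCnRdn(WithPrefix(cn)));
        }
    }

    // Enable is the mirror image: clear the bit, strip the prefix, rename.
    public static void Enable(string userPath)
    {
        using (var user = new DirectoryEntry(userPath))
        {
            string cn = (string)user.Properties["cn"].Value;
            string displayName = (string)user.Properties["displayName"].Value;
            int uac = (int)user.Properties["userAccountControl"].Value;

            user.Properties["userAccountControl"].Value = uac & ~AdsUfAccountDisable;
            if (displayName != null)
                user.Properties["displayName"].Value = WithoutPrefix(displayName);
            user.CommitChanges();

            user.Rename(BuildCnRdn(WithoutPrefix(cn)));
        }
    }
}
```

    Exceptions are deliberately left to propagate: a DirectoryServicesCOMException from CommitChanges or Rename is the signal that the account was not disabled, which the calling tool should log and surface rather than swallow in an empty catch.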