Identical First, Middle and Last Name in Active Directory

  • Question

  • User1840112551 posted

    Hello Experts! I'm creating AD accounts via a C# app. If a new account has identical first, middle and last names to an already existing account, it is not getting created. What is the solution to this problem? What exception do I need to catch to override this behavior?

    Monday, February 20, 2012 11:56 AM

Answers

  • User1508394307 posted

    Regarding PrincipalExistsException - check this post.

    The best way is to search for an object with given attributes and raise an error when found.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, February 22, 2012 12:07 PM
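As an added example (not code from the thread), this is one way to do the lookup the answer describes before creating anything: search the directory for an existing object with the same sAMAccountName or the same givenName/sn pair, escape the values taken from the CSV so that a field containing `*`, `(` or `)` cannot change the meaning of the LDAP filter, and let the caller decide what to do with the matches. The search root path and attribute choice are assumptions; the process is assumed to run with read access to the domain.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public static class AdLookup
{
    // Escape a value for use inside an LDAP search filter (RFC 4515), so that
    // untrusted input from the CSV can only ever be matched as a literal value.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the distinguishedName of every user object under searchRootLdapPath
    // (e.g. "LDAP://OU=Staff,DC=example,DC=com" - a placeholder) that already uses
    // the given sAMAccountName, or already carries the same first and last name.
    // An empty list means the CSV row is safe to create as-is.
    public static List<string> FindMatchingUsers(string searchRootLdapPath,
                                                 string samAccountName,
                                                 string givenName,
                                                 string sn)
    {
        string filter = string.Format(
            "(&(objectCategory=person)(objectClass=user)" +
            "(|(sAMAccountName={0})(&(givenName={1})(sn={2}))))",
            EscapeFilterValue(samAccountName),
            EscapeFilterValue(givenName),
            EscapeFilterValue(sn));

        var matches = new List<string>();
        using (var root = new DirectoryEntry(searchRootLdapPath))
        using (var searcher = new DirectorySearcher(root, filter,
                                                    new[] { "distinguishedName" },
                                                    SearchScope.Subtree))
        {
            searcher.PageSize = 500; // paged results, so large OUs return everything
            using (SearchResultCollection found = searcher.FindAll())
            {
                foreach (SearchResult r in found)
                    matches.Add((string)r.Properties["distinguishedName"][0]);
            }
        }
        return matches;
    }

    // Raises an error when a match is found, which is what the answer suggests.
    public static void EnsureNoConflict(string searchRootLdapPath,
                                        string samAccountName,
                                        string givenName,
                                        string sn)
    {
        List<string> existing = FindMatchingUsers(searchRootLdapPath, samAccountName, givenName, sn);
        if (existing.Count > 0)
            throw new InvalidOperationException(
                "Conflicting account(s) already exist: " + string.Join("; ", existing));
    }
}
```

A hit on sAMAccountName is a hard stop, because that attribute must be unique in the domain. A hit only on givenName/sn is informational: the rest of the thread shows that such accounts can coexist as long as the sAMAccountName and the CN (the RDN under the OU) differ.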

All replies

  • User1508394307 posted

    Is the login name the same too? In general, you can check it as

    // requires: using System.DirectoryServices;
    // path is the distinguished name of the object to create
    if (!DirectoryEntry.Exists("LDAP://" + path))
    {
        try
        {
            DirectoryEntry entry = new DirectoryEntry("LDAP://" + path);
            ...
            entry.CommitChanges();
        }
        catch (Exception e)
        {
            Console.WriteLine(e.Message);
        }
    }
    else { Console.WriteLine(path + " already exists"); }

    or you can check it by getting back the Guid of the user

    entry.CommitChanges();
    string g = entry.Guid.ToString();

    and if it's null then there is no user created.

    Hope this helps.

    Tuesday, February 21, 2012 1:54 PM
  • User636753033 posted

    Hello Experts! I'm creating AD accounts via a C# app. If a new account has identical first, middle and last names to an already existing account, it is not getting created. What is the solution to this problem? What exception do I need to catch to override this behavior?

    Accounts can have the same information in just about any field except the samaccountname. What you may want to do is set up a function that checks for the existence of the samaccountname in the directory before the account gets created and, if it does exist, return to the page and allow the name to be changed. This is where you will see names listed as john.smith, john.smith1, john.smith23.

    What I did on mine was add this bit of code on the server side but I also created an AJAX call in the input field for the account name. So if the name existed a popup would alert you.

    Tuesday, February 21, 2012 5:27 PM
  • User1840112551 posted

    Thanks guys, sorry I didn't mention this: the app is a process instead of a web app. It works off of a CSV on a schedule.

    The Exception I need to catch is DirectoryServices.AccountManagement.PrincipalExistsException (smirnov, catching Exception can be counterproductive or less informative).

    After catching it, what do I need to do? I don't think

    Accounts can have the same information in just about any field except the samaccountname.
    If that were so, I wouldn't have this issue. The samaccountnames in my case are different for the identical names.

    I guess I will have to trial and error here on displayName, givenName, mi, sn attributes unless anyone has a better suggestion.

    Wednesday, February 22, 2012 11:40 AM
  • User636753033 posted

    Thanks guys, sorry I didn't mention this: the app is a process instead of a web app. It works off of a CSV on a schedule.

    The Exception I need to catch is DirectoryServices.AccountManagement.PrincipalExistsException (smirnov, catching Exception can be counterproductive or less informative).

    After catching it, what do I need to do? I don't think

    Accounts can have the same information in just about any field except the samaccountname.
    If that were so, I wouldn't have this issue. The samaccountnames in my case are different for the identical names.

    I guess I will have to trial and error here on displayName, givenName, mi, sn attributes unless anyone has a better suggestion.

    If you have access to ADUC, try making the account and see if it throws an error. If it does, then it's something set in AD that is preventing the account from being created. If that is the case you would not be able to counter the exception. Next I would suggest checking the password. It may not conform to the requirements set in the directory.

    It shouldn't matter, but you may try changing the CN and see if it lets you create the account. AD should allow the same CN since it would have different SIDs as long as the login names are different. Last, try creating accounts with the bare minimum needed to create it and add properties until it fails. The minimum properties should be "CN" when adding the account to AD and then setting "givenname", "sn", "samaccountname", and "userprincipalname" and then setting the password.

    Wednesday, February 22, 2012 5:32 PM
  • User1840112551 posted

    smirnov, I read that post. That's good information. But I did not notice our existing user being deleted when a new object is created and Save() is called (identical names for both users).

    Also, that post is from 2008, maybe the bug is fixed?

    Thursday, February 23, 2012 1:45 PM
  • User1840112551 posted

    gww, that's true, we have started inserting a unique CN, which allows the same FN MI LN for different samaccountnames. Good stuff!

    By the way, since we were using the UserPrincipal object instead of DirectoryEntry, we had to use extension methods.

    using System.DirectoryServices.AccountManagement;

    [DirectoryObjectClass("user")]
    [DirectoryRdnPrefix("CN")] // Relative Distinguished Name prefix
    public class UserPrincipalEx : UserPrincipal
    {
        public UserPrincipalEx(PrincipalContext context) : base(context) { }
        public UserPrincipalEx(PrincipalContext context, string samAccountName, string password, bool enabled) : base(context, samAccountName, password, enabled) { }

        // Exposes the "cn" attribute, which UserPrincipal does not surface directly,
        // so a unique CN can be set before Save() is called.
        [DirectoryProperty("cn")]
        public string cn
        {
            get
            {
                if (ExtensionGet("cn").Length != 1)
                    return null;

                return (string)ExtensionGet("cn")[0];
            }
            set { this.ExtensionSet("cn", value); }
        }
    }

    So basically now we are using UserPrincipalEx instead of UserPrincipal. This post is worth a read also: http://www.rlmueller.net/Name_Attributes.htm

    Thursday, February 23, 2012 1:48 PM
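As an added example (not code from the thread or from the poster), here is the whole flow put together for the scheduled CSV process: pick a CN that is not yet in use under the target OU, escape it for use in a distinguished name (RFC 4514), create the account through the UserPrincipalEx class from the post above (repeated here so the file compiles on its own), and catch PrincipalExistsException rather than the bare Exception. The domain name, OU, "(2)"-style suffix scheme and the assumption that setting cn via the extension property is sufficient to set the RDN (as the post reports) are all assumptions of this example.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

// Same extension class as in the post above, included so this file is self-contained.
[DirectoryObjectClass("user")]
[DirectoryRdnPrefix("CN")]
public class UserPrincipalEx : UserPrincipal
{
    public UserPrincipalEx(PrincipalContext context) : base(context) { }

    [DirectoryProperty("cn")]
    public string Cn
    {
        get { object[] v = ExtensionGet("cn"); return v.Length == 1 ? (string)v[0] : null; }
        set { ExtensionSet("cn", value); }
    }
}

public static class AdProvisioning
{
    // Escape a value for use as an RDN attribute value (RFC 4514), so a name
    // containing ',' or '=' from the CSV cannot alter the distinguished name.
    public static string EscapeRdnValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool special = c == ',' || c == '+' || c == '"' || c == '\\' || c == '<' || c == '>'
                           || c == ';' || c == '=' || (c == '#' && i == 0)
                           || (c == ' ' && (i == 0 || i == value.Length - 1));
            if (special) sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // Returns baseCn if it is free under ouDn, otherwise "baseCn (2)", "baseCn (3)", ...
    // 'exists' is injected so the probing logic can be exercised without a domain.
    public static string UniqueCn(string ouDn, string baseCn, Func<string, bool> exists)
    {
        string candidate = baseCn;
        for (int n = 2; exists("LDAP://CN=" + EscapeRdnValue(candidate) + "," + ouDn); n++)
            candidate = baseCn + " (" + n + ")";
        return candidate;
    }

    // Creates the account and returns its distinguishedName. The first/middle/last
    // names may repeat an existing user's; only the CN and sAMAccountName must differ.
    public static string CreateUser(string domain, string ouDn, string samAccountName,
                                    string givenName, string sn, string password)
    {
        // Placeholder naming scheme: "First Last", "First Last (2)", ...
        string cn = UniqueCn(ouDn, givenName + " " + sn, DirectoryEntry.Exists);

        using (var ctx = new PrincipalContext(ContextType.Domain, domain, ouDn))
        using (var user = new UserPrincipalEx(ctx))
        {
            user.Cn = cn;                       // unique RDN, as in the post above
            user.SamAccountName = samAccountName;
            user.GivenName = givenName;
            user.Surname = sn;
            user.DisplayName = givenName + " " + sn;
            user.UserPrincipalName = samAccountName + "@" + domain;
            user.SetPassword(password);
            user.Enabled = true;
            try
            {
                user.Save();
            }
            catch (PrincipalExistsException ex)
            {
                // The sAMAccountName (or the CN we chose) is already taken; surface
                // the row for review instead of silently retrying or swallowing it.
                throw new InvalidOperationException(
                    "Account '" + samAccountName + "' already exists: " + ex.Message, ex);
            }
            return user.DistinguishedName;
        }
    }
}
```

Because `exists` is a parameter, `UniqueCn` can be checked against a fake directory (a set of DNs) in a unit test, while the scheduled job passes the real `DirectoryEntry.Exists`.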
  • User1508394307 posted

    ...that post is from 2008, maybe the bug is fixed?

    Can't test it myself. The comments say that was not fixed in 2010-2011.

    Thursday, February 23, 2012 10:21 PM