Setting sAMAccountName when group is created.

  • Question

  • I need to set the sAMAccountName field along with the CN for a group I am creating.  The reason is that the code I am using to check membership appears to be using the sAMAccountName to verify group membership (I infer from its operation that it is using sAMAccountName to look up the group).  I will post first the code I am using to verify user membership. 
    Imports System.Security.Principal   ' at the top of the file
    Imports System.Windows.Forms

    ' Build the group name for the selected company, then ask the current
    ' user's Windows token whether that group is among its group memberships.
    Dim PermissionName As String = String.Format("GGAppAthena{0}_BuyOutDetailsDelete", gSelectedCompany)
    Dim WindowsID As WindowsIdentity = WindowsIdentity.GetCurrent()
    Dim curUser As WindowsPrincipal = New WindowsPrincipal(WindowsID)
    If curUser.IsInRole(PermissionName) Then
        MessageBox.Show("Yep")
    Else
        MessageBox.Show("Nope:")
    End If
    
    
    I have verified that the concatenation for the permission name is NOT part of the issue.  Here is the code I am using to create groups.
    Imports System.DirectoryServices   ' at the top of the file

    ' strGroup, strDisplayName and strDescription are set elsewhere;
    ' strGroup is the RDN of the new group (the CN).
    Dim strPath As String
    strPath = "LDAP://servername:389/ou=appname,ou=Application,ou=groups,OU=NSK1,dc=company,dc=net"

    Dim objADAM As DirectoryEntry    ' Binding object (the container OU).
    Dim objGroup As DirectoryEntry   ' Group object.

    objADAM = New DirectoryEntry(strPath)
    objADAM.Username = txtUsername.Text
    objADAM.Password = txtPassword.Text
    objADAM.AuthenticationType = AuthenticationTypes.Secure
    objADAM.RefreshCache()
    objGroup = objADAM.Children.Add(strGroup, "group")
    objGroup.Properties("displayName").Add(strDisplayName)
    objGroup.Properties("description").Add(strDescription)
    objGroup.CommitChanges()
    
    Now the above code works like a charm to insert a group.

    When I add
    objGroup.Properties("sAMAccountName").Add(strGroupName)

    objGroup.Properties("sAMAccountName").Value = strGroup

    I get an error: "A device attached to the system is not functioning. (Exception from HResult: 0x8007001F)"

    If anyone has any ideas on how I can set the sAMAccountName during or after group creation, that would be great.  If you're looking in your own AD using the Windows AD GUI, the field I want to change is listed as the group name (pre-Windows 2000).  Normally, when you manually create a group using the GUI, both fields are set to the same value at the same time.  What I want to do is achieve this using VB.NET code.  A C# example will be fine; I can read/write C# too.

    Cheers,
    B




    --------------------------------------------------------------------------------------------- No warranties are expressed or implied with any code being posted/emailed.
    Tuesday, June 9, 2009 4:30 PM

Answers

  • Hello B,

    As your question is tightly related to Active Directory development rather than being a pure VB.NET issue, I would like to suggest that you go to the following newsgroup to ask it. It is more appropriate for your question because the experts there are more familiar with ADSI.
    microsoft.public.adsi.general

    Actually, to get some opinions from this forum, I think you need to indicate what the strGroupName value is. I am sorry that I am not an expert on LDAP. But based on my research, the error message "A device attached to the system is not functioning" may be misleading. See the following discussions:
    http://directoryprogramming.net/forums/thread/2074.aspx
    http://forum.tools4ever.com/viewtopic.php?t=57

    "Error 0X8007001F: Creating AD user account in container/OU 'LDAP://<DOMAINCONTROLLER>/CN=Users,DC=constellations,DC=com'. Cannot commit user 'John Smith' creation process. A device attached to the system is not functioning.
    This error is generated when the sAMAccountName syntax is invalid for Active Directory, probably because it is too long. Format the variable assigned to the samaccountname (default %Username%) so that it contains a maximum of 20 characters."

    The documentation of SAM-Account-Name also indicates that its length should be less than 20 characters.
    http://msdn.microsoft.com/en-us/library/ms679635(VS.85).aspx


    Hope it helps.


    Regards,
    Ji Zhou
    Wednesday, June 10, 2009 10:16 AM
    Moderator

All replies

  • Hello B,

    Does my last post help? Could you please verify whether the issue is caused by the length of sAMAccountName?


    Regards,
    Ji Zhou
    Monday, June 15, 2009 10:32 AM
    Moderator
  • It is possible that it is caused by the length.  The main problem is that when you create a group name using the interface that is provided by Microsoft, it lets you have a group name greater than 20 characters, and when you query said group name, it returns the group name as the sAMAccountName variable.  Hence, if Microsoft can do it, why can't I?  That is the rub.  I need a way to create something like 187 groups for security on some software I am creating, and I would really like to do this using code.  Since every time they deploy the database they need to create 187 new groups, this would be time consuming to deploy without a tool to do the work for them.

    In my post you see two types of code, the first is how I am verifying group membership.  From my testing, this code verifies group membership by querying the group name stored as the sAMAccountName variable of the group, and checking for membership there.  When I create the groups using the code in the second part of the post the group name is correct, but the sAMAccountName is a randomly generated value that is like you said under 20 characters in length.  When I go in and modify the group that I created using code the randomly created string appears under the Windows 2000 Group Name field in the AD Group Editor screen.  When I copy and paste the group from Group Name to Windows 2000 Group Name it works like a charm, and my code that verifies membership starts working again (with that group anyway).

    What you said may certainly apply, but it does not solve the issue that I originally proposed.  I need a way to make the sAMAccountName the same as the group name, and since MS can do it, there should be no reason why I cannot (unless we are dealing with an unpublished API).  I am voting your post as helpful because I did not know where to find other resources and you certainly helped me with that very much.  Thank you for that; your post is at the very least a partial answer to my question because it shows that there are in fact limits to field lengths that it appears Microsoft is ignoring for its own purposes.


    --------------------------------------------------------------------------------------------- No warranties are expressed or implied with any code being posted/emailed.
    Friday, June 19, 2009 3:49 PM
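    The approach discussed in this thread (setting sAMAccountName in the same commit as the CN, as the AD GUI does, and checking the name before the DC rejects it with 0x8007001F) as an added VB.NET example; this is not the poster's code or Microsoft's. It assumes a DirectoryEntry already bound to the target OU (like objADAM in the question); the module, function and parameter names are the example's own, and the 20-character default is the limit the moderator cites, which groups created in the GUI can exceed, as the poster observed.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Text.RegularExpressions

' Added example, not code from the thread. Names below are hypothetical.
Module AdGroupCreation

    ' Characters the SAM-Account-Name documentation lists as illegal.
    Private ReadOnly IllegalSamChars As New Regex("[""/\\\[\]:;|=,+*?<>]")

    ' Validates a proposed pre-Windows 2000 name before it is sent to the DC.
    ' maxLength defaults to the 20-character limit cited in the thread; groups
    ' created in the AD GUI can be longer, so tune it to your environment.
    Public Function IsValidSamAccountName(ByVal samName As String, _
                                          Optional ByVal maxLength As Integer = 20) As Boolean
        If String.IsNullOrEmpty(samName) OrElse samName.Length > maxLength Then
            Return False
        End If
        Return Not IllegalSamChars.IsMatch(samName)
    End Function

    ' Creates a global security group and sets sAMAccountName in the same
    ' CommitChanges as the CN. groupName is the CN without the "CN=" prefix;
    ' container is the OU the group is created in (the bound DirectoryEntry).
    Public Function CreateSecurityGroup(ByVal container As DirectoryEntry, _
                                        ByVal groupName As String, _
                                        ByVal samName As String, _
                                        ByVal description As String) As DirectoryEntry
        If Not IsValidSamAccountName(samName) Then
            Throw New ArgumentException( _
                "'" & samName & "' is empty, too long or contains illegal characters.", "samName")
        End If

        ' Children.Add expects the RDN, so the CN= prefix is added here.
        Dim group As DirectoryEntry = container.Children.Add("CN=" & groupName, "group")
        group.Properties("sAMAccountName").Value = samName
        group.Properties("displayName").Value = groupName
        group.Properties("description").Value = description
        ' ADS_GROUP_TYPE_GLOBAL_GROUP (2) Or ADS_GROUP_TYPE_SECURITY_ENABLED (&H80000000).
        ' WindowsPrincipal.IsInRole only sees security groups, never distribution groups.
        group.Properties("groupType").Value = &H80000002
        group.CommitChanges()
        Return group
    End Function

End Module
```

    Calling IsValidSamAccountName on each of the 187 names before creating anything lets a deployment tool report every bad name up front instead of failing part way through.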
  • The document of SAM-Account-Name also indicates that the length of it should be less than 20 characters.

    thanks a lot

    Friday, September 2, 2011 2:52 AM