Principle Operation Exception


  • Hi all,

    I have a code sample like below

    PrincipalContext context = new PrincipalContext(ContextType.Domain, "aaaaa", "aaaa\\bbb", "pppppp");
    var group = GroupPrincipal.FindByIdentity(context, IdentityType.Guid, "253DD8F5-3C6E-438A-899F-8A693B0AD93E");
    PrincipalSearchResult<Principal> users = group.GetMembers(true);
    foreach (UserPrincipal user in users)
     var a =user.Sid.Translate(typeof(NTAccount)).ToString();

    I'm trying to use group to find its member. Some member come from other trusted forest ,so I can't use the 'member of' of user..

    I have several server which's environment are server 2008 , 2008 R2 ,and 2012 etc...

    The application can work well but some server will raise exception.

    One is 

    System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.

    This one is because the sid can't be translate.....but other server is okay....


    The other is 

    System.DirectoryServices.AccountManagement.PrincipalOperationException: While trying to resolve a cross-store reference, the SID of the target principal could not be resolved.  The error code is 5.

    And this one is because can't access the searching result

    Monday, March 20, 2017 1:44 PM

All replies

  • It is possible that identities cannot be translated. It is one of the issues you're code will need to handle. In Windows Explorer, when it has a SID that cannot be translated to an identity it simply shows Account Unknown with the SID. You will probably need to take a similar approach. Wrapping your code in a try-catch for these specific exceptions should allow you to handle them and report a generic account instead.

    Michael Taylor

    Monday, March 20, 2017 1:58 PM
  • Hi Michael,

    Thx for ur reply. Yes, I can use try catch to handle that, but really want to know the real problem.

    Because these code work fine in some server and they query the same data from the same AD....


    Kunde Hong

    Tuesday, March 21, 2017 3:03 AM
  • Hi Kunde Hong,

    Thank you for posting here.

    For your question, based on search, you could refer to the thread in SO.

    The SecurityReference object's Translate method does work on non-local SIDs but only for domain accounts. For accounts local to another machine or in a non-domain setup you would need to PInvoke the function LookupAccountSid specifying the specific machine name on which the look up needs to be performed.

    I hope this would be helpful.

    Best Regards,


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact

    Tuesday, March 21, 2017 7:08 AM
  • Hi Wendy,

    For my first question,I realized that non-local SIDs can't be translate to domain account, but in my case the same sid can't be translated in some environments. The exception is raised at "Win32Native.LsaLookupSids", it raised OutOfMemoryException....

    It still can't be resolved.....

    My second question is more weird .....

    It only happened in some environment and raised exception at "foreach (UserPrincipal user in users)"

    Thursday, March 23, 2017 6:05 AM