LeeMobile

Reputation: 3825

How to add a user in a different Active Directory Domain in C#?

So my goal is to be able to add a user from one Active Directory Domain to another group in a separate Active Directory Domain.

I'd like to do this in C#. I know there is a System.DirectoryServices namespace with classes to communicate with AD, but I can't find any information on adding users across domains.

In the environment there are two domain controllers with the same parent forest. There is a transient trust between the 2 domains, let's call them domains A and B.

I'm able to add a user from B to a Domain Local or Universal group inside of domain A with the Active Directory tool.

Does anyone know how I can do this programmatically using C#?

Upvotes: 2

Views: 5235

Answers (2)

Steve Evans

Reputation: 1148

You need to create a DirectoryEntry object to the Group. Then you add the DN of the user you want to add to the group to the member attribute on the group. For example:

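using System.DirectoryServices;

// Bind to the group in the child domain.
DirectoryEntry group = new DirectoryEntry("LDAP://child.domain.com/cn=group,ou=sample,dc=child,dc=domain,dc=com");

// DN of the user in the other domain.
string userDN = "cn=user,ou=sample,dc=domain,dc=com";

// Append the DN to the group's member attribute and write the change.
group.Properties["member"].Add(userDN);
group.CommitChanges();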

Probably you're having issues getting bound to the group DirectoryEntry. Make sure you can read attributes off that DE before you try adding a group to make sure you're successfully binding.

Upvotes: 0
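An added example, not code from either answer: the member-attribute approach above with a read-before-write bind check, a signed and sealed bind, a group-scope check, and idempotent handling of an existing membership. The class and `AddMember` helper are hypothetical names, and the paths are the placeholder DNs from the answer.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

static class CrossDomainGroupMember   // hypothetical helper, not from the answers
{
    const int GlobalGroupFlag = 0x00000002;                 // groupType bit for a global group
    const int AlreadyMember = unchecked((int)0x80071392);   // HRESULT for ERROR_OBJECT_ALREADY_EXISTS

    // Returns true if the member was added, false if it was already in the group.
    public static bool AddMember(string groupPath, string memberDn)
    {
        // Bind as the calling identity with signing and sealing so the
        // modify is integrity-protected and encrypted on the wire.
        const AuthenticationTypes auth = AuthenticationTypes.Secure
            | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;
        using (var group = new DirectoryEntry(groupPath, null, null, auth))
        {
            // Force the bind and read an attribute first; a bad path or
            // missing rights fails here, before anything is written.
            group.RefreshCache(new[] { "groupType" });
            int groupType = (int)group.Properties["groupType"].Value;
            // Global groups only accept members from their own domain.
            if ((groupType & GlobalGroupFlag) != 0)
                throw new InvalidOperationException(
                    "Target is a global group; use a domain local or universal group.");

            try
            {
                group.Properties["member"].Add(memberDn);
                group.CommitChanges();
                return true;
            }
            catch (COMException ex) when (ex.ErrorCode == AlreadyMember)
            {
                return false;   // idempotent: membership already exists
            }
        }
    }

    static void Main()
    {
        // Placeholder paths taken from the answer above.
        bool added = AddMember(
            "LDAP://child.domain.com/cn=group,ou=sample,dc=child,dc=domain,dc=com",
            "cn=user,ou=sample,dc=domain,dc=com");
        Console.WriteLine(added ? "Member added." : "Already a member.");
    }
}
```

Run it under an account delegated write access to the `member` attribute of that one group rather than a domain administrator, so the change is attributable and narrowly scoped.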

barneytron

Reputation: 7963

What worked for me when I wrote code to do this a couple years back:

  1. Get a DirectoryEntry for the group to which you want to add a member.
  2. Call Invoke on the group DirectoryEntry passing arguments "Add" as the method name and the ADsPath of the member in an array.

Some sample code off the top of my head:

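using System.DirectoryServices;

// Bind to the group in domain A.
DirectoryEntry group = new DirectoryEntry(@"LDAP://CN=foo,DC=domainA");
// ADsPath of the member in domain B.
string memberADsPath = @"LDAP://CN=bar,DC=domainB";
group.Invoke("Add", new object[] { memberADsPath });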

Upvotes: 1
