Reputation: 165
I'm having issues creating computers via LDAP in C#:
The following is my code:
using System.DirectoryServices;

string connectionPrefix = "LDAP://" + ldapPath;
DirectoryEntry dirEntry = new DirectoryEntry(connectionPrefix, GlobalVar.adUser, GlobalVar.adUserPassword);
// Create the computer object as a child of the bound container
DirectoryEntry newComputer = dirEntry.Children.Add("CN=" + computerName, "computer");
newComputer.Properties["samaccountname"].Value = computerName;
newComputer.Properties["dnshostname"].Value = computerName + ".[privacy].[domain].[here]";
newComputer.Properties["description"].Value = GlobalVar.adUser;
newComputer.Properties["location"].Value = "IT";
// Write the new object to the directory
newComputer.CommitChanges();
This works flawlessly with one exception: the computer is created in the correct folder, but its primary group is "Domain Users" instead of "Domain Computers". When I create a computer directly in AD, it is automatically assigned the primary group "Domain Computers".
The result is that I cannot add the computer to the domain without editing it manually in AD.
Any solutions?
Best Regards,
Julian
Upvotes: 1
Views: 1070
Reputation: 1
I was having the same issue and was brought here initially after searching the web. Found the solution here.
To get a "valid" computer object, you have to set the attribute userAccountControl to 0x1020 = (PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT), and it's also recommended to set the sAMAccountName to the computer name (in uppercase) followed by a '$' (same as if you create the object from the Management Console).
// 0x1020 = WORKSTATION_TRUST_ACCOUNT (0x1000) | PASSWD_NOTREQD (0x20)
newComputer.Properties["userAccountControl"].Value = 0x1020;
This resolved the issue for me.
Upvotes: 0
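The creation flow from the question combined with the userAccountControl advice above, as an added example that is not code from the question or from this answer. It binds with AuthenticationTypes.Secure (a Negotiate/Kerberos bind rather than a simple bind that sends the password in clear), creates the object the way the management console does, and then re-reads primaryGroupID from the DC to confirm that the server assigned Domain Computers (RID 515). The container DN, account, password, computer name and DNS suffix in Main are placeholders.

```csharp
using System;
using System.DirectoryServices;

static class ComputerProvisioning
{
    // userAccountControl flags relevant to a workstation account.
    const int ADS_UF_PASSWD_NOTREQD = 0x0020;
    const int ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000;
    // Well-known RID of "Domain Computers"; "Domain Users" is 513.
    const int DOMAIN_COMPUTERS_RID = 515;

    // Creates CN=<computerName> under containerDn and returns the primaryGroupID the DC assigned.
    public static int CreateComputer(string containerDn, string adUser, string adPassword,
                                     string computerName, string dnsSuffix)
    {
        // Secure: Negotiate bind instead of a simple bind that sends the password in clear.
        using (var container = new DirectoryEntry("LDAP://" + containerDn, adUser, adPassword,
                                                  AuthenticationTypes.Secure))
        using (var computer = container.Children.Add("CN=" + computerName, "computer"))
        {
            // Machine accounts are named NAME$ in uppercase, as the console does it.
            computer.Properties["sAMAccountName"].Value = computerName.ToUpperInvariant() + "$";
            computer.Properties["dNSHostName"].Value = computerName.ToLowerInvariant() + "." + dnsSuffix;

            // 0x1020: a workstation trust account whose password is set by the domain join.
            computer.Properties["userAccountControl"].Value =
                ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_PASSWD_NOTREQD;
            computer.CommitChanges();

            // Re-read from the DC: primaryGroupID is assigned server-side from the account type,
            // so the value in the local property cache is not meaningful until refreshed.
            computer.RefreshCache(new[] { "primaryGroupID" });
            return (int)computer.Properties["primaryGroupID"].Value;
        }
    }

    static void Main()
    {
        // All values below are placeholders for a real environment.
        int rid = CreateComputer("OU=Workstations,DC=example,DC=local",
                                 "EXAMPLE\\svc-provision", "<password>",
                                 "ws-0001", "example.local");
        Console.WriteLine(rid == DOMAIN_COMPUTERS_RID
            ? "primary group is Domain Computers"
            : "unexpected primaryGroupID " + rid);
    }
}
```

Reading primaryGroupID back after CommitChanges is the check that matters: if it comes back as 513 the object was created as a user-type account and the domain join will fail the way the question describes. Pre-created objects carry PASSWD_NOTREQD until the join replaces the machine password, so objects that are staged but never joined are worth inventorying and removing.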
Reputation: 786
I would use System.DirectoryServices.AccountManagement to do this...
LDAPusername = username with permissions to edit LDAP.
Pass the computername once it's created, then pass the group.
Sorry if this isn't perfect, this is my vb.net code I converted.
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// The following code changes the primary group of an existing computer.
// LDAPusername / LDAPpassword: credentials of an account permitted to edit the directory
// (declared elsewhere).
PrincipalContext pc1 = new PrincipalContext(
    ContextType.Domain,
    "subdomain.domain.com",
    LDAPusername,
    LDAPpassword
);
ComputerPrincipal cp = ComputerPrincipal.FindByIdentity(pc1, "computername");
DirectoryEntry computer = (DirectoryEntry)cp.GetUnderlyingObject();

// distinguishedname = "CN=Domain Users,CN=Users,DC=domain,DC=com"
string @group = "groupdistinguishedname";
DirectoryEntry groupdirentry = new DirectoryEntry(
    "LDAP://" + @group,
    LDAPusername,
    LDAPpassword
);

// Make the computer a member of the group first (IADsGroup.Add via ADSI);
// a primaryGroupID must refer to a group the object belongs to.
groupdirentry.Invoke("Add", new object[] { computer.Path });
groupdirentry.CommitChanges();

// primaryGroupToken is a constructed attribute, so load it explicitly before reading it.
groupdirentry.Invoke(
    "GetInfoEx",
    new object[] {
        new object[] { "primaryGroupToken" },
        0
    }
);
object primaryGroupToken = groupdirentry.Invoke(
    "Get",
    new object[] { "primaryGroupToken" }
);

// Point the computer's primaryGroupID at the group's RID and write it back.
computer.Invoke(
    "Put",
    new object[] { "primaryGroupID", primaryGroupToken }
);
computer.CommitChanges();
Upvotes: 1
Reputation: 355
You need to set the primaryGroupId to 515, I believe (Domain Computers).
// 515 is the well-known RID of "Domain Computers"
newComputer.Properties["primaryGroupId"].Value = 515;
Upvotes: 0
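The two answers above take different routes to the same change: one adds the computer to the group and copies the group's primaryGroupToken, the other writes the RID 515 directly. The added example below (not code from either answer) combines them using typed System.DirectoryServices calls instead of ADSI Invoke. The directory rejects a primaryGroupID that names a group the object is not a member of, so the membership is added first, skipped when memberOf already lists the group because adding a duplicate member is an error, and the RID is taken from the group's constructed primaryGroupToken so the same method works for any group. DNs and credentials in Main are placeholders.

```csharp
using System;
using System.DirectoryServices;

static class PrimaryGroupFixer
{
    // Makes groupDn the primary group of the computer at computerDn and returns the
    // primaryGroupID re-read from the DC afterwards.
    public static int SetPrimaryGroup(string computerDn, string groupDn,
                                      string adUser, string adPassword)
    {
        using (var computer = new DirectoryEntry("LDAP://" + computerDn, adUser, adPassword,
                                                 AuthenticationTypes.Secure))
        using (var group = new DirectoryEntry("LDAP://" + groupDn, adUser, adPassword,
                                              AuthenticationTypes.Secure))
        {
            // primaryGroupToken is constructed by the DC on request; ask for it explicitly.
            group.RefreshCache(new[] { "primaryGroupToken" });
            int token = (int)group.Properties["primaryGroupToken"].Value;

            computer.RefreshCache(new[] { "primaryGroupID", "memberOf" });
            if ((int)computer.Properties["primaryGroupID"].Value == token)
                return token; // already the primary group, nothing to change

            // Step 1: explicit membership, unless already present (adding twice fails).
            if (!IsMemberOf(computer, groupDn))
            {
                group.Properties["member"].Add(computerDn);
                group.CommitChanges();
            }

            // Step 2: switch the primary group now that the membership requirement is met.
            computer.Properties["primaryGroupID"].Value = token;
            computer.CommitChanges();

            // Confirm what the DC stored rather than trusting the local cache.
            computer.RefreshCache(new[] { "primaryGroupID" });
            return (int)computer.Properties["primaryGroupID"].Value;
        }
    }

    // Case-insensitive DN comparison against the object's memberOf back-link.
    static bool IsMemberOf(DirectoryEntry entry, string groupDn)
    {
        foreach (object dn in entry.Properties["memberOf"])
        {
            if (string.Equals((string)dn, groupDn, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Placeholder DNs and credentials.
        int rid = SetPrimaryGroup(
            "CN=WS-0001,OU=Workstations,DC=example,DC=local",
            "CN=Domain Computers,CN=Users,DC=example,DC=local",
            "EXAMPLE\\svc-provision", "<password>");
        Console.WriteLine("primaryGroupID is now " + rid); // 515 for Domain Computers
    }
}
```

Writing 515 directly, as the last answer suggests, is equivalent to reading primaryGroupToken from CN=Domain Computers; reading it keeps the method correct for any other group, and the memberOf check before the write is what avoids the "not a member" error that a bare primaryGroupID assignment runs into.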