Jony shah

Reputation: 21

While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is 1788

I came across a few similar articles, but they didn't help to fix the problem.

This is the code snippet I am using:

using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

private void GetUsersFromGroup(
    PrincipalContext principalContext,
    string groupName,
    bool isAdminGroup,
    IList<User> users,
    HashSet<string> userIds)
{
    log.Info($"Attempting to find {groupName} group");
    // FindByIdentity returns null (it does not throw) when no such group exists.
    using (GroupPrincipal group = GroupPrincipal.FindByIdentity(principalContext, groupName))
    {
        if (group == null)
        {
            log.Info($"Group {groupName} not found");
            return;
        }
        log.Info($"Successfully found {groupName} group");

        log.Info($"Attempting to read users from group {group.DistinguishedName}");
        var addedUserIds = new List<string>();
        // Enumerating Members resolves every member to a Principal object; a member that
        // cannot be resolved surfaces as a PrincipalOperationException from MoveNext().
        foreach (var userPrincipal in group.Members.OfType<UserPrincipal>())
        {
            // userIds holds lower-cased UPNs, so the duplicate check must compare lower-cased too.
            string upn = userPrincipal.UserPrincipalName?.ToLowerInvariant();
            if (upn != null && (userPrincipal.Enabled ?? false) && !userIds.Contains(upn))
            {
                users.Add(new User(userPrincipal.UserPrincipalName, userPrincipal.Sid.Value, userPrincipal.DisplayName, userPrincipal.EmailAddress, isAdminGroup));
                userIds.Add(upn);
                addedUserIds.Add(userPrincipal.UserPrincipalName);
            }
        }
        log.Info($"Successfully read users from group {group.DistinguishedName}. Users read: {string.Join(", ", addedUserIds)}");
    }
}

Error details

System.DirectoryServices.AccountManagement.PrincipalOperationException: While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is 1788.
   at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
   at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
   at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
   at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
   at System.Linq.Enumerable.d__95`1.MoveNext()

Please advise.

Thank you.

Upvotes: 0

Views: 620

Answers (1)

Gabriel Luci

Reputation: 40988

It's likely that the group contains an account from another domain that doesn't exist anymore.

When a group contains a user from an external trusted domain (not in the same AD forest), it stores a "foreign security principal" object, which contains the SID of the account. The domain that the account is on really has no idea that the account has been added to a group on another domain. So if that account is deleted, the group is not automatically updated.

When you look at the Members collection, it tries to look up the account and give you a UserPrincipal object, but it cannot because the account doesn't exist anymore.

Upvotes: 0
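One way to confirm the diagnosis in the answer is to bypass `Members` (which throws on the first unresolvable member) and read the group's raw `member` attribute instead, then check each foreign security principal's SID yourself. The following is an added example, not code from the question or the answer; the class and method names (`GroupMemberAudit`, `MemberInfo`, `Audit`, `Inspect`) are made up for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not code from the question or the answer. Reads the group's raw
// "member" attribute so that a foreignSecurityPrincipal whose SID no longer
// resolves is reported instead of aborting the whole enumeration.
public static class GroupMemberAudit
{
    public sealed class MemberInfo
    {
        public string DistinguishedName;
        public string ObjectClass;        // most specific class: user, group, foreignSecurityPrincipal, ...
        public SecurityIdentifier Sid;    // null when the object carries no objectSid
        public string ResolvedAccount;    // DOMAIN\name, or null when the SID cannot be looked up
        public bool IsOrphanedForeignPrincipal;
    }

    // Returns one entry per direct member of groupName. Nested groups are not expanded.
    public static IList<MemberInfo> Audit(PrincipalContext context, string groupName)
    {
        var results = new List<MemberInfo>();
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupName))
        {
            if (group == null)
                throw new ArgumentException($"Group '{groupName}' not found", nameof(groupName));

            var groupEntry = (DirectoryEntry)group.GetUnderlyingObject();
            // Caveat: for groups with more than ~1500 members AD returns "member" in ranges
            // (member;range=0-1499); this example does not implement ranged retrieval.
            groupEntry.RefreshCache(new[] { "member" });

            foreach (string memberDn in groupEntry.Properties["member"])
                results.Add(Inspect(memberDn));
        }
        return results;
    }

    private static MemberInfo Inspect(string memberDn)
    {
        var info = new MemberInfo { DistinguishedName = memberDn };
        // A forward slash inside a DN must be escaped when it is embedded in an ADsPath.
        using (var entry = new DirectoryEntry("LDAP://" + memberDn.Replace("/", "\\/")))
        {
            entry.RefreshCache(new[] { "objectClass", "objectSid" });

            // objectClass is multi-valued (top, person, ..., user); the last value is the most specific.
            PropertyValueCollection classes = entry.Properties["objectClass"];
            info.ObjectClass = classes.Count > 0 ? (string)classes[classes.Count - 1] : string.Empty;

            var rawSid = entry.Properties["objectSid"].Value as byte[];
            if (rawSid != null)
            {
                info.Sid = new SecurityIdentifier(rawSid, 0);
                try
                {
                    // Translate asks LSA to map the SID to an account name, following trusts.
                    info.ResolvedAccount = ((NTAccount)info.Sid.Translate(typeof(NTAccount))).Value;
                }
                catch (IdentityNotMappedException)
                {
                    // The case the answer describes: the FSP still holds the SID, but no
                    // account with that SID exists (or is reachable) any more.
                    info.ResolvedAccount = null;
                }
            }
        }
        info.IsOrphanedForeignPrincipal =
            string.Equals(info.ObjectClass, "foreignSecurityPrincipal", StringComparison.OrdinalIgnoreCase)
            && info.ResolvedAccount == null;
        return info;
    }
}
```

Call it as `GroupMemberAudit.Audit(new PrincipalContext(ContextType.Domain), "Your Group")` and look at the entries with `IsOrphanedForeignPrincipal` set; their `DistinguishedName` values are the stale `member` values that make `Members` throw. Two caveats before deleting anything: the SID lookup also fails when the trusted domain is simply unreachable at that moment (so confirm against the other forest that the account really is gone), and the stale entry is removed from the group, not from the `ForeignSecurityPrincipals` container, by taking the DN out of the group's `member` attribute and committing the change.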
