Cannot add/remove objects to a group because of orphaned SIDs: PrincipalOperationException: An error (1332) occurred

Time: 2016-07-06 12:44:48

Tags: c# exception active-directory adsi

I need to add/remove objects (users, groups) to/from a local group on a server. I do it as follows, and it works fine:

Principal adObject = Principal.FindByIdentity(domainContext, login);
GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(machineContext, IdentityType.Name, localGroupName);
groupPrincipal.Members.Add(adObject);
groupPrincipal.Save();

Except in the case where the local group contains some orphaned SIDs (deleted Active Directory users or groups).

[Screenshot: Orphaned-SIDs]

In that case I get the following exception:

System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1332) occurred while enumerating the group membership. The member's SID could not be resolved.

This error message appears when I try to add, remove, or enumerate members of the local group. Reading the current members with the following workaround works fine:

DirectoryEntry group = (DirectoryEntry)groupPrincipal.GetUnderlyingObject();
foreach (object member in (IEnumerable)group.Invoke("Members", null))
{
   ...
}

However, casting the GroupPrincipal to a DirectoryEntry does not solve the problem of adding and removing members. I tried the following three approaches, but none of them works:

1) group.Invoke("Add", new object[] {@"WinNT://" + domain + "//" + login + ",user"});
2) group.Invoke("Add", new object[] { @"LDAP://" + adObject.DistinguishedName });
3) group.Properties["member"].Add(@"LDAP://" + adObject.DistinguishedName);

All three cases above produce the same error:

System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1332) occurred while enumerating the group membership.  The member's SID could not be resolved.
at System.DirectoryServices.AccountManagement.SAMMembersSet.IsLocalMember(Byte[] sid)
at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextLocal()
at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext()
at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsEnumTest(Principal principal)
at System.DirectoryServices.AccountManagement.PrincipalCollection.Add(Principal principal)

I need to be able to add and remove users to/from this group without deleting these orphaned SIDs. Can anyone suggest a solution or workaround for this problem?

1 answer:

Answer 0: (score: 0)

I seem to have found a workaround for the problem:

DirectoryEntry group = (DirectoryEntry)groupPrincipal.GetUnderlyingObject();
IADsGroup nativeGroup = (IADsGroup)group.NativeObject; // https://msdn.microsoft.com/en-us/library/aa706022(v=vs.85).aspx
nativeGroup.Remove("LDAP://" + adObject.Sid.Value);
//nativeGroup.Remove(String.Format("WinNT:////{0}//{1}", domain, ID));
//nativeGroup.Remove(String.Format( "NTDS:////{0}//{1}", domain, ID));

If you take the native object of the DirectoryEntry and cast it to ActiveDs.IADsGroup, the Add() and Remove() methods work normally.
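As an added example that is not part of the question or the answer: a small C# helper that takes the same IADsGroup route to add or remove a single member without enumerating the group, and that lists the orphaned SIDs so an administrator can review them. It assumes a COM reference to the Active DS Type Library, that the WinNT provider accepts the SID-form ADsPath WinNT://S-1-5-..., and that it reports an unresolvable member with its SID string as Name; machineName and groupName are placeholder inputs.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using ActiveDs; // COM reference to the Active DS Type Library (activeds.tlb)

// Added example, not code from the question or the answer: manage a local group through
// IADsGroup so that orphaned SIDs already in the group do not break Add/Remove, and
// report those orphaned entries so they can be reviewed.
public static class LocalGroupAdsi
{
    // machineName and groupName are assumed inputs, e.g. "SERVER01" and "Administrators".
    static IADsGroup Bind(string machineName, string groupName)
    {
        var entry = new DirectoryEntry("WinNT://" + machineName + "/" + groupName + ",group");
        return (IADsGroup)entry.NativeObject;
    }

    // Returns the SIDs of members that no longer resolve to an account. Assumption: the
    // WinNT provider exposes an unresolvable member with its SID string as Name (as in the
    // question's screenshot); SecurityIdentifier.Translate confirms the account is gone.
    public static List<string> FindOrphanedMembers(string machineName, string groupName)
    {
        var orphans = new List<string>();
        foreach (IADs member in Bind(machineName, groupName).Members())
        {
            if (!member.Name.StartsWith("S-1-", StringComparison.Ordinal)) continue;
            try
            {
                new SecurityIdentifier(member.Name).Translate(typeof(NTAccount));
            }
            catch (IdentityNotMappedException)
            {
                orphans.Add(member.Name); // deleted account: candidate for cleanup review
            }
        }
        return orphans;
    }

    // Adds or removes one member by SID. IADsGroup.Add/Remove take an ADsPath and do not
    // enumerate the existing members, so orphaned entries are left untouched. Assumption:
    // the WinNT provider accepts the SID-form path WinNT://<SID string>.
    public static void SetMembership(string machineName, string groupName,
                                     SecurityIdentifier sid, bool shouldBeMember)
    {
        IADsGroup group = Bind(machineName, groupName);
        string adsPath = "WinNT://" + sid.Value;
        if (shouldBeMember) group.Add(adsPath); else group.Remove(adsPath);
    }
}
```

Orphaned entries in privileged local groups (Administrators, Remote Desktop Users) are worth logging from FindOrphanedMembers, since a SID that is recreated or matched by a new account would silently regain that membership.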