Friday, October 5, 2012

GroupPrincipal.FindByIdentity Search Returns Well-Known SID Error

We use a custom program to assist in the creation and management of our Active Directory user accounts. In it we use the System.DirectoryServices.AccountManagement namespace released in .NET 3.5 to do much of the interaction with AD.

One of the processes that gets completed is to find what groups a user should be in based on their department and add the user to that group.

In doing this, I use the following code to search for the group based on its name.

' Bind to the department's OU and look the group up by the bare department code.
Dim domainContext As PrincipalContext
domainContext = New PrincipalContext(ContextType.Domain, "campus", "OU=" & Me.Department & ",OU=" & Me.accountType & ",DC=domain,DC=com")
Dim group As GroupPrincipal
' No IdentityType given: the value is matched against every identity type.
group = GroupPrincipal.FindByIdentity(domainContext, Me.Department)

Problem

A problem arose while searching for some of our departments. For example our Communications department is identified as 'CO' and our Education department is identified as 'ED'. When we searched for the value 'CO' assigned to Me.Department, the identity found was the well known SID "Creator Owner." When we would search for 'ED', the group found was "Enterprise Domain Controllers" instead of the expected group 'ED'.

We would also receive the following error when trying to create the user account:
This principal object represents a well-known SID and does not correspond to an actual store object. This operation is not supported on it.

Solution

The solution to the problem was actually pretty quick. Change

group = GroupPrincipal.FindByIdentity(domainContext, Me.Department)

to

group = GroupPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, Me.Department)

so you are only searching against the sAMAccountName, or you can choose a different IdentityType to search against. Without an explicit IdentityType the value is tried against every identity type, including Sid, and two-letter codes such as "CO" and "ED" are valid SDDL abbreviations for the well-known SIDs Creator Owner and Enterprise Domain Controllers, which is why those principals were returned. The options include

  • DistinguishedName
  • Guid
  • sAMAccountName
  • Name
  • Sid
  • UserPrincipalName

Additionally, trying to catch the MultipleMatchesException did not resolve the problem, because it was never thrown during the search process.
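As an added example (not code from the original post), the lookup written defensively: it restricts the search to sAMAccountName as described above, and also refuses any result that is a well-known SID rather than a real directory object. The domain name "campus", the container path and the account type "Staff" are placeholders assumed for illustration.

```vbnet
Imports System
Imports System.DirectoryServices.AccountManagement
Imports System.Security.Principal

Module DepartmentGroups

    ' Resolve a department group strictly by sAMAccountName. The caller owns the
    ' PrincipalContext so the returned GroupPrincipal stays usable afterwards.
    Public Function FindDepartmentGroup(ctx As PrincipalContext, department As String) As GroupPrincipal
        Dim group As GroupPrincipal = Nothing
        Try
            ' Naming the IdentityType stops "CO"/"ED" being read as SDDL SID aliases.
            group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, department)
        Catch ex As MultipleMatchesException
            ' sAMAccountName is unique within a domain, so this points at a directory data problem.
            Throw New InvalidOperationException("More than one group has sAMAccountName " & department, ex)
        End Try

        If group Is Nothing Then
            Throw New NoMatchingPrincipalException("No group with sAMAccountName " & department)
        End If

        ' Defence in depth: a well-known SID such as S-1-3-0 (Creator Owner) or
        ' S-1-5-9 (Enterprise Domain Controllers) is not a domain account SID and has
        ' no distinguishedName, so any later AddMember/Save would fail anyway.
        If Not group.Sid.IsAccountSid() OrElse String.IsNullOrEmpty(group.DistinguishedName) Then
            Throw New InvalidOperationException(department & " resolved to well-known SID " & group.Sid.Value)
        End If

        Return group
    End Function

    Sub Main()
        ' Constructed sample values: department code "CO" under the assumed "Staff" OU.
        Dim container As String = "OU=CO,OU=Staff,DC=domain,DC=com"
        Using ctx As New PrincipalContext(ContextType.Domain, "campus", container)
            Dim g As GroupPrincipal = FindDepartmentGroup(ctx, "CO")
            Console.WriteLine("Resolved " & g.SamAccountName & " -> " & g.DistinguishedName)
        End Using
    End Sub

End Module
```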

Hopefully this will help save some searching.

1 comment:

  1. Even eight years later, this is useful. Even though you haven't posted in six years, I wonder if you have any ideas about dealing with the MultipleMatchesException when there genuinely are multiple matches, for example if searching by Name.
