Tags: c#, active-directory, ldap, distinguishedname

Why can't an Active Directory group be created with groupType = Local?


I am not able to understand why creating a group in Active Directory with "local" as the groupType doesn't work. It throws the following exception:

 System.DirectoryServices.DirectoryServicesCOMException (0x80072035): The server is unwilling to process the request.

while the following is the code sample:

        // Requires a reference to System.DirectoryServices. ParentContainer is the
        // LDAP path of the container; AttributeType, Name and Description are
        // members of the enclosing class.
        var parentEntry = new DirectoryEntry(ParentContainer);

        var groupToCreate = parentEntry.Children.Add(this.AttributeType + this.Name, "group");

        groupToCreate.Properties["description"].Add(this.Description);

        groupToCreate.Properties["displayName"].Add(Name);

        groupToCreate.Properties["groupType"].Add((int)GroupType.DomainLocalGroup); // this line throws the error

        groupToCreate.CommitChanges();

If I change GroupType.DomainLocalGroup to GroupType.DomainGlobalGroup, everything works fine. Can anybody let me know how to get rid of this problem?



Solution

  • According to Microsoft, this is how the group type enum is defined:

    • 1 (0x00000001) Specifies a group that is created by the system.
    • 2 (0x00000002) Specifies a group with global scope.
    • 4 (0x00000004) Specifies a group with domain local scope.
    • 8 (0x00000008) Specifies a group with universal scope.
    • 16 (0x00000010) Specifies an APP_BASIC group for Windows Server Authorization Manager.
    • 32 (0x00000020) Specifies an APP_QUERY group for Windows Server Authorization Manager.
    • 2147483648 (0x80000000) Specifies a security group. If this flag is not set, then the group is a distribution group.

    But this is also a flag enum - meaning that values can be combined by adding them together. So yes, 0x80000004 is actually a valid value that means "a domain local security group". (0x4 is a domain local distribution group)

    But you do have to cast to an integer (it won't let you set it with a hex value). I'm surprised the exception you got is "The server is unwilling to process the request" because when I do this:

    (int) 0x80000004
    

    I get this compiler error:

    CS0221: Constant value '2147483652' cannot be converted to a 'int' (use 'unchecked' syntax to override)

    That's because the decimal value of 0x80000004 is 2147483652, which does not fit in a 32-bit integer.

    But you do need to give it a 32-bit integer (you can't just cast to a long). So you have to follow the suggestion and use unchecked when casting:

    unchecked((int) 0x80000004)
    

    Which gives you a decimal value of -2147483644.

    So your code should look like this:

    groupToCreate.Properties["groupType"].Add(unchecked((int) GroupType.DomainLocalGroup));
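    As an added example (not code from the question or the answer above), the following C# console program puts the flag arithmetic from the answer into working form: it encodes the documented flag bits into the signed 32-bit value that the groupType attribute stores, decodes a stored value back into its scope and kind, checks that exactly one scope bit is set, and shows the DirectoryEntry call with the correctly encoded value. The flag values are the documented ones listed above; the GroupTypeFlags enum, the GroupTypeCodec helper names and the LDAP path in CreateGroup are assumptions made for the example. CreateGroup needs a reference to System.DirectoryServices and a reachable domain controller, so Main does not call it; everything else runs offline.

```csharp
using System;
using System.DirectoryServices;

// Documented groupType flag bits. The underlying type is uint so that
// 0x80000000 is representable without an unchecked cast at definition time.
[Flags]
public enum GroupTypeFlags : uint
{
    SystemCreated = 0x00000001,
    Global        = 0x00000002,
    DomainLocal   = 0x00000004,
    Universal     = 0x00000008,
    AppBasic      = 0x00000010,
    AppQuery      = 0x00000020,
    Security      = 0x80000000,
}

public static class GroupTypeCodec
{
    private const GroupTypeFlags ScopeMask =
        GroupTypeFlags.Global | GroupTypeFlags.DomainLocal | GroupTypeFlags.Universal;

    // AD stores groupType as a signed 32-bit integer, so any security group has
    // a negative value. Reinterpret the bits instead of converting the value;
    // a checked (int) cast of 0x80000004 would throw OverflowException at runtime.
    public static int ToAdValue(GroupTypeFlags flags) => unchecked((int)(uint)flags);

    public static GroupTypeFlags FromAdValue(int adValue) => (GroupTypeFlags)unchecked((uint)adValue);

    // A valid groupType carries exactly one scope bit (global, domain local or universal).
    public static bool HasSingleScope(GroupTypeFlags flags)
    {
        uint scopeBits = (uint)(flags & ScopeMask);
        return scopeBits != 0 && (scopeBits & (scopeBits - 1)) == 0;
    }

    // Human-readable description of a value read back from the directory.
    public static string Describe(int adValue)
    {
        GroupTypeFlags flags = FromAdValue(adValue);
        string kind = flags.HasFlag(GroupTypeFlags.Security) ? "security" : "distribution";
        string scope = (flags & ScopeMask) switch
        {
            GroupTypeFlags.Global      => "global",
            GroupTypeFlags.DomainLocal => "domain local",
            GroupTypeFlags.Universal   => "universal",
            _                          => "invalid scope",
        };
        // X8 prints the two's-complement bits, so -2147483644 shows as 0x80000004.
        return $"{adValue} (0x{adValue:X8}): {scope} {kind} group";
    }

    // Creates the group with the encoded value. Not called from Main: it needs a
    // domain controller. parentPath is e.g. "LDAP://OU=Groups,DC=example,DC=com"
    // (hypothetical path for the example).
    public static void CreateGroup(string parentPath, string cn, GroupTypeFlags flags)
    {
        if (!HasSingleScope(flags))
            throw new ArgumentException("groupType must carry exactly one scope bit", nameof(flags));

        using (var parent = new DirectoryEntry(parentPath))
        using (DirectoryEntry group = parent.Children.Add("CN=" + cn, "group"))
        {
            group.Properties["sAMAccountName"].Add(cn);
            group.Properties["groupType"].Add(ToAdValue(flags)); // int, never uint or long
            group.CommitChanges();
        }
    }
}

class Program
{
    static void Main()
    {
        // The value the question was trying to set: domain local security group.
        int domainLocalSecurity = GroupTypeCodec.ToAdValue(GroupTypeFlags.DomainLocal | GroupTypeFlags.Security);
        Console.WriteLine(GroupTypeCodec.Describe(domainLocalSecurity)); // -2147483644 (0x80000004): domain local security group

        // The global variant that worked for the asker, and the plain distribution list.
        Console.WriteLine(GroupTypeCodec.Describe(GroupTypeCodec.ToAdValue(GroupTypeFlags.Global | GroupTypeFlags.Security))); // -2147483646 (0x80000002)
        Console.WriteLine(GroupTypeCodec.Describe(4)); // 4 (0x00000004): domain local distribution group

        // Two scope bits at once is not a valid groupType; HasSingleScope catches it before AD does.
        var bad = GroupTypeFlags.Global | GroupTypeFlags.DomainLocal | GroupTypeFlags.Security;
        Console.WriteLine($"valid: {GroupTypeCodec.HasSingleScope(bad)}"); // valid: False
    }
}
```

    ToAdValue casts through uint first so that the unchecked reinterpretation is explicit and the enum's own underlying type never has to be a signed int; FromAdValue reverses it, which is what you need when auditing existing groups with a search that returns groupType as an int.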