seeking example using ADSI API to programmatically create a Windows Group

Question

Seeking example using ADSI API to programmatically create a Windows Group. AD is Windows Active Directory http://en.wikipedia.org/wiki/Active_Directory

'SI' maybe Service Interface?

Anyway, this area is just not well documented. . . I have seen some PowerShell scripts . . . but really do not want to have to ensure PowerShell is installed etc. A simple program that runs and makes sure MY_XYZ_GROUP is added to the Window's set of Groups.....

Should be easy.... Appears not so easy.

Answer 1

ADSI = Active Directory Service Interfaces - it's an API to talk to Active Directory to create users, groups, computer accounts in Active Directory - the network based LDAP directory for Microsoft networks.

So do you need to create local users on a local machine/server, or do you need to create groups in your Active Directory??

If you're programming in .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

• Managing Directory Security Principals in the .NET Framework 3.5
• MSDN docs on System.DirectoryServices.AccountManagement

Basically, you can define a domain context and easily find users and/or groups in AD:

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

if(user != null)
{
   // do something here....     
}

// create a group 
GroupPrincipal group = new GroupPrincipal(ctx, "Group01");
// set other properties on the group here.....
group.Save();  

The new S.DS.AM makes it really easy to play around with users and groups in AD!

Update: unforutnately, the new S.DS.AM doesn't work with local groups :-( it's only intended for Active Directory use.

If you need to create a local Windows group, you need to use the older DirectoryEntry approach - something like:

// bind to your machine's WinNT:// provider
DirectoryEntry computer = new DirectoryEntry("WinNT://YourMachineNameHere");

// create a new local group on your computer
DirectoryEntry newGroup = computer.Children.Add("NewGroupName", "Group");

// save that group to the local machine
newGroup.CommitChanges();

// refresh the property cache so you can set properties like "Description" or others
newGroup.RefreshCache();
newGroup.Properties["description"].Value = "Description for your group....";
newGroup.CommitChanges();

Richard Mueller has a great list of Excel sheets showing all the various properties available, both on the LDAP-based Active Directory objects, as well as the very limited WinNT properties.