8
votes

When I try to update the Name field (corresponds to the CN) on UserPrincipal (Principal, really), I get an error "The server is unwilling to process the request" on the call to UserPrincipal.Save().

I've checked to make sure there isn't another object in the same OU with the same Name (CN).

The PrincipalContext I'm operating at is the domain root (not exactly at the OU level where the user account exists).

What reason might there be for this error? Is it something that might be security policy related (even though I'm able to update all the other fields)?

using (var context = new PrincipalContext(ContextType.Domain, ConfigurationManager.AppSettings["domain"], ConfigurationManager.AppSettings["rootDN"], ContextOptions.Negotiate, ConfigurationManager.AppSettings["username"], ConfigurationManager.AppSettings["password"])) {
    var user = UserPrincipal.FindByIdentity(context, IdentityType.Sid, "..."); // SID abbreviated

    user.Name = "Name, Test";

    user.Save();
}

The user I am using to create the PrincipalContext has the security rights to modify AD objects. If I update any other of the other fields (e.g. Surname, GivenName), everything works fine.

EDIT:

I've been able to accomplish what I need to do (using ADSI), but I have to run the following code under impersonation. The impersonation code is ugly, and the code below breaks away from the other way I'm updating AD data (using DirectoryServices.AccountManagement), so I'd like to get a better solution.

using (var companyOU = new DirectoryEntry("LDAP://" + company.UserAccountOU)) {
    companyOU.Invoke("MoveHere", "LDAP://" + user.DistinguishedName, "cn=Name\, Test");
}
2
please show some code... another point: are the permissions you use to sufficient ? - Yahia
The code is fairly simple. I've posted some, nonetheless. The user has enough permissions to make edits to AD objects. - Chris
Thanks - Does this problem come up every time you try it? I am thinking along the line - what if this specific user is currently logged on ? - Yahia
Yes, it happens every time. No, the user is not logged in. In fact, just now I was able to accomplish what I need to, but in an ugly way - using DirectoryEntry instead and calling Invoke("MoveHere", ....). But I want to wait to see if anyone has a cleaner solution. - Chris
try it without any special character like user.Name = "TestUserName";... - Yahia

2 Answers

16
votes

This is a cleaner way

using (var context = new PrincipalContext(ContextType.Domain))
{
    var group = GroupPrincipal.FindByIdentity(context, groupName);
    group.SamAccountName = newGroupName;
    group.DisplayName = newGroupName;
    group.Save();

    var dirEntry = (DirectoryEntry)group.GetUnderlyingObject();    
    dirEntry.Rename("CN=" + newGroupName);
    dirEntry.CommitChanges();
}
3
votes

The only way I've found to do this is in the EDIT section in my question. Basically, you cannot use the UserPrincipal class. There is something special about the CN attribute, and you need to drop down a level and use DirectoryEntry, an LDAP string, and invoke the "MoveHere" ADSI command to rename the user account.