Why can't an Active Directory group be created with groupType = Local?

2

I am not able to understand why creating a group in Active Directory as "local" for groupType doesn't work. It throws the following exception:

 System.DirectoryServices.DirectoryServicesCOMException (0x80072035): The server is unwilling to process the request.

The following is the code sample:

        using System.DirectoryServices;

        var parentEntry = new DirectoryEntry(ParentContainer);

        var groupToCreate = parentEntry.Children.Add(this.AttributeType + this.Name, "group");

        groupToCreate.Properties["description"].Add(this.Description);

        groupToCreate.Properties["displayName"].Add(Name);

        // This line throws the exception above:
        groupToCreate.Properties["groupType"].Add((int)GroupType.DomainLocalGroup);

        groupToCreate.CommitChanges();

If I change GroupType.DomainLocalGroup to GroupType.DomainGlobalGroup, everything works fine. Can anybody let me know how to get rid of this problem?


c#
active-directory
ldap
distinguishedname
asked on Stack Overflow Jun 28, 2019 by Usman • edited Jun 28, 2019 by Usman

1 Answer

1

According to Microsoft, this is how the group type enum is defined:

  • 1 (0x00000001) Specifies a group that is created by the system.
  • 2 (0x00000002) Specifies a group with global scope.
  • 4 (0x00000004) Specifies a group with domain local scope.
  • 8 (0x00000008) Specifies a group with universal scope.
  • 16 (0x00000010) Specifies an APP_BASIC group for Windows Server Authorization Manager.
  • 32 (0x00000020) Specifies an APP_QUERY group for Windows Server Authorization Manager.
  • 2147483648 (0x80000000) Specifies a security group. If this flag is not set, then the group is a distribution group.

But this is also a flag enum - meaning that values can be combined by adding them together. So yes, 0x80000004 is actually a valid value that means "a domain local security group". (0x4 is a domain local distribution group)

But you do have to cast to an integer (it won't let you set it with a hex value). I'm surprised the exception you got is "The server is unwilling to process the request" because when I do this:

(int) 0x80000004

I get this compiler error:

CS0221: Constant value '2147483652' cannot be converted to a 'int' (use 'unchecked' syntax to override)

That's because the decimal value of 0x80000004 is 2147483652, which does not fit in a 32-bit integer.

But you do need to give it a 32-bit integer (you can't just cast to a long). So you have to follow the suggestion and use unchecked when casting:

unchecked((int) 0x80000004)

Which gives you a decimal value of -2147483644.

So your code should look like this:

groupToCreate.Properties["groupType"].Add(unchecked((int) GroupType.DomainLocalGroup));
answered on Stack Overflow Jun 28, 2019 by Gabriel Luci • edited Jun 28, 2019 by Gabriel Luci
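The answer above comes down to one fact: groupType is documented as unsigned bit flags, but the attribute is stored and returned as a signed 32-bit integer, so every security group (bit 31 set) has a negative groupType on the wire. The following is an added example, not code from the question or the answer and not C#: it is Python that performs the same wraparound the `unchecked((int) ...)` cast does, decodes groupType values as an LDAP search returns them, and builds a bit-AND search filter. The flag values and the matching-rule OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) are Microsoft's; the function and constant names are my own.

```python
"""Encode and decode the Active Directory groupType attribute.

groupType is a signed 32-bit integer in the AD schema, while Microsoft
documents its flags as unsigned masks. A mask with bit 31 set (any security
group) therefore has to be wrapped into the signed range before it is
written, and a value read back has to be unwrapped before its bits are
tested. This is exactly what C#'s unchecked((int) 0x80000004) does.
"""
from typing import Optional

# Flag values as documented by Microsoft for groupType.
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001     # created by the system
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_APP_BASIC = 0x00000010
GROUP_TYPE_APP_QUERY = 0x00000020
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # clear => distribution group

SCOPE_FLAGS = {
    "global": GROUP_TYPE_GLOBAL,
    "domain_local": GROUP_TYPE_DOMAIN_LOCAL,
    "universal": GROUP_TYPE_UNIVERSAL,
}

# Extensible match rule for "attribute AND mask != 0" in an LDAP filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def to_signed32(value: int) -> int:
    """Wrap an unsigned 32-bit mask into the signed range AD stores."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x80000000 else value


def to_unsigned32(value: int) -> int:
    """Undo to_signed32 for a value read back from the directory."""
    return value & 0xFFFFFFFF


def encode_group_type(scope: str, security: bool = True) -> int:
    """Return the signed groupType value to write for a new group."""
    try:
        flags = SCOPE_FLAGS[scope]
    except KeyError:
        raise ValueError(f"unknown group scope {scope!r}") from None
    if security:
        flags |= GROUP_TYPE_SECURITY_ENABLED
    return to_signed32(flags)


def decode_group_type(value: int) -> dict:
    """Classify a groupType value, signed (as LDAP returns it) or unsigned."""
    flags = to_unsigned32(value)
    scopes = [name for name, bit in SCOPE_FLAGS.items() if flags & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} does not have exactly one scope bit")
    return {
        "scope": scopes[0],
        "security": bool(flags & GROUP_TYPE_SECURITY_ENABLED),
        "builtin": bool(flags & GROUP_TYPE_BUILTIN_LOCAL),
    }


def security_group_filter(scope: Optional[str] = None) -> str:
    """LDAP filter for security-enabled groups, optionally of one scope.

    The bit-AND rule takes the unsigned decimal mask, so the security bit is
    written as 2147483648 here, never as the signed -2147483648.
    """
    clauses = [
        "(objectClass=group)",
        f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={GROUP_TYPE_SECURITY_ENABLED})",
    ]
    if scope is not None:
        clauses.append(f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={SCOPE_FLAGS[scope]})")
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # The value the question needed: a domain local security group.
    print(encode_group_type("domain_local"))
    # The same value as an LDAP search returns it, decoded back to flags.
    print(decode_group_type(-2147483644))
    print(security_group_filter("domain_local"))
```

When auditing group membership with any LDAP client, feed `decode_group_type` the raw integer rather than comparing against 0x80000004 directly; a negative groupType is the normal case, not a corrupted one.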

User contributions licensed under CC BY-SA 3.0