By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
457,911 Members | 1,179 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 457,911 IT Pros & Developers. It's quick & easy.

System.DirectoryServices - Constraint violation

P: n/a
I'm trying to use System.DirectoryServices to update Active Directory from a
Web Service. When I try to commit the changes, I get the following error
message:

"A constraint violation occurred. (Exception from HRESULT: 0x8007202F)"

My code is like this:

<code>

*** method signature and stuff ***

try
{

*** Some other code *** (assignments etc)

// Connect to the Art and Design school directory entry
DirectoryEntry de = new
DirectoryEntry("LDAP://oursever.our.domain:389/OU=Art and
Design,OU=Student,OU=Development,OU=User
Accounts,DC=internal,DC=uwic,DC=ac,DC=uk", "AnAdminUser", "apwd");

// Get the children of the directory entry and then add to the Children
collection
DirectoryEntries users = null; // The Children Collection
DirectoryEntry user; // The user to Add()
if (de != null)
users = de.Children; // Throws COMException on failure
else
throw new Exception("The Directory Entry is null");

// Add the new child, passing in the
user = users.Add("CN=asurname aforename(dv04002701)", "user");

user.Properties["distinguishedName"].Add("CN=asurname
aforename(dv04002701),OU=Art and Design,OU=Student,OU=User Accounts);

user.Properties["cn"].Add("asurname aforename(dv04002701)");
user.Properties["description"].Add(aString);
user.Properties["title"].Add(aString);
user.Properties["givenName"].Add(aForename);
user.Properties["displayName"].Add(aSurname + ", " + aForename);
user.Properties["company"].Add(anEmailAddress);
user.Properties["mail"].Add("dv04002701");
user.Properties["name"].Add(aSurname.ToLower() + " " + aForename.ToLower() +
"(dv04002701)");
user.Properties["userPassword"].Add(aPassword);
//user.Properties["accountDisabled"].Add(false); // Gives error "The
specified directory service attribute or value does not exist." if included
//user.Properties["passwordExpired"].Add(false); // Gives error "The
specified directory service attribute or value does not exist." if included
user.Properties["objectCategory"].Add(anObjectCategory);
user.Properties["objectClass"].Add(anObjectClass);
user.Properties["sAMAccountName"].Add("dv04002701");
user.Properties["instanceType"].Add(4);

user.CommitChanges();
}
catch (COMException ce)
{
string m = ce.Message; // For debug only
throw RaiseException("GetException", "WSSoapException", ce.Message,
"2000", ce.Source, FaultCode.Server);
}
catch (Exception ex)
{
string m = ex.Message; // For debug only
throw RaiseException("GetException", "WSSoapException", ex.Message,
"2000", ex.Source, FaultCode.Server);
}

</code>

According to ADSI Edit, the following fields are mandatory:

- cn
- instanceType
- objectCategory
- objectClass
- sAMAccountName

The user I give has full permissions on Active Directory.

The exception is thrown on the call to CommitChanges().

Putting CommitChanges immediately after the call to Add() gives the same
error. Calling RefreshCache() on the DirecoryEntry (de) immediately after
the call to Add() returns with no error.

Can anyone help?

Peter
Mar 1 '07 #1
Share this Question
Share on Google+
5 Replies


P: n/a
"Peter Bradley" <pb******@uwic.ac.ukwrote in message
news:%2****************@TK2MSFTNGP06.phx.gbl...
I'm trying to use System.DirectoryServices to update Active Directory from a Web Service.
When I try to commit the changes, I get the following error message:

"A constraint violation occurred. (Exception from HRESULT: 0x8007202F)"

My code is like this:

<code>

*** method signature and stuff ***

try
{

*** Some other code *** (assignments etc)

// Connect to the Art and Design school directory entry
DirectoryEntry de = new DirectoryEntry("LDAP://oursever.our.domain:389/OU=Art and
Design,OU=Student,OU=Development,OU=User Accounts,DC=internal,DC=uwic,DC=ac,DC=uk",
"AnAdminUser", "apwd");

// Get the children of the directory entry and then add to the Children collection
DirectoryEntries users = null; // The Children Collection
DirectoryEntry user; // The user to Add()
if (de != null)
users = de.Children; // Throws COMException on failure
else
throw new Exception("The Directory Entry is null");

// Add the new child, passing in the
user = users.Add("CN=asurname aforename(dv04002701)", "user");

user.Properties["distinguishedName"].Add("CN=asurname aforename(dv04002701),OU=Art and
Design,OU=Student,OU=User Accounts);

user.Properties["cn"].Add("asurname aforename(dv04002701)");
user.Properties["description"].Add(aString);
user.Properties["title"].Add(aString);
user.Properties["givenName"].Add(aForename);
user.Properties["displayName"].Add(aSurname + ", " + aForename);
user.Properties["company"].Add(anEmailAddress);
user.Properties["mail"].Add("dv04002701");
user.Properties["name"].Add(aSurname.ToLower() + " " + aForename.ToLower() +
"(dv04002701)");
user.Properties["userPassword"].Add(aPassword);
//user.Properties["accountDisabled"].Add(false); // Gives error "The specified
directory service attribute or value does not exist." if included
//user.Properties["passwordExpired"].Add(false); // Gives error "The specified directory
service attribute or value does not exist." if included
user.Properties["objectCategory"].Add(anObjectCategory);
user.Properties["objectClass"].Add(anObjectClass);
user.Properties["sAMAccountName"].Add("dv04002701");
user.Properties["instanceType"].Add(4);

user.CommitChanges();
}
catch (COMException ce)
{
string m = ce.Message; // For debug only
throw RaiseException("GetException", "WSSoapException", ce.Message, "2000", ce.Source,
FaultCode.Server);
}
catch (Exception ex)
{
string m = ex.Message; // For debug only
throw RaiseException("GetException", "WSSoapException", ex.Message, "2000", ex.Source,
FaultCode.Server);
}

</code>

According to ADSI Edit, the following fields are mandatory:

- cn
- instanceType
- objectCategory
- objectClass
- sAMAccountName

The user I give has full permissions on Active Directory.

The exception is thrown on the call to CommitChanges().

Putting CommitChanges immediately after the call to Add() gives the same error. Calling
RefreshCache() on the DirecoryEntry (de) immediately after the call to Add() returns with
no error.

Can anyone help?

Peter


Remove all this:

user.Properties["userPassword"].Add(aPassword);
//user.Properties["accountDisabled"].Add(false); // Gives error "The
specified directory service attribute or value does not exist." if included
//user.Properties["passwordExpired"].Add(false); // Gives error "The
specified directory service attribute or value does not exist." if included
user.Properties["objectCategory"].Add(anObjectCategory);
user.Properties["objectClass"].Add(anObjectClass);
user.Properties["instanceType"].Add(4);

These properties can't be set like this.
The password can only be set by calling the SetPassword method, using
user.Invoke("SetPassword", password );
but you can only do this after the user has been comitted.
accountDisabled can only be set by means of the userAccountControl property, something like
this will do:
user.Properties["userAccountControl"].Add(ADS_UF_NORMAL_ACCOUNT|ADS_UF_PASSWD_CANT_CHAN GE);

search MSDN for the values of ADS_UF_XXXXX, or add a reference to activeds.tlb to your
project.
all other properties are added automatically and are tied to the "user" type object.

Willy.
Mar 1 '07 #2

P: n/a
Remove all this:
>
user.Properties["userPassword"].Add(aPassword);
//user.Properties["accountDisabled"].Add(false); // Gives error "The
specified directory service attribute or value does not exist." if
included
//user.Properties["passwordExpired"].Add(false); // Gives error "The
specified directory service attribute or value does not exist." if
included
user.Properties["objectCategory"].Add(anObjectCategory);
user.Properties["objectClass"].Add(anObjectClass);
user.Properties["instanceType"].Add(4);

These properties can't be set like this.
The password can only be set by calling the SetPassword method, using
user.Invoke("SetPassword", password );
but you can only do this after the user has been comitted.
accountDisabled can only be set by means of the userAccountControl
property, something like this will do:
user.Properties["userAccountControl"].Add(ADS_UF_NORMAL_ACCOUNT|ADS_UF_PASSWD_CANT_CHAN GE);

search MSDN for the values of ADS_UF_XXXXX, or add a reference to
activeds.tlb to your project.
all other properties are added automatically and are tied to the "user"
type object.

Willy.
Many thanks for that Willy.

In actual fact I managed to get it to work without removing any of those.
The spec was wrong. The objectCategory, according to the spec, was to be
set to "Person". In fact it needed to be set to
"CN=Person,CN=Schema,CN=Configuration,DC=internal, DC=uwic,DC=ac,DC=uk".

The objectCategory, objectClass and instanceType properties all appear to
have been set correctly.

However you may well be correct about the setting of the password and the
other things. I notice the account is disabled in AD.

Cheers
Peter
Mar 2 '07 #3

P: n/a
"Peter Bradley" <pb******@uwic.ac.ukwrote in message
news:%2***************@TK2MSFTNGP02.phx.gbl...
>Remove all this:

user.Properties["userPassword"].Add(aPassword);
//user.Properties["accountDisabled"].Add(false); // Gives error "The
specified directory service attribute or value does not exist." if included
//user.Properties["passwordExpired"].Add(false); // Gives error "The
specified directory service attribute or value does not exist." if included
user.Properties["objectCategory"].Add(anObjectCategory);
user.Properties["objectClass"].Add(anObjectClass);
user.Properties["instanceType"].Add(4);

These properties can't be set like this.
The password can only be set by calling the SetPassword method, using
user.Invoke("SetPassword", password );
but you can only do this after the user has been comitted.
accountDisabled can only be set by means of the userAccountControl property, something
like this will do:
user.Properties["userAccountControl"].Add(ADS_UF_NORMAL_ACCOUNT|ADS_UF_PASSWD_CANT_CHAN GE);

search MSDN for the values of ADS_UF_XXXXX, or add a reference to activeds.tlb to your
project.
all other properties are added automatically and are tied to the "user" type object.

Willy.

Many thanks for that Willy.

In actual fact I managed to get it to work without removing any of those. The spec was
wrong. The objectCategory, according to the spec, was to be set to "Person". In fact it
needed to be set to
"CN=Person,CN=Schema,CN=Configuration,DC=internal, DC=uwic,DC=ac,DC=uk".
That's correct, but you don't have to set it, it's set automatically when you add the "user"
object type to the container (as user is a person after all).
The objectCategory, objectClass and instanceType properties all appear to have been set
correctly.

However you may well be correct about the setting of the password and the other things. I
notice the account is disabled in AD.
Yep, you can't set some attributes like this, some can be set through the
"userAccountControl" property while others need to be set by explicit method calls. Please
refer to the ADSI docs for details .

Willy.

Mar 2 '07 #4

P: n/a
Yep, you can't set some attributes like this, some can be set through the
"userAccountControl" property while others need to be set by explicit
method calls. Please refer to the ADSI docs for details .

Willy.
Thanks Willy. I've got there in the end. Certainly the accounts are now
enabled when created, and I'm pretty sure that a password has been created.
The only thing I don't appear to be able to do is to set the
userAccountControl property directly at all. I notice that the
documentation says, "This value is set by the system". It seems to set it
to 544 (rather than the 531 the user wanted), but I notice that a lot of
live accounts already on the system have this value (544), too.

So I'm letting my users check over the accounts I've created to see if
they're happy with them.

(Another problem solved by indirection)

:)
Peter
Mar 2 '07 #5

P: n/a
"Peter Bradley" <pb******@uwic.ac.ukwrote in message
news:eT*************@TK2MSFTNGP03.phx.gbl...
>Yep, you can't set some attributes like this, some can be set through the
"userAccountControl" property while others need to be set by explicit method calls.
Please refer to the ADSI docs for details .

Willy.

Thanks Willy. I've got there in the end. Certainly the accounts are now enabled when
created, and I'm pretty sure that a password has been created. The only thing I don't
appear to be able to do is to set the userAccountControl property directly at all. I
notice that the documentation says, "This value is set by the system". It seems to set it
to 544 (rather than the 531 the user wanted), but I notice that a lot of live accounts
already on the system have this value (544), too.

So I'm letting my users check over the accounts I've created to see if they're happy with
them.

(Another problem solved by indirection)

:)
Peter


Weird, what the user wanted (544) means: normal user, account disabled, account locked-out
and logon script enabled.
what you have set is: normal account and password not required.

Don't know how you tried to set userAccountControl, but IMO you got it wrong.
Mind to post some code?

Willy.

Mar 2 '07 #6

This discussion thread is closed

Replies have been disabled for this discussion.