AD IP - AddUserToGroup

Feb 24, 2012 at 11:02 AM

Hi all. I have discovered strange behavior when I try to add a user to a group.

All works fine, but when I look at the event log on my DC I have seen too many security logs with ID 4728 "A member was added to a security-enabled global group" and then too many logs with ID 4729 "A member was removed from a security-enabled global group".

For example, we want to add a new user "X" to group "G". The group includes some members "A", "B", "C" ... etc. What happens: when the AddUserToGroup activity starts, users "A", "B", "C" are deleted from group "G" and then users "A", "B", "C" and "X" are added to group "G".

Why?? Sorry for my English.

Feb 24, 2012 at 1:28 PM

Hey,

I will try to replicate this in my environment.

-Ryan

Feb 24, 2012 at 2:04 PM
Edited Feb 24, 2012 at 2:09 PM

Hey,

The relevant bit of code is

String userLDAPPath = request.Inputs["User LDAP Path"].AsString();
String groupLDAPPath = request.Inputs["Group LDAP Path"].AsString();

try
{
    DirectoryEntry dirEntry = new DirectoryEntry(groupLDAPPath, credentials.UserName + "@" + credentials.Domain, credentials.Password);

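    // Drop the first 7 characters of the user path (assumes it starts with "LDAP://"),
    // leaving the distinguished name that the group's "member" attribute stores.
    string FormattedUserLDAPPath = userLDAPPath.Substring(7);
    // Append one value to the multi-valued "member" attribute.
    dirEntry.Properties["member"].Add(FormattedUserLDAPPath);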

    dirEntry.CommitChanges();
    dirEntry.Close();
}
catch (Exception ex)
{
    response.LogErrorMessage(ex.Message.ToString());
}

response.WithFiltering().PublishRange(getGroupMembers(groupLDAPPath));

This code is the recommended way from Microsoft to add users to groups: http://msdn.microsoft.com/en-us/library/ms676310(v=vs.85).aspx

Given this, I am not sure why you are seeing the problem you are.

Feb 27, 2012 at 10:43 AM

Hey,

I'm sorry. I tested the MS integration pack "System_Center_2012_Orchestrator_Integration_Pack_for_Microsoft_Active_Directory_Beta.EXE".

Your AD OIP works fine.
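
For anyone auditing group changes on a DC where a tool produces the remove-then-re-add pattern described in the first post, the following added example (not code from this thread or from either integration pack) collapses bursts of 4728/4729 events into their net membership change. The tuple layout, the 5-second window and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

ADDED, REMOVED = 4728, 4729  # event IDs quoted in the thread

# Constructed sample: (time, event ID, group, member). Not real log data.
SAMPLE_EVENTS = [
    ("2012-02-24T11:00:01", 4729, "G", "A"),
    ("2012-02-24T11:00:01", 4729, "G", "B"),
    ("2012-02-24T11:00:01", 4729, "G", "C"),
    ("2012-02-24T11:00:02", 4728, "G", "A"),
    ("2012-02-24T11:00:02", 4728, "G", "B"),
    ("2012-02-24T11:00:02", 4728, "G", "C"),
    ("2012-02-24T11:00:02", 4728, "G", "X"),
    ("2012-02-24T11:30:00", 4729, "G", "C"),  # a separate, genuine removal
]

def summarize_bursts(events, window_seconds=5):
    """Collapse per-group bursts of 4728/4729 into their net membership change."""
    window = timedelta(seconds=window_seconds)
    parsed = sorted(
        ((datetime.fromisoformat(t), eid, grp, who) for t, eid, grp, who in events
         if eid in (ADDED, REMOVED)),
        key=lambda e: e[0],
    )
    bursts, current = [], {}  # current: group -> its most recent burst
    for ts, eid, grp, who in parsed:
        burst = current.get(grp)
        if burst is None or ts - burst["end"] > window:
            burst = {"group": grp, "start": ts, "end": ts, "delta": Counter()}
            current[grp] = burst
            bursts.append(burst)
        burst["end"] = ts
        burst["delta"][who] += 1 if eid == ADDED else -1
    report = []
    for b in bursts:
        d = b["delta"]
        churned = sorted(m for m, n in d.items() if n == 0)
        report.append({
            "group": b["group"],
            "start": b["start"].isoformat(),
            "net_added": sorted(m for m, n in d.items() if n > 0),
            "net_removed": sorted(m for m, n in d.items() if n < 0),
            "churned": churned,        # removed and re-added: no real change
            "rewrite": bool(churned),  # the pattern described in the first post
        })
    return report

if __name__ == "__main__":
    for row in summarize_bursts(SAMPLE_EVENTS):
        print(row)
```

Bursts with "rewrite" set still need their "net_removed" list reviewed, since a real removal can hide inside the noise of a full membership rewrite.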