Active Directory move a user to a different OU

Problem description


I'm working on a program that will automate the separation process for users leaving our network. One of the tasks it performs is moving the user account from the OU it is in, to a Former Employees OU. I've been having problems with this step even though I've not had any issues doing other processes with DirectoryServices. Here's my code thus far (note: I know I need to stop catching and eating all exceptions. This will be addressed and corrected before release. Any advice on which exceptions I should catch and which I should not would be appreciated too):

using System;
using System.DirectoryServices;
using System.Windows.Forms;

private const string AD_DOMAIN_NAME = "domain.com";
private const string AD_NEW_PASSWORD = "TestPassword123";
private const string AD_FORMER_EMPLOYEES_OU = "LDAP://OU=Former Employees,DC=domain,DC=com";

// Overload that binds with explicit credentials.
static DirectoryEntry CreateDirectoryEntry(string connectionPath,
        string adUserName, string adPassword)
{
    DirectoryEntry ldapConnection = null;

    try
    {
        ldapConnection = new DirectoryEntry(AD_DOMAIN_NAME, adUserName, adPassword);
        ldapConnection.Path = connectionPath;
        ldapConnection.AuthenticationType = AuthenticationTypes.Secure;
    }
    catch (Exception ex)
    {
        // Catching and swallowing every exception is acknowledged above as temporary.
        MessageBox.Show("Exception Caught in createDirectoryEntry():\n\n" + ex.ToString());
    }

    return ldapConnection;
}

// One-parameter overload (not shown in the original post; reconstructed from the
// description): binds with the identity of the running process, no explicit credentials.
static DirectoryEntry CreateDirectoryEntry(string connectionPath)
{
    return new DirectoryEntry(connectionPath);
}

// Helper used below (not shown in the original post; reconstructed from its call site).
static DirectorySearcher CreateDirectorySearcher(DirectoryEntry searchRoot,
        SearchScope scope, string filter, params string[] propertiesToLoad)
{
    return new DirectorySearcher(searchRoot, filter, propertiesToLoad, scope);
}

private void btnProcessSeparation_Click(object sender, EventArgs e)
{
    if (cboOffice.SelectedItem != null && lstUsers.SelectedItem != null)
    {
        string userOU = cboOffice.SelectedItem.ToString();
        string userName = lstUsers.SelectedItem.ToString();
        string userDn = "LDAP://OU=" + userOU + ",OU=Employees,DC=domain,DC=com";

        // Note: this calls the one-parameter overload, so no explicit credentials are passed.
        using (DirectoryEntry ldapConnection = CreateDirectoryEntry(userDn))
        {
            using (DirectorySearcher searcher = CreateDirectorySearcher(ldapConnection,
                SearchScope.OneLevel, "(samaccountname=" + userName + ")", "samaccountname"))
            {
                SearchResult result = searcher.FindOne();

                if (result != null)
                {
                    using (DirectoryEntry userEntry = result.GetDirectoryEntry())
                    {
                        if (userEntry != null)
                        {
                            using (DirectoryEntry formerEmployees = CreateDirectoryEntry(
                                AD_FORMER_EMPLOYEES_OU))
                            {
                                userEntry.MoveTo(formerEmployees); // This line throws a DirectoryServicesCOMException.
                            }

                            userEntry.CommitChanges();
                            userEntry.Close();
                            // MessageBox.Show(string, string) treats the second argument as the caption,
                            // so the placeholder has to be formatted explicitly.
                            MessageBox.Show(string.Format("Separation for {0} has completed successfully.", userName));
                        }
                    }
                }
            }
        }
    }
    else
    {
        MessageBox.Show("Error, you did not select an OU or a user. Please try again.");
    }
}


The above code works just fine until the userEntry.MoveTo(formerEmployees); line. That line throws a DirectoryServicesCOMException with the additional information saying "An invalid dn syntax has been specified." It is strange because I'm using the same format as the other DirectoryEntry objects that work just fine. I've added a break point and confirmed that formerEmployees is set to: LDAP://OU=Former Employees,DC=domain,DC=com. I copied everything after LDAP:// directly from the OU's distinguishedName attribute in Active Directory to make sure it was correct.


Is the space in the OU name causing the problem? I got this to work once just fine and moved on to the other tasks and must have changed something that broke this. I've been looking at the code too much I think and just can't seem to see why it thinks I'm sending an invalid dn.

Thanks for all the help!

Recommended answer


After @David pointed me in the right direction of making sure I had the correct permissions to the OU, I discovered the problem. I added an overloaded CreateDirectoryEntry method that uses the username and password (which is what I put in the code above). However, if you notice in the code above, I call the method that only takes the connection path.


Thanks for the help @David!
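The same separation step written so that the mistake described in the question and answer cannot happen, as an added example that is neither the asker's code nor part of David's answer: a single credentialed Bind routine (no credential-less overload exists to call by accident), the sAMAccountName escaped before it is placed in the LDAP filter, and the target OU bound and read before the move so a wrong path or missing rights fails with the OU's own error rather than inside MoveTo. The domain, OU path, and the names Separation, Bind, EscapeFilterValue and MoveToFormerEmployees are placeholders chosen for this example.

```csharp
using System;
using System.DirectoryServices;

static class Separation
{
    // Placeholder path; replace with the real OU's distinguishedName.
    const string FormerEmployeesPath = "LDAP://OU=Former Employees,DC=domain,DC=com";

    // Escapes a value for use inside an LDAP search filter (RFC 4515) so that a
    // sAMAccountName containing '*', '(', ')', '\' or NUL cannot change the query.
    static string EscapeFilterValue(string value)
    {
        // Backslash first, so the escape sequences added afterwards are not re-escaped.
        return value.Replace("\\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
                    .Replace(")", @"\29").Replace("\0", @"\00");
    }

    // The only bind routine: there is no credential-less overload to call by mistake.
    static DirectoryEntry Bind(string path, string user, string password)
    {
        return new DirectoryEntry(path, user, password, AuthenticationTypes.Secure);
    }

    // Finds the account under searchRootPath and moves it; returns its new ADsPath.
    static string MoveToFormerEmployees(string searchRootPath, string samAccountName,
                                        string adminUser, string adminPassword)
    {
        using (DirectoryEntry root = Bind(searchRootPath, adminUser, adminPassword))
        using (DirectoryEntry target = Bind(FormerEmployeesPath, adminUser, adminPassword))
        {
            // Reading a property forces the bind to the target OU, so a wrong path or
            // missing rights fails here with the OU's own error rather than inside MoveTo.
            target.RefreshCache(new[] { "distinguishedName" });

            string filter = "(&(objectClass=user)(sAMAccountName="
                            + EscapeFilterValue(samAccountName) + "))";
            using (var searcher = new DirectorySearcher(root, filter,
                       new[] { "distinguishedName" }, SearchScope.Subtree))
            using (DirectoryEntry user = searcher.FindOne()?.GetDirectoryEntry()
                       ?? throw new InvalidOperationException("User not found: " + samAccountName))
            {
                user.MoveTo(target);   // Applied immediately; Path now reflects the new location.
                return user.Path;
            }
        }
    }
}
```

The credentials passed to Bind should be a service account granted only the rights needed on the two OUs (read on the source, create child and delete child where the move happens), not a domain administrator.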
