Creating Groups in Active Directory and ADAM

Creating groups in Active Directory and ADAM is actually a straightforward process. The tricky part comes later, when we need to manage their members! Only two attributes really matter when creating a group in Active Directory: They are sAMAccountName and groupType.[1]

[1] Back in Chapter 3, we mentioned that Windows Server 2003 will provide a default value for sAMAccountName if we do not provide one. This rule applies to both user and group objects. As such, only Window 2000 Server requires that sAMAccountName be set explicitly. However, as we suggested in Chapter 3, it is generally better to provide an explicit value, as the randomly generated default is generally not what we want. On the other hand, all versions of Active Directory will default the value of groupType to make the group a global security group. However, creating anything other than a global security group requires changing this attribute. Once again, we recommend being explicit for code clarity.

The sAMAccountName attribute contains the pre-Windows 2000 NT-compatible name for the group object. It must be unique within the domain. When we see a group name appear in the format domainsome group, the some group part is the sAMAccountName. As such, it is important for security purposes.

The groupType attribute controls which type and scope of group is created: security or distribution, and universal, global, or local scoped. We can create any of these group types with just a few combinations of constants, as shown in Listing 11.1.

Listing 11.1. Group Constants

//Group Constants (uint) ADS_GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001; ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002; ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004; ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000; ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008;

Using these constants, we can construct an enumeration that represents the typical valid combinations we might want to create. One such enumeration is shown in Listing 11.2.

Listing 11.2. Valid Group Type Combinations

[Flags] public enum GroupType : uint { LocalDistribution = ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP, LocalSecurity = ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED, GlobalDistribution = ADS_GROUP_TYPE_GLOBAL_GROUP, GlobalSecurity = ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED, UniversalDistribution = ADS_GROUP_TYPE_UNIVERSAL_GROUP, UniversalSecurity = ADS_GROUP_TYPE_UNIVERSAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED }

Once we have our sAMAccountName and groupType attributes, it is a simple matter to create the group. In Listing 11.3, we will use the technique we learned in Chapter 3 to create the security group. We will specify three things: a common name (CN), the sAMAccountName attribute, and the groupType attribute. Once this is done, we can commit it to the directory using CommitChanges.

Listing 11.3. Creating a Security Group

string groupOU = "LDAP://OU=Groups,DC=domain,DC=com"; string groupName = "Group1"; //this is where the group will be created DirectoryEntry parent = new DirectoryEntry( groupOU, null, null, AuthenticationTypes.Secure ); using (parent) { DirectoryEntry group = parent.Children.Add( String.Format("CN={0}", groupName), "group" ); using (group) { //this is the default if not specified GroupType type = GroupType.GlobalSecurity; group.Properties["sAMAccountName"].Add(groupName); group.Properties["groupType"].Add((int)type); group.CommitChanges(); } }

Note that we may wish to do a search to verify whether a group with this sAMAccountName already exists in the domain before attempting to add it. We can use the techniques for searching that we covered in Chapter 4 to check this easily. If we attempt to add a group whose sAMAccountName is already in use, we will receive a COMException.

Things do not change much when creating a group using ADAM. The biggest difference is that there are no required attributes. This is because similar to user objects (see Chapter 10), the sAMAccountName attribute is not used with ADAM. Additionally, although ADAM supports setting different groupType values, they do not control any behavior in ADAM. This is because ADAM does not support the concept of domains, so setting the scope to local, universal, or global does not make sense. In practice, as long as groupType has the ADS_GROUP_TYPE_SECURITY_ENABLED flag set, there are no differences between any of the group types in ADAM. Given this behavior, we should typically accept the default groupType that corresponds to GroupType.GlobalSecurity from Listing 11.2 and not bother trying to set it explicitly.

Manipulating Group Membership

Категории