2

I am trying to create a Principal like this:

PrincipalContext pc = new PrincipalContext(ContextType.Machine);
GroupPrincipal group = new GroupPrincipal(pc);

group.Name = "Some Group Name";
group.Description = "Some Group Name Description";

group.Save();

However, when the code is executed, I get the following exception message:

System.DirectoryServices.AccountManagement: Property is not valid for this store type.

If I do not set the Description property, the above code works perfectly fine, just doesn’t have a description for a group.

Am I doing something wrong?

Thanks in advance.

EDIT: I believe I have found a work-around for this (for anyone who maybe interested). A group can be created in the same way as above:

PrincipalContext pc = new PrincipalContext(ContextType.Machine);
GroupPrincipal group = new GroupPrincipal(pc);
group.Save();

Now you create a DirectoryEntry and link it to the newly created Group like this:

string path = "WinNT://" + machineName + "/" + group.SamAccountName;
DirectoryEntry dEntry = new DirectoryEntry(path);

This allows access to the Properties of that group, but the one I was interested in is Description, so:

dEntry.Properties["description"].Add("Some Decription");
dEntry.CommitChanges();

And that should do it.

Kiquenet
  • 14,494
  • 35
  • 148
  • 243
AlexYu
  • 145
  • 2
  • 8
  • I assume you have googled this and found this thread? http://directoryprogramming.net/forums/thread/2163.aspx. It says something about it working with domain controllers, but not with SAM, but doesn't provide a solution for the latter. – Abel Jan 18 '10 at 15:10
  • Yea, the only similar problem out there, but sadly with no solution. – AlexYu Jan 18 '10 at 15:17
  • PS: it helps to urge Microsoft to solve the issue by clicking the Important button and the "I can reproduce this too" link: https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=525688 – Abel Jan 19 '10 at 12:52
  • I would gladly give you an UpVote, but I need 15 rep points to be able to do that :). As soon as I have those - I will come back to this and do my duty :) Also Added a workaround – AlexYu Jan 19 '10 at 13:12

2 Answers2

7

Answer rewritten

I've got your answer, but you may not really like it. The information on the internet is scarce, but in code, it is explainable:

  • When you create your GroupPrincipal, a Context is added to it. This Context is internally of a hidden type: SAMStoreCtx, which inherits from an abstract type StoreCtx;
  • Each property on the GroupPrincipal that you call will call IsValidProperty, an internal member of SamStoreCtx;
  • However, it doesn't do so for the Name property;

  • Inside SAMStoreCtx, there's a piece of code that looks as follows (Reflector output):

    internal override bool IsValidProperty(Principal p, string propertyName)
{
    ObjectMask none = ObjectMask.None;
    if (!ValidPropertyMap.TryGetValue(propertyName, out none))
    {
        return false;
    }
    if ((MaskMap[p.GetType()] & none) <= ObjectMask.None)
    {
        return false;
    }
    return true;
}
  • Look closely at that code (it took me a moment) and you'll spot the bug. The line comparing a bit flag to none using the and-operator will always result in ObjectMask.None. The second if-statement is therefor always true.
  • The calling code (the Property Settor of Description) throws an exception when this method returns false.

I believe this to be a bug in the Microsoft library. It only happens with the SAMStoreCtx. Perhaps it is on purpose, but because the code is there but always returns false makes me believe the programmers intended the use of the or-operator instead. Checking my findings with other properties like DisplayName throws the same exception as expected.

You can contact Microsoft about this and show them this thread. I haven't checked the new betas of .NET 4.0 which might show up differently. You can check this for yourself by downloading Reflector and loading the relevant .NET assembly.

EDIT: I've contacted Microsoft for you and reported the bug through connect.microsoft.com here. You can follow the issue there if you like.

Abel
  • 56,041
  • 24
  • 146
  • 247
  • 1
    Thats The problem. When I DO NOT set the description, the code works fine, the group is created etc... It does not have description, simply because it wasn't set. But, now I want to set a description for the group, and I cannot do that, because I get this error -> "System.DirectoryServices.AccountManagement: Property is not valid for this store type". Am I being confusing? – AlexYu Jan 18 '10 at 15:12
  • @GertArnold, it seems like the page was only removed very recently, as it is still available in Google Search and in the Sitemap (http://connect.microsoft.com/Sitemap0.aspx, warning, very large page!). I didn't get any warning of it and it doesn't seem to be moved... It wasn't resolved as far as I know. – Abel Nov 14 '12 at 11:11
  • Thanks Abel, looks like some authorization issue. I can't access the site map either although I am logged in. Well, not your piece of cake. – Gert Arnold Nov 14 '12 at 11:27
3

You can use the GetUnderlyingObject to get the DirectoryEntry for the group instead of searching for it.

var newGroup = new GroupPrincipal(context, groupName);

// You must save first           
newGroup.Save();

var entry = (DirectoryEntry) newGroup.GetUnderlyingObject();

entry.Properties["description"].Add(description);
entry.CommitChanges();
sloth
  • 99,095
  • 21
  • 171
  • 219
Nicklas Petersson
  • 31
  • 1
  • This worked for me today when I wanted to assign the sAmAccountName attribute of an AD LDS UserPrincipal. Assigning the SamAccountName property directly was not supported. Thanks! – boggy May 30 '20 at 02:19