deleting computer account from AD c# - c#-4.0

I'm trying to delete a computer account from AD using this code:
string ldapBase = "ldap://x.y.z.com/";
string sFromWhere = ldapBase + "rootDSE";
DirectoryEntry root = new DirectoryEntry(sFromWhere, null, null, AuthenticationTypes.Secure);
string defaultNamingContext = root.Properties["defaultNamingContext"][0].ToString();
/* Retrieving the computer to remove */
sFromWhere = ldapBase + defaultNamingContext;
DirectoryEntry deBase = new DirectoryEntry(sFromWhere, null, null, AuthenticationTypes.Secure);
DirectorySearcher dsLookForDomain = new DirectorySearcher(deBase);
dsLookForDomain.Filter = "(&(cn=waprptest))"; // MACHSUPR is the computer to delete
dsLookForDomain.SearchScope = SearchScope.Subtree;
dsLookForDomain.PropertiesToLoad.Add("cn");
dsLookForDomain.PropertiesToLoad.Add("distinguishedName");
SearchResultCollection srcComputer = dsLookForDomain.FindAll();
// Deleting computer
foreach (SearchResult aComputer in srcComputer)
{
DirectoryEntry computerToDel = aComputer.GetDirectoryEntry();
computerToDel.DeleteTree();
computerToDel.CommitChanges();
}
I'm getting exception #
string defaultNamingContext = root.Properties["defaultNamingContext"][0].ToString();
as the rot.Properties count is 0
Please let me know what I'm doing wrong... I'm a newbie to AD

From my experience, to get the RootDSE folder, you must use this LDAP string:
LDAP://RootDSE
First of all, the LDAP must be in all capital letters, and RootDSE also has a capital R at its beginning. LDAP strings are case sensitive!
Also: if you're using .NET 3.5 or newer, you can use a PrincipalSearcher and a "query-by-example" principal to do your searching (much simpler than using DirectorySearcher!):
// create your domain context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
// define a "query-by-example" principal - here, we search for a ComputerPrincipal
ComputerPrincipal qbeComputer = new ComputerPrincipal(ctx);
// create your principal searcher passing in the QBE principal
PrincipalSearcher srch = new PrincipalSearcher(qbeComputer);
// find all matches
foreach(var found in srch.FindAll())
{
// do whatever here - "found" is of type "Principal"
ComputerPrincipal cp = found as ComputerPrincipal;
if (cp != null)
{
// do something with the computer account
}
}
}
If you haven't already - absolutely read the MSDN article Managing Directory Security Principals in the .NET Framework 3.5 which shows nicely how to make the best use of the new features in System.DirectoryServices.AccountManagement. Or see the MSDN documentation on the System.DirectoryServices.AccountManagement namespace.

Related

How do I get the Active Directory Information with Sharepoint programatically on sharepoint 2013 Farm Solution On Code Behind File?

I want to Get the Active Directory names in sharepoint in a list.
To got Know that SharePoint 2013 Has some Hidden URL which Shows Current Active Directory User I wan to get it into List.
http://{YourSharepointUrl}/_catalogs/users/simple.aspx
Now I want to have list of all the names Displayed on my sharepoint
I am using the code:
private static void GetAllSiteUsers()
{
// Starting with ClientContext, the constructor requires a URL to the server running SharePoint.
var sharepointContext = new ClientContext("http://yoursharepointurl/");
}
Now I am Getting error it says about assembly reference doesn't exist.So I checked on google and added up this ddl and add the using Microsoft.SharePoint.Client; reference also.Still Not working.
Please Let me Know what needed to be done Guys
Purpose Of Making Program:To have all the AD Users and Make a work Group so that I can Assign them some right in such a way when assigned grp open something some other URL in iframe shows. and if some one else than other URL in iframe is shown to him.
Thanks IN Advance Guys.
You are in Server side (Farms solution), so don't use : ClientContext, this is for Client application, not server.
You just have to get the : User Information List
You could try somthing like :
using(SPSite site = new SPSite("URLsiteCollection")){
using(SPWeb web = site.rootWeb){
SPList userList = web.SiteUserInfoList;
SPListItemCollection allUsers = userList.Items;
foreach(SPListItem userItem in allUsers){
string userEmail = Convert.Tostring(userItem["EMail"]);
string userName = userItem.Title;
....
}
}
}
To get all information about active directory user or group you can use
PrincipalContext pContext = new PrincipalContext (ContextType.Domain, YOUR_DOMAIN);
//For User
UserPrincipal userPrincipal = new UserPrincipal (pContext);
PrincipalSearcher userSearch = new PrincipalSearcher (userPrincipal);
//For Group
GroupPrincipal grpPrincipal = new GroupPrincipal (pContext);
PrincipalSearcher grpSearch = new PrincipalSearcher (grpPrincipal);
foreach (UserPrincipal result in userSearch.FindAll())
{
if (result.SamAccountName!= null)
// Your code
}
foreach (GroupPrincipal result in grpSearch.FindAll())
{
if (result != null)
{
// Your code
}
Assembly
System.DirectoryServices.AccountManagement
Namespace
using System.DirectoryServices.AccountManagement;

Access denied office 365 / SharePoint online with Global Admin account

I am going crazy since two days solving an issue. The problem is;
I am making a console APP which is talking to SharePoint Online using global admin account (One which was specified as admin while making a new subscription). What I am trying to achieve is, I want to add a custom action using CSOM to each site collection and subsite of office 365. That code works fine except on the root site collection which is pre-created by office 365 while signing up (i.e. https://xyz.sharepoint.com)
For any tenant for root site collection, it gives me below error;
{
"SchemaVersion":"15.0.0.0","LibraryVersion":"16.0.3912.1201","ErrorInfo":{
"ErrorMessage":"Access denied. You do not have permission to perform
this action or access this
resource.","ErrorValue":null,"TraceCorrelationId":"2a47fd9c-c07b-1000-cfb7-cdffbe3ab83a","ErrorCode":-2147024891,"ErrorTypeName":"System.UnauthorizedAccessException"
},"TraceCorrelationId":"2a47fd9c-c07b-1000-cfb7-cdffbe3ab83a" }
Now the user is global admin. I also added again that user as site collection admin.
The same piece of code works fine on other site collections (search site collection, any newly made site collection...).
here is a code;
using (ClientContext spcollContext = new ClientContext(web.Url))
{
SecureString passWord = new SecureString();
foreach (char c in strAdminPassword.ToCharArray()) passWord.AppendChar(c);
SharePointOnlineCredentials creds = new SharePointOnlineCredentials(strAdminUser, passWord);
spcollContext.Credentials = creds;
Web currentweb = spcollContext.Web;
spcollContext.Load(currentweb);
spcollContext.ExecuteQuery();
// authCookie = creds.GetAuthenticationCookie(new Uri(web.Url));
var existingActions2 = currentweb.UserCustomActions;
spcollContext.Load(existingActions2);
spcollContext.ExecuteQuery();
var actions2 = existingActions2.ToArray();
foreach (var action in actions2)
{
if (action.Description == "CustomScriptCodeForEachsite" &&
action.Location == "ScriptLink")
{
action.DeleteObject();
spcollContext.ExecuteQuery();
}
}
var newAction2 = existingActions2.Add();
newAction2.Description = "CustomScriptCodeForEachsite";
newAction2.Location = "ScriptLink";
newAction2.ScriptBlock = scriptBlock;
newAction2.Update();
spcollContext.Load(currentweb, s => s.UserCustomActions);
spcollContext.ExecuteQuery(); // GETTING ERROR ON THIS LINE.
}
Note: Above error is Fiddler traces.
Most probably this behavior is caused by Custom Script feature, basically
the issue occurs when the Custom Script feature is turned off
How to verify?
You could verify the site permissions using the following console app:
using (var ctx = GetContext(webUri, userName, password))
{
var rootWeb = ctx.Site.RootWeb;
ctx.Load(rootWeb, w => w.EffectiveBasePermissions);
ctx.ExecuteQuery();
var permissions = rootWeb.EffectiveBasePermissions;
foreach (var permission in Enum.GetValues(typeof(PermissionKind)).Cast<PermissionKind>())
{
var permissionName = Enum.GetName(typeof(PermissionKind), permission);
var hasPermission = permissions.Has(permission);
Console.WriteLine("Permission: {0}, HasPermission: {1}", permissionName, hasPermission);
}
}
where
public static ClientContext GetContext(Uri webUri, string userName, string password)
{
var securePassword = new SecureString();
foreach (var ch in password) securePassword.AppendChar(ch);
return new ClientContext(webUri) {Credentials = new SharePointOnlineCredentials(userName, securePassword)};
}
When SP.PermissionKind.AddAndCustomizePages is set to False, the Access denied error occurs while adding user custom action.
Solution
According to Turn scripting capabilities on or off:
For self-service created sites, custom scripting is disabled by
default
Solution: enable Allow users to run custom scripts on self-service created sites
To enable or disable scripting from the SharePoint admin center
Sign in to Office 365 with your work or school account.
Go to the SharePoint admin center.
Select Settings.
Under Custom Script choose:
Prevent users from running custom script on personal sites or Allow
users to run custom script on personal sites.
Prevent users from running custom script on user created sites or
Allow users to run custom script on self-service created sites.
Select OK. It takes about 24 hours for the change to take
effect.
Since any change to the scripting setting made through the SharePoint Online admin center may take up to 24 hours to take effect, you could enable scripting on a particular site collection immediately via CSOM API (SharePoint Online Client Components SDK) as demonstrated below:
public static void DisableDenyAddAndCustomizePages(ClientContext ctx, string siteUrl)
{
var tenant = new Tenant(ctx);
var siteProperties = tenant.GetSitePropertiesByUrl(siteUrl, true);
ctx.Load(siteProperties);
ctx.ExecuteQuery();
siteProperties.DenyAddAndCustomizePages = DenyAddAndCustomizePagesStatus.Disabled;
var result = siteProperties.Update();
ctx.Load(result);
ctx.ExecuteQuery();
while (!result.IsComplete)
{
Thread.Sleep(result.PollingInterval);
ctx.Load(result);
ctx.ExecuteQuery();
}
}
Usage
using (var ctx = GetContext(webUri, userName, password))
{
using (var tenantAdminCtx = GetContext(tenantAdminUri, userName, password))
{
DisableDenyAddAndCustomizePages(tenantAdminCtx,webUri.ToString());
}
RegisterJQueryLibrary(ctx);
}
where
public static void RegisterJQueryLibrary(ClientContext context)
{
var actions = context.Site.UserCustomActions;
var action = actions.Add();
action.Location = "ScriptLink";
action.ScriptSrc = "~SiteCollection/Style Library/Scripts/jQuery/jquery.min.js";
action.Sequence = 1482;
action.Update();
context.ExecuteQuery();
}
If you don't have time for CSOM as described by Vadim, the page also links to a powershell script you can use:
Set-SPOsite <SiteURL> -DenyAddAndCustomizePages 0
But note that SiteUrl needs to be the admin url. If your tenant is https://mysite.sharepoint.com, the url you use is https://mysite-admin.sharepoint.com"
In our case, we were in the midst of a deployment when this hit and could not wait 24 hours (or even one hour!) to continue. Everything had been fine in our testing site collections, but when we deployed to the tenant root, we hit the error described above and this script fixed it. Apparently the feature is turned off by default on the tenant root.
Current site is not a tenant administration site
Turn scripting capabilities on or off
My first response would be that you shouldn't add a CustomAction on the fly through code. That said, I'm sure you have a good reason to need to do so.
Try to set the AllowUnsafeUpdates flag on SPWeb to true as soon as you reference currentWeb. Make sure to also set it back to false after you call the final ExecuteQuery()
By default, AllowUnsafeUpdates is false. It is used to block cross-site scripting attacks.
https://msdn.microsoft.com/en-us/library/Microsoft.SharePoint.SPWeb_properties.aspx

Getting all Active Directory Properties with DirectorySearcher

I am accessing Active Directory. If I call it like this
DirectorySearcher srch = new DirectorySearcher(de);
//Filter to return only users and deleted users and not system accounts
srch.Filter = "(|(&(objectCategory=person)(objectClass=user)(sn=*))(&(isDeleted=TRUE)(objectClass=user)))";
srch.SearchScope = SearchScope.OneLevel;
srch.ExtendedDN = ExtendedDN.Standard;
srch.FindAll();
then it returns a list of users with some of the properties... I want to see the "whenChanged" property but when i try adding the line
srch.PropertiesLoad.Add("whenChanged");
then it doesn't return any users. Could this be due to deleted user's not having that property and that it can't uniformly apply all the properties so it returns 0 results? How can I view all the users, both deleted and active and see the "whenChanged" property for all even it results in a null
Several points:
To get deleted objects you need to set srch.Tombstone = true;
Deleted objects are stored under "CN=Deleted Objects,DC=domain,DC=com".
So to search for all users plus deleted objects, would better use domain root as search root and use SearchScope.Subtree as scope
Any attributes added to DirectorySearcher.PropertiesLoad should not remove any results.
This may due to reason other than srch.PropertiesLoad.Add("whenChanged");
Why put sn=* in search? this filter out users whose last name is not set.
Is this intended?
Tested following code that can get the users plus deleted user successfully, plus obtain the "whenChanged" property. Please give a try.
DirectoryEntry de = new DirectoryEntry("LDAP://domain.com/dc=domain,dc=com", "user", "pwd");
DirectorySearcher srch = new DirectorySearcher(de);
//Filter to return only users and deleted users and not system accounts
srch.Filter = "(|(&(objectCategory=person)(objectClass=user)(sn=*))(&(isDeleted=TRUE)(objectClass=user)))";
srch.SearchScope = SearchScope.Subtree;
srch.ExtendedDN = ExtendedDN.Standard;
srch.Tombstone = true;
srch.PropertiesToLoad.Add("whenChanged");
srch.PropertiesToLoad.Add("distinguishedName");
using (SearchResultCollection results = srch.FindAll())
{
foreach (SearchResult result in results)
{
string dn = result.Properties["distinguishedName"][0] as string;
Console.WriteLine("- {0}", dn);
ResultPropertyValueCollection prop = result.Properties["whenChanged"];
if (prop != null)
{
Console.WriteLine(" {0}", (DateTime)prop[0]);
}
}
}

Symfony 2.1 - $this->get('security.context')->isGranted('ROLE_ADMIN') returns false even if Profiler says I have that role

I have a Controller action (the Controller has $this->securityContext set to $this->get('security.context') via JMSDiExtraBundle):
$user = $this->securityContext->getToken()->getUser();
$groupRepo = $this->getDoctrine()->getRepository('KekRozsakFrontBundle:Group');
if ($this->securityContext->isGranted('ROLE_ADMIN') === false) {
$myGroups = $groupRepo->findByLeader($user);
} else {
$myGroups = $groupRepo->findAll();
}
When I log in to the dev environment and check the profiler, I can see that I have the ROLE_ADMIN role granted, but I still get the filtered list of Groups.
I have put some debugging code in my Controller, and Symfony's RoleVoter.php. The string representation of the Token in my Controller ($this->securityContext->getToken()) and the one in RoleVoter.php are the same, but when I use $token->getRoles(), I get two different arrays.
My Users and Roles are stored in the database via the User and Role entities. Is this a bug that I found or am I doing something wrong?
Finally got it. A dim idea hit my mind a minute ago. The problem was caused my own RoleHierarchyInterface implementation. My original idea was to copy Symfony's own, but load it from the ORM instead of security.yml. But because of this, I had to totally rewrite the buildRoleMap() function. The diff is as follows:
private function buildRoleMap()
{
$this->map = array();
$roles = $this->roleRepo->findAll();
foreach ($roles as $mainRole) {
$main = $mainRole->getRole();
- $this->map[$main] = array();
+ $this->map[$main] = array($main);
foreach ($mainRole->getInheritedRoles() as $childRole) {
$this->map[$main][] = $childRole->getRole();
// TODO: This is one-level only. Get as deep as possible.
// BEWARE OF RECURSIVE NESTING!
foreach ($childRole->getInheritedRoles() as $grandchildRole) {
$this->map[$main][] = $grandchildRole->getRole();
}
}
}
}
This case - roles are set and are displayed in Symfony's profiler but isGranted returns false - can be happened when the role names does not start with prefix ROLE_.
Bad role name: USER_TYPE_ADMIN
Correct role name: ROLE_USER_TYPE_ADMIN

Get all users from active directory to sharepoint

I have to populate my autocomplete PeopleEditor-like control based on brililant ASPTokenInput with all people from my AD domain. Reflecting PeopleEditor shows a real mess in their Active Directory search engine and all potentially helpful classes are internal.
My test method works fine, but I need to get ALL users from AD(not sharepoint site ones) to populate my list:
public string GetUsers(string filter)
{
var spWeb = SPContext.Current.Web;
SPUserCollection allusers = spWeb.AllUsers;
List<SPUser> users = allusers.Cast<SPUser>().ToList();
var query = from spUser in users.Select(usr => new {id = usr.ID, name = usr.Name})
.Where(p => p.name.IndexOf(filter, StringComparison.InvariantCultureIgnoreCase) >= 0)
select new {id = spUser.id.ToString(), spUser.name};
return new JavaScriptSerializer().Serialize(query);
}
How can I query active directory like this? Is it possible to retrieve all AD connection settings from sharepoint itself? I need just id and user name to fill my dropdownlist Converting this to SPUserCollection is another big deal.
It would be great to use some built-in SP methods like this:
[SubsetCallableExcludeMember(SubsetCallableExcludeMemberType.UnsupportedSPType)]
public static IList<SPPrincipalInfo> SearchWindowsPrincipals(SPWebApplication webApp, string input, SPPrincipalType scopes, int maxCount, out bool reachMaxCount)
Solution was simple, the only thing I needed was SharePoint Group search implementation (If specified in Field Editor Control). SP has a nice built-in method, so I use it.
/// <summary>
/// Provides searching for AD or SharePoint group if specified in field setting
/// </summary>
public static class ActiveDirectorySearchProvider
{
public static IList<SPPrincipalInfo> Search(string filter, string selectionGroup, string principalType)
{
var site = SPContext.Current.Site.WebApplication;
bool reachmaxcount;
var scope = SPUtils.GetSpPrincipalType(principalType);
if (!String.IsNullOrEmpty(selectionGroup)) //search for users in SPGroup if present
{
var rawSPGroupList = SPUtility.GetPrincipalsInGroup(SPContext.Current.Web, selectionGroup, 100,
out reachmaxcount).ToList();
string lowerFilter = filter.ToLowerInvariant();
var filteredGroupList =
rawSPGroupList.Where(
pInfo =>
pInfo.LoginName.Substring(pInfo.LoginName.IndexOf('\\') + 1).StartsWith(lowerFilter) ||
pInfo.DisplayName.ToLowerInvariant().StartsWith(lowerFilter) ||
pInfo.DisplayName.ToLowerInvariant().Substring(pInfo.DisplayName.IndexOf(' ') + 1).StartsWith(
lowerFilter)).ToList();
return filteredGroupList;
}
return SPUtility.SearchWindowsPrincipals(site, filter, scope, 100, out reachmaxcount); //Search in AD instead
}
I can think of two options here.
You can use System.DirectoryServices and query all users from your Active Directory in your c# code.
You can setup User Profile Sync so that your SharePoint user DB is upto date.

Resources