Question

I am trying to programmatically add a computer to the Active Directory of my company.
I have been searching the internet for a long time now, but I couldn't find a solution.

My code:

using System.DirectoryServices;

// Bind to the target OU with explicit credentials
DirectoryEntry dirEntry = new DirectoryEntry("LDAP://OU=ou2example,OU=ou1example,DC=site,DC=company,DC=com");
dirEntry.Username = "username";
dirEntry.Password = "password";
// Create the computer object under that OU and write it to the directory
DirectoryEntry newComputer = dirEntry.Children.Add("CN=" + ComputerName, "computer");
newComputer.CommitChanges();

My problem:

The computer is added to the Active Directory. But it is flagged as disabled.


I tried the following to enable the computer:

newComputer.Properties["userAccountControl"].Value = 0x200;

But I get a DirectoryServicesCOMException --> The server cannot complete the request.

or

newComputer.Properties["Enabled"].Value = true;

But I get a DirectoryServicesCOMException --> The requested operation does not satisfy at least one constraint associated with this object class.

Please note that the exceptions are translated from German to English!

Thanks for helping!


Solution

I think two things can be wrong, but it's been a long time since I did anything like this, so I may be wrong...

First of all, when do you set the userAccountControl flag? I seem to remember you should do this after the CommitChanges for the new entry. So like this:

DirectoryEntry newComputer =
    dirEntry.Children.Add("CN=" + ComputerName, "computer");
newComputer.CommitChanges();
newComputer.Properties["userAccountControl"].Value = 0x200;
newComputer.CommitChanges();

Second, can you try setting the UF_WORKSTATION_TRUST_ACCOUNT flag (0x1000) instead of UF_NORMAL_ACCOUNT (0x200).

Can you also check whether the sAMAccountType of the entry is SAM_MACHINE_ACCOUNT (0x30000001). I think this should be automatic but doesn't hurt to check.

OTHER TIPS

Nearly one year later and also one year wiser, I know exactly what I was doing wrong.

So I want to share with you the correct way, even though I already selected an answer.

Code

using System.DirectoryServices;

DirectoryEntry dirEntry = new DirectoryEntry("LDAP Path");
// cn of a computer object has no trailing '$' and only needs to be unique within the OU
DirectoryEntry newComputer = dirEntry.Children.Add("CN=" + Hostname, "computer");
// sAMAccountName is the NetBIOS name plus '$' and must be unique in the domain
newComputer.Properties["sAMAccountName"].Value = Hostname + "$";
// 0x1020 = UF_WORKSTATION_TRUST_ACCOUNT (0x1000) | UF_PASSWD_NOTREQD (0x20)
newComputer.Properties["userAccountControl"].Value = 0x1020;
newComputer.CommitChanges();

Explanation

sAMAccountName

Explanation found here

The sAMAccountName attribute of a computer object is the NetBIOS name of the computer with a trailing dollar sign, "$", appended. Besides flagging the object as a computer (which has class user), it also helps ensure uniqueness. The sAMAccountName value must be unique in the domain. Note, the Common Name of computer objects (the value of the cn attribute) does not have a trailing "$", but cn also does not uniquely identify the object in AD. The Common Name only needs to be unique in the OU or container.

Machine accounts are always given a trailing dollar sign "$" in their sAMAccountName attribute; this causes them to not be enumerated by certain APIs and therefore not displayed in certain user interfaces where one would expect to see only "user" accounts.

UserAccountControl

UserAccountControl Flag Values
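The accepted answer's point (set userAccountControl in a second commit, and use UF_WORKSTATION_TRUST_ACCOUNT rather than UF_NORMAL_ACCOUNT) and the later answer's point (sAMAccountName with a trailing "$") can be combined so that the finished object never carries UF_PASSWD_NOTREQD, the 0x20 in 0x1020, which tells the DC that this enabled account is allowed to have no password at all. The following is an added example and is not code from the question or from either answer: it creates the computer object disabled, sets a random machine password, and only then enables it with the bare trust-account bit, finally reading back sAMAccountType as the accepted answer suggests. The OU path, credentials, hostname and DNS suffix are placeholders; it assumes a reference to System.DirectoryServices, and that ADSI's SetPassword can reach the DC over LDAPS or Kerberos, since that is the channel it uses to set a password.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Cryptography;

// Added example: create an enabled computer object without leaving UF_PASSWD_NOTREQD set.
// Not part of the original question or answers; paths, names and credentials are placeholders.
class CreateComputerAccount
{
    // userAccountControl bits used here (see the UserAccountControl flag table)
    const int UF_ACCOUNTDISABLE            = 0x0002;
    const int UF_PASSWD_NOTREQD            = 0x0020;
    const int UF_WORKSTATION_TRUST_ACCOUNT = 0x1000;

    // sAMAccountType the DC derives for a machine account
    const int SAM_MACHINE_ACCOUNT = 0x30000001;

    static void Main()
    {
        // Placeholders: adjust to your directory.
        string ouPath    = "LDAP://OU=ou2example,OU=ou1example,DC=site,DC=company,DC=com";
        string dnsSuffix = "site.company.com";
        string hostname  = "WS-EXAMPLE01";  // bare NetBIOS name: at most 15 characters, no trailing '$'

        if (hostname.Length > 15 || hostname.EndsWith("$"))
            throw new ArgumentException("hostname must be a bare NetBIOS name of at most 15 characters");

        // Secure + Sealing: Kerberos/NTLM bind with encryption instead of a simple bind in clear text.
        using (var ou = new DirectoryEntry(ouPath, "username", "password",
                                           AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var computer = ou.Children.Add("CN=" + hostname, "computer"))
        {
            // Step 1: create the object disabled. sAMAccountName carries the trailing '$'
            // and must be unique in the domain; cn only has to be unique within the OU.
            computer.Properties["sAMAccountName"].Value = hostname + "$";
            computer.Properties["dNSHostName"].Value    = hostname.ToLowerInvariant() + "." + dnsSuffix;
            computer.Properties["userAccountControl"].Value = UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE;
            computer.CommitChanges();

            // Step 2: give it a random machine password. The object must exist before
            // SetPassword can be invoked; the OS rotates this password once the machine joins.
            computer.Invoke("SetPassword", new object[] { RandomPassword(32) });

            // Step 3: enable it. Only the trust-account bit remains, so no UF_PASSWD_NOTREQD.
            computer.Properties["userAccountControl"].Value = UF_WORKSTATION_TRUST_ACCOUNT;
            computer.CommitChanges();

            // Verify what the DC actually stored and derived from the flags.
            computer.RefreshCache(new[] { "userAccountControl", "sAMAccountType" });
            int uac = (int)computer.Properties["userAccountControl"].Value;
            int sat = (int)computer.Properties["sAMAccountType"].Value;
            Console.WriteLine("userAccountControl = 0x{0:X}, sAMAccountType = 0x{1:X}", uac, sat);
            if (sat != SAM_MACHINE_ACCOUNT || (uac & (UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD)) != 0)
                throw new InvalidOperationException(
                    "object is not an enabled machine account with a required password");
        }
    }

    // 'length' bytes from the OS CSPRNG, base64-encoded: long enough to satisfy any domain
    // length/complexity policy, and never reused since it is not stored anywhere.
    static string RandomPassword(int length)
    {
        var bytes = new byte[length];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
}
```

If the account must be pre-created for an offline domain join instead, the 0x1020 form from the answer above is what that workflow expects, but then the object should stay in that state only until the join happens, since an enabled account with UF_PASSWD_NOTREQD is exactly the kind of object that gets picked up in an AD audit.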

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow