Question

I used the example in this page to add a user to an Active Directory group, but I get an exception with the message "Server is unwilling to process the request" when executing

dirEntry.Properties["member"].Add(userDn);


Solution 2

This question took me a lot of time to solve. First of all, the error message looks like a joke. Second, there is nothing more, just that message.

Anyway, I managed to fix it by:

  1. Making sure that userDn contains the whole path (e.g., "LDAP://server-address/CN=" + userDn + ",OU=optional,DC=your-domain,DC=com"). This is actually very important: if you don't supply the full path, it will throw an Exception from HRESULT: 0x80005000.

  2. Replacing dirEntry.Properties["member"].Add(userDn); with entry.Invoke("Add", new object[] { userDn });

Then I wanted to remove a user and I expected entry.Invoke("Remove", new object[] { userDn }); to work. However, this devilish AD will only work if you use lower case "remove", so entry.Invoke("remove", new object[] { userDn }); worked for me.

OTHER TIPS

I had a similar issue where I was trying to add a member to a group. Specifically, I was trying to add a group to a group and getting the same helpful error, 'The server is unwilling to process the request'. The answer provided by the OP did not work for me.

For me, the reason I was unable to add a group to my group was because the group I was trying to add members to was a 'global' scoped group whereas it needed to be a 'universal' scoped group. Hope this helps someone.

I got this generic error message when my path did not match the forest domain name. For example, if my forest domain name is ad.example.com, and I am trying to create a group with path CN=Users,DC=example,DC=net, one has .com and the other has .net; they don't line up. I would need to correct my group to match. My group path should then be CN=Users,DC=example,DC=com.

ldapwiki.com describes potential causes for "The server is unwilling to process the request". Check the ExtendedErrorMessage property of your exception to figure out what applies. In my case it was "00002145: SvcErr: DSID-031A1254, problem 5003 (WILL_NOT_PERFORM)". The following line resolved the issue:

ent.Properties["groupType"].Value = 8;

I had forgotten to set groupType and so attempted to nest a universal group in a global group. Find more information on the groupType attribute at ldapwiki.com.

Just look out, because the start of the .properties("distinguishedName") can be different from the .properties("cn"). If the user is created with a , or ; in the .properties("cn"), the start of the .properties("distinguishedName") will be the username with \, or \;.

This can give an error if you are trying to add a user you found by use of .properties("cn") to a group.

After many days of searching I found the problem. When you add a user to a group, you must set the "distinguishedName", not the LDAP path.

You must write it like this:

ent.Properties["member"].Add("CN=YourUserName,OU=optional,DC=yourdomain,DC=com");

This is wrong code:

ent.Properties["member"].Add("LDAP://CN=YourUserName,OU=optional,DC=yourdomain,DC=com");

Also, when you remove a member, you must keep to this rule:

ent.Properties["member"].Remove("CN=YourUserName,OU=optional,DC=yourdomain,DC=com");

P.S. ent is the DirectoryEntry object of the group.
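
The groupType and escaped-CN answers above can be checked offline before calling Add. The following is an added example, not code from any of the posters: GroupMemberPreflight and its methods are hypothetical names, the nesting check generalizes the single universal-in-global case mentioned above to the standard Active Directory scope rules, and "Doe, Jane" is a constructed sample CN.

```csharp
using System;
using System.Text;

static class GroupMemberPreflight   // hypothetical helper, not part of System.DirectoryServices
{
    // Scope bits of the groupType attribute.
    const int Global = 0x2, DomainLocal = 0x4, Universal = 0x8;

    static int Scope(int groupType) => groupType & (Global | DomainLocal | Universal);

    // May a group of childType be nested in a group of parentType?
    // sameDomain is supplied by the caller (assumption: both groups are in one forest).
    public static bool CanNest(int parentType, int childType, bool sameDomain)
    {
        int child = Scope(childType);
        switch (Scope(parentType))
        {
            case Global:      return child == Global && sameDomain;
            case Universal:   return child == Global || child == Universal;
            case DomainLocal: return child == Global || child == Universal
                                     || (child == DomainLocal && sameDomain);
            default:          return false;   // no single valid scope bit set
        }
    }

    // Escape a CN value per RFC 4514 before placing it in a distinguished name.
    public static string EscapeRdnValue(string value)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            if (c == '\0') { sb.Append("\\00"); continue; }
            bool edge = (i == 0 && (c == ' ' || c == '#')) || (i == value.Length - 1 && c == ' ');
            if (edge || "\"+,;<>\\".IndexOf(c) >= 0) sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    static void Main()
    {
        const int universalDist = 8;                        // the value set on the page
        const int globalSec = unchecked((int)0x80000002);   // global security group
        // The page's failing case (universal nested in global), then the reverse nesting.
        Console.WriteLine(CanNest(globalSec, universalDist, true));
        Console.WriteLine(CanNest(universalDist, globalSec, true));
        // Constructed sample: a CN containing a comma, with the page's placeholder path.
        Console.WriteLine("CN=" + EscapeRdnValue("Doe, Jane") + ",OU=optional,DC=yourdomain,DC=com");
    }
}
```

When the member object has already been found in the directory, reading its distinguishedName attribute directly avoids rebuilding the DN from cn at all.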

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow