Hi guys, I've written a small app which gets the groups from AD from a db. Using these groups I want to find out the members of the groups and then submit that to the database. The code I have written works well in some customer sites but falls over badly in others, funny thing being one of the sites has 4000+ groups and about 400000 group members so I'm pretty confident of the scalability of the code. However when the code falls over it does so with a number of error messages:
System.DirectoryServices.AccountManagement.PrincipalOperationException: While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is 1332.
at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
and
System.DirectoryServices.AccountManagement.PrincipalOperationException: While trying to resolve a cross-store reference, the target principal could not be found in the domain indicated by the principal's SID.
at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext().
After a number of these errors, say about 40 or so, the application dies totally. Seems to run out of memory, although I'm not 100% sure about that. From discussions with MS these are due to FSP in the group, and we have pretty much confirmed that with the customer. The code I have is as follows:

    // Requires: using System; using System.DirectoryServices.AccountManagement;
    // ctx, adGroups and adGroupList are declared elsewhere in the application.
    foreach (Entity.tblADUser ad in adGroups)
    {
        //remove builtin and users container groups for speed.
        if (!ad.ADLDAP.Contains("CN=Builtin") && !ad.ADLDAP.Contains("CN=Users"))
        {
            var currGrp = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, ad.ADSAMAccountName);
            if (currGrp != null)
            {
                try
                {
                    //create an enumerator to catch the groups.
                    System.Collections.IEnumerator groupEnum = currGrp.Members.GetEnumerator();
                    //only take out the users instead of all of the principals
                    //foreach (var up in currGrp.Members)
                    while (groupEnum.MoveNext())
                    {
                        try
                        {
                            var vup = groupEnum.Current;
                            if (vup.GetType().ToString() == "System.DirectoryServices.AccountManagement.UserPrincipal")
                            {
                                UserPrincipal up = (UserPrincipal)vup;
                                //skip members that have no SAM account name.
                                if (!string.IsNullOrEmpty(up.SamAccountName))
                                {
                                    //add this user to the class of users.
                                    ADGroupUsers adgu = new ADGroupUsers();
                                    adgu.ADGUID = 0;
                                    adgu.ADGUDelete = 0;
                                    adgu.ADGUGroupADID = 0;
                                    adgu.ADGUGroupSAMAccountName = ad.ADSAMAccountName;
                                    adgu.ADGUUserADID = 0;
                                    adgu.ADGUUserSAMAccountName = up.SamAccountName;
                                    adGroupList.Add(adgu);
                                }
                                up.Dispose();
                            }
                        }
                        catch (Exception)
                        {
                            //errors on a single member are swallowed here.
                        }
                    }
                }
                catch (Exception ex)
                {
                    //an exception thrown by MoveNext() lands here and ends the loop for this group.
                    string sEvent;
                    if (ex.InnerException != null)
                        sEvent = "Group Users Full Group Joiners Error Event - " + ex.Message + " , Inner Exception: " + ex.InnerException.ToString() + " , Source: " + ex.Source + ", Extras: " + ex.GetBaseException();
                    else
                        sEvent = "Group Users Full Group Joiners Error Event - " + ex.Message + " , Source: " + ex.Source + ", Extras: " + ex.GetBaseException();
                    Error newError = new Error();
                    newError.WriteLog(sEvent);
                }
                currGrp.Dispose();
            }
        }
    }

The problem seems to stem from the FindByIdentity method. I've found a few references in places talking of errors with this, but nothing concrete. I've a case with MS Developer support at the moment but was wondering if anyone had seen this behaviour before.
Thanks
Eamonn
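
One way to read a group's user members without ever resolving foreign security principals, as an added example that is not part of the original post: an attribute scope query over the group's member attribute using plain System.DirectoryServices, so no Principal objects are built and no cross-store SID lookup is attempted. The class and method names are hypothetical; it assumes the caller holds the group's distinguished name and that the user members live in the same domain as the group.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;

// Hypothetical helper, not code from the original application.
static class GroupMemberReader
{
    // Returns the sAMAccountName of every user object listed in the
    // group's member attribute. groupDn is the group's distinguished
    // name (assumption: the caller already has it).
    public static List<string> GetUserSamAccountNames(string groupDn)
    {
        var names = new List<string>();

        using (var groupEntry = new DirectoryEntry("LDAP://" + groupDn))
        using (var searcher = new DirectorySearcher(groupEntry))
        {
            // An attribute scope query must be rooted at the group itself.
            searcher.SearchScope = SearchScope.Base;
            searcher.AttributeScopeQuery = "member";

            // Only user objects match; foreignSecurityPrincipal entries
            // (and nested groups, computers, contacts) are filtered out
            // by the directory and are never resolved on the client.
            searcher.Filter = "(&(objectCategory=person)(objectClass=user))";

            // Paging keeps large groups from being cut off at the
            // server's per-response result limit.
            searcher.PageSize = 1000;
            searcher.PropertiesToLoad.Add("sAMAccountName");

            // SearchResultCollection holds unmanaged resources, so
            // dispose it explicitly instead of waiting for the GC.
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    ResultPropertyValueCollection sam = result.Properties["sAMAccountName"];
                    if (sam.Count > 0 && !string.IsNullOrEmpty(sam[0] as string))
                    {
                        names.Add((string)sam[0]);
                    }
                }
            }
        }
        return names;
    }
}
```

Foreign security principals that are skipped this way are not reported anywhere, so a separate search for objectClass=foreignSecurityPrincipal is needed if stale cross-domain members have to be audited.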