
I'm writing an application in VB.Net which accepts an AD account input by the user and deprovisions and disables it automatically. As part of this, it strips all AD groups it can from the user.

Note that certain users may be members of groups that the person running the program does not have permission to modify, and that's OK for my requirements. These groups do not have a standard naming convention or format.

The following code removes the user from all groups they are a member of successfully, skipping any groups the person operating the program does not have permission to modify, but the catch is the program then appears to soft lock after attempting to remove a group it cannot (such as Domain Users)! What can I do to prevent this?

Imports System.DirectoryServices.AccountManagement

' Bind to the domain and look the account up by the name typed into the text box.
Dim ctx As PrincipalContext = New PrincipalContext(ContextType.Domain, "net.mydomain.co.uk")
Dim user As UserPrincipal = UserPrincipal.FindByIdentity(ctx, tbxUsertoDeprovision.Text)

' Walk every group the account is a direct member of and try to remove it from each one.
For Each group As GroupPrincipal In user.GetGroups(ctx)
    Try
        group.Members.Remove(user)
        group.Save()
        group.Dispose()
    Catch ex As Exception
        ' Any failure (for example no rights on the group) is swallowed and the loop moves on.
        Continue For
    End Try
Next

If I insert a Message Box into the Catch as follows:

Catch ex As Exception
    MessageBox.Show(ex.ToString())
    Continue For

Then run the code, it displays the following message box, but only once:

System.InvalidOperationException: The member can not be removed from the Group object's Members property because it has this group as its primary group. (This is at the group.Members.Remove(user) line).

The program then goes no further and no code after Next is ever executed. I'm forced to close the application.

  • Note that I have tried removing the `Continue For` line, the behaviour seems to be the same, with or without that present. – MattOverton Aug 02 '17 at 18:53
  • In the politest way, that is not how exceptions are supposed to be used. I would suggest learning how to use try..catch..end try, but for the moment run the code without any exception handling so that your program does crash and Visual Studio can show you what the error is. – David Wilson Aug 03 '17 at 07:35
  • Thanks, I'm still learning EVERYTHING let alone Try Catch! Very much experimenting and learning as I go with this project of mine. I'll remove the Try early this afternoon and run a couple of tests to see what exception it actually throws. – MattOverton Aug 03 '17 at 10:24
  • Ok here's what I get: System.InvalidOperationException: The member can not be removed from the Group object's Members property because it has this group as its primary group. It's failing at the following line specifically: `group.Members.Remove(user)` – MattOverton Aug 03 '17 at 11:51
  • Which is expected, and I'm fully aware the group cannot be removed, but I want it to skip that group and keep going to remove any other groups it can, before exiting the For statement. – MattOverton Aug 03 '17 at 11:53
  • Also, quite interestingly, if I put the Try Catch back in and make the Catch output `ex.ToString()` in a Message Box, the message box only displays once. So maybe it isn't looping it's just... stopping altogether? – MattOverton Aug 03 '17 at 11:59
  • I would suggest now that you add the error information into your question. Sadly I don't know enough about active directory. – David Wilson Aug 03 '17 at 12:45
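As an added example (not the asker's code and not an accepted answer to the question above), the same membership-stripping loop written the way a deprovisioning tool should do it: the primary group is detected from the account's primaryGroupID attribute and skipped before Members.Remove is ever called, the catch blocks name the exception types rather than swallowing everything, every group is disposed whether or not the removal worked, and the routine returns a report so that groups the operator could not touch are listed instead of silently left in place. The domain name, the account name, and the assumption that a permissions failure surfaces as UnauthorizedAccessException (other directory errors as PrincipalOperationException) are mine, not the page's.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement
Imports System.Linq
Imports System.Security.Principal

' Added example, not the original poster's code. Strips an account's group memberships,
' skipping the primary group (which AD refuses to remove via Members) and any group the
' operator lacks rights on, and returns a report so nothing is skipped silently.
' The domain name, the account name and the exception types caught are assumptions.
Public Module DeprovisionExample

    Public Class RemovalReport
        Public ReadOnly Removed As New List(Of String)
        Public ReadOnly SkippedNoPermission As New List(Of String)
        Public ReadOnly Failed As New List(Of String)
        Public Property PrimaryGroup As String
    End Class

    Public Function StripGroups(domain As String, samAccountName As String) As RemovalReport
        Dim report As New RemovalReport()

        Using ctx As New PrincipalContext(ContextType.Domain, domain)
            Using user As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)
                If user Is Nothing Then
                    Throw New ArgumentException("No such account: " & samAccountName)
                End If

                ' primaryGroupID stores only the RID of the primary group (513 = Domain Users by default);
                ' rebuild the full SID from the user's domain SID so the comparison is exact.
                Dim entry As DirectoryEntry = CType(user.GetUnderlyingObject(), DirectoryEntry)
                Dim primaryRid As Integer = CInt(entry.Properties("primaryGroupID").Value)
                Dim primarySid As New SecurityIdentifier(user.Sid.AccountDomainSid.Value & "-" & primaryRid)

                ' Materialise the group list before changing any membership so the loop is
                ' not removing entries from a result set it is still enumerating.
                Using results = user.GetGroups(ctx)
                    Dim groups As List(Of GroupPrincipal) = results.OfType(Of GroupPrincipal)().ToList()

                    For Each group As GroupPrincipal In groups
                        Dim name As String = group.SamAccountName
                        Try
                            If group.Sid.Equals(primarySid) Then
                                ' Members.Remove would throw InvalidOperationException here; skip it up front.
                                report.PrimaryGroup = name
                                Continue For
                            End If

                            group.Members.Remove(user)
                            group.Save()
                            report.Removed.Add(name)
                        Catch ex As UnauthorizedAccessException
                            ' Assumed: the operator has no write access to this group's member attribute.
                            report.SkippedNoPermission.Add(name)
                        Catch ex As PrincipalOperationException
                            report.Failed.Add(name & ": " & ex.Message)
                        Catch ex As InvalidOperationException
                            report.Failed.Add(name & ": " & ex.Message)
                        Finally
                            ' Release the principal whether or not the removal succeeded.
                            group.Dispose()
                        End Try
                    Next
                End Using

                ' Disable the account once its memberships have been stripped.
                user.Enabled = False
                user.Save()
            End Using
        End Using

        Return report
    End Function

    Sub Main()
        ' Hypothetical domain and account name.
        Dim report = StripGroups("net.mydomain.co.uk", "jdoe")
        Console.WriteLine("Removed: " & String.Join(", ", report.Removed))
        Console.WriteLine("Primary group left in place: " & report.PrimaryGroup)
        Console.WriteLine("No permission (memberships still present!): " & String.Join(", ", report.SkippedNoPermission))
        Console.WriteLine("Failed: " & String.Join(", ", report.Failed))
    End Sub
End Module
```

Two points worth keeping in mind when adapting this. First, the primary group can only be dropped by first pointing primaryGroupID at another group the account already belongs to; the example deliberately leaves it alone and reports it rather than pretending it was removed. Second, because the operator is expected to lack rights on some groups, the SkippedNoPermission list is the security-relevant output of the whole routine: a disabled account that still holds group memberships regains that access the moment it is re-enabled or cloned, so those groups need to go to someone who can remove them rather than disappearing into an empty Catch.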

0 Answers