I've noticed that my application behaves strangely when I work with Active Directory.
I have a distributed application in C# .NET 3.5 laid out as follows:
Web Server - Application Server - AD Server
The problem apparently lies in the application server that is communicating with the Active Directory server.
An error occurs in particular when I'm setting user permissions on an object created by the application. The strange thing is that this error occurs randomly: sometimes it happens and sometimes it does not. The error message is: "(0x8007202F) The directory property cannot be found in the cache". The code that causes it is one frequently used to set permissions and is taken from the following how-to: http://support.microsoft.com/kb/899553/en-us
```csharp
using System;
using ActiveDs;          // COM interop: Active DS Type Library (ADS_RIGHTS_ENUM, ADS_ACETYPE_ENUM, ADS_ACEFLAG_ENUM)
using ADSSECURITYLib;    // COM interop: ADsSecurity 2.5 Type Library (ADsSecurity.dll)

public static void SetPermissions(string containerDn, string UserName)
{
    ADsSecurity objADsSec;
    SecurityDescriptor objSecDes;
    AccessControlList objDAcl;
    AccessControlEntry objAce1;
    AccessControlEntry objAce2;
    Object objSIdHex;
    ADsSID objSId;

    // Read the current security descriptor and its DACL from the object named by containerDn
    // (an ADsPath such as "LDAP://OU=...,DC=...,DC=...").
    objADsSec = new ADsSecurityClass();
    objSecDes = (SecurityDescriptor)(objADsSec.GetSecurityDescriptor(containerDn));
    objDAcl = (AccessControlList)objSecDes.DiscretionaryAcl;

    // Resolve the account name to its SID and get the SDDL string form used as the ACE trustee.
    objSId = new ADsSIDClass();
    objSId.SetAs((int)ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SAM, UserName);
    objSIdHex = objSId.GetAs((int)ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SDDL);

    // ACE 1: Full Control, inherit-only (applies to child objects, not to the container itself).
    // The literal 1 is the flag value used in the how-to (OBJECT_INHERIT_ACE).
    objAce1 = new AccessControlEntryClass();
    objAce1.Trustee = (objSIdHex).ToString();
    objAce1.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_ALL;
    objAce1.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    objAce1.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE
                     | (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ONLY_ACE
                     | 1;
    objDAcl.AddAce(objAce1);

    // ACE 2: Full Control on the container itself, inherited by its children.
    objAce2 = new AccessControlEntryClass();
    objAce2.Trustee = (objSIdHex).ToString();
    objAce2.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_ALL;
    objAce2.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    objAce2.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE | 1;
    objDAcl.AddAce(objAce2);

    // Write the modified DACL back into the descriptor and apply it to the object.
    objSecDes.DiscretionaryAcl = objDAcl;
    objADsSec.SetSecurityDescriptor(objSecDes, containerDn);
}
```
It should be made clear that the credentials running the code have administrative permissions, and, as I mentioned before, sometimes it does not work and throws the error (0x8007202F).
For example, if some users are created within one organizational unit and some other users are created in another OU, this error does not occur. Take into consideration that the OUs and the users are always generated with the same credentials and execute the same code.
A test I did was restarting the server in a test environment and the error did not occur for that OU.
However, in the production environment these problems still occur, even after the occasional restart.
It is very strange to me... it seems to be a problem with the cache, since it stops happening when I restart, but later it happens again on another OU.
Suggestions?
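Added example, not part of the question above: the same grant expressed through the managed System.DirectoryServices API (ActiveDirectorySecurity and ActiveDirectoryAccessRule) instead of the ADsSecurity COM wrapper. The DirectoryEntry's property cache is refreshed before the descriptor is modified, and one rule with ActiveDirectorySecurityInheritance.All covers both the container and its descendants, which is what the two ACEs in the question's code add together. The class name AdPermissions, the method name and its parameters are assumptions. GenericAll is kept to match the question's code; it is a broad right, and where the application only needs a specific set of operations a narrower ActiveDirectoryRights value is the better default.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

public static class AdPermissions
{
    // Grants the given account GenericAll on the object named by containerDn and on
    // everything beneath it. containerDn is a distinguished name such as
    // "OU=Projects,DC=example,DC=com" (constructed value; the real DN comes from the caller).
    public static void GrantFullControl(string containerDn, string domain, string samAccountName)
    {
        if (string.IsNullOrEmpty(containerDn)) throw new ArgumentNullException("containerDn");
        if (string.IsNullOrEmpty(samAccountName)) throw new ArgumentNullException("samAccountName");

        using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + containerDn))
        {
            // Re-read the security descriptor from the directory so the edit starts from
            // the current value rather than from a stale cached copy.
            entry.RefreshCache(new[] { "ntSecurityDescriptor" });

            // Resolve DOMAIN\account to a SID; the ACE trustee is stored as a SID, not a name.
            NTAccount account = new NTAccount(domain, samAccountName);
            SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));

            ActiveDirectorySecurity security = entry.ObjectSecurity;
            ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(
                sid,
                ActiveDirectoryRights.GenericAll,
                AccessControlType.Allow,
                ActiveDirectorySecurityInheritance.All);
            security.AddAccessRule(rule);

            // Write the modified descriptor back to the object.
            entry.ObjectSecurity = security;
            entry.CommitChanges();
        }
    }
}
```

The managed API reads and writes the ntSecurityDescriptor attribute through the same DirectoryEntry, so there is no separate COM-side cache to go stale between the read and the write; calling RefreshCache for that attribute immediately before the edit is a cheap way to make each call start from what the directory currently holds.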