This week I was writing a simple script to add groups to Active Directory. Initially I thought it would be an easy job, since I assumed Active Directory is just a normal LDAP server. However, when I tried to add a new group to AD using the same technique as adding a new entry to an LDAP server under a specified base context, AD threw an exception saying that the operation is not allowed.
Well, after hours of struggle and spinning my brain left and right, I finally found a solution which I would like to share with you.
The basic principle is that AD does not allow modifying built-in attributes, but creating a new group requires modifying some attributes, especially objectGUID and objectSid. My technique was to add the group by executing the ‘dsadd’ command line through the Java Runtime. To know the outcome, I read the process exit code. If the code is ‘0’, which means success, I continue by adding members. This member update succeeded when done by modifying the multi-valued ‘member’ attribute through the normal LDAP Java API.
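The two-step procedure above, written out as an added example (not the original post's script): the group is created by running dsadd as a child process and checking its exit code, and members are then added with one JNDI modify of the multi-valued `member` attribute. Two points matter from a security standpoint and are handled here: the group name is passed as a separate argument through `ProcessBuilder` (no shell string concatenation) and is checked against a whitelist before use, so a name taken from an external request cannot smuggle extra command arguments or DN special characters; and the LDAP bind goes over `ldaps://`, since a simple bind over plain `ldap://` sends the service account's password in clear. The class name, the `SAFE_CN` pattern, the server URL and all DNs are assumptions for illustration; the dsadd switches used (`-secgrp`, `-scope`, `-samid`) are the documented ones.

```java
import java.io.IOException;
import java.util.Hashtable;
import java.util.List;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

// Hypothetical helper class; names and DNs below are illustrative assumptions.
public class AdGroupProvisioner {

    // Whitelist for the group's common name. It deliberately excludes the
    // RFC 4514 DN special characters (, + " \ < > ; = #) and shell metacharacters,
    // so the value can be embedded in a DN and passed to dsadd without escaping.
    private static final Pattern SAFE_CN = Pattern.compile("^[A-Za-z0-9 _.-]{1,64}$");

    /** Creates a global security group with dsadd; returns its exit code (0 = success). */
    public static int createGroup(String cn, String parentDn)
            throws IOException, InterruptedException {
        if (!SAFE_CN.matcher(cn).matches()) {
            throw new IllegalArgumentException("group name contains disallowed characters");
        }
        String groupDn = "CN=" + cn + "," + parentDn;
        // Argument-list form: no cmd.exe is involved, so quotes, '&' or '|' in the
        // input cannot append a second command the way they could with
        // Runtime.exec("dsadd group " + groupDn).
        ProcessBuilder pb = new ProcessBuilder(
                "dsadd", "group", groupDn, "-secgrp", "yes", "-scope", "g", "-samid", cn);
        pb.redirectErrorStream(true);
        Process p = pb.start();
        p.getInputStream().transferTo(System.out); // surface dsadd's own message in the log
        return p.waitFor();
    }

    /** Adds members in one LDAP modify of the multi-valued "member" attribute. */
    public static void addMembers(String ldapsUrl, String bindDn, char[] password,
                                  String groupDn, List<String> memberDns) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl); // ldaps:// keeps the simple bind off the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        DirContext ctx = new InitialDirContext(env);
        try {
            BasicAttribute member = new BasicAttribute("member");
            for (String dn : memberDns) {
                member.add(dn);
            }
            // ADD_ATTRIBUTE appends values; it fails if a DN is already a member.
            ModificationItem[] mods = { new ModificationItem(DirContext.ADD_ATTRIBUTE, member) };
            ctx.modifyAttributes(groupDn, mods);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; replace with real DNs and a service account.
        String parentDn = "OU=Groups,DC=example,DC=local";
        String cn = "App Readers";
        int rc = createGroup(cn, parentDn);
        if (rc != 0) {
            System.err.println("dsadd failed with exit code " + rc);
            return;
        }
        addMembers("ldaps://dc01.example.local:636",
                   "CN=svc-provision,OU=Service Accounts,DC=example,DC=local",
                   System.console().readPassword("Bind password: "),
                   "CN=" + cn + "," + parentDn,
                   List.of("CN=Alice Example,OU=Users,DC=example,DC=local"));
    }
}
```

The whitelist is the important control: dsadd runs with whatever rights the calling account has, and the same string is reused as a DN component, so rejecting rather than escaping unexpected characters covers both sinks at once. If the group name must allow characters outside the pattern, escape it per RFC 4514 for the DN and still keep the argument-list form for the process call. A non-zero exit code from dsadd is the only failure signal the command gives, which is why the LDAP step is gated on it.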
So I believe the same technique can also be used to add users or other AD objects.