We are trying to create some groups in our EPiServer CMS 6 admin backend view, while using the Active Directory role provider as the roleManager. Unfortunately the Access Rights Service won't allow us to create groups and/or assign users to existing Active Directory groups. We currently have a connection to the Active Directory through a user with rights to read and to write. All reading tasks, like login or searching for other users, are working just fine. Only the tasks which require writing are causing trouble.
Anyone who has a hint or even a solution to the problem? Or is this feature of writing to the Active Directory not supported yet?
Updating AD from EPiServer is not supported through the default providers. If you need to create groups that are EPiServer specific then you are better off using the MultiplexingRoleProvider and keep them in the EPiServer database.
If you really need to edit AD then you can create your own provider but personally I think that's a lot of work!
I think you could have 2 role providers both connected to the AD membership provider.
Thank you for your hints.
@David: we can't write our own provider because of the lack of resources and knowledge ;) But knowing that updating isn't available for the AD will motivate us to search for other solutions in a different direction. A possible approach is trying to get the members from AD and assigning them to groups created in the SQLRoleProvider. But it seems that the Multiplexing-Feature won't allow us to mix the different providers as we like.
@Anders: we tried that hint of yours too, but it seems that EPiServer has trouble handling two role providers mapped to the same AD membership provider.
And additionally the AD role provider won't accept a connection string without an OU declaration.
I was thinking that you just register 2 role providers, but the one you say is default is the SQL one. I thought all role providers were called. I was not thinking about multiplexing.
We tried your proposed approach. Unfortunately it didn't work out. It seems that as soon as a default provider is declared, all other defined providers are ignored.
An example in this article: http://world.episerver.com/Articles/Items/Membership-and-Roles-in-EPiServer-CMS-5/
confirms that "...three membership and role providers, with the WindowsMembershipProvider and WindowsRoleProvider set as default providers. This means that the other providers will not be used for authentication or authorization"
Thank you guys for your effort. We managed to solve our problem with the following workaround:
First we're generating the groups directly on the Active Directory and assigning users to them. And then, we're connecting the webserver with the AD. Now it is possible to read the groups and users from EPiServer if using the WindowsRoleProvider and WindowsMembershipProvider for authentication.
But the users are only visible after the first login.