User Management with Active Directory

For the last 2 days I've been working on a concept paper for a project. One aspect covers user management using Active Directory.

At first glance, everything looks easy. One would think AD is just another LDAP server - no worries here. It turns out AD has a lot of hidden constraints and expects you to do things a certain way. For instance, if you want to add a user to a specific group, you are not going to update the user's "memberOf" LDAP attribute. This is read-only; you will need to add that user to the group LDAP node. This is just one, quite straightforward, example of how AD can be a pain in the arse if you have no idea about the internals.

Luckily the guys over at http://en.csharp-online.net/ have assembled a damn good article about all the daily tasks you will encounter if you are going to automate some user administration tasks using Active Directory as your backend. Head over here: http://en.csharp-online.net/User_Management_with_Active_Directory%E2%80%...

I have also stumbled across a wrapper library which abstracts all the LDAP / DirectoryEntry specific calls and focuses on a user- and group-centric API: http://www.dotnetactivedirectory.com/ - I have no idea yet if this one is good or not. I guess I will find out soon, since I plan to cut down the development time by 2 days and use this API instead.

Update
After looking into the free (lite) version of the .NET Active Directory wrapper, I am not so sure about purchasing a license anymore. 400 or 1000 bucks is a pretty hefty price tag for software that is no longer in development (as it seems, last update 2007) and consists of only one pseudo class. It can handle only one AD connection due to static (!) fields for login and password. Furthermore, it does not persist a connection to the AD but re-creates a new DirectoryEntry with each operation - now do some mass operations on, say... 5k users by assigning them to AD groups or something. I suppose it will still be more expensive for the project for me to code the mini-API, but after considering those facts, I might be better off. Especially when it comes to multiple AD servers and support requests I might get for this particular module. Geez! Where do ppl learn coding!? I guess good marketing and price tags not reflecting the code quality can still compensate for it.
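The group-side update described earlier (write the group's "member" attribute, not the user's "memberOf"), with credentials held per instance and one bound DirectoryEntry reused for a whole batch, as an added example that is not from this post, the linked article or the wrapper library. The class name, server, account, environment variable and DNs are hypothetical, and the DNs are assumed not to be members of the group yet.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example: AdGroupWriter and every host, account and DN below are hypothetical.
public sealed class AdGroupWriter
{
    // Instance fields (not static), so several AD servers can be used side by side.
    private readonly string _server;
    private readonly string _user;
    private readonly string _password;

    // Kerberos/NTLM bind with signed and sealed traffic.
    private const AuthenticationTypes Auth =
        AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;

    public AdGroupWriter(string server, string user, string password)
    {
        _server = server; _user = user; _password = password;
    }

    // Adds each user DN to the group's "member" attribute. The users' "memberOf"
    // is a back-link maintained by AD and is never written directly.
    // Assumption: none of the DNs is already a member of the group.
    public int AddMembers(string groupDn, IEnumerable<string> userDns)
    {
        string path = "LDAP://" + _server + "/" + groupDn;
        using (var group = new DirectoryEntry(path, _user, _password, Auth))
        {
            int added = 0;
            foreach (string dn in userDns)
            {
                group.Properties["member"].Add(dn);
                added++;
            }
            if (added > 0)
                group.CommitChanges();   // one bind and one commit for the whole batch
            return added;
        }
    }

    public static void Main()
    {
        var writer = new AdGroupWriter("dc01.example.test", @"EXAMPLE\svc-usermgmt",
            Environment.GetEnvironmentVariable("AD_BIND_PASSWORD"));
        int n = writer.AddMembers("CN=Project Users,OU=Groups,DC=example,DC=test",
            new[] { "CN=Jane Doe,OU=Staff,DC=example,DC=test" });
        Console.WriteLine("Added {0} member(s)", n);
    }
}
```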