Re: Setting a password on an AD account...




See inline...

Willy.

"Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:3D246C50-5087-4880-A287-D9DBAE31156D@xxxxxxxxxxxxxxxx
Willy,

This is a Web App as I stated initially. The user does get created but is
disabled. No problems there.

Right, but this doesn't tell me about the "security context" of the web application.
Anyhow, I assume it's running in a restricted account (network service or aspnet), right?
You don't use SSL to bind, and as this runs from a server which is not a domain member (a BAD thing if you ask me), Kerberos cannot be used to pass the password in a secured way either.
That means that "SetPassword" will try the Win32 API "NetUserSetInfo" to change the user's password. Now, this one fails when the current user is not an administrator on the DC. So I guess it works from a Windows application started from a session which runs with administrative privileges on the DC.

One solution is to use SSL with server certificates, or delegate the AD access stuff to a COM+ server style application which runs as a Domain administrator; note that the latter will need to be a "shadow account" as you are running this on a non-domain member.



DirectoryEntry parent = new DirectoryEntry(
    "LDAP://dc.mydomain.local/OU=MyOU,DC=mydomain,DC=local",   // stray ';' after the string removed
    szUsername,
    szPassword,
    AuthenticationTypes.Secure);

DirectoryEntry user = parent.Children.Add("CN=" + szFName + " " + szLName,
    "user");

using (parent)
using (user)
{
    // ...Set properties...
    user.CommitChanges();                                  // object must exist in AD before SetPassword
    AdsUserFlags newValue = AdsUserFlags.NormalAccount;    // caller-defined enum; 0x200 = ADS_UF_NORMAL_ACCOUNT
    user.Properties["userAccountControl"].Value = (int)newValue; // store as int, not a boxed enum
    user.Invoke("SetPassword", new object[] { szPassword });
    user.CommitChanges();                                  // commits the flag change (enables the account)
}   // both entries are disposed here; the explicit Dispose() calls were redundant

The client is NOT a member of the domain. This code did work when it
was a Windows App.

Here are the errors:
ex.Message: Reason: Exception has been thrown by the target of an invocation.
ex.InnerException.Message: The network path was not found.

Weird thing, this InnerException....

Willy.
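Willy's first suggestion, binding over SSL so that SetPassword uses the encrypted LDAP channel and never falls back to NetUserSetInfo, written out as an added example; this is not code from the thread. It assumes dc.mydomain.local accepts LDAPS on port 636 with a certificate the web server trusts, and that the bind account has reset-password rights on OU=MyOU; the catch block unwraps the TargetInvocationException shown in Joe's error output.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;

// Added example (not from the thread). Assumptions: dc.mydomain.local offers LDAPS
// on 636 with a trusted certificate; bindUser/bindPassword is a service account
// with "Reset password" rights on OU=MyOU, not a domain administrator.
static class LdapsUserProvisioning
{
    const int AdsUfNormalAccount = 0x0200;   // ADS_UF_NORMAL_ACCOUNT, no ACCOUNTDISABLE bit

    public static void CreateUserWithPassword(string bindUser, string bindPassword,
        string cn, string samAccountName, string newUserPassword)
    {
        // Port 636 plus SecureSocketsLayer: the password travels inside the TLS session,
        // so SetPassword does not need Kerberos (unavailable from a non-member server)
        // or the NetUserSetInfo/SMB fallback (needs admin rights on the DC and gives
        // "The network path was not found" when the IPC$ share is unreachable).
        using (var parent = new DirectoryEntry(
            "LDAP://dc.mydomain.local:636/OU=MyOU,DC=mydomain,DC=local",
            bindUser, bindPassword,
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
        using (var user = parent.Children.Add("CN=" + cn, "user"))
        {
            user.Properties["sAMAccountName"].Value = samAccountName;
            user.CommitChanges();                 // object must exist before SetPassword

            try
            {
                user.Invoke("SetPassword", new object[] { newUserPassword });
            }
            catch (TargetInvocationException ex)
            {
                // Invoke wraps the real COMException; surface it so the log shows
                // the LDAP/SSL failure rather than "Exception has been thrown by the
                // target of an invocation".
                throw ex.InnerException ?? ex;
            }

            // Enable only after the password is set, so the account never exists
            // in an enabled state without a password.
            user.Properties["userAccountControl"].Value = AdsUfNormalAccount;
            user.CommitChanges();
        }
    }
}
```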




