Re: Setting a password on an AD account...



Willy,

I misunderstood the question. The development box is not a part of the
domain, but when I run it on the webserver within the domain the error is:
Access is denied.

The account has full admin access.

I just want to verify that the code I am using does not have an error in it
that I am not seeing.

Thanks.

See inline...

Willy.

"Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3D246C50-5087-4880-A287-D9DBAE31156D@xxxxxxxxxxxxxxxx
Willy,

This is a Web App as I stated initially. The user does get created but is
disabled. No problems there.

Right, but this doesn't tell me about the "security context" of the web application.
Anyhow, I assume it's running in a restricted account (network service or aspnet) right?
You don't use SSL to bind, and as this runs from a server which is not a domain member (a
BAD thing if you ask me), Kerberos cannot be used to pass the password in a secured way
either.
That means that "SetPassword" will try Win32 API "NetUserSetInfo" to change the user's
password. Now, this one fails when the current user is not an administrator on the DC. So I
guess it works from a Windows application started from a session which runs with
administrative privileges on the DC.

One solution is to use SSL with server certificates, or delegate the AD access stuff to a
COM+ server style application which runs as a Domain administrator; note that the latter
will need to be a "shadow account" as you are running this on a non-domain member.



// Requires a reference to System.DirectoryServices.
DirectoryEntry parent = new DirectoryEntry(
    "LDAP://dc.mydomain.local/OU=MyOU,DC=mydomain,DC=local",
    szUsername,
    szPassword,
    AuthenticationTypes.Secure);

DirectoryEntry user = parent.Children.Add("CN=" + szFName + " " + szLName,
    "user");

// Both entries are disposed when the block exits, even if an exception is thrown.
using (parent)
using (user)
{
    // ... set properties ...
    user.CommitChanges();   // create the account object
    AdsUserFlags newValue = AdsUserFlags.NormalAccount;
    user.Properties["userAccountControl"].Value = newValue;
    // Invoke reports ADSI failures wrapped in a TargetInvocationException.
    user.Invoke("SetPassword", new object[]{szPassword});
    user.CommitChanges();
}

The client is NOT a member of the domain. This code did work when it
was a Windows App.

Here are the errors:
ex.Message: Reason: Exception has been thrown by the target of an invocation.
ex.InnerException.Message: The network path was not found.

Weird thing, this InnerException....

Willy.
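
The first option suggested above (binding over SSL with a server certificate), as an added example that is not code from either poster. It assumes the DC presents a certificate this machine trusts; the class, method and parameter names are hypothetical, and the host and OU are the ones used in the thread.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

static class AdUserProvisioning
{
    const int UF_NORMAL_ACCOUNT = 0x0200; // userAccountControl: enabled normal account

    // Hypothetical helper. The bind credentials and the new user's password are
    // separate values. Names are assumed to contain no DN special characters.
    public static void CreateUser(string bindUser, string bindPassword,
                                  string firstName, string lastName,
                                  string samAccountName, string newPassword)
    {
        // Port 636 plus SecureSocketsLayer makes the bind itself use LDAPS.
        const string path = "LDAP://dc.mydomain.local:636/OU=MyOU,DC=mydomain,DC=local";
        AuthenticationTypes auth =
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer;

        using (DirectoryEntry parent = new DirectoryEntry(path, bindUser, bindPassword, auth))
        using (DirectoryEntry user =
                   parent.Children.Add("CN=" + firstName + " " + lastName, "user"))
        {
            user.Properties["sAMAccountName"].Value = samAccountName;
            user.CommitChanges(); // the object now exists, still disabled

            try
            {
                // Tell ADSI to send the password over the SSL channel on port 636.
                user.Options.PasswordPort = 636;
                user.Options.PasswordEncoding = PasswordEncodingMethod.PasswordEncodingSsl;
                user.Invoke("SetPassword", new object[] { newPassword });
            }
            catch (TargetInvocationException ex)
            {
                // The real ADSI error is the inner exception, e.g. HRESULT 0x80070005
                // (access is denied) or 0x80070035 (network path not found).
                COMException com = ex.InnerException as COMException;
                string detail = com != null ? "0x" + com.ErrorCode.ToString("X8")
                              : ex.InnerException != null ? ex.InnerException.Message
                              : ex.Message;
                throw new InvalidOperationException("SetPassword failed: " + detail, ex);
            }

            user.Properties["userAccountControl"].Value = UF_NORMAL_ACCOUNT;
            user.CommitChanges(); // enable the account only after the password is set
        }
    }
}
```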


