Re: SetPassword access denied
- From: systinte5 <systinte5@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 19 Feb 2009 11:19:01 -0800
Thanks Joe. I am a proud owner of your (and Ryan Dunn) book "The .NET
Developer's Guide to Directory Services Programming". The reason, we
impersonate is because depending on the OU, there may be a different OU
administrator who is delegated admin rights on that OU. This made it
flexible. The service itself is a .NET remoting server and runs with minimal
rights.
Thanks again.
------
"Joe Kaplan" wrote:
It really should work the same way if the same credentials are being used to.
contact the directory.
One thing you could do in your code for debug purposes would be to call
WindowsIdentity.GetCurrent() and dump out the identity groups info somewhere
right before the SetPassword method is called. This will help ensure that
you are really running with the identity and thus the permissions you think
you are.
I still can't think of a reason why the permissions would be lower though if
the same account logged in interactively on the same box can execute the
same steps.
SetPassword under the hood attempts to reset the password either by LDAP,
Kerberos or NetUserSetInfo, depending on what options are available. The
authorization policy is always applied by the DC based on the identity of
the user who executed the LDAP bind. Note that if you did the bind before
you started impersonation, that could potentially cause weird things to
happen. Maybe showing a snip of code would be possible?
I also wonder why you impersonate in code rather than having the service
execute as the privileged user directly? Either should be possible but
impersonation causes you to have to store the plaintext credentials of the
privileged user somewhere instead of just letting the service control
manager take care of that.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"systinte5" <systinte5@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:01BA1584-7663-4D85-99F8-D3461FFCF3EF@xxxxxxxxxxxxxxxx
.NET 2.0 c# code running as a service (no, it does not use the system
account). The service impersonates an OUAdmin account in order to create a
user account in that OU. We are able to create an account through the
software. However when SetPassword() is invoked, it encounters 0x80070005
E_ACCESSDENIED. The impersonated account is just a domain user account
that
has been delegated administrative control of the OU. The account is also a
member of the local machine built-in Administrators group. The funny thing
is, if we manually login using the impersonated account, we are able to
create new accounts n that OU and set the initial password and set the
change
password at next logon. The access denied only occurs when doen in
software,
that too only at certain client locations. Most places we have tested the
code, it works fine. How can we diagnose the problem? I keep thinking, it
is
not the code, rather COM permissions issue (because 0x80070005 is a COM
error)? When manually creating the account and setting the password, I am
sure Microsoft is not doing this using the same interfaces we developers
are
using?
Thanks for any assistance.
- Follow-Ups:
- Re: SetPassword access denied
- From: systinte5
- Re: SetPassword access denied
- References:
- SetPassword access denied
- From: systinte5
- Re: SetPassword access denied
- From: Joe Kaplan
- SetPassword access denied
- Prev by Date: RE: bridgehead advice
- Next by Date: Re: New Domain/Server
- Previous by thread: Re: SetPassword access denied
- Next by thread: Re: SetPassword access denied
- Index(es):
Relevant Pages
|
