Okay, it's been nearly a year since the last post on this thread. Thanks to Ryan for saving our collective butts with his excellent posts!

Now, has the scene changed? Has there been a more elegant way to SetPassword without resorting to hardcoded Dllimport impersonations or COM+ hacks?

I mean, we shouldn't have to grease IIS/AD this hard to do such a basic function!

Now I see why Forms Authentication (with underlying SQL or XML datastores; not AD) enjoy such prominence among Microsofts examples of authenticated web applications.

Anyway, I've hit the same 'feature' as the main post... I'm providing a secure userID/password on the DirectoryEntry constructor that has been 'Delegate Control' enabled to perform most all admin functions for the OU folder in my AD where the User objects are happily created, but no joy on setting an initial password.

Shouldn't using that fargin ID be enuf already?

Whoa. This almost never happens: I think I've got the fix here!

On Win2003Server, using AD Users and Computers console, select View->Advanced Features menu. This enables extra visibility to Security tabs that otherwise remain invisible.

For my college, I've created a new Organizational Unit (OU) called 'Students', under the main AD domain called mycollege.edu.

I need my Web application to create new AD Users under that OU. Okay so far?

Here's my draft C# code to add a student:

private bool AddUser (string UserName, string Password)
{
if (UserExists (UserName)) return false;

try
{
string path = "LDAP://server.mycollege.edu/OU=Students,DC=mycollege,DC=edu";

DirectoryEntry entry = new DirectoryEntry (path,"mycollege.edu\\registrar","secret",AuthenticationTypes.Secure);

DirectoryEntry user = entry.Children.Add ("CN="+UserName, "User");

user.Properties["samAccountName"].Add (UserName);
user.Properties["description"].Add ("Student Account");
user.Properties["givenName"].Add ("TBA");
user.Properties["sn"].Add ("TBA");
user.CommitChanges();

user.Invoke ("SetPassword", new object[] {Password}); // User has to be saved prior to this step
user.Properties["userAccountControl"].Value = 0x200; // Create and enable a ADS_UF_NORMAL_ACCOUNT
user.CommitChanges();
}
catch (Exception ex)
{
lblStatusExt.Text = ex.Message; // Write out exception text to Label
return false;
}
return true;
}

Now, in AD select the Students OU, select Properties, select the Security tab and add the registrars account with full control permissions. The final trick needed is to click Advanced Permissions and, for the registrar account, ensure the Apply To field denotes 'This object and all child objects'. No workie without this last tweak.

While this functions, I'm wondering what others would suggest to avoid hard-coding the registrars username/password above. Web Application settings in Web.config? How secure is Web.config really? Any other ideas?

Anyone?

There is more information about SetPassword and samples in another post : view post 316534

I would recommend reading the post - it is long, but informative. Also, I would recommend using the sample code in this post rather than the sample posted above.

Hi,

I've implemented the same solution but I'm still getting error. Below are my coding. Anything I've done wrongly? App + Web and the AD server is on Win 2k platform.

DirectoryEntry de = oDE = new DirectoryEntry(LDAPConnectionString, adminID, AdminPassword, AuthenticationTypes.Secure);

DirectorySearcher deSearch = new DirectorySearcher();
deSearch.SearchRoot = de;

deSearch.Filter = "(&(objectClass=user)(objectCategory=person)(samaccountname=" + UserID + "))";
deSearch.SearchScope = SearchScope.Subtree;
SearchResult searchResult = deSearch.FindOne();

IntPtr token = IntPtr.Zero;
bool result = LogonUser(adminID, Domain, AdminPassword, 3, 0, ref token);

if (!result)
{
 int errCode = GetLastError();
        string errMessage = String.Empty;

        switch (errCode)
        {
            case 5:
                errMessage = "Access Denied";
                break;

                case 1326:
                errMessage = "Logon failure: unknown user name or bad password.";
                break;
        }
        throw new Exception(String.Format("GetLastError() returned: {0}, \"{1}\"", errCode, errMessage));
}
else
{
 WindowsIdentity wi = new WindowsIdentity((token));
 WindowsImpersonationContext wic = wi.Impersonate();

 // Reset user's password
 UserEntry.Invoke("SetPassword", new object[] { resetPwd });
        UserEntry.CommitChanges();

        wic.Undo();
        CloseHandle(token);
}

Thanks.  

 

This code looks so helpful but-

I'm trying to implement it in my project and it's failing when I call SetPassword.

The error I get is "System.Runtime.InteropServices.COMException: The directory property cannot be found in the cache"

Do you have any suggestions why this might be happening, what I can do?

Thanks

may be you are using a library that does not belong to the framework and needs to be published in the COM.