Active Directory and LDAP

Re: General access denied error creating user on local machine, but running as administrator

lneville — Tue, 30 Jun 2009 12:44:44 GMT

Actually I think I spoke to soon about fixing the issue :(

Something very wierd is going on .... I have now tested several different user & group management functions, and some work and others don't. Whether they work or not is affected by 2 things: (i) whether the SAM store on the same server as your ASP.NET app or on a remote server, and (ii) whether the machine/host name or machine IP address is specified in the PrincipalContext.

Here are my findings. If anyone can explain this and suggest a solution I would be verrrry grateful.

FYI, all functions were run through a PrincipalContext set up as follows:

static PrincipalContext _PrincipalContext;
_PrincipalContext = new PrincipalContext(ContextType.Machine, _WindowsServerName, null, "LocalAdminUsername", "LocalAdminPassword");

The ASP.NET process was running under the regular (non-admin) NETWORK SERVICE acccount.

	SAM store on the same server as your ASP.NET app		SAM store on a remote server from your ASP.NET app
Function	machine name in the PrincipalContext	machine IP address in the PrincipalContext	host name in the PrincipalContext (name set up in Hosts file)	machine IP address in the PrincipalContext
Creating a user	"General access denied” * error	OK	OK	OK
Checking if a user exists	OK	OK	OK	OK
Checking if a group exists	OK	OK	OK	OK
Checking if a user is in a group	OK	always returns false	OK	always returns false
Adding a user to a group	OK	OK	OK	OK
Removing a user from a group	"General access denied” ** error	does not error, but no change is made	OK	does not error, but no change is made
Deleting a user	"General access denied” *** error	OK	OK	OK
Disabling & re-enabling a user	"General access denied” **** error	OK	OK	OK
Setting user password	"Exception thrown” ***** error	OK	OK	OK

* General access denied error ---> System.UnauthorizedAccessException: General access denied error at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo() at System.DirectoryServices.DirectoryEntry.CommitChanges() at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes) at System.DirectoryServices.AccountManagement.SDSUtils.InsertPrincipal(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes, Boolean needToSetPassword) at System.DirectoryServices.AccountManagement.SAMStoreCtx.Insert(Principal p) at System.DirectoryServices.AccountManagement.Principal.Save()

** General access denied error ---> at System.DirectoryServices.AccountManagement.UnsafeNativeMethods.IADsGroup.Remove(String bstrItemToBeRemoved) at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, St

*** General access denied error ---> at System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsContainer.Delete(String className, String relativeName) at System.DirectoryServices.DirectoryEntries.Remove(DirectoryEntry entry) at System.DirectoryServices.AccountManagement.SDSUtils.DeleteDirectoryEntry(DirectoryEntry deToDelete) at System.DirectoryServices.AccountManagement.SAMStoreCtx.Delete(Principal p)

**** General access denied error ---> at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo() at System.DirectoryServices.DirectoryEntry.CommitChanges() at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)

***** Exception has been thrown by the target of an invocation. ---> at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args) at System.DirectoryServices.AccountManagement.SDSUtils.SetPassword(DirectoryEntry de, String newPassword) at System.DirectoryServices.AccountManagement.SAMStoreCtx.SetPassword(AuthenticablePrincipal p, String newPassword)

Re: General access denied error creating user on local machine, but running as administrator

lneville — Thu, 25 Jun 2009 10:20:42 GMT

One other thing I found out, which might help someone:

If the machine name is set to an IP address in the PrincipalContext, some functions (like creating a user) work, but others don't (like finding out if a user is in a group).

For example, the following always returns false (even though the user1 and group1 objects are found):

UserPrincipal user1 = UserPrincipal.FindByIdentity(_PrimaryPrincipalContext, IdentityType.SamAccountName, username);

GroupPrincipal group1 = GroupPrincipal.FindByIdentity(_PrimaryPrincipalContext, IdentityType.SamAccountName, groupname);

(user1 != null && group1 != null)

{

return user1.IsMemberOf(group1);

}

Re: General access denied error creating user on local machine, but running as administrator

lneville — Thu, 25 Jun 2009 10:03:35 GMT

After weeks of frustration I finally found out that there was nothing wrong with my original code. It seems there is something "wrong" with my Windows XP dev machine. At least when I ran the same code on another XP machine and on a Win 2003 server it worked fine. What exactly is wrong with my machine I don't know. The problem in a nutshell is that, even though a username & pwd are specified in the PrincipalContext to connect to the local machine's security store with, and that user is an administrator, they are not used and the ASP.NET security context (ASPNET user on Win XP) is used instead.

Minor point of interest - in my original post I said that even when I made the ASPNET user an administrator it still couldn't create users. Actually this does work, it just doesn't come into effect immediately you promote the ASPNET user. Not sure what got it to work, maybe restarting the machine, maybe restarting IIS or the worker process.

Here's the code I am now using:

static PrincipalContext _PrimaryPrincipalContext;

_PrimaryPrincipalContext = new PrincipalContext(ContextType.Machine, _PrimaryWindowsServerName, null, "Username", "Password");

UserPrincipal user = UserPrincipal.FindByIdentity(_PrimaryPrincipalContext, IdentityType.SamAccountName, username);
if (user != null)
{
      LogEntry("CreateUserAccount", "Windows user: " + username + " already exists on server: " + _PrimaryWindowsServerName);
}
else
{
     user = new UserPrincipal(_PrimaryPrincipalContext);
     user.Name = username;
     user.DisplayName = name;
     user.Description = description;
     user.SetPassword(password);
     user.Enabled = true;
     user.UserCannotChangePassword = true;
     user.PasswordNeverExpires = true;
     user.Save();
}

Re: General access denied error creating user on local machine, but running as administrator

sumitd — Tue, 12 May 2009 17:35:46 GMT

Refer below urls, it might help you:

http://www.thejackol.com/2004/08/03/create-a-local-windows-user-account-cnet/

http://msdn.microsoft.com/en-us/library/bb299773.aspx

http://www.codeproject.com/KB/system/everythingInAD.aspx?fid=399045&df=90&mpp=25&noise=3&sort=Position&view=Quick&select=2946181

Refer below discussion:

http://objectmix.com/csharp/356216-create-windows-account-programmatically-c.html

Re: General access denied error creating user on local machine, but running as administrator

lneville — Tue, 12 May 2009 17:12:26 GMT

Thanks for the replies but noone seems to have understood the problem. I am trying to create accounts on the LOCAL server. There is no Active Directory involved, so there is no Windows Authorization Access group.

Also, it is my understanding that the ASP.NET code runs in the context of the local ASPNET account (on XP) or NETWORK SERVICE (on Win 2003), so that is the account that needs to be given permission to create accounts (not Anonymous Login or anything like that).

It seems like a u/n & pwd can be specified in the PrincipalContext for interacting with the security accounts system, but as I said in 1st post I can't get this to work.

Does anyone know how the System.DirectoryServices.AccountManagement objects can be used to create a LOCAL account through ASP.NET?

Re: General access denied error creating user on local machine, but running as administrator

sumitd — Fri, 01 May 2009 05:17:06 GMT

You need to add Anonymous Logon to Windows Authorization Access group of the Active Directory to work with anonymous acess.

Re: General access denied error creating user on local machine, but running as administrator

lneville — Thu, 30 Apr 2009 20:57:10 GMT

I can't uncheck anonymous access in IIS. The site needs to be available to anonymous users.

Re: General access denied error creating user on local machine, but running as administrator

sumitd — Thu, 30 Apr 2009 17:08:27 GMT

Have you unchecked anonymous access in IIS, only windows integrated should be checked.

Re: General access denied error creating user on local machine, but running as administrator

lneville — Thu, 30 Apr 2009 17:01:44 GMT

I read the article but it doesn't help. It talks about specifying the right container, but that applies only to creating accounts in Active Directory. In my case I am creating an account on the local machine and the MS documentation says that in that case Container should be Null. Just in case I tried setting the Container parameter to Null in the PrincipalContext creation but it made no difference.

PrincipalContext context = new PrincipalContext(ContextType.Machine, PrimaryWindowsServer, null, "HostUser", "HostPassword");

I also tried creating a Console app running the same function. I got the same error when running the app as a regular user. However when running the app as an administrator the function worked. This tells me that the u/n & pwd specified in the PrincipalContext creation are not used as the security context for my function. So what are they for??

I really want to be able to specify a u/n & pwd in code and not have to configure the accounts the web app runs under.

Any more ideas?

Re: General access denied error creating user on local machine, but running as administrator

sumitd — Thu, 30 Apr 2009 16:36:01 GMT

Refer below discussion, discussion is bit long though:

http://www.keyongtech.com/5024690-access-denied-when-userprincipal-save

General access denied error creating user on local machine, but running as administrator

lneville — Thu, 30 Apr 2009 16:05:24 GMT

I have a function to create a local user in the web server that my .NET site is running on. I am using System.DirectoryServices.AccountManagement. I get the following error every time I call Save on the new UserPrinciple object:

General access denied error ---> System.UnauthorizedAccessException: General access denied error at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo() at System.DirectoryServices.DirectoryEntry.CommitChanges() at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes) at System.DirectoryServices.AccountManagement.SDSUtils.InsertPrincipal(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes, Boolean needToSetPassword) at System.DirectoryServices.AccountManagement.SAMStoreCtx.Insert(Principal p) at System.DirectoryServices.AccountManagement.Principal.Save()

I am developing on WinXP/IIS5. I have tried putting my ASPNET account in the Administrators group. I have tried specifying an administrator u/n & pwd in the PrincipalContext. Both cases produce this error. I can't use Impersonation in the web.config for various reasons.

Here is my function.

        public void CreateUserAccount(string username, string password)
        {
            PrincipalContext context = new PrincipalContext(ContextType.Machine, PrimaryWindowsServer, "HostUser", "HostPassword");

            UserPrincipal up = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
            if (up != null)
            {
                LogEntry("CreateUser", username + " already exists");
            }
            else
            {
                up = new UserPrincipal(context);
                up.Name = username;
                up.SetPassword(password);
                up.Enabled = true;
                up.UserCannotChangePassword = true;
                up.Save();
            }
        }

What am I doing wrong?