I have a function to create a local user in the web server that my .NET site is running on. I am using System.DirectoryServices.AccountManagement. I get the following error every time I call Save on the new UserPrinciple object:

General access denied error ---> System.UnauthorizedAccessException: General access denied error at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo() at System.DirectoryServices.DirectoryEntry.CommitChanges() at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes) at System.DirectoryServices.AccountManagement.SDSUtils.InsertPrincipal(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes, Boolean needToSetPassword) at System.DirectoryServices.AccountManagement.SAMStoreCtx.Insert(Principal p) at System.DirectoryServices.AccountManagement.Principal.Save()

I am developing on WinXP/IIS5. I have tried putting my ASPNET account in the Administrators group. I have tried specifying an administrator u/n & pwd in the PrincipalContext. Both cases produce this error. I can't use Impersonation in the web.config for various reasons.

Here is my function.

        public void CreateUserAccount(string username, string password)
        {
            PrincipalContext context = new PrincipalContext(ContextType.Machine, PrimaryWindowsServer, "HostUser", "HostPassword");

            UserPrincipal up = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
            if (up != null)
            {
                LogEntry("CreateUser", username + " already exists");
            }
            else
            {
                up = new UserPrincipal(context);
                up.Name = username;
                up.SetPassword(password);
                up.Enabled = true;
                up.UserCannotChangePassword = true;
                up.Save();
            }
        }

Refer below discussion, discussion is bit long though:

http://www.keyongtech.com/5024690-access-denied-when-userprincipal-save

I read the article but it doesn't help. It talks about specifying the right container, but that applies only to creating accounts in Active Directory. In my case I am creating an account on the local machine and the MS documentation says that in that case Container should be Null. Just in case I tried setting the Container parameter to Null in the PrincipalContext creation but it made no difference.

PrincipalContext context = new PrincipalContext(ContextType.Machine, PrimaryWindowsServer, null, "HostUser", "HostPassword");

I also tried creating a Console app running the same function. I got the same error when running the app as a regular user. However when running the app as an administrator the function worked. This tells me that the u/n & pwd specified in the PrincipalContext creation are not used as the security context for my function. So what are they for??

I really want to be able to specify a u/n & pwd in code and not have to configure the accounts the web app runs under.

Any more ideas?

Have you unchecked anonymous access in IIS, only windows integrated should be checked.

I can't uncheck anonymous access in IIS. The site needs to be available to anonymous users.

You need to add Anonymous Logon to Windows Authorization Access group of the Active Directory to work with anonymous acess.

Thanks for the replies but noone seems to have understood the problem. I am trying to create accounts on the LOCAL server. There is no Active Directory involved, so there is no Windows Authorization Access group.

Also, it is my understanding that the ASP.NET code runs in the context of the local ASPNET account (on XP) or NETWORK SERVICE (on Win 2003), so that is the account that needs to be given permission to create accounts (not Anonymous Login or anything like that).

It seems like a u/n & pwd can be specified in the PrincipalContext for interacting with the security accounts system, but as I said in 1st post I can't get this to work.

Does anyone know how the System.DirectoryServices.AccountManagement objects can be used to create a LOCAL account through ASP.NET?

Refer below urls, it might help you:

http://www.thejackol.com/2004/08/03/create-a-local-windows-user-account-cnet/

http://msdn.microsoft.com/en-us/library/bb299773.aspx

http://www.codeproject.com/KB/system/everythingInAD.aspx?fid=399045&df=90&mpp=25&noise=3&sort=Position&view=Quick&select=2946181

Refer below discussion:

http://objectmix.com/csharp/356216-create-windows-account-programmatically-c.html

After weeks of frustration I finally found out that there was nothing wrong with my original code. It seems there is something "wrong" with my Windows XP dev machine. At least when I ran the same code on another XP machine and on a Win 2003 server it worked fine. What exactly is wrong with my machine I don't know. The problem in a nutshell is that, even though a username & pwd are specified in the PrincipalContext to connect to the local machine's security store with, and that user is an administrator, they are not used and the ASP.NET security context (ASPNET user on Win XP) is used instead.

Minor point of interest - in my original post I said that even when I made the ASPNET user an administrator it still couldn't create users. Actually this does work, it just doesn't come into effect immediately you promote the ASPNET user. Not sure what got it to work, maybe restarting the machine, maybe restarting IIS or the worker process.

Here's the code I am now using:

static PrincipalContext _PrimaryPrincipalContext;

UserPrincipal user = UserPrincipal.FindByIdentity(_PrimaryPrincipalContext, IdentityType.SamAccountName, username);
if (user != null)
{
      LogEntry("CreateUserAccount", "Windows user: " + username + " already exists on server: " + _PrimaryWindowsServerName);
}
else
{
     user = new UserPrincipal(_PrimaryPrincipalContext);
     user.Name = username;
     user.DisplayName = name;
     user.Description = description;
     user.SetPassword(password);
     user.Enabled = true;
     user.UserCannotChangePassword = true;
     user.PasswordNeverExpires = true;
     user.Save();
}

One other thing I found out, which might help someone:

If the machine name is set to an IP address in the PrincipalContext, some functions (like creating a user) work, but others don't (like finding out if a user is in a group).

For example, the following always returns false (even though the user1 and group1 objects are found):

UserPrincipal user1 = UserPrincipal.FindByIdentity(_PrimaryPrincipalContext, IdentityType.SamAccountName, username);

 GroupPrincipal group1 = GroupPrincipal.FindByIdentity(_PrimaryPrincipalContext, IdentityType.SamAccountName, groupname);

{

}

Actually I think I spoke to soon about fixing the issue :(
 
Something very wierd is going on .... I have now tested several different user & group management functions, and some work and others don't. Whether they work or not is affected by 2 things: (i) whether the SAM store on the same server as your ASP.NET app or on a remote server, and (ii) whether the machine/host name or machine IP address is specified in the PrincipalContext.

Here are my findings. If anyone can explain this and suggest a solution I would be verrrry grateful.

FYI, all functions were run through a PrincipalContext set up as follows:

static PrincipalContext _PrincipalContext;
_PrincipalContext = new PrincipalContext(ContextType.Machine, _WindowsServerName, null, "LocalAdminUsername", "LocalAdminPassword");

The ASP.NET process was running under the regular (non-admin) NETWORK SERVICE acccount.

* General access denied error ---> System.UnauthorizedAccessException: General access denied error at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo() at System.DirectoryServices.DirectoryEntry.CommitChanges() at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes) at System.DirectoryServices.AccountManagement.SDSUtils.InsertPrincipal(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes, Boolean needToSetPassword) at System.DirectoryServices.AccountManagement.SAMStoreCtx.Insert(Principal p) at System.DirectoryServices.AccountManagement.Principal.Save()

** General access denied error ---> at System.DirectoryServices.AccountManagement.UnsafeNativeMethods.IADsGroup.Remove(String bstrItemToBeRemoved) at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, St

*** General access denied error ---> at System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsContainer.Delete(String className, String relativeName) at System.DirectoryServices.DirectoryEntries.Remove(DirectoryEntry entry) at System.DirectoryServices.AccountManagement.SDSUtils.DeleteDirectoryEntry(DirectoryEntry deToDelete) at System.DirectoryServices.AccountManagement.SAMStoreCtx.Delete(Principal p)

**** General access denied error ---> at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo() at System.DirectoryServices.DirectoryEntry.CommitChanges() at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)

***** Exception has been thrown by the target of an invocation. ---> at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args) at System.DirectoryServices.AccountManagement.SDSUtils.SetPassword(DirectoryEntry de, String newPassword) at System.DirectoryServices.AccountManagement.SAMStoreCtx.SetPassword(AuthenticablePrincipal p, String newPassword)