Hi, We are developing a intranet web application through which our users can modify their profile information(in Active Directory). I am getting an error which says like this System.UnauthorizedAccessException: General access denied error at System.DirectoryServices.Interop.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges() Here is my vb code block
---------------------------------------------------------------
Public sPath As String = "LDAP://domainname/OU=OITS,OU=ODI,DC=aa,DC=bb,DC=cc,DC=dd"
Dim dsUser As DirectoryEntry = New DirectoryEntry(sPath, "domain/AdminID", "AdminPassword", AuthenticationTypes.Secure)
dsUser = dsUser.Children.Find("CN=John")
With dsUser.Properties
.Item("displayname").Value = "John Doe"
End With
dsUser.CommitChanges()
--------------------------------------------------------------
I am getting the above error while calling CommitChanges. Am I missing anything on ASPNET user account? Any thoughts?
It is probably not transferring credentials to the user DirectoryEntry. Instead of reusing the DirectoryEntry 'dsUser', try creating a new one, the credentials might transfer in this case, if not then bind to it again using password and username:
Dim entry As DirectoryEntry = New DirectoryEntry(sPath, "domain/AdminID", "AdminPassword", AuthenticationTypes.Secure)
Dim dsUser as DirectoryEntry = entry.Children.Find("CN=John")
'Optionally Define username and password in case they are not xferring
'dsUser.Username = "domain\adminid"
'dsUser.Password = "AdminPassword"
With dsUser.Properties
.Item("displayname").Value = "John Doe"
End With
dsUser.CommitChanges()
Ryan, Nope it gives out the same error. I tried the same code in Console application to figure out whether it is due to Web application but it does not work there either. looks like for some reason, it could not copy the changes from cache to Active Directory
store. I tried debugging after I assign the value to the properties collection and it was there but the moment I call commitchanges function, it throws me an exception. Ram
I am not sure on this one - the code should be working fine. It could be that your Admin account you are binding as does not have proper permissions. It could also be that your user "CN=John", is an admin and a lower permission account is trying to update it
(which would fail). Can you confirm this is not happening?
Finally it is working. The reason was whatever account I was trying to update were disabled or inactive for some reason and when I tried to update my own account, I found that it is working!! shame on me I should have tried more different cases. thanks anyway
for all your inputs.
This is a C# console App where I am getting the same error ( General access denied
error - @CommitChanges ) when i try to update by using UID who has only "Account Operator" permission but it works fine if UID has
“Enterprise Admin” permissions. But we dont want to use
“Enterprise Admin” for this purpose.
In our AD, there are some "service accounts" that have update account permissions. These do not need to have Enterprice Admin permissions. These accounts are further locked down by:
user cannot change the password
user cannot login to devices.
We programmers are given the credentials of the service account for AD manipulation.
Hi I have a question about the same, I was given the service account, this seemed to work quite well for most of the users except a few, could there be a clash in the user permissions to allow them to edit for those particular group of users??
Eg. Can a service account be used to edit information of a Domain Admin?
Hi I have a question about the same, I was given the service account, this seemed to work quite well for most of the users except a few, could there be a clash in the user permissions to allow them to edit for those particular group of users??
Eg. Can a service account be used to edit information of a Domain Admin?
It depends on how the permissions are applied to the AD structure. It's possible the account you are using has permission to update user accounts only in certain OUs. This is a very specific permission in AD.
Are all the accounts you can successfully change in a single OU / Sub-OU tree? Are the accounts you are having trouble with in OUs that are outside of that tree? If the answers to the above questions are both "yes", then you may need to apply the update
permissions for that service account to the other OUs or apply the permissions at a higher level in the OU structure.
I had the same error message working on a 64-bit Windows 2008 Domain Controller. I fixed it by turning UAC off (user access control). You may be running into similar problems if you're running your script on any station that user UAC (Vista, Windows 7,
Server 2008).
*Please note - in my case my script would not make any edits, so this probably will not be the fix in cases where some modifications are working and others are not*
sonyram
Member
305 Points
28 Posts
CommitChanges - General access denied error
Aug 06, 2003 05:42 PM|LINK
--------------------------------------------------------------- Public sPath As String = "LDAP://domainname/OU=OITS,OU=ODI,DC=aa,DC=bb,DC=cc,DC=dd" Dim dsUser As DirectoryEntry = New DirectoryEntry(sPath, "domain/AdminID", "AdminPassword", AuthenticationTypes.Secure) dsUser = dsUser.Children.Find("CN=John") With dsUser.Properties .Item("displayname").Value = "John Doe" End With dsUser.CommitChanges() --------------------------------------------------------------I am getting the above error while calling CommitChanges. Am I missing anything on ASPNET user account? Any thoughts?dunnry
Star
9098 Points
1806 Posts
Re: CommitChanges - General access denied error
Aug 06, 2003 07:48 PM|LINK
Dim entry As DirectoryEntry = New DirectoryEntry(sPath, "domain/AdminID", "AdminPassword", AuthenticationTypes.Secure) Dim dsUser as DirectoryEntry = entry.Children.Find("CN=John") 'Optionally Define username and password in case they are not xferring 'dsUser.Username = "domain\adminid" 'dsUser.Password = "AdminPassword" With dsUser.Properties .Item("displayname").Value = "John Doe" End With dsUser.CommitChanges()Weblog
The Book
LDAP Programming Help
sonyram
Member
305 Points
28 Posts
Re: CommitChanges - General access denied error
Aug 06, 2003 08:19 PM|LINK
dunnry
Star
9098 Points
1806 Posts
Re: CommitChanges - General access denied error
Aug 07, 2003 03:41 PM|LINK
Weblog
The Book
LDAP Programming Help
sonyram
Member
305 Points
28 Posts
Re: CommitChanges - General access denied error
Aug 08, 2003 12:55 PM|LINK
harish_svh21
Member
2 Points
1 Post
Re: CommitChanges - General access denied error
May 29, 2009 10:06 AM|LINK
Can anybody help please?
This is a C# console App where I am getting the same error ( General access denied error - @CommitChanges ) when i try to update by using UID who has only "Account Operator" permission but it works fine if UID has “Enterprise Admin” permissions. But we dont want to use “Enterprise Admin” for this purpose.
Please suggest.
Thanks,
Harish
raghu1
Contributor
2004 Points
558 Posts
Re: CommitChanges - General access denied error
May 29, 2009 04:05 PM|LINK
In our AD, there are some "service accounts" that have update account permissions. These do not need to have Enterprice Admin permissions. These accounts are further locked down by:
user cannot change the password
user cannot login to devices.
We programmers are given the credentials of the service account for AD manipulation.
Hope this helps.
rishi23
Member
33 Points
76 Posts
Re: CommitChanges - General access denied error
Jan 08, 2010 04:46 PM|LINK
Hi I have a question about the same, I was given the service account, this seemed to work quite well for most of the users except a few, could there be a clash in the user permissions to allow them to edit for those particular group of users??
Eg. Can a service account be used to edit information of a Domain Admin?
PFinnegan
Member
2 Points
1 Post
Re: CommitChanges - General access denied error
Feb 12, 2010 06:25 PM|LINK
Are all the accounts you can successfully change in a single OU / Sub-OU tree? Are the accounts you are having trouble with in OUs that are outside of that tree? If the answers to the above questions are both "yes", then you may need to apply the update permissions for that service account to the other OUs or apply the permissions at a higher level in the OU structure.
dbutch1976
Member
2 Points
1 Post
Re: CommitChanges - General access denied error
Feb 18, 2010 02:56 PM|LINK
Hi everyone,
I had the same error message working on a 64-bit Windows 2008 Domain Controller. I fixed it by turning UAC off (user access control). You may be running into similar problems if you're running your script on any station that user UAC (Vista, Windows 7, Server 2008).
*Please note - in my case my script would not make any edits, so this probably will not be the fix in cases where some modifications are working and others are not*
Best of luck all!