CommitChanges - General access denied error

Hi, We are developing a intranet web application through which our users can modify their profile information(in Active Directory). I am getting an error which says like this System.UnauthorizedAccessException: General access denied error at System.DirectoryServices.Interop.IAds.SetInfo() at System.DirectoryServices.DirectoryEntry.CommitChanges() Here is my vb code block

---------------------------------------------------------------
Public sPath As String = "LDAP://domainname/OU=OITS,OU=ODI,DC=aa,DC=bb,DC=cc,DC=dd"


            Dim dsUser As DirectoryEntry = New DirectoryEntry(sPath, "domain/AdminID", "AdminPassword", AuthenticationTypes.Secure)
            dsUser = dsUser.Children.Find("CN=John")
            With dsUser.Properties
                .Item("displayname").Value = "John Doe"
            End With
            dsUser.CommitChanges()
--------------------------------------------------------------

I am getting the above error while calling CommitChanges. Am I missing anything on ASPNET user account? Any thoughts?

Re: CommitChanges - General access denied error

It is probably not transferring credentials to the user DirectoryEntry. Instead of reusing the DirectoryEntry 'dsUser', try creating a new one, the credentials might transfer in this case, if not then bind to it again using password and username:

Dim entry As DirectoryEntry = New DirectoryEntry(sPath, "domain/AdminID", "AdminPassword", AuthenticationTypes.Secure)
            Dim dsUser as DirectoryEntry = entry.Children.Find("CN=John")
            'Optionally Define username and password in case they are not xferring
            'dsUser.Username = "domain\adminid"
            'dsUser.Password = "AdminPassword"
            With dsUser.Properties
                .Item("displayname").Value = "John Doe"
            End With
            dsUser.CommitChanges()

Re: CommitChanges - General access denied error

Ryan, Nope it gives out the same error. I tried the same code in Console application to figure out whether it is due to Web application but it does not work there either. looks like for some reason, it could not copy the changes from cache to Active Directory store. I tried debugging after I assign the value to the properties collection and it was there but the moment I call commitchanges function, it throws me an exception. Ram

Re: CommitChanges - General access denied error

I am not sure on this one - the code should be working fine. It could be that your Admin account you are binding as does not have proper permissions. It could also be that your user "CN=John", is an admin and a lower permission account is trying to update it (which would fail). Can you confirm this is not happening?

Re: CommitChanges - General access denied error

Finally it is working. The reason was whatever account I was trying to update were disabled or inactive for some reason and when I tried to update my own account, I found that it is working!! shame on me I should have tried more different cases. thanks anyway for all your inputs.

Re: CommitChanges - General access denied error

Can anybody help please?

This is a C# console App where I am getting the same error ( General access denied error - @CommitChanges ) when i try to update by using UID who has only "Account Operator" permission but it works fine if UID has Enterprise Admin permissions. But we dont want to use Enterprise Admin for this purpose.

Please suggest.
Thanks,
Harish

Re: CommitChanges - General access denied error

In our AD, there are some "service accounts" that have update account permissions. These do not need to have Enterprice Admin permissions. These accounts are further locked down by:

user cannot change the password

user cannot login to devices.

We programmers are given the credentials of the service account for AD manipulation.

Hope this helps.

Re: CommitChanges - General access denied error

Hi I have a question about the same, I was given the service account, this seemed to work quite well for most of the users except a few, could there be a clash in the user permissions to allow them to edit for those particular group of users??

Eg. Can a service account be used to edit information of a Domain Admin?

Re: CommitChanges - General access denied error

rishi23

Hi I have a question about the same, I was given the service account, this seemed to work quite well for most of the users except a few, could there be a clash in the user permissions to allow them to edit for those particular group of users??

Eg. Can a service account be used to edit information of a Domain Admin?

It depends on how the permissions are applied to the AD structure. It's possible the account you are using has permission to update user accounts only in certain OUs. This is a very specific permission in AD.

Are all the accounts you can successfully change in a single OU / Sub-OU tree? Are the accounts you are having trouble with in OUs that are outside of that tree? If the answers to the above questions are both "yes", then you may need to apply the update permissions for that service account to the other OUs or apply the permissions at a higher level in the OU structure.

Re: CommitChanges - General access denied error

Hi everyone,

I had the same error message working on a 64-bit Windows 2008 Domain Controller. I fixed it by turning UAC off (user access control). You may be running into similar problems if you're running your script on any station that user UAC (Vista, Windows 7, Server 2008).

*Please note - in my case my script would not make any edits, so this probably will not be the fix in cases where some modifications are working and others are not*

Best of luck all!

Re: CommitChanges - General access denied error

Hi All,

Is there a better workaround to the above issue (General Access denied error on Windows 2008 domain controller) than turning off UAC?

I have a c#console application which updates a custom AD field.

When I add my username/password credentials to the DirectoryEntry connection it works fine.

If I don't, it comes up with the General Access Denied error (even though I'm logged in with the saem account).

Re: CommitChanges - General access denied error

Gitfinger

Hi All,

Is there a better workaround to the above issue (General Access denied error on Windows 2008 domain controller) than turning off UAC?

I have a c#console application which updates a custom AD field.

When I add my username/password credentials to the DirectoryEntry connection it works fine.

If I don't, it comes up with the General Access Denied error (even though I'm logged in with the saem account).

You have to impersonate your application as the service account. If it's a console app then Right click "Run As user" then run at it as the service accounts credential or If its a web app then in IIS from the application pool you would have to define its identity as the service account.

Hope this helps