ASP.NET Core IIS Express AD Services Permissions Error


I had to create a new Dev environment for my project. It required an AD server, so I created it on the same host as my IIS server and IDE.

I transferred it over and set all the new environment variables, but I came across an interesting problem.

When asking it to create a new AD user account I get the error:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   --- End of inner exception stack trace ---
   at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
   at System.DirectoryServices.AccountManagement.SDSUtils.SetPassword(DirectoryEntry de, String newPassword)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.SetPassword(AuthenticablePrincipal p, String newPassword)
   at System.DirectoryServices.AccountManagement.SDSUtils.InsertPrincipal(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes, Boolean needToSetPassword)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.Insert(Principal p)
   at System.DirectoryServices.AccountManagement.Principal.Save()

The method (which worked until now) creates the user; however, it appears as disabled in AD:

        using System;
        using System.DirectoryServices.AccountManagement;

        try
        {
            // The domain argument was cut off in the post; assumed here to be the same
            // DOMAIN environment variable used to build the UPN below
            PrincipalContext ctx = new PrincipalContext(ContextType.Domain,
                Environment.GetEnvironmentVariable("DOMAIN"));

            // UserPrincipalEx is a custom UserPrincipal subclass that is not shown in the post
            UserPrincipalEx usr = new UserPrincipalEx(ctx);

            usr.Name = Account.FirstName + " " + ticket.Account.LastName;
            usr.SamAccountName = Account.Username;
            usr.GivenName = Account.FirstName;
            usr.Surname = Account.LastName;
            usr.DisplayName = Account.FirstName + " " + ticket.Account.LastName;
            usr.UserPrincipalName = Account.Username + "@" + Environment.GetEnvironmentVariable("DOMAIN");
            usr.Company = Account.Company;
            usr.Department = Account.Department;
            usr.Description = Account.Description;
            usr.Enabled = enabled;

            // The password call is not in the post, but the stack trace shows Save()
            // setting a password, which is the step that fails with E_ACCESSDENIED
            usr.Save();
        }
        catch (Exception e)
        {
            // error handling elided in the post
        }

I use the same piece of code in production and it works just fine. I can't see why it would behave like this in my new dev environment - or what permissions would allow it to create the account, but not enable it.

asked on Stack Overflow Aug 30, 2019 by Hawke • edited Sep 1, 2019 by Hawke
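The failing step in the stack trace is the password set performed by Save(), which needs the "Reset Password" extended right on the container, and enabling the account needs write access to userAccountControl. The following diagnostic is added example code, not part of the question or answer: it prints the Windows identity the process actually runs under and lists which principals hold those two rights on the target container. The LDAP path is a placeholder, the schema GUIDs are taken from the AD schema reference, and the System.DirectoryServices package (Windows only) is assumed to be referenced.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added diagnostic, not the question's code: run it under the same identity as
// the IIS Express / app pool process that creates the user.
static class AdRightsCheck
{
    // Schema GUIDs (assumed correct, from the AD schema reference):
    // "Reset Password" extended right (User-Force-Change-Password) and the userAccountControl attribute.
    static readonly Guid ResetPasswordRight = new Guid("00299570-246d-11d0-a768-00aa006e0529");
    static readonly Guid UserAccountControlAttr = new Guid("bf967a68-0de6-11d0-a285-00aa003049e2");

    static bool Grants(ActiveDirectoryAccessRule r, ActiveDirectoryRights right, Guid objectType)
    {
        // GenericAll covers everything; otherwise the right must match and the rule must apply
        // either to all objects/properties (Guid.Empty) or to the specific one we care about.
        if (r.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericAll)) return true;
        return r.ActiveDirectoryRights.HasFlag(right)
            && (r.ObjectType == Guid.Empty || r.ObjectType == objectType);
    }

    public static void Report(string containerLdapPath)
    {
        Console.WriteLine("Process identity: " + WindowsIdentity.GetCurrent().Name);
        using (var container = new DirectoryEntry(containerLdapPath))
        {
            foreach (ActiveDirectoryAccessRule r in
                     container.ObjectSecurity.GetAccessRules(true, true, typeof(NTAccount)))
            {
                // Only Allow rules are listed; an explicit Deny on the same right would still block.
                if (r.AccessControlType != AccessControlType.Allow) continue;
                bool reset = Grants(r, ActiveDirectoryRights.ExtendedRight, ResetPasswordRight);
                bool uac = Grants(r, ActiveDirectoryRights.WriteProperty, UserAccountControlAttr);
                if (reset || uac)
                    Console.WriteLine($"{r.IdentityReference}: reset-password={reset}, " +
                                      $"write-userAccountControl={uac}, inherited={r.IsInherited}");
            }
        }
    }

    static void Main()
    {
        // Placeholder path: replace with the OU/container the new users are created in.
        Report("LDAP://OU=Users,DC=example,DC=local");
    }
}
```

If the printed process identity (or one of its groups) does not appear with both rights, that is the permission gap; compare the output against the same check run on the production container.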

1 Answer


I rebuilt Dev with IIS and AD on different servers. It's a pain as it's slow, but I couldn't find another solution.

answered on Stack Overflow Nov 23, 2019 by Hawke

User contributions licensed under CC BY-SA 3.0