I had to create a new Dev environment for my ASP.NET project. It required an AD server, so I created it on the same host as my IIS server and IDE.
I transferred it over and set all the new environment variables, but I came across an interesting problem.
When asking it to create a new AD user account, I get the error:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
--- End of inner exception stack trace ---
at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
at System.DirectoryServices.AccountManagement.SDSUtils.SetPassword(DirectoryEntry de, String newPassword)
at System.DirectoryServices.AccountManagement.ADStoreCtx.SetPassword(AuthenticablePrincipal p, String newPassword)
at System.DirectoryServices.AccountManagement.SDSUtils.InsertPrincipal(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes, Boolean needToSetPassword)
at System.DirectoryServices.AccountManagement.ADStoreCtx.Insert(Principal p)
at System.DirectoryServices.AccountManagement.Principal.Save()
The method (which worked until now) creates the user, but it appears as disabled in AD:
using System;
using System.DirectoryServices.AccountManagement;

// Bind to the target OU as the service account; all values come from the environment
PrincipalContext ctx = new PrincipalContext(ContextType.Domain,
    Environment.GetEnvironmentVariable("DOMAIN"),
    Environment.GetEnvironmentVariable("USER_OU"),
    Environment.GetEnvironmentVariable("SERVICE_USERNAME"),
    Environment.GetEnvironmentVariable("SERVICE_PASSWORD"));

// UserPrincipalEx is our UserPrincipal subclass that exposes Company/Department
UserPrincipalEx usr = new UserPrincipalEx(ctx);
usr.Name = Account.FirstName + " " + Account.LastName;
usr.SamAccountName = Account.Username;
usr.GivenName = Account.FirstName;
usr.Surname = Account.LastName;
usr.DisplayName = Account.FirstName + " " + Account.LastName;
usr.UserPrincipalName = Account.Username + "@" + Environment.GetEnvironmentVariable("DOMAIN");
usr.Company = Account.Company;
usr.Department = Account.Department;
usr.Description = Account.Description;

// Password and enabled state are only applied inside Save(); if the password
// step fails, the object already exists in AD but stays disabled
usr.SetPassword(temppwd);
usr.ExpirePasswordNow();   // force a change at first logon
usr.Enabled = enabled;
try
{
    usr.Save();            // Insert -> SetPassword -> enable (see the stack trace above)
}
catch (Exception e)
{
    Console.WriteLine(e.ToString());
}
I use the same piece of code in production and it works just fine. I can't see why it would behave like this in my new dev environment, or what permissions would allow it to create the account but not enable it.
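A check worth running before rebuilding the environment, added here as an example (this is not code from the question or its author): it reads the OU's DACL and reports whether the service account, directly or through group membership, holds the three rights the Save() call above exercises: creating user objects in the OU, the Reset Password extended right on user objects beneath it, and write access to userAccountControl (the attribute that Enabled toggles). The account name svc-provision and the OU distinguished name are placeholders; the GUIDs are the fixed schema and extended-right identifiers and are the same in every forest.

```powershell
# Added diagnostic (not from the original post): does the provisioning service
# account hold, on the target OU, each right that Save() needs?
# Assumptions: the RSAT ActiveDirectory module is installed, the script runs as
# a user allowed to read the OU's security descriptor, and the two inputs
# mirror the SERVICE_USERNAME / USER_OU values the application reads.
param(
    [string]$ServiceAccount = $env:SERVICE_USERNAME,   # e.g. "svc-provision" (placeholder)
    [string]$UserOu         = $env:USER_OU             # e.g. "OU=Staff,DC=dev,DC=example,DC=com" (placeholder)
)
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Well-known schema / extended-right GUIDs as they appear in ACEs.
$UserClassGuid          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user
$ResetPasswordGuid      = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$UserAccountControlGuid = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'  # attribute: userAccountControl

# Rights may be granted to the account itself or to any group it belongs to,
# so collect every SID that an ACE could name before reading the OU's DACL.
$svc  = Get-ADUser -Identity $ServiceAccount
$sids = @($svc.SID.Value) + @(Get-ADPrincipalGroupMembership -Identity $svc | ForEach-Object { $_.SID.Value })

# Only Allow ACEs that apply to one of those SIDs; Deny ACEs are not evaluated here.
$aces = (Get-Acl -Path "AD:\$UserOu").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-AdRight {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectGuid,       # class, attribute or extended right the ACE must cover
        [switch]$OnChildUsers    # right is needed on user objects *under* the OU, not on the OU itself
    )
    foreach ($ace in $aces) {
        # GenericAll (full control) covers every right regardless of ObjectType.
        if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { return $true }
        if (-not $ace.ActiveDirectoryRights.HasFlag($Right)) { continue }
        # An empty ObjectType means "all classes / attributes / extended rights".
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ObjectGuid) { continue }
        if ($OnChildUsers) {
            # Must be inheritable and, if restricted by class, restricted to user objects.
            if ($ace.InheritanceFlags -eq [System.Security.AccessControl.InheritanceFlags]::None) { continue }
            if ($ace.InheritedObjectType -ne [guid]::Empty -and $ace.InheritedObjectType -ne $UserClassGuid) { continue }
        }
        return $true
    }
    return $false
}

[pscustomobject]@{
    ServiceAccount       = $svc.SamAccountName
    OU                   = $UserOu
    CreateUserObjects    = Test-AdRight -Right CreateChild   -ObjectGuid $UserClassGuid
    ResetPasswordOnUsers = Test-AdRight -Right ExtendedRight -ObjectGuid $ResetPasswordGuid      -OnChildUsers
    WriteUserAccountCtrl = Test-AdRight -Right WriteProperty -ObjectGuid $UserAccountControlGuid -OnChildUsers
} | Format-List
```

A result of CreateUserObjects = True with ResetPasswordOnUsers = False matches the trace exactly: the insert succeeds, SetPassword is denied, and the enable step is never reached, leaving a disabled account. Two caveats: the script evaluates Allow ACEs only, so a Deny ACE on the account or one of its groups would still block a right it reports as granted; and a passing ACL does not rule out the password transport, since ADSI's SetPassword negotiates a secure channel (LDAPS, then Kerberos, then the RPC-based SAM call) and E_ACCESSDENIED alone does not say which layer refused.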
I rebuilt Dev with IIS and AD on different servers. It's a pain as it's slow, but I couldn't find another solution.
User contributions licensed under CC BY-SA 3.0