I have a Web API that runs in an IIS application pool with an elevated service account. This service account has privileges to set or change user passwords within specific OUs in Active Directory.
The API service account is able to set user passwords in OU1 but is not able to set user passwords in OU2. Change password works ok in both OUs.
[Screenshot: service account permissions on OU2]
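The same piece of code is used to set the password regardless of OU.

    // adContext is a PrincipalContext (System.DirectoryServices.AccountManagement)
    UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(adContext, username);
    userPrincipal.SetPassword("somepassword"); // administrative reset; the old password is not supplied
    userPrincipal.Save();
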
The exception thrown is:

    System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))