
Access Denied exception is coming while adding user to the AD group through the .NET code

Hi,

I am getting the above exception while adding a user to an AD group. We are suddenly getting this exception on the server.

We are using System.DirectoryServices.AccountManagement library for adding user to the AD group.

group.Members.Add(pc, IdentityType.SamAccountName, userId);
group.Save(); // -----> Access Denied exception

Exception details:

at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de,

 

More information:

-------------------

- Our AD Admin Team removed the Native Access Feature.

- Authenticating the user and searching for the user and AD group using the methods below is working fine, but the above feature is not working.

UserPrincipal user = UserPrincipal.FindByIdentity(Objprincepalcontext, userId);
GroupPrincipal group = GroupPrincipal.FindByIdentity(Objprincepalcontext, groupName);

- To add the user to the group I am using an account which is the secondary owner of the distribution list. Using this account we are able to add the user through the Active Roles site.

I have tried the ways below to fix it, but no luck:

- Impersonation in the Web.config

- Giving Full Access to Drive and folder in IIS

- Tried installing the Quest management tool for ARS SDK 7.0

I am using .NET 4.5, Active Directory 2008, IIS7

Please help me fix this issue ASAP.

  • Is the C# code performing an LDAP bind to AD **through** the Active Roles server?

    i.e. using something like EDMS://ActiveRolesServerName/ObjectName

    This of course requires the ActiveRoles ADSI provider to be in place on the host executing the code.

    Most people use PowerShell for this sort of stuff because they can use the Quest cmdlets with their native ability to access AD via ActiveRoles. It's less complicated. Just putting that out there.

    It sounds like something in your environment has changed that has affected the script's rights (or more precisely, the rights of the account executing the script).
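
One way to find out which account is actually performing the write when `group.Save()` fails, shown as an added example that is not part of the original thread and not vendor code. It binds directly to AD with System.DirectoryServices.AccountManagement, as the code in the question does, not through the Active Roles ADSI provider; the class name `GroupMembershipDiagnostics`, the method `TryAddMember` and all parameter names are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class GroupMembershipDiagnostics
{
    // Hypothetical helper: all values are supplied by the caller.
    public static bool TryAddMember(string domain, string groupName, string userId,
                                    string serviceUser = null, string servicePassword = null)
    {
        // Identity the code is running as. Under IIS this is the application pool
        // account, or the impersonated caller when impersonation is enabled.
        string processIdentity = WindowsIdentity.GetCurrent().Name;

        // With explicit credentials the bind and the write happen as serviceUser;
        // without them they happen as processIdentity.
        using (PrincipalContext ctx = serviceUser == null
            ? new PrincipalContext(ContextType.Domain, domain)
            : new PrincipalContext(ContextType.Domain, domain, serviceUser, servicePassword))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            if (group == null)
                throw new ArgumentException("Group not found: " + groupName);

            string writer = serviceUser ?? processIdentity;
            try
            {
                group.Members.Add(ctx, IdentityType.SamAccountName, userId);
                group.Save();
                return true;
            }
            catch (UnauthorizedAccessException ex)
            {
                // Access denied on the directory write: record who wrote, to which
                // domain controller, and to which object, so the AD team can check
                // that account's rights on that group.
                Console.Error.WriteLine(
                    "Access denied adding '{0}' to '{1}'. Bound as: {2}; DC: {3}; error: {4}",
                    userId, group.DistinguishedName, writer, ctx.ConnectedServer, ex.Message);
                return false;
            }
        }
    }
}
```

Searches can succeed while the write fails because reading the directory and modifying the group's membership require different rights, so the logged account and group DN are the two values to compare against the group's permissions.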
