Access denied while trying to change password in Active Directory

Hi. I have some code that updates a user's account properties in Active
Directory. The code also has a call that resets the account password (see
code below). I put the code in a .dll and have a test vb.net app that calls
it. It works fine from there. When I try to call the .dll from an asp.net
app, the update works but I get the error 'Access is Denied' when I try to
reset the password. Anyone have any ideas?

Maybe you need to be a domain member to reset passwords but not to update
accounts and the asp.net app which calls the .dll runs under the aspnet
account which might not be a member of the AD domain I'm working in. Just a
guess.

myNewDirectoryEntry = mySearchResult.GetDirectoryEntry()
With myNewDirectoryEntry
.Invoke("SetPassword", myPassword)
.CommitChanges()
End With
 
¤ Hi. I have some code that updates a user's account properties in Active
¤ Directory. The code also has a call that resets the account password (see
¤ code below). I put the code in a .dll and have a test vb.net app that calls
¤ it. It works fine from there. When I try to call the .dll from an asp.net
¤ app, the update works but I get the error 'Access is Denied' when I try to
¤ reset the password. Anyone have any ideas?
¤
¤ Maybe you need to be a domain member to reset passwords but not to update
¤ accounts and the asp.net app which calls the .dll runs under the aspnet
¤ account which might not be a member of the AD domain I'm working in. Just a
¤ guess.
¤
¤ myNewDirectoryEntry = mySearchResult.GetDirectoryEntry()
¤ With myNewDirectoryEntry
¤ .Invoke("SetPassword", myPassword)
¤ .CommitChanges()
¤ End With

What type of authentication are you using for your web application and are you using impersonation?

I'm assuming that the account you are trying to use has sufficient privileges to set a password.


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)
 
I'm using anonymous authentication on the website and I am not using
impersonation. Should I be? I specify an account while creating the
Directory Entry object. The account is a member of the Account Operator
group. As I said, the .dll works fine when being called from a vb.net app.
 
¤ I'm using anonymous authentication on the website and I am not using
¤ impersonation. Should I be? I specify an account while creating the
¤ Directory Entry object. The account is a member of the Account Operator
¤ group. As I said, the .dll works fine when being called from a vb.net app.
¤

If you're using anonymous authentication w/o impersonation then the identity under which your web
application is running is ASPNET. This account, by default, would not have sufficient permissions to
set a user password.

If you're logged on to the network from your desktop with an account that has sufficient permissions
to perform this operation, then use Integrated Windows authentication for your ASP.NET application
with impersonation enabled.


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)
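
An added example, not code from any poster in this thread: a diagnostic wrapper around the SetPassword call from the original post that reports which Windows identity the call ran under, so the test app and the ASP.NET app can be compared directly. The module and function names are hypothetical, and userEntry is assumed to be the DirectoryEntry returned by mySearchResult.GetDirectoryEntry().

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Reflection
Imports System.Security.Principal

Public Module PasswordResetDiagnostics

    ' Hypothetical helper (not from the thread). Returns a status string that
    ' names the Windows identity the reset was attempted under. The new
    ' password is never written to the result.
    Public Function ResetPasswordWithContext(ByVal userEntry As DirectoryEntry, _
                                             ByVal newPassword As String) As String
        ' Identity of the calling thread. Under anonymous authentication
        ' without impersonation this is the ASPNET account. With Integrated
        ' Windows authentication and impersonation enabled in web.config
        '   <authentication mode="Windows" />
        '   <identity impersonate="true" />
        ' it is the account of the user who is browsing the site.
        Dim caller As String = WindowsIdentity.GetCurrent().Name

        Try
            userEntry.Invoke("SetPassword", New Object() {newPassword})
            userEntry.CommitChanges()
            Return "Password reset succeeded as " & caller
        Catch ex As TargetInvocationException
            ' Invoke wraps the underlying ADSI failure; "Access is denied"
            ' arrives as an UnauthorizedAccessException in InnerException.
            If TypeOf ex.InnerException Is UnauthorizedAccessException Then
                Return "Access denied while running as " & caller
            End If
            Throw
        End Try
    End Function

End Module
```

Calling this from both the VB.NET test app and the ASP.NET page shows whether the two run under different accounts.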
 