I am trying to modify certain properties for users in our active directory. Some properties I can change and some I can’t. I am doing impersonation, but for some of the properties I still get the “General Access denied error” when I try to call CommitChanges().
For example this will work:
DirectoryEntry deUser = new DirectoryEntry(result.Path);
if (ImpersonateValidUser(adConnectionUsername, adConnectionDomain, adConnectionPassword))
{
deUser.Properties["ampPasswordQuestion"].Value = newPasswordQuestion;
deUser.Properties["ampPasswordAnswer"].Value = newPasswordAnswer;
deUser.CommitChanges();
deUser.Close();
UndoImpersonation();
}
This works presumably because we’ve manually added the properties into the AD schema with no access restrictions. (See ASP.NET 3.5 Security, Membership, and Role Management with C# and VB)
However if I try to modify something like the Comment property of a record as follows:
DirectoryEntry deUser = new DirectoryEntry(result.Path);
if (ImpersonateValidUser(adConnectionUsername, adConnectionDomain, adConnectionPassword))
{
deUser.Properties["comment"].Value = comment;
deUser.CommitChanges();
deUser.Close();
UndoImpersonation();
}
Then I will get “General access denied error”.
Anyone have any ideas?
The Impersionation code is from Microsoft found at: http://support.microsoft.com/kb/306158
I believe I have found the problem. Apparently you need to create the DirectoryEntry that will be modified after Impersonation is done. This seems to make sense because I believe the rights of the modifying user become effective at the creation of the entry to be modified. Can anyone verify this? I have not seen it explained this way in any documentation.
I did some more testing and found out that the first entry does not even require Impersonation because the those attributes are not secured.
In the 2nd case the following code works: