I am using DirectoryServices and the WinNT:// provider to connect to a remote computer. I then check some group membership information and possibly add or remove a domain user from a specified local group.
I have been able to get all of this code working without a hitch using a vb.net console application and when communicating with my local box, or with any box where the account I am logged in under has administrative rights.
Code:
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;

string Computername = "WORKSTATION01"; // placeholder: the remote machine name
string strUserPath = "WinNT://DomainName/someuser,user";
// Bind to the remote computer object through the WinNT provider
DirectoryEntry deComputer = new DirectoryEntry("WinNT://" + Computername + ",computer");
deComputer.RefreshCache();
// Locate the local Administrators group on that machine
DirectoryEntry deGroup = deComputer.Children.Find("administrators", "group");
// Invoke returns object; cast it so it can be enumerated
IEnumerable members = (IEnumerable)deGroup.Invoke("members", null);
List<DirectoryEntry> r = new List<DirectoryEntry>();
foreach (object o in members)
{
    DirectoryEntry deMember = new DirectoryEntry(o);
    r.Add(deMember);
}
// Add, then remove, the domain user from the local group
deGroup.Invoke("Add", strUserPath);
deGroup.CommitChanges();
deGroup.Invoke("Remove", strUserPath);
deGroup.CommitChanges();
So I moved the code to an ASP.Net web app, which is impersonating a service account through the Impersonate section of web.config. The account I am impersonating does not have admin rights on any of the workstations so I put in a username/password into the constructor for the computer entry like so:
DirectoryEntry deComputer = new DirectoryEntry("WinNT://" + Computername + ",computer", username, password);
The username is that of a domain account which has local admin rights on every workstation. If I look at the Username property of the resulting deComputer object I can see that the username matches what I entered. Also if I enter in an invalid password it throws an error, so it is authenticating in some fashion.
However, if I now try to add or remove a user from a remote workstation I get a general access denied error. If I add the service account that ASP.Net is using as a local admin on that workstation it will add and remove no problem.
So next I tried using the LogonUser API (advapi32.dll LogonUser call) to log in as the user account that is a local admin on all workstations, impersonated the resulting WindowsIdentity and tried running just the original deComputer instantiation. When I do this every property, except Path, returns an OLE exception…
I’m pretty lost here on what to try next. Any help would be greatly appreciated.
–Workaround–
To work around the issue we created a windows service that runs under the local admin account and thus doesn’t have any issues running the code. We push all of our updates to a table in a SQL database and the service picks them up and processes them. BUT, I still really would like to know why this doesn’t work, and it would be nice to push updates straight from the web site.
Did you try to use AuthenticationTypes.Secure as an additional parameter of DirectoryEntry after the username and the password? By the way, if you want to connect to a remote computer you should not use LogonUser. The correct APIs are WNetAddConnection2 (see http://msdn.microsoft.com/en-us/library/aa385413.aspx) or NetUseAdd (see http://msdn.microsoft.com/en-us/library/aa370645.aspx).
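As an added example (not code from the asker or the answerer), the following puts the answer's suggestion next to the question's scenario: the DirectoryEntry for the remote computer is created with explicit credentials plus AuthenticationTypes.Secure, the local group is read before anything is changed, and the add is only attempted when the user is not already a member. The machine name, group name, account name and credentials are placeholders; the credentials should come from a protected configuration store rather than a string literal in real code. The catch for UnauthorizedAccessException is there so the "general access denied" case the question describes is reported with the account that was used, which makes the failure easier to correlate with the Security event log on the remote workstation.

```csharp
using System;
using System.Collections;
using System.DirectoryServices;

public static class LocalGroupManager
{
    // Placeholder values; in practice read these from protected configuration.
    private const string ComputerName = "WORKSTATION01";
    private const string GroupName = "administrators";
    private const string AdminUser = "DOMAIN\\svc-localadmin";
    private const string AdminPassword = "replace-me";

    // Binds to the remote computer with explicit credentials and a secure
    // (authenticated, not anonymous) connection, as the answer suggests.
    private static DirectoryEntry BindComputer()
    {
        return new DirectoryEntry(
            "WinNT://" + ComputerName + ",computer",
            AdminUser,
            AdminPassword,
            AuthenticationTypes.Secure);
    }

    // Returns true when the given WinNT user path is already in the group.
    public static bool IsMember(DirectoryEntry group, string userPath)
    {
        IEnumerable members = (IEnumerable)group.Invoke("Members", null);
        foreach (object o in members)
        {
            using (DirectoryEntry member = new DirectoryEntry(o))
            {
                // ADsPath comparison is case-insensitive on WinNT paths
                if (string.Equals(member.Path, userPath, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
        }
        return false;
    }

    // Adds the user to the local group only if not already present.
    public static void EnsureMember(string userPath)
    {
        using (DirectoryEntry computer = BindComputer())
        {
            computer.RefreshCache();
            using (DirectoryEntry group = computer.Children.Find(GroupName, "group"))
            {
                try
                {
                    if (IsMember(group, userPath))
                    {
                        Console.WriteLine("{0} is already a member of {1}.", userPath, GroupName);
                        return;
                    }
                    group.Invoke("Add", new object[] { userPath });
                    group.CommitChanges();
                    Console.WriteLine("Added {0} to {1} on {2}.", userPath, GroupName, ComputerName);
                }
                catch (UnauthorizedAccessException ex)
                {
                    // Report which account was used so the denial can be matched
                    // against the remote workstation's Security event log.
                    Console.WriteLine("Access denied as {0} on {1}: {2}", AdminUser, ComputerName, ex.Message);
                    throw;
                }
            }
        }
    }

    public static void Main()
    {
        EnsureMember("WinNT://DomainName/someuser,user");
    }
}
```

The "Add" call is passed an object[] because DirectoryEntry.Invoke takes a params object[] and the WinNT group's Add method expects a single ADsPath string; passing the string directly also works, as in the question's code, but the explicit array makes the argument list unambiguous.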