Cannot set password in AD in ASP.NET Web Application

  • Question

  • User-1508648822 posted

    I need some help with a Web Application.  I am creating a user from a Personnel Management Page, which in turn adds the user to Active Directory.  Here is the code to do this:

    DirectoryEntry Folder = new DirectoryEntry("LDAP://XXXX.com/CN=ContainerName, DC=XXXX, DC=com", admin, adminPwd, AuthenticationTypes.None);
    
            if (Folder.SchemaEntry.Name == "container")
            {
                DirectoryEntry user = Folder.Children.Add("CN=" + txtFirstname.Text + " " + txtLastname.Text, "User");
    
                if (DirectoryEntry.Exists(user.Path))
                {
                    // Error Msg Here
                }
                else
                {
                    // Use web controls to populate AD attributes.  Not entered to conserve space.  The code works however.
    
                    user.CommitChanges();
    
                    int val = (int)user.Properties["userAccountControl"].Value;
                    user.Properties["userAccountControl"].Value = val & ~0x2;
                    user.Properties["pwdLastSet"].Value = 0;
                    user.CommitChanges();
                    // I have tried this first to set a password.
                    user.Password = "SuperSecretPassword";

                    // Then I have tried this second after commenting out first attempt.
                    user.Invoke("SetPassword", new object[] { "SuperSecretPassword" });
                    user.CommitChanges();
                }
            }

    The issue I am having is that after the account has been created, I am trying to set the default password which the user will use and then be required to change.  Every time I attempt to set the password I either get an "Access Denied" error or the process in Debug appears to work.  However, when I attempt to log in with a test account, the default password does not work.  I go into AD and reset the password with 'Reset Required' checked. After this, it will work.

    Why are the methods for setting the password failing?

    Tuesday, March 3, 2015 2:32 PM

Answers

  • User-1508648822 posted

    The problem is solved. Apparently the account for Internet Information Services (IIS_IUSRS) did not have permissions to SET passwords for Active Directory. It could CHANGE passwords but not SET them.

    To allow an ASP.NET page to SET an AD Password on account creation, I had to run "Active Directory Users and Computers", right-click the domain, select "Delegate Control". This opens a wizard which will allow you to grant the account IIS_IUSRS permissions to make changes to AD.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, March 6, 2015 8:23 AM
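
Added example, not part of the original thread or the poster's code: one way to order the create, reset and enable steps so that a missing Reset Password delegation is reported clearly. It goes slightly beyond the thread by setting `pwdLastSet` after `SetPassword` (a reset overwrites it) and by binding with sealing and signing instead of `AuthenticationTypes.None`. The class, method and parameter names are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;

static class AdUserProvisioning
{
    // Hypothetical helper: every parameter is supplied by the caller.
    // commonName must already be escaped for use in an RDN (RFC 4514).
    public static void CreateUserWithInitialPassword(
        string containerPath, string bindUser, string bindPassword,
        string commonName, string samAccountName, string initialPassword)
    {
        // Secure + Sealing + Signing keeps the bind and the reset off the wire in clear text.
        var auth = AuthenticationTypes.Secure | AuthenticationTypes.Sealing
                 | AuthenticationTypes.Signing;

        using (var container = new DirectoryEntry(containerPath, bindUser, bindPassword, auth))
        using (var user = container.Children.Add("CN=" + commonName, "user"))
        {
            user.Properties["sAMAccountName"].Value = samAccountName;
            user.CommitChanges();   // the object must exist before SetPassword is invoked

            try
            {
                // Administrative reset: needs the Reset Password right on the user object,
                // which is what the Delegate Control wizard grants.
                user.Invoke("SetPassword", new object[] { initialPassword });
            }
            catch (TargetInvocationException ex)
            {
                // Access denied typically surfaces as an inner UnauthorizedAccessException.
                if (ex.InnerException is UnauthorizedAccessException)
                    throw new InvalidOperationException(
                        "Bind account lacks the Reset Password right under " + containerPath, ex);
                throw;   // anything else, e.g. a password policy violation
            }

            // Enable only once a password exists, then force a change at next logon.
            user.RefreshCache(new[] { "userAccountControl" });
            int uac = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = uac & ~0x2;   // clear ACCOUNTDISABLE
            user.Properties["pwdLastSet"].Value = 0;   // must follow SetPassword
            user.CommitChanges();
        }
    }
}
```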

All replies

  • User1508394307 posted

    // Use web controls to populate AD attributes.  Not entered to conserve space.  The code works however.
    user.CommitChanges();

    No changes, so why commit?

    // I have tried this first to set a password.
    user.Password = "SuperSecretPassword";

    Delete it.

    Try again.

    Friday, March 6, 2015 7:08 AM