IADs::SetInfo fails with "Access Denied" under Credential Provider

  • Question

  • Hi,

    We have a credential provider for biometric devices and SmartCard logon.
    We store the credentials of domain users in Active Directory, whose schema we extended with 2 proprietary attributes on the User object.
    When a password change is done through our credential provider we update the data in AD. Here is the problem (Win7 x32 client, Win2003 x32 server):

    Although SYSTEM has the Full Control right on the user objects in AD, IADs::SetInfo fails with 0x80050007 "Access Denied". It is interesting that the "Get" functions work in the same sequence of calls.
    The same piece of code works under our GINA on XP. I know that Winlogon.exe has all the privileges whereas LogonUI.exe is more restrictive (does not have SE_RESTORE_NAME etc.), but the privileges should not have anything to do with the rights. Right?
    When I give Everyone Full Control on the TestUser object (ADSIEdit.msc/Domain/Users/TestUser), it works. But LogonUI.exe runs under the SYSTEM account, and TestUser granting SYSTEM Full Control should/must be enough. Right?
    So what could be the reason for this error?


    Tuesday, October 19, 2010 3:40 PM

All replies

  • I don't have all the details square, but I think your problem is that the local machine SYSTEM account is not a valid domain account and therefore you don't get the privileges you think you have.

    Answering policy: see profile.
    Friday, October 22, 2010 8:27 PM
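The reply above points at the identity mismatch: a process running as LocalSystem authenticates to the domain as the computer account (DOMAIN\COMPUTERNAME$), not as any "SYSTEM" principal on the user object, so a grant to SYSTEM on the AD object never matches and the workaround of giving Everyone Full Control is far broader than needed. The following script is an added example, not code from the thread or from the credential provider discussed; it uses only the .NET System.DirectoryServices classes available on a domain-joined Windows machine. It reads the ACL of a user object, reports which principals can write the two custom attributes, flags an Everyone grant, and with `-Grant` adds a WriteProperty ACE scoped to just those attributes for the computer account. The user DN and the attribute names are placeholders, and the default principal assumes `USERDOMAIN` holds the NetBIOS domain of the account running the script.

```powershell
<#
  Added example (not from the thread). Checks who can write two custom attributes
  on an AD user object and optionally grants a scoped WriteProperty to the computer
  account. Assumptions: domain-joined host, run as an account allowed to read
  (and, with -Grant, modify) the object's ACL; DN and attribute names are placeholders.
#>
param(
    # Placeholder DN of the user the credential provider updates
    [string]$UserDN = "CN=TestUser,CN=Users,DC=example,DC=local",
    # Placeholder lDAPDisplayNames of the two proprietary schema extensions
    [string[]]$Attributes = @("exampleBiometricBlob", "exampleSmartCardRef"),
    # LocalSystem reaches the domain as the computer account; USERDOMAIN is assumed
    # to be the NetBIOS domain of the account running this script
    [string]$Principal = "$env:USERDOMAIN\$env:COMPUTERNAME`$",
    [switch]$Grant
)

# Resolve each attribute's schemaIDGUID; that GUID is the ObjectType of an attribute-scoped ACE
$schemaNC  = ([ADSI]"LDAP://RootDSE").schemaNamingContext
$schemaDE  = [ADSI]"LDAP://$schemaNC"
$attrGuids = @{}
foreach ($name in $Attributes) {
    $filter   = "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schemaDE, $filter)
    $hit      = $searcher.FindOne()
    if (-not $hit) { throw "Attribute '$name' not found in the schema" }
    $bytes = [byte[]]$hit.Properties["schemaidguid"][0]
    $attrGuids[$name] = New-Object System.Guid -ArgumentList @(,$bytes)
}

$user  = [ADSI]"LDAP://$UserDN"
$acl   = $user.ObjectSecurity
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allProps  = [System.Guid]::Empty   # empty ObjectType = ACE covers every property

foreach ($name in $Attributes) {
    $g = $attrGuids[$name]
    # Allow ACEs carrying the WriteProperty bit (GenericAll includes it) that are either
    # scoped to this attribute or unscoped (apply to all properties)
    $writers = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq $g -or $_.ObjectType -eq $allProps)
    }
    Write-Host "Principals allowed to write $name on ${UserDN}:"
    $writers | ForEach-Object {
        Write-Host ("  {0,-40} {1}" -f $_.IdentityReference.Value, $_.ActiveDirectoryRights)
    }
    if ($writers | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }) {
        Write-Warning "Everyone can write $name; replace that with a scoped grant"
    }
    if (-not ($writers | Where-Object { $_.IdentityReference.Value -ieq $Principal })) {
        Write-Host "  $Principal has no write access to $name (this is what SetInfo would hit)"
    }
}

if ($Grant) {
    $id    = New-Object System.Security.Principal.NTAccount($Principal)
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($name in $Attributes) {
        # WriteProperty limited to one attribute GUID: the least-privilege alternative to Full Control
        $ctorArgs = @($id, $writeProp, $allow, $attrGuids[$name])
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
        $acl.AddAccessRule($rule) | Out-Null
    }
    $user.ObjectSecurity = $acl
    $user.CommitChanges()
    Write-Host "Granted $Principal WriteProperty on $($Attributes -join ', ') for $UserDN"
}
```

Run it without `-Grant` first to see the effective writers; the absence of the computer account in that list, alongside a SYSTEM entry that the domain never matches, is the condition the thread describes. In a deployment with many workstations, pass `-Principal` as a group containing the workstation accounts rather than one machine, and audit the Everyone ACE out once the scoped grant is in place.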