Re: Disable account in Active Directory from .NET using DirectoryE

From: Nathan Smith (NathanSmith_at_discussions.microsoft.com)
Date: 01/14/05 

Date: Fri, 14 Jan 2005 13:03:04 -0800

What if I'm able to supply the username and password to the DirectoryEntry by
retrieving those values for a web.config file? would that work?

"Joe Kaplan (MVP - ADSI)" wrote:

> And I assume you are not supplying credentials to your DirectoryEntry
> objects? In that case, it boils down to 2 things:
> - Leave anonymous checked, enable impersonation in web.config and change
> the anonymous account in IIS to an appropriately privileged domain account,
> or
> - Change the Application Pool identity for the AppPool for this application
> in IIS to an appropriately privileged domain account and ensure that
> impersonation is disabled in web.config
>
> Either will work.
>
> BTW, a helpful technique in for figuring out the identity of the current
> thread is to call
> System.Security.Principal.WindowsIdentity.GetCurrent().Name. That will tell
> you the account that S.DS will use to access AD (unless you supplied
> specific credentials to the DirectoryEntry as otherwise noted above).
>
> Cheers,
>
> Joe K.
> "Nathan Smith" <NathanSmith@discussions.microsoft.com> wrote in message
> news:96DA45DF-7904-4221-BE3A-CF94A0D42B69@microsoft.com...
> >I am using windows 2003. In IIS I am allowing anonymous access using the
> > IUSR_Test2 user.
> >
> > "Joe Kaplan (MVP - ADSI)" wrote:
> >
> >> There are two basic approaches:
> >>
> >> - You can put in the userid and password in the DirectoryEntry object
> >> itself, or
> >> - You can change the security context of the current thread to be the
> >> account you want. Note that this is the default behavior if you don't
> >> supply credentials, so this probably what you are getting now.
> >>
> >> The first is easiest, but may not be practical depending on your
> >> specifics.
> >> The second approach may be the way you want to go, but there are a lot of
> >> options and a lot of potentially icky details.
> >>
> >> I'd start by reading this:
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
> >>
> >> Essentially, there are two possible accounts in question, the process
> >> account or the impersonated account on the thread which may be different
> >> than the process account. The way you go about changing them depends on
> >> which version of Windows server you are using and your security settings
> >> in
> >> IIS and ASP.NET. Can you give more details?
> >>
> >> Joe K.
> >>
> >> "Nathan Smith" <NathanSmith@discussions.microsoft.com> wrote in message
> >> news:BABB311B-E541-4DEC-B0D6-31B35D3F9EB7@microsoft.com...
> >> > How do I change the account I'm making the change with?
> >> >
> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >
> >> >> Disabling a user is basically just flipping the correct bit in the
> >> >> userAccountControl attribute in AD. However, I can't make any sense
> >> >> of
> >> >> what
> >> >> your actual problem is here except that you are not using an account
> >> >> with
> >> >> sufficient privileges to make this change.
> >> >>
> >> >> Can you provide some more details and show some code?
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Joe K.
> >> >>
> >> >> "Nathan Smith" <Nathan Smith@discussions.microsoft.com> wrote in
> >> >> message
> >> >> news:52A47557-5584-457A-A110-92195237CE9E@microsoft.com...
> >> >> > When I try to disable a user account thru forms authentication, I am
> >> >> > getting
> >> >> > an System.UnauthorizedAccessException: General access denied error.
> >> >> > If
> >> >> > I
> >> >> > impersonate user it will prompt me to login and if I put in an
> >> >> > administrator
> >> >> > password it will work but obviously that won't work for the public.
> >> >> > I
> >> >> > would
> >> >> > like to keep impersonate user set to false and no windows login
> >> >> > screen
> >> >> > to
> >> >> > come up. Any ideas? Is there a way to change the user it's using to
> >> >> > disable
> >> >> > the account within .NET?
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>

Quantcast