General access denied error adding user to group when impersonating

Elad Volpin

Hi,

I'm successfully impersonating an administrative user (using
KB306158). I know it is successful because after the impersonation,
the WindowsIdentity.GetCurrent().Name returns the admin credentials
(before the impersonation it returns the logged-in user's
credentials).

I'm also testing the user's role (using IsInRole()) and receive True
for Administrator.

However, when attempting to add a user to the group, I receive a
'UnauthorizedAccessException: General access denied error'.

Assuming that I copy-pasted the code from KB306158, so that I have the
impersonateValidUser() function:

// Requires: using System.Security.Principal; using System.DirectoryServices;

// Returns the current non-privileged user
this.Response.Write("<BR>before: " + WindowsIdentity.GetCurrent().Name);

if (impersonateValidUser(admin, domain, password))
{
    // Returns the actual admin account
    this.Response.Write("<BR>after: " + WindowsIdentity.GetCurrent().Name);

    WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());

    // Returns True
    this.Response.Write("<BR>in role: " +
        Convert.ToString(principal.IsInRole(WindowsBuiltInRole.Administrator)));

    // ... (code which retrieves existing group and existing user LDAP path)

    // Fails with 'UnauthorizedAccessException: General access denied error'
    grp.Properties["member"].Add(userPath);
    grp.CommitChanges();
}

Thanks in advance,
Elad.
 
Elad Volpin

The problem was solved by addressing the AD with the administrator
credentials instead of using the (default) account's credentials. A
very simple solution.

However, I'd still like to know what was the problem with the
impersonation in the first place - if anyone has any idea, please post
it here.

Thanks,
Elad.
 
Elad Volpin

Microsoft says that it doesn't work because AD is not thread safe,
thus the impersonation may apply to a specific thread while the AD
runs using other threads.

Since the AD is not thread safe, they highly recommended putting
modifications and deletions in critical sections (lock in dotnet).

Hope this information helps others,
Elad.
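
The fix described in the two follow-up posts above (binding to AD with explicit administrator credentials, and serializing modifications with a lock), shown as an added example that is not the poster's code. The class, method and lock names are hypothetical, and the caller is assumed to supply the LDAP paths and the administrator credentials.

```csharp
using System;
using System.DirectoryServices;

public static class GroupMembership
{
    // Hypothetical process-wide lock so directory writes never run concurrently.
    private static readonly object AdWriteLock = new object();

    // groupPath and userPath are LDAP paths supplied by the caller (assumption).
    public static void AddUserToGroup(string groupPath, string userPath,
                                      string adminUser, string adminPassword)
    {
        // Secure negotiates Kerberos/NTLM instead of a simple bind;
        // Signing and Sealing protect the integrity and confidentiality of the traffic.
        const AuthenticationTypes auth = AuthenticationTypes.Secure
                                       | AuthenticationTypes.Signing
                                       | AuthenticationTypes.Sealing;

        lock (AdWriteLock)
        {
            // The bind uses the credentials passed here, so it does not depend on
            // which identity the calling thread happens to be impersonating.
            using (DirectoryEntry user = new DirectoryEntry(userPath, adminUser, adminPassword, auth))
            using (DirectoryEntry grp = new DirectoryEntry(groupPath, adminUser, adminPassword, auth))
            {
                // The "member" attribute stores distinguished names.
                string userDn = (string)user.Properties["distinguishedName"].Value;

                // Skip the write when the user is already listed as a member.
                if (!grp.Properties["member"].Contains(userDn))
                {
                    grp.Properties["member"].Add(userDn);
                    grp.CommitChanges();
                }
            }
        }
    }
}
```

The administrator password should come from protected configuration or a secrets store rather than source code, and the account used only needs the right to modify the target group's membership, not full administrator rights.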
 
