user creation and adding user to a group using WMI

johnpremi

Hi there,
I have a web app that adds a user to a w2k3 server and adds it to the
administrator group. The code snippet is something like this:
    // Requires: using System; using System.DirectoryServices;
    try
    {
        // Bind to the target machine through the WinNT provider with explicit credentials
        DirectoryEntry AD = new DirectoryEntry("WinNT://" + in0.IPAddress + ",computer",
            in1.userName, decryptData(in1.password), AuthenticationTypes.Secure);

        // Create super user
        DirectoryEntry NewUser = AD.Children.Add(in2.userName, "user");
        NewUser.Invoke("SetPassword", new object[] { decryptData(in2.password) });
        NewUser.Invoke("Put", new object[] { "Description", "Maya account creation" });
        NewUser.CommitChanges();

        // Add the new account to the local Administrators group
        DirectoryEntry grp;
        grp = AD.Children.Find("Administrators", "group");
        // if (grp.Name != null) {grp.Invoke("Add", new Object[] {NewUser.Path.ToString()});}
        if (grp.Name != null)
            grp.Invoke("Add", new Object[] { NewUser.Path.ToString() });
    }
    catch (Exception e)
    {
        // Note: e is discarded here, so the underlying error is not reported
        throw onException("SFatalInternalException", "http://mrdp.m.hp.com",
            "Super user account creation failed !!!");
    }

Here the user creation is done, but when it tries to add the user to the
administrative group it fails. This happens only in the web app. If I try the
same as a console application it is successful. I am not sure if I am missing
anything if I run this as a web service.
Any help in this regard will be helpful.
Thanks
John
 
Nicholas Paldino [.NET/C# MVP]

John,

If it works in a console application and not in a web app, it means that
you are running with rights that ASPNET (the default local user account
that ASP.NET runs under) does not have.

You should impersonate a user that has the appropriate rights for the
web app. I suggest for something like this, that you only do it for the
pages which will actually add the user, as having the whole site run with
elevated permissions is a bad idea.
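
An added example, not part of the original thread, of the scoped impersonation suggested above: only the delegate passed in runs under the privileged identity, and the worker identity is restored afterwards. The `ScopedImpersonation` class and `RunAs` method are hypothetical names; the code assumes .NET Framework 3.5 or later on Windows and credentials supplied by the caller.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (not from the thread): impersonate only around one action.
static class ScopedImpersonation
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public static void RunAs(string domain, string user, string password, Action action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Identity the request runs under before the switch (the ASP.NET process account)
            string before = WindowsIdentity.GetCurrent().Name;
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                // Record both identities so a failure can be tied to the account in use
                Trace.WriteLine("Impersonating " + WindowsIdentity.GetCurrent().Name +
                                " (was " + before + ")");
                action();   // only this call runs with the elevated identity
            }   // Dispose() reverts to the worker identity, even if action() throws
        }
        finally
        {
            CloseHandle(token);   // release the logon token in every case
        }
    }
}
```

Pass only the privileged step (for example the group membership change) as the action, so the rest of the request keeps running under the low-privilege account.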
 
Willy Denoyette [MVP]

If it succeeds from a console program it should work from a web application
too. What's the exact exception being thrown?
Are you sure that both userName and password are the same in both scenarios,
*and* that this user is a member of the administrators group?

    ...
    DirectoryEntry AD = new DirectoryEntry("WinNT://" + in0.IPAddress + ",computer",
        in1.userName, decryptData(in1.password), AuthenticationTypes.Secure);
    ...

Please note also that this is not using WMI; System.DirectoryServices is
wrapping ADSI.

Willy.
 
