  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3389
  • Last Modified:

ADSI - General access denied error

Trying to add a new user using ADSI on a webpage and I get this error:

Active Directory error '80070005'

General access denied error

on the User.SetInfo line

Here is my code:

Dim Container, ContainerName, User, NewUser
ContainerName = "Domain_Name"
NewUser = "TestUser"

Set Container = GetObject("WinNT://" & ContainerName)
Set User = Container.Create("User", NewUser)
User.SetInfo

Any ideas as to why I get denied?
0
fredmastro
Asked:
fredmastro
1 Solution
 
MCMCommented:
I don't know much about ADSI, but you probably need permissions to add a user. When a user is accessing ASP anonymously, ASP is impersonating the IUSR_<COMPUTERNAME> account, and has the permissions assigned to that account. If you want an anonymous user to be able to create an account, you'll have to let IUSR do that.
0
 
fredmastroAuthor Commented:
I'm using Windows Authentication and I set NTFS rights on the folders, so I'm logging in as the Domain Admin.
0
 
MCMCommented:
Well, I'm stumped. Try running the script under WSH. If it works as a Windows script, then you can be pretty sure it's a permissions problem. Have you made sure to _disable_ anonymous access as well as specifying NT authentication?
0
 
raizonCommented:
ContainerName = your Domain correct?

Windows Authentication = Integrated Windows Authentication correct?

your code is correct so somehow you are not passing your authentication to the domain controller properly.
0
 
fredmastroAuthor Commented:
How do I verify my authentication? I'm not doing any authentication in my code, am I supposed to be?

I'm logging in as the domain administrator,
I use the same domain name for viewing the users and that works.

I have a book on ADSI but it doesn't say anything about rights.
0
 
MCMCommented:
in the IIS properties panel for your site, you should have anonymous access denied, and require integrated windows authentication. otherwise, IIS is operating as IUSR_[computername], an NT account that probably does not have rights to create a user. authentication in code sounds to me like you are checking a user name and pwd against NT user accounts, but that doesn't mean that the process you are running in has the rights of the person signed in.
0
 
raizonCommented:
do a Response.Write Request.ServerVariables("AUTH_USER")

You need to have your Directory Security under IIS set to Integrated Windows Authentication. You can't just log in to the domain as domain administrator.
0
 
fredmastroAuthor Commented:
OK, I had anonymous access denied and I'm logging in with Administrator full control. Is there some special user right I need to give the account to run the SetInfo line? If I'm not running the process as the person I logged in as, then what do I do? I'll check user rights, such as log in as service and stuff.
0
 
fredmastroAuthor Commented:
I'm on an NT network right now, make a difference? Not 2000.
0
 
fredmastroAuthor Commented:
sorry raizon didn't see your message until now, let me check.
0
 
fredmastroAuthor Commented:
I have IIS set to use Windows NT/Challenge Response only.

When I Response.Write Request.ServerVariables("AUTH_USER")
I get the domain and user account:
Tampa\Administrator
0
 
raizonCommented:
okay so you are passing the correct Authentication through.


I don't think that your OS makes a difference.

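Let's try this.  See if you can generate a list of users.

<%

Dim Container, ContainerName
Dim member

' Same domain name as in the question's code
ContainerName = "Domain_Name"

Set Container = GetObject("WinNT://" & ContainerName)

' Restrict the enumeration to user objects
Container.Filter = Array("user")
For Each member In Container
    Response.Write member.Name & "<br>"
Next

%>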
0
 
fredmastroAuthor Commented:
Ok this works fine:
<%
Dim Container
Dim member

Set Container = GetObject("WinNT://TAMPA")

Container.Filter = Array("user")
For Each member In Container
   Response.Write member.Name & "<br>"
Next
%>
0
 
raizonCommented:
our problem exists with passing the authentication through to the Active Directory then.

I'm going to do some more research and see what I can find.
0
 
fredmastroAuthor Commented:
ok I'll raise the points up for the answer.
0
 
thunderchickenCommented:
This is definitely a permissions issue.  To add a user you must be an Admin, I don't think Domain Admin works.  The code is fine.

You might try using just Basic Authentication for that page and log on as Administrator of the Domain, not the computer itself.

Is Tampa the name of the network you are on, or the Web Server?

Try changing in IIS to the domain to the users you wish to edit.
0
 
fredmastroAuthor Commented:
Tried logging in as local admin already, the web server is in the same domain as Tampa, the PDC.

going to try basic authentication.
0
 
Michel SakrCommented:
Hmm.. If the Windows 2000 is a member of the domain then all domain admins are privileged as local admins too.. now if the Windows 2000 server is a standalone server not part of the domain then you'll get such an error.. you'll need to set a trust relationship from both domains then..

also
check if you already have such a user..
try to set the password also..
Creating a user:

' Set up property values for the new user
sUsername =    "adsitester"
sFullName =    "ADSI Test Account"
sDescription = "A user account for testing ADSI"
sPassword =    "passworD2"

Set myComputer = GetObject("WinNT://servername")

' Create the new user account
Set newUser = myComputer.Create("user", sUsername)

' Set properties in the new user account
newUser.SetPassword sPassword
newUser.FullName = sFullName
newUser.Description = sDescription

newUser.SetInfo
0
 
fredmastroAuthor Commented:
Well I found something in a book about logging into the ADSI, using some

OpenDSObject(bstrDN, nstrUserAccount, bstrPassword, bstrAccessType)

I'm still working on trying to get this to work though.

0
 
fredmastroAuthor Commented:
Ahh this is frustrating.

Ok if I use this code...

SET AuthUser = GetObject("WinNT:")
Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA/TAMPA_NT2", "Administrator", "jarjar", 0)


and then try to list the computers.operatingsystem
I get this error:

A specified logon session does not exist. It may already have been terminated.

That seems closer.
0
 
webwomanCommented:
If you're trying to do this through a web page, wouldn't that come up as the IUSR account? Or are you getting around that somehow?
0
 
raizonCommented:
webwoman,

No.  It's using NT Challenge/Response or Basic Authentication which you have to use in ADSI.

fredmastro,

>>Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA/TAMPA_NT2", "Administrator", "jarjar", 0)

is TAMPA_NT2 the PDC? if so then change it to WinNT://TAMPA_NT2
0
 
fredmastroAuthor Commented:
Here's the error I get still:

Computer Name Description OS & Ver. Owner
error '80070520'
A specified logon session does not exist. It may already have been terminated.

testcomp.asp, line 28
 

I know it's not adding a user but it's still rights related.  Line 28 is the SET Domain line.



Ok here's my code:
--------------------------

<%@ Language=VBScript %>
<% Option Explicit %>
<% Response.Buffer = TRUE %>
<HTML>
<HEAD>
<TITLE>Domains</TITLE>
<%
Dim Computer, Domain

DIM AuthUser

SET AuthUser = GetObject("WinNT:")

Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA_NT2", "Administrator", "jarjar", 0)
Domain.Filter = Array("Computer")

%>
</HEAD>
<BODY>
<table border="1" cellspacing="1" style="font-family: Tahoma; font-size: 8pt">
<tr>
<td>Computer Name</TD>
<td>Description</td>
<td>OS & Ver.</td>
<td>Owner</td>
</tr>

<%
For Each Computer in Domain
%>
<tr>
<td><%=Computer.Name%></td>
<td><%=Computer.Description%></td>
<td><%=Computer.OperatingSystem%> <%=Computer.OperatingSystemVersion%></td>
<td><%=Computer.Owner%></td>
</tr>
<%
Next

SET Domain = NOTHING
SET AuthUser = NOTHING
%>
</table>
</BODY>
</HTML>


---------------------
0
 
bruintjeCommented:
maybe this has something to do with it, looking at that error message you posted above?
http://www.wsd2d.com/wsD2D/Tips/ADSI/{1171D1DA-BC62-4ED7-B4C7-454C21E3FE2D}.eml
0
 
fredmastroAuthor Commented:
Well I looked but my domain is Tampa, that's only 5 letters.

Points have been raised.
0
 
bruintjeCommented:
sorry, could've seen that myself, this thread had some likewise topic

http://groups.yahoo.com/group/dev-adsi/message/8

can this be a link to your problem?, a file that's been used in the code(could be a simple function call) but doesn't have the correct permissions, it's been some time i did (D)COM but i remember the trouble of getting things running when you had to use components with insufficient rights on the other part of the bridge...

HTH:O)Bruintje
0
 
webwomanCommented:
Is there any reason why you can't use terminal services client? I know for sure if you log in as admin you'll be able to do just about anything remotely.
0
 
fredmastroAuthor Commented:
OK, this did work. I was stupid: instead of using Administrator as the user name, I had to use Tampa/Administrator

SET AuthUser = GetObject(TypeDomain & ":")
Set User = AuthUser.OpenDSObject(TypeDomain & "://" & SelectedDomain & "/" & UserName & ",user", Session("LogonName"), Session("Password"), 0)
0
 
fredmastroAuthor Commented:
Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA", "Tampa\Administrator", "pass", 0)

I accept raizon because he tried to help me the most.  This is what worked.

Read the comment before this one.
0
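Added example, not part of the thread: a WSH script (the test MCM suggested) that repeats the bind that finally worked, prompts for credentials at run time instead of hard-coding them or keeping them in Session, and decodes the two error codes the thread ran into. The file name `adduser.vbs`, the prompts, the helper functions and the `ADS_SECURE_AUTHENTICATION` flag are assumptions of this example; the thread's working call passed 0 as the last argument.

```vbscript
' Added example, not from the thread. Run with: cscript //nologo adduser.vbs
Option Explicit

Const DOMAIN_NAME = "TAMPA"              ' domain named in the thread
Const NEW_USER = "TestUser"              ' account name from the question
Const ADS_SECURE_AUTHENTICATION = 1      ' WinNT provider then authenticates with NTLM
Const E_ACCESSDENIED = &H80070005        ' "General access denied error"
Const E_NO_LOGON_SESSION = &H80070520    ' "A specified logon session does not exist"

' Return DOMAIN\account unless a domain part is already present.
Function QualifiedName(domainName, accountName)
    If InStr(accountName, "\") > 0 Then
        QualifiedName = accountName
    Else
        QualifiedName = domainName & "\" & accountName
    End If
End Function

' Map the two error codes seen in the thread to a short hint.
Function Explain(errNumber)
    Select Case errNumber
        Case E_ACCESSDENIED
            Explain = "access denied: the bound account was refused the operation"
        Case E_NO_LOGON_SESSION
            Explain = "no logon session: check that the user name is DOMAIN\account"
        Case Else
            Explain = "unexpected error 0x" & Hex(errNumber)
    End Select
End Function

Dim bindUser, bindPass, newPass, provider, container, user
WScript.StdOut.Write "Bind account: "
bindUser = QualifiedName(DOMAIN_NAME, WScript.StdIn.ReadLine)
WScript.StdOut.Write "Bind password (echoed): "
bindPass = WScript.StdIn.ReadLine
WScript.StdOut.Write "Initial password for " & NEW_USER & " (echoed): "
newPass = WScript.StdIn.ReadLine

On Error Resume Next
Set provider = GetObject("WinNT:")
Set container = provider.OpenDSObject("WinNT://" & DOMAIN_NAME, bindUser, bindPass, ADS_SECURE_AUTHENTICATION)
If Err.Number = 0 Then Set user = container.Create("user", NEW_USER)
If Err.Number = 0 Then user.SetPassword newPass
If Err.Number = 0 Then user.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Failed as " & bindUser & ": " & Explain(Err.Number)
    WScript.Quit 1
End If
WScript.Echo "Created " & NEW_USER & " in " & DOMAIN_NAME & " as " & bindUser
```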
