Solved

ADSI - General access denied error

Posted on 2001-08-29
Last Modified: 2008-03-10
Trying to add a new user using ADSI on a webpage and I get this error:

Active Directory error '80070005'

General access denied error

on the User.SetInfo line

Here is my code:

Dim Container, ContainerName, User, NewUser
ContainerName = "Domain_Name"
NewUser = "TestUser"

Set Container = GetObject("WinNT://" & ContainerName)
Set User = Container.Create("User", NewUser)
User.SetInfo

Any ideas as to why I get denied?
0
Question by:fredmastro
29 Comments
 
LVL 2

Expert Comment

by:MCM
ID: 6436700
i don't know much about ADSI, but you probably need permissions to add a user. when a user is accessing ASP anonymously, ASP is impersonating the IUSR_<COMPUTERNAME> account, and has the permissions assigned that account. if you want an anonymous user to be able to create an account, you'll have to let IUSR do that.
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6436710
I'm using Windows Authentication and I set NTFS rights on the folders, so I'm logging in as the Domain Admin.
0
 
LVL 2

Expert Comment

by:MCM
ID: 6436723
well, I'm stumped. try running the script under WSH. if it works as windows script, then you can be pretty sure it's a permissions problem. have you made sure to _disable_ anonymous access as well as specifying NT authentication?
0
 
LVL 5

Expert Comment

by:raizon
ID: 6436918
ContainerName = your Domain correct?

Windows Authentication = Integrated Windows Authentication correct?

your code is correct so somehow you are not passing your authentication to the domain controller properly.
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6436945
How do I verify my authentication? I'm not doing any authentication in my code, am I supposed to be?

I'm logging in as the domain administrator,
I use the same domain name for viewing the users and that works.

I have a book on ADSI but it doesn't say anything about rights.
0
 
LVL 2

Expert Comment

by:MCM
ID: 6436975
in the IIS properties panel for your site, you should have anonymous access denied, and require integrated windows authentication. otherwise, IIS is operating as IUSR_[computername], an NT account that probably does not have rights to create a user. authentication in code sounds to me like you are checking a user name and pwd against NT user accounts, but that doesn't mean that the process you are running in has the rights of the person signed in.
0
 
LVL 5

Expert Comment

by:raizon
ID: 6436983
do a Response.Write Request.ServerVariables("AUTH_USER")

You need to have in your Directory Security under IIS set to Integrated Windows Authentication.  You can't just login into the domain as domain administrator.
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6436984
ok I had anonymous access denied and I'm logging in with Administrator full control is there some special user right I need to give the account to run the setinfo line?  If I'm not running the process as the person I logged in as, then what do I do?  I'll check user rights, such as log in as service and stuff.
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6437045
I'm on an NT network right now, make a difference? Not 2000.
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6437092
sorry raizon didn't see your message until now, let me check.
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6437103
I have IIS set to use Windows NT/Challenge Response only.

When I Response.Write Request.ServerVariables("AUTH_USER")
I get the domain and user account:
Tampa\Administrator
0
 
LVL 5

Expert Comment

by:raizon
ID: 6437168
okay so you are passing the correct Authentication through.


I don't think that your OS makes a difference.

Lets try this.  See if you can generate a list of users.

<%

Dim Container
Dim member

Set Container = GetObject("WinNT://" & ContainerName)

Container.Filter = Array("user")
For Each member In Container
    Response.Write member.Name & "<br>"
Next

%>
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6437192
Ok this works fine:
<%
Dim Container
Dim member

Set Container = GetObject("WinNT://TAMPA")

Container.Filter = Array("user")
For Each member In Container
   Response.Write member.Name & "<br>"
Next
%>
0
 
LVL 5

Expert Comment

by:raizon
ID: 6437559
our problem exists with passing the authentication through to the Active Directory then.

I'm going to do some more research and see what I can find.
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6437644
ok I'll raise the points up for the answer.
0
 
LVL 11

Expert Comment

by:thunderchicken
ID: 6437678
This is definitely a permissions issue.  To add a user you must be an Admin, I don't think Domain Admin works.  The code is fine.

You might try using just Basic Authentication for that page and log on as Administrator of the Domain, not the computer itself.

Is Tampa the name of the network you are on, or the Web Server?

Try changing in IIS to the domain to the users you wish to edit.
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6437871
Tried logging in as local admin already, the web server is in the same domain as Tampa, the PDC.

going to try basic authentication.
0
 
LVL 20

Expert Comment

by:Michel Sakr
ID: 6439266
Hmm.. If the windows 2000 is a member of the domain then all domain admins are privileged as local admins too.. now if the windows 2000 server is a standalone server not part of the domain then you'll get such error.. you'll need to set trust relationship from both domains then..

also
check if you already have such a user..
try to set the password also..
Creating a user:

' Set up property values for the new user
sUsername =    "adsitester"
sFullName =    "ADSI Test Account"
sDescription = "A user account for testing ADSI"
sPassword =    "passworD2"

Set myComputer = GetObject("WinNT://servername")

' Create the new user account
Set newUser = myComputer.Create("user", sUsername)

' Set properties in the new user account
newUser.SetPassword sPassword
newUser.FullName = sFullName
newUser.Description = sDescription

newUser.SetInfo
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6440858
Well I found something in a book about logging into the ADSI, using some

OpenDSObject(bstrDN, nstrUserAccount, bstrPassword, bstrAccessType)

I'm still working on trying to get this to work though.

0
 
LVL 2

Author Comment

by:fredmastro
ID: 6446061
Ahh this is frustrating.

Ok if I use this code...

SET AuthUser = GetObject("WinNT:")
Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA/TAMPA_NT2", "Administrator", "jarjar", 0)


and then try to list the computers.operatingsystem
I get this error:

A specified logon session does not exist. It may already have been terminated.

That seems closer.
0
 
LVL 19

Expert Comment

by:webwoman
ID: 6446171
If you're trying to do this through a web page, wouldn't that come up as the IUSR account? Or are you getting around that somehow?
0
 
LVL 5

Accepted Solution

by:
raizon earned 1000 total points
ID: 6446199
webwoman,

no.  It's using NT Challenge/Response or Basic Authentication which you have to use in ADSI.

fredmastro,

>>Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA/TAMPA_NT2", "Administrator", "jarjar", 0)

is TAMPA_NT2 the PDC? if so then change it to WinNT://TAMPA_NT2
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6446321
Here's the error I get still:

Computer Name Description OS & Ver. Owner
error '80070520'
A specified logon session does not exist. It may already have been terminated.

testcomp.asp, line 28
 

I know it's not adding a user but it's still rights related.  Line 28 is the SET Domain line.



Ok here's my code:
--------------------------

<%@ Language=VBScript %>
<% Option Explicit %>
<% Response.Buffer = TRUE %>
<HTML>
<HEAD>
<TITLE>Domains</TITLE>
<%
Dim Computer, Domain

DIM AuthUser

SET AuthUser = GetObject("WinNT:")

Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA_NT2", "Administrator", "jarjar", 0)
Domain.Filter = Array("Computer")

%>
</HEAD>
<BODY>
<table border="1" cellspacing="1" style="font-family: Tahoma; font-size: 8pt">
<tr>
<td>Computer Name</TD>
<td>Description</td>
<td>OS & Ver.</td>
<td>Owner</td>
</tr>

<%
For Each Computer in Domain
%>
<tr>
<td><%=Computer.Name%></td>
<td><%=Computer.Description%></td>
<td><%=Computer.OperatingSystem%> <%=Computer.OperatingSystemVersion%></td>
<td><%=Computer.Owner%></td>
</tr>
<%
Next

SET Domain = NOTHING
SET AuthUser = NOTHING
%>
</table>
</BODY>
</HTML>


---------------------
0
 
LVL 44

Expert Comment

by:bruintje
ID: 6447218
maybe this has something to do with it, looking at that error message you posted above?
http://www.wsd2d.com/wsD2D/Tips/ADSI/{1171D1DA-BC62-4ED7-B4C7-454C21E3FE2D}.eml
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6447924
Well I looked but my domain is Tampa, that's only 5 letters.

Points have been raised.
0
 
LVL 44

Expert Comment

by:bruintje
ID: 6448261
sorry, could've seen that myself, this thread had some likewise topic

http://groups.yahoo.com/group/dev-adsi/message/8

can this be a link to your problem?, a file that's been used in the code(could be a simple function call) but doesn't have the correct permissions, it's been some time i did (D)COM but i remember the trouble of getting things running when you had to use components with insufficient rights on the other part of the bridge...

HTH:O)Bruintje
0
 
LVL 19

Expert Comment

by:webwoman
ID: 6448381
Is there any reason why you can't use terminal services client? I know for sure if you log in as admin you'll be able to do just about anything remotely.
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6708111
Ok this did work, I was stupid and instead of using Administrator as the user name I had to use Tampa/Administrator

SET AuthUser = GetObject(TypeDomain & ":")
Set User = AuthUser.OpenDSObject(TypeDomain & "://" & SelectedDomain & "/" & UserName & ",user", Session("LogonName"), Session("Password"), 0)
0
 
LVL 2

Author Comment

by:fredmastro
ID: 6708116
Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA", "Tampa\Administrator", "pass", 0)

I accept raizon because he tried to help me the most.  This is what worked.

Read the comment before this one.
0
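The resolution reported above (an OpenDSObject bind with a domain-qualified account) combined with the user-creation steps from Michel Sakr's post, as an added example that is not part of the original thread. The form field names are hypothetical, ADS_SECURE_AUTHENTICATION (1) is used where the thread passed 0, and the two error codes handled are the ones quoted in the thread.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' Added example, not code from the thread. TAMPA is the thread's domain;
' the form field names below are hypothetical.
Const ADS_SECURE_AUTHENTICATION = 1      ' the thread passed 0 here
Const ERR_ACCESS_DENIED    = &H80070005  ' "General access denied error"
Const ERR_NO_LOGON_SESSION = &H80070520  ' "A specified logon session does not exist"

' Returns "" on success, otherwise a message describing the failure.
Function CreateDomainUser(ByVal domainName, ByVal adminAccount, ByVal adminPassword, _
                          ByVal newUserName, ByVal newPassword)
    Dim provider, container, newUser

    ' The asker's bind only succeeded once the account was written DOMAIN\user.
    If InStr(adminAccount, "\") = 0 Then adminAccount = domainName & "\" & adminAccount

    On Error Resume Next
    Set provider = GetObject("WinNT:")
    ' Bind with explicit credentials instead of relying on the IIS-impersonated identity.
    If Err.Number = 0 Then
        Set container = provider.OpenDSObject("WinNT://" & domainName, _
                            adminAccount, adminPassword, ADS_SECURE_AUTHENTICATION)
    End If
    ' Stop at the first failing step so Err still describes that step.
    If Err.Number = 0 Then Set newUser = container.Create("user", newUserName)
    If Err.Number = 0 Then newUser.SetPassword newPassword
    If Err.Number = 0 Then newUser.SetInfo

    Select Case Err.Number
        Case 0
            CreateDomainUser = ""
        Case ERR_ACCESS_DENIED
            CreateDomainUser = "Access denied: " & adminAccount & " cannot create users in " & domainName
        Case ERR_NO_LOGON_SESSION
            CreateDomainUser = "Logon session error: check the DOMAIN\user name and password"
        Case Else
            CreateDomainUser = "ADSI error " & Hex(Err.Number) & ": " & Err.Description
    End Select
    On Error GoTo 0
End Function

Dim result
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    result = CreateDomainUser("TAMPA", Request.Form("AdminAccount") & "", _
                 Request.Form("AdminPassword") & "", _
                 Request.Form("NewUserName") & "", Request.Form("NewPassword") & "")
    If result = "" Then result = "User created."
    Response.Write Server.HTMLEncode(result)
End If
%>
```

Because the page receives an administrator password in a form post, serve it over HTTPS and avoid keeping the password in session state or in the script source.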

Question has a verified solution.