ADSI - General access denied error

Posted on 2001-08-29
Last Modified: 2008-03-10
Trying to add a new user using ADSI on a webpage and I get this error:

Active Directory error '80070005'

General access denied error

on the User.SetInfo line

Here is my code:

Dim Container, ContainerName, User, NewUser
ContainerName = "Domain_Name"
NewUser = "TestUser"

Set Container = GetObject("WinNT://" & ContainerName)
Set User = Container.Create("User", NewUser)
User.SetInfo

Any ideas as to why I get denied?
Question by:fredmastro

29 Comments

Expert Comment by:MCM (LVL 2)
I don't know much about ADSI, but you probably need permissions to add a user. When a user is accessing ASP anonymously, ASP is impersonating the IUSR_<COMPUTERNAME> account, and has the permissions assigned to that account. If you want an anonymous user to be able to create an account, you'll have to let IUSR do that.

Author Comment by:fredmastro (LVL 2)
I'm using Windows Authentication and I set NTFS rights on the folders, so I'm logging in as the Domain Admin.

Expert Comment by:MCM (LVL 2)
Well, I'm stumped. Try running the script under WSH. If it works as a Windows script, then you can be pretty sure it's a permissions problem. Have you made sure to _disable_ anonymous access as well as specifying NT authentication?

Expert Comment by:raizon (LVL 5)
ContainerName = your Domain correct?

Windows Authentication = Integrated Windows Authentication correct?

your code is correct so somehow you are not passing your authentication to the domain controller properly.

Author Comment by:fredmastro (LVL 2)
How do I verify my authentication? I'm not doing any authentication in my code, am I supposed to be?

I'm logging in as the domain administrator,
I use the same domain name for viewing the users and that works.

I have a book on ADSI but it doesn't say anything about rights.

Expert Comment by:MCM (LVL 2)
in the IIS properties panel for your site, you should have anonymous access denied, and require integrated windows authentication. otherwise, IIS is operating as IUSR_[computername], an NT account that probably does not have rights to create a user. authentication in code sounds to me like you are checking a user name and pwd against NT user accounts, but that doesn't mean that the process you are running in has the rights of the person signed in.

Expert Comment by:raizon (LVL 5)
do a Response.Write Request.ServerVariables("AUTH_USER")

You need to have Directory Security under IIS set to Integrated Windows Authentication. You can't just log in to the domain as domain administrator.

Author Comment by:fredmastro (LVL 2)
Ok, I had anonymous access denied and I'm logging in with Administrator full control. Is there some special user right I need to give the account to run the SetInfo line? If I'm not running the process as the person I logged in as, then what do I do? I'll check user rights, such as log on as a service and stuff.

Author Comment by:fredmastro (LVL 2)
I'm on an NT network right now, make a difference? Not 2000.

Author Comment by:fredmastro (LVL 2)
sorry raizon didn't see your message until now, let me check.

Author Comment by:fredmastro (LVL 2)
I have IIS set to use Windows NT/Challenge Response only.

When I Response.Write Request.ServerVariables("AUTH_USER")
I get the domain and user account:
Tampa\Administrator

Expert Comment by:raizon (LVL 5)
okay so you are passing the correct Authentication through.


I don't think that your OS makes a difference.

Lets try this.  See if you can generate a list of users.

<%
Dim Container, ContainerName
Dim member

ContainerName = "Domain_Name"   ' the domain name, as in the question's code

Set Container = GetObject("WinNT://" & ContainerName)

' Restrict enumeration to user objects and list their names
Container.Filter = Array("user")
For Each member In Container
    Response.Write member.Name & "<br>"
Next
%>

Author Comment by:fredmastro (LVL 2)
Ok this works fine:
<%
Dim Container
Dim member

Set Container = GetObject("WinNT://TAMPA")

Container.Filter = Array("user")
For Each member In Container
   Response.Write member.Name & "<br>"
Next
%>

Expert Comment by:raizon (LVL 5)
Our problem exists with passing the authentication through to the Active Directory then.

I'm going to do some more research and see what I can find.

Author Comment by:fredmastro (LVL 2)
ok I'll raise the points up for the answer.

Expert Comment by:thunderchicken (LVL 11)
This is definitely a permissions issue. To add a user you must be an Admin, I don't think Domain Admin works. The code is fine.

You might try using just Basic Authentication for that page and log on as Administrator of the Domain, not the computer itself.

Is Tampa the name of the network you are on, or the Web Server?

Try changing in IIS to the domain to the users you wish to edit.

Author Comment by:fredmastro (LVL 2)
Tried logging in as local admin already; the web server is in the same domain as Tampa, the PDC.

going to try basic authentication.

Expert Comment by:Silvers5 (LVL 20)
Hmm.. If the Windows 2000 server is a member of the domain then all domain admins are privileged as local admins too.. now if the Windows 2000 server is a standalone server not part of the domain then you'll get such an error.. you'll need to set a trust relationship from both domains then..

also
check if you already have such a user..
try to set the password also..
Creating a user:

' Set up property values for the new user
sUsername =    "adsitester"
sFullName =    "ADSI Test Account"
sDescription = "A user account for testing ADSI"
sPassword =    "passworD2"

Set myComputer = GetObject("WinNT://servername")

' Create the new user account
Set newUser = myComputer.Create("user", sUsername)

' Set properties in the new user account
newUser.SetPassword sPassword
newUser.FullName = sFullName
newUser.Description = sDescription

newUser.SetInfo

Author Comment by:fredmastro (LVL 2)
Well I found something in a book about logging into the ADSI, using some

OpenDSObject(bstrDN, nstrUserAccount, bstrPassword, bstrAccessType)

I'm still working on trying to get this to work though.


Author Comment by:fredmastro (LVL 2)
Ahh this is frustrating.

Ok if I use this code...

SET AuthUser = GetObject("WinNT:")
Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA/TAMPA_NT2", "Administrator", "jarjar", 0)


and then try to list the computers.operatingsystem
I get this error:

A specified logon session does not exist. It may already have been terminated.

That seems closer.

Expert Comment by:webwoman (LVL 19)
If you're trying to do this through a web page, wouldn't that come up as the IUSR account? Or are you getting around that somehow?

Accepted Solution by:raizon (LVL 5), earned 250 total points
webwoman,

No. It's using NT Challenge/Response or Basic Authentication, which you have to use in ADSI.

fredmastro,

>>Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA/TAMPA_NT2", "Administrator", "jarjar", 0)

is TAMPA_NT2 the PDC? if so then change it to WinNT://TAMPA_NT2

Author Comment by:fredmastro (LVL 2)
Here's the error I get still:

Computer Name Description OS & Ver. Owner
error '80070520'
A specified logon session does not exist. It may already have been terminated.

testcomp.asp, line 28
 

I know it's not adding a user but it's still rights related.  Line 28 is the SET Domain line.



Ok here's my code:
--------------------------

<%@ Language=VBScript %>
<% Option Explicit %>
<% Response.Buffer = TRUE %>
<HTML>
<HEAD>
<TITLE>Domains</TITLE>
</HEAD>
<BODY>
<%
Dim Computer, Domain
Dim AuthUser

Set AuthUser = GetObject("WinNT:")

' Bind to the domain with explicit credentials; this is the line that raises error 80070520
Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA_NT2", "Administrator", "jarjar", 0)
' Enumerate only computer objects
Domain.Filter = Array("Computer")
%>
<table border="1" cellspacing="1" style="font-family: Tahoma; font-size: 8pt">
<tr>
<td>Computer Name</td>
<td>Description</td>
<td>OS & Ver.</td>
<td>Owner</td>
</tr>

<%
For Each Computer In Domain
%>
<tr>
<td><%=Computer.Name%></td>
<td><%=Computer.Description%></td>
<td><%=Computer.OperatingSystem%> <%=Computer.OperatingSystemVersion%></td>
<td><%=Computer.Owner%></td>
</tr>
<%
Next

Set Domain = Nothing
Set AuthUser = Nothing
%>
</BODY>
</HTML>


---------------------

Expert Comment by:bruintje (LVL 44)
maybe this has something to do with it, looking at that error message you posted above?
http://www.wsd2d.com/wsD2D/Tips/ADSI/{1171D1DA-BC62-4ED7-B4C7-454C21E3FE2D}.eml

Author Comment by:fredmastro (LVL 2)
Well I looked but my domain is Tampa, that's only 5 letters.

Points have been raised.

Expert Comment by:bruintje (LVL 44)
sorry, could've seen that myself, this thread had some likewise topic

http://groups.yahoo.com/group/dev-adsi/message/8

Can this be a link to your problem? A file that's been used in the code (could be a simple function call) but doesn't have the correct permissions. It's been some time since I did (D)COM, but I remember the trouble of getting things running when you had to use components with insufficient rights on the other part of the bridge...

HTH:O)Bruintje

Expert Comment by:webwoman (LVL 19)
Is there any reason why you can't use terminal services client? I know for sure if you log in as admin you'll be able to do just about anything remotely.

Author Comment by:fredmastro (LVL 2)
Ok, this did work. I was stupid: instead of using Administrator as the user name I had to use Tampa/Administrator

SET AuthUser = GetObject(TypeDomain & ":")
Set User = AuthUser.OpenDSObject(TypeDomain & "://" & SelectedDomain & "/" & UserName & ",user", Session("LogonName"), Session("Password"), 0)

Author Comment by:fredmastro (LVL 2)
Set Domain = AuthUser.OpenDSObject("WinNT://TAMPA", "Tampa\Administrator", "pass", 0)

I accept raizon because he tried to help me the most.  This is what worked.

Read the comment before this one.
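Putting the thread's resolution together as one routine, as an added example that is not code from the thread or from any of its posters: it binds through OpenDSObject with a domain-qualified account (the final fix), refuses to overwrite an existing account, creates the user disabled so it is never reachable with an empty password before SetPassword, and maps the two error codes seen above (80070005 and 80070520) to the causes the thread worked out. The domain name TAMPA follows the thread; the function and parameter names are assumptions, and the credentials are passed in rather than written into the page.

```vbscript
Option Explicit

' Maps the two HRESULTs seen in this thread to the causes the thread worked out.
Function DescribeAdsiError(lNumber, sDescription)
    Select Case Hex(lNumber)
        Case "80070005"
            DescribeAdsiError = "General access denied: the bound account may not create users"
        Case "80070520"
            DescribeAdsiError = "No logon session: pass the account as DOMAIN\user, not a bare name"
        Case Else
            DescribeAdsiError = "ADSI error " & Hex(lNumber) & ": " & sDescription
    End Select
End Function

' Creates sNewUser in sDomain through the WinNT provider. Returns "" on success,
' otherwise a message. Credentials arrive as parameters, never as literals in the page.
Function CreateDomainUser(sDomain, sLogonUser, sLogonPass, sNewUser, sNewPass, sFullName)
    Dim oProvider, oDomain, oUser
    On Error Resume Next

    Set oProvider = GetObject("WinNT:")
    ' sLogonUser must be domain-qualified, e.g. "TAMPA\Administrator" (the fix in this thread);
    ' the last argument is 0, as in the thread's own call.
    Set oDomain = oProvider.OpenDSObject("WinNT://" & sDomain, sLogonUser, sLogonPass, 0)
    If Err.Number <> 0 Then
        CreateDomainUser = "Bind failed. " & DescribeAdsiError(Err.Number, Err.Description)
        Exit Function
    End If

    ' Refuse to touch an existing account (Silvers5: "check if you already have such a user").
    Set oUser = oDomain.GetObject("user", sNewUser)
    If Err.Number = 0 Then
        CreateDomainUser = "User " & sNewUser & " already exists."
        Exit Function
    End If
    Err.Clear

    ' Create the account disabled, set its password, then enable it, so it is never
    ' usable with an empty password between the two SetInfo calls.
    Set oUser = oDomain.Create("user", sNewUser)
    oUser.FullName = sFullName
    oUser.AccountDisabled = True
    oUser.SetInfo                       ' the call that raised 80070005 in the question
    If Err.Number = 0 Then oUser.SetPassword sNewPass
    If Err.Number = 0 Then oUser.AccountDisabled = False
    If Err.Number = 0 Then oUser.SetInfo
    If Err.Number <> 0 Then CreateDomainUser = "Create failed. " & DescribeAdsiError(Err.Number, Err.Description) Else CreateDomainUser = ""
End Function
```

From the ASP page, call it only after confirming Request.ServerVariables("AUTH_USER") is an administrator, with the credentials collected by the logon form as the final comment does; under WSH (cscript) it can be exercised the way MCM suggested, showing the returned string with WScript.Echo.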