Link to home
Start Free TrialLog in
Avatar of fruitloopy
fruitloopy

asked on

VB.NET - Moving OU results in Access Denied

This should be a simple operation and the code below works when I run it from my own PC logged on with rights to edit AD.
I need to be able to run it from a user account that does not have rights using an account that does.

When I run this from another account using my credentials it fails with an access denied message
User generated image
Try

            Dim ADUser As String = "DOMAIN.com\" & txtADUsername.Text
            Dim ADPass As String = txtADPassword.Text
            Dim PCName = txtPCName.Text
            Dim Username As String = "CFD" & PCName
            Dim NewPCOU As String = ("LDAP://OU=Department,OU=Computers,DC=DOMAIN,DC=com")
            Dim NewUserOU As String = ("LDAP://OU=Department,OU=Users,DC=DOMAIN,DC=com")
            Dim PCsearch As New DirectorySearcher()
            Dim PCentry As SearchResult
            Dim Usersearch As New DirectorySearcher()
            Dim Userentry As SearchResult
            PCsearch.Filter = "(&(ObjectClass=computer)(CN=" & PCName & "))"
            PCentry = PCsearch.FindOne
            If Not PCentry Is Nothing Then
                MsgBox(PCentry.Path.ToString())
                Dim MovePC As New DirectoryEntry(PCentry.Path, ADUser, ADPass, AuthenticationTypes.Secure)
                MovePC.MoveTo(New DirectoryEntry(NewPCOU))
                MovePC.CommitChanges()
            Else
                MsgBox("Not found")
            End If
            Usersearch.Filter = "(&(objectCategory=User)(SAMAccountName= " & Username & "))"
            Userentry = Usersearch.FindOne
            If Not Userentry Is Nothing Then
                MsgBox(Userentry.Path.ToString())
                Dim moveUser As New DirectoryEntry(Userentry.Path, ADUser, ADPass, AuthenticationTypes.Secure)
                moveUser.MoveTo(New DirectoryEntry(NewUserOU))
                moveUser.CommitChanges()
            Else
                MsgBox("User not found")
            End If
        Catch ex As Exception
            MsgBox(ex.ToString())
        End Try

Open in new window


Any ideas?
Avatar of JHMH IT Staff
JHMH IT Staff
Flag of United States of America image
Even though you supply your credentials, the logged on user account does not have sufficient rights to the interop service you're calling to perform the operations. The fact it displays as "unsafe native methods" tells me it's an operation only a domain admin should be running.

What's the intended purpose of the application?
Avatar of fruitloopy
fruitloopy

ASKER

I'm updating some old VBScript that does this to VB.NET.
It's used to automate the installation of software and to perform repetitive tasks such as registry settings, moving the computer and user accounts into another OU, adding the user account into 10 different groups, etc.

Using the same process in VBScript works with no issues:
' Uses the above account info to create a secure connection to AD
adoConnection.Properties("User ID") = strADUser
adoConnection.Properties("Password") = strADPass
adoConnection.Properties("Encrypt Password") = True
adoConnection.Properties("ADSI Flag") = 3
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 

' 1. Find and move the current COMPUTER account in Active Directory to the OU
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://DC=DOMAIN,DC=com' WHERE objectCategory='computer' " & _
        "AND name='" & strComputer & "'"
Set objRecordSet = objCommand.Execute
'Now it's found it it's going to move it!
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
'	Wscript.Echo strADsPath
    Set objOU = DSO.OpenDSObject("LDAP://OU=Computers,DC=DOMAIN,DC=com", strADUser, strADPass, ADS_SECURE_AUTHENTICATION)
    intReturn = objOU.MoveHere(strADsPath, vbNullString)
    objRecordSet.MoveNext
Loop

Open in new window


Incidentally, adding the user into these different AD groups works with no issues:
Dim Username As String = "CFD" + txtPCName.Text
        Dim ADUser As String = "DOMAIN\" & txtADUsername.Text
        Dim ADPass As String = txtADPassword.Text
        Dim Usersearch As New DirectorySearcher()
        Dim Userentry As SearchResult
        Usersearch.Filter = "(&(objectCategory=User)(SAMAccountName= " & Username & "))"
        Userentry = Usersearch.FindOne
        Dim gsearch As String = Userentry.Properties.Item("member").ToString
        If Not Userentry Is Nothing Then

            Dim trim() As Char = "LDAP://"
            Dim member As String = Userentry.Path.ToString.Trim(trim)
            Dim AddMember1 As DirectoryEntry = New DirectoryEntry(group1, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember1.Properties("member").Add(member)
            AddMember1.CommitChanges()
            Dim AddMember2 As DirectoryEntry = New DirectoryEntry(group2, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember2.Properties("member").Add(member)
            AddMember2.CommitChanges()
            Dim AddMember3 As DirectoryEntry = New DirectoryEntry(group3, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember3.Properties("member").Add(member)
            AddMember3.CommitChanges()
            Dim AddMember4 As DirectoryEntry = New DirectoryEntry(group4, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember4.Properties("member").Add(member)
            AddMember4.CommitChanges()
            Dim AddMember5 As DirectoryEntry = New DirectoryEntry(group5, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember5.Properties("member").Add(member)
            AddMember5.CommitChanges()
            Dim AddMember6 As DirectoryEntry = New DirectoryEntry(group6, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember6.Properties("member").Add(member)
            AddMember6.CommitChanges()
            Dim AddMember7 As DirectoryEntry = New DirectoryEntry(group7, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember7.Properties("member").Add(member)
            AddMember7.CommitChanges()
            Dim AddMember8 As DirectoryEntry = New DirectoryEntry(group8, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember8.Properties("member").Add(member)
            AddMember8.CommitChanges()
            Dim AddMember9 As DirectoryEntry = New DirectoryEntry(group9, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember9.Properties("member").Add(member)
            AddMember9.CommitChanges()
            Dim AddMember10 As DirectoryEntry = New DirectoryEntry(group10, ADUser, ADPass, AuthenticationTypes.Secure)
            AddMember10.Properties("member").Add(member)
            AddMember10.CommitChanges()
        End If

Open in new window


As mentioned, running this logged in with my credentials works and I can also do it manually in AD
ASKER CERTIFIED SOLUTION
Avatar of JHMH IT Staff
JHMH IT Staff
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of fruitloopy
fruitloopy

ASKER

Unfortunately I don't have that ability to change these permissions. Even if I did I'd be marched out of the door by security!
Avatar of JHMH IT Staff
JHMH IT Staff
Flag of United States of America image
That may be the only solution if you're intent on moving this from VBscript to .Net. The user has to be able to access and use the dll files - I have the same issue with applications I build using Visual Basic Power Packs.

Hopefully in this case someone will have a better idea than mine.
Avatar of zalazar
zalazar
I assume you are using "Run as different user" when you run it from another account using your credentials.
Did you already try to first start a command prompt (cmd.exe) with Administrative permissions (use "Run as administrator")
And then start the program with "runas /user:<username> program"