VB.NET - Moving OU results in Access Denied

This should be a simple operation and the code below works when I run it from my own PC logged on with rights to edit AD.
I need to be able to run it from a user account that does not have rights using an account that does.

When I run this from another account using my credentials, it fails with an access denied message.
[Screenshot: Access denied error]
' Requires: Imports System.DirectoryServices
Try
    Dim ADUser As String = "DOMAIN.com\" & txtADUsername.Text
    Dim ADPass As String = txtADPassword.Text
    Dim PCName = txtPCName.Text
    Dim Username As String = "CFD" & PCName
    Dim NewPCOU As String = "LDAP://OU=Department,OU=Computers,DC=DOMAIN,DC=com"
    Dim NewUserOU As String = "LDAP://OU=Department,OU=Users,DC=DOMAIN,DC=com"
    Dim PCsearch As New DirectorySearcher()
    Dim PCentry As SearchResult
    Dim Usersearch As New DirectorySearcher()
    Dim Userentry As SearchResult
    PCsearch.Filter = "(&(ObjectClass=computer)(CN=" & PCName & "))"
    PCentry = PCsearch.FindOne()
    If Not PCentry Is Nothing Then
        MsgBox(PCentry.Path.ToString())
        Dim MovePC As New DirectoryEntry(PCentry.Path, ADUser, ADPass, AuthenticationTypes.Secure)
        MovePC.MoveTo(New DirectoryEntry(NewPCOU))
        MovePC.CommitChanges()
    Else
        MsgBox("Not found")
    End If
    Usersearch.Filter = "(&(objectCategory=User)(SAMAccountName=" & Username & "))"
    Userentry = Usersearch.FindOne()
    If Not Userentry Is Nothing Then
        MsgBox(Userentry.Path.ToString())
        Dim moveUser As New DirectoryEntry(Userentry.Path, ADUser, ADPass, AuthenticationTypes.Secure)
        moveUser.MoveTo(New DirectoryEntry(NewUserOU))
        moveUser.CommitChanges()
    Else
        MsgBox("User not found")
    End If
Catch ex As Exception
    MsgBox(ex.ToString())
End Try

Any ideas?
fruitloopyAsked:

JHMH IT StaffCommented:
Even though you supply your credentials, the logged-on user account does not have sufficient rights to the interop service you're calling to perform the operations. The fact that it displays as "unsafe native methods" tells me it's an operation only a domain admin should be running.

What's the intended purpose of the application?
fruitloopyAuthor Commented:
I'm updating some old VBScript that does this to VB.NET.
It's used to automate the installation of software and to perform repetitive tasks such as registry settings, moving the computer and user accounts into another OU, adding the user account into 10 different groups, etc.

Using the same process in VBScript works with no issues:
' Uses the above account info (strADUser, strADPass and strComputer are set
' earlier in the script) to create a secure connection to AD
Const ADS_SCOPE_SUBTREE = 2
Const ADS_SECURE_AUTHENTICATION = 1

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
Set DSO = GetObject("LDAP:")

objConnection.Provider = "ADsDSOObject"
objConnection.Properties("User ID") = strADUser
objConnection.Properties("Password") = strADPass
objConnection.Properties("Encrypt Password") = True
objConnection.Properties("ADSI Flag") = 3
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' 1. Find and move the current COMPUTER account in Active Directory to the OU
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://DC=DOMAIN,DC=com' WHERE objectCategory='computer' " & _
        "AND name='" & strComputer & "'"
Set objRecordSet = objCommand.Execute
' Now it's found, it's going to move it!
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    ' Wscript.Echo strADsPath
    ' The destination OU is opened with the supplied credentials, so MoveHere
    ' runs under that account rather than under the logged-on user
    Set objOU = DSO.OpenDSObject("LDAP://OU=Computers,DC=DOMAIN,DC=com", strADUser, strADPass, ADS_SECURE_AUTHENTICATION)
    intReturn = objOU.MoveHere(strADsPath, vbNullString)
    objRecordSet.MoveNext
Loop

Incidentally, adding the user into these different AD groups works with no issues:
' Requires: Imports System.DirectoryServices
' group1 .. group10 hold the LDAP paths of the target groups and are defined elsewhere
Dim Username As String = "CFD" & txtPCName.Text
Dim ADUser As String = "DOMAIN\" & txtADUsername.Text
Dim ADPass As String = txtADPassword.Text
Dim Usersearch As New DirectorySearcher()
Dim Userentry As SearchResult
Usersearch.Filter = "(&(objectCategory=User)(SAMAccountName=" & Username & "))"
Userentry = Usersearch.FindOne()
If Not Userentry Is Nothing Then
    ' The group's member attribute takes a distinguished name, so strip the LDAP:// prefix from the path
    Dim member As String = Userentry.Path.Substring("LDAP://".Length)
    Dim groupPaths() As String = New String() {group1, group2, group3, group4, group5, _
                                               group6, group7, group8, group9, group10}
    For Each groupPath As String In groupPaths
        ' Each group is bound with the supplied credentials before the member is added
        Dim grp As New DirectoryEntry(groupPath, ADUser, ADPass, AuthenticationTypes.Secure)
        grp.Properties("member").Add(member)
        grp.CommitChanges()
    Next
End If

As mentioned, running this logged in with my credentials works, and I can also do it manually in AD.
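One difference between the two listings is that the VBScript opens the destination OU with the supplied credentials (OpenDSObject) before calling MoveHere, whereas the VB.NET code passes a DirectoryEntry for the target OU that carries no credentials and is therefore bound with the logged-on user's token; in System.DirectoryServices the move is carried out by the destination container's binding. The following is an added example, not code from the original post, of the move with the same credentials on the search root, the source object and the destination OU; the domain, OU paths and control names are taken from the question, and the Escape helper is an assumption of this example.

```vbnet
' Added example (not from the original post). Assumes the names used in the
' question: adUser/adPass hold the privileged account, pcName the computer name.
Imports System.DirectoryServices

Module MoveWithCredentials

    ' Binds every DirectoryEntry involved in the move with the supplied account.
    ' MoveTo is performed by the *destination* container, so the destination
    ' must be bound with the privileged credentials as well as the source.
    Public Function MoveComputerToOU(pcName As String, newOuPath As String,
                                     adUser As String, adPass As String) As Boolean
        ' Search root bound with the privileged account so the search itself
        ' does not depend on the logged-on user's rights.
        Using root As New DirectoryEntry("LDAP://DC=DOMAIN,DC=com", adUser, adPass,
                                         AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(root)
                ' Escape the value so a name containing ( ) * \ cannot alter the filter.
                searcher.Filter = "(&(objectClass=computer)(cn=" & EscapeLdapFilter(pcName) & "))"
                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then Return False

                Using source As New DirectoryEntry(result.Path, adUser, adPass,
                                                   AuthenticationTypes.Secure)
                    ' This is the line that differs from the question: the destination
                    ' OU is bound with credentials, as OpenDSObject does in the VBScript.
                    Using dest As New DirectoryEntry(newOuPath, adUser, adPass,
                                                     AuthenticationTypes.Secure)
                        source.MoveTo(dest)   ' the move is immediate; no CommitChanges needed
                    End Using
                End Using
                Return True
            End Using
        End Using
    End Function

    ' RFC 4515 escaping for a value embedded in an LDAP filter (assumed helper).
    Public Function EscapeLdapFilter(value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28") _
                    .Replace(")", "\29").Replace(Chr(0), "\00")
    End Function

End Module

' Usage from the form, with the question's values:
' MoveComputerToOU(txtPCName.Text, "LDAP://OU=Department,OU=Computers,DC=DOMAIN,DC=com",
'                  "DOMAIN.com\" & txtADUsername.Text, txtADPassword.Text)
```

The account typed into the form needs only delegated rights to move objects into the target OUs and to edit the member attribute of the groups in question, not domain admin, so delegating on those OUs is preferable to widening permissions on the .NET framework folders.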
JHMH IT StaffCommented:
Try giving the other user modify/write permission to the Microsoft.Net folder and apply to all child objects. I've had to do that through our entire domain thanks to Microsoft's permissions lockdowns. I personally consider Domain Users to be safe for such things since they're already authenticated to your network and the users fall under the policies of your organization.

fruitloopyAuthor Commented:
Unfortunately I don't have that ability to change these permissions. Even if I did I'd be marched out of the door by security!
JHMH IT StaffCommented:
That may be the only solution if you're intent on moving this from VBScript to .NET. The user has to be able to access and use the DLL files; I have the same issue with applications I build using Visual Basic Power Packs.

Hopefully in this case someone will have a better idea than mine.
zalazarCommented:
I assume you are using "Run as different user" when you run it from another account using your credentials.
Did you already try to first start a command prompt (cmd.exe) with administrative permissions (use "Run as administrator") and then start the program with "runas /user:<username> program"?