fruitloopy
asked on
VB.NET - Moving OU results in Access Denied
This should be a simple operation and the code below works when I run it from my own PC logged on with rights to edit AD.
I need to be able to run it from a user account that does not have rights using an account that does.
When I run this from another account using my credentials it fails with an access denied message
Any ideas?
I need to be able to run it from a user account that does not have rights using an account that does.
When I run this from another account using my credentials it fails with an access denied message
Try
Dim ADUser As String = "DOMAIN.com\" & txtADUsername.Text
Dim ADPass As String = txtADPassword.Text
Dim PCName = txtPCName.Text
Dim Username As String = "CFD" & PCName
Dim NewPCOU As String = ("LDAP://OU=Department,OU=Computers,DC=DOMAIN,DC=com")
Dim NewUserOU As String = ("LDAP://OU=Department,OU=Users,DC=DOMAIN,DC=com")
Dim PCsearch As New DirectorySearcher()
Dim PCentry As SearchResult
Dim Usersearch As New DirectorySearcher()
Dim Userentry As SearchResult
PCsearch.Filter = "(&(ObjectClass=computer)(CN=" & PCName & "))"
PCentry = PCsearch.FindOne
If Not PCentry Is Nothing Then
MsgBox(PCentry.Path.ToString())
Dim MovePC As New DirectoryEntry(PCentry.Path, ADUser, ADPass, AuthenticationTypes.Secure)
MovePC.MoveTo(New DirectoryEntry(NewPCOU))
MovePC.CommitChanges()
Else
MsgBox("Not found")
End If
Usersearch.Filter = "(&(objectCategory=User)(SAMAccountName= " & Username & "))"
Userentry = Usersearch.FindOne
If Not Userentry Is Nothing Then
MsgBox(Userentry.Path.ToString())
Dim moveUser As New DirectoryEntry(Userentry.Path, ADUser, ADPass, AuthenticationTypes.Secure)
moveUser.MoveTo(New DirectoryEntry(NewUserOU))
moveUser.CommitChanges()
Else
MsgBox("User not found")
End If
Catch ex As Exception
MsgBox(ex.ToString())
End Try
Any ideas?
ASKER
I'm updating some old VBScript that does this to VB.NET.
It's used to automate the installation of software and to perform repetitive tasks such as registry settings, moving the computer and user accounts into another OU, adding the user account into 10 different groups, etc.
Using the same process in VBScript works with no issues:
Incidentally, adding the user into these different AD groups works with no issues:
As mentioned, running this logged in with my credentials works and I can also do it manually in AD
It's used to automate the installation of software and to perform repetitive tasks such as registry settings, moving the computer and user accounts into another OU, adding the user account into 10 different groups, etc.
Using the same process in VBScript works with no issues:
' Uses the above account info to create a secure connection to AD
adoConnection.Properties("User ID") = strADUser
adoConnection.Properties("Password") = strADPass
adoConnection.Properties("Encrypt Password") = True
adoConnection.Properties("ADSI Flag") = 3
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
' 1. Find and move the current COMPUTER account in Active Directory to the OU
objCommand.CommandText = _
"SELECT ADsPath FROM 'LDAP://DC=DOMAIN,DC=com' WHERE objectCategory='computer' " & _
"AND name='" & strComputer & "'"
Set objRecordSet = objCommand.Execute
'Now it's found it it's going to move it!
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
strADsPath = objRecordSet.Fields("ADsPath").Value
' Wscript.Echo strADsPath
Set objOU = DSO.OpenDSObject("LDAP://OU=Computers,DC=DOMAIN,DC=com", strADUser, strADPass, ADS_SECURE_AUTHENTICATION)
intReturn = objOU.MoveHere(strADsPath, vbNullString)
objRecordSet.MoveNext
Loop
Incidentally, adding the user into these different AD groups works with no issues:
Dim Username As String = "CFD" + txtPCName.Text
Dim ADUser As String = "DOMAIN\" & txtADUsername.Text
Dim ADPass As String = txtADPassword.Text
Dim Usersearch As New DirectorySearcher()
Dim Userentry As SearchResult
Usersearch.Filter = "(&(objectCategory=User)(SAMAccountName= " & Username & "))"
Userentry = Usersearch.FindOne
Dim gsearch As String = Userentry.Properties.Item("member").ToString
If Not Userentry Is Nothing Then
Dim trim() As Char = "LDAP://"
Dim member As String = Userentry.Path.ToString.Trim(trim)
Dim AddMember1 As DirectoryEntry = New DirectoryEntry(group1, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember1.Properties("member").Add(member)
AddMember1.CommitChanges()
Dim AddMember2 As DirectoryEntry = New DirectoryEntry(group2, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember2.Properties("member").Add(member)
AddMember2.CommitChanges()
Dim AddMember3 As DirectoryEntry = New DirectoryEntry(group3, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember3.Properties("member").Add(member)
AddMember3.CommitChanges()
Dim AddMember4 As DirectoryEntry = New DirectoryEntry(group4, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember4.Properties("member").Add(member)
AddMember4.CommitChanges()
Dim AddMember5 As DirectoryEntry = New DirectoryEntry(group5, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember5.Properties("member").Add(member)
AddMember5.CommitChanges()
Dim AddMember6 As DirectoryEntry = New DirectoryEntry(group6, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember6.Properties("member").Add(member)
AddMember6.CommitChanges()
Dim AddMember7 As DirectoryEntry = New DirectoryEntry(group7, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember7.Properties("member").Add(member)
AddMember7.CommitChanges()
Dim AddMember8 As DirectoryEntry = New DirectoryEntry(group8, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember8.Properties("member").Add(member)
AddMember8.CommitChanges()
Dim AddMember9 As DirectoryEntry = New DirectoryEntry(group9, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember9.Properties("member").Add(member)
AddMember9.CommitChanges()
Dim AddMember10 As DirectoryEntry = New DirectoryEntry(group10, ADUser, ADPass, AuthenticationTypes.Secure)
AddMember10.Properties("member").Add(member)
AddMember10.CommitChanges()
End If
As mentioned, running this logged in with my credentials works and I can also do it manually in AD
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Unfortunately I don't have that ability to change these permissions. Even if I did I'd be marched out of the door by security!
That may be the only solution if you're intent on moving this from VBscript to .Net. The user has to be able to access and use the dll files - I have the same issue with applications I build using Visual Basic Power Packs.
Hopefully in this case someone will have a better idea than mine.
Hopefully in this case someone will have a better idea than mine.
I assume you are using "Run as different user" when you run it from another account using your credentials.
Did you already try to first start a command prompt (cmd.exe) with Administrative permissions (use "Run as administrator")
And then start the program with "runas /user:<username> program"
Did you already try to first start a command prompt (cmd.exe) with Administrative permissions (use "Run as administrator")
And then start the program with "runas /user:<username> program"
What's the intended purpose of the application?