使用ASP.NET C在AD中创建用户时,无法使用DirectoryEntry.Invoke设置密码

时间:2015-03-04 17:10:23

标签: c# asp.net active-directory passwords directoryentry

Web应用程序正在从人事管理页面创建用户,而后者又将用户添加到Active Directory。这是执行此操作的代码:

DirectoryEntry Folder = new DirectoryEntry("LDAP://XXXX.com/CN=ContainerName, DC=XXXX, DC=com", admin, adminPwd, AuthenticationTypes.None);

    if (Folder.SchemaEntry.Name == "container")
    {
        DirectoryEntry user = Folder.Children.Add("CN=" + txtFirstname.Text + " " + txtLastname.Text, "User");

        if (DirectoryEntry.Exists(user.Path))
        {
            // Error Msg Here
        }
        else
        {
            // Required attributes
            if (txtFirstname.Text != "" && txtLastname.Text != "") { user.Properties["sAMAccountName"].Value = txtFirstname.Text.ToLower() + "." + txtLastname.Text.ToLower(); }
            if (txtFirstname.Text + " " + txtLastname.Text != "") { user.Properties["cn"].Value = txtFirstname.Text + " " + txtLastname.Text; }
            // More controls to populate Optional AD attributes.  Not entered to conserve space.  The code works however.

            user.CommitChanges();

            int val = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = val & ~0x2;
            user.Properties["pwdLastSet"].Value = 0;
            user.CommitChanges();
            user.Invoke("SetPassword", new object[] { "SuperSecretPassword" });
            user.CommitChanges();
        }

问题是在创建帐户后,调用方法无法设置密码。每次设置密码的尝试都会在catch语句中返回此错误:

System.Reflection.TargetInvocationException was caught
HResult=-2146232828
Message=Exception has been thrown by the target of an invocation.
Source=System.DirectoryServices
StackTrace:
   at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
   at Personnel_Govt.CreateUser() in c:\inetpub\wwwroot\TestingFolder\Personnel\Add\Govt.aspx.cs:line 148
   at Personnel_Govt.btnSubmit_Click(Object sender, EventArgs e) in c:\inetpub\wwwroot\TestingFolder\Personnel\Add\Govt.aspx.cs:line 95
InnerException: System.UnauthorizedAccessException
   HResult=-2147024891
   Message=One or more input parameters are invalid

   Source=Active Directory
   InnerException:

如果在AD中手动设置了密码,并且在创建帐户后选中了“需要重置”,则可以使用密码。

为什么设置密码的方法失败???

1 个答案:

答案 0 :(得分:0)

问题解决了。显然,Internet信息服务(IIS_IUSRS)的帐户没有权限为Active Directory设置密码。它可以更改密码但不能设置它们。

要允许ASP.NET页面在创建帐户时设置AD密码,我必须运行" Active Directory用户和计算机",右键单击域,选择"委派控制&# 34 ;.这将打开一个向导,允许您授予帐户IIS_IUSRS权限以对AD进行更改。

相关问题
最新问题