I am trying to build a self-service password reset tool for a test domain. I am using ASP.NET 4 and IIS 7.

My code:

string userDirectoryEntry = "WinNT://domain/" + usermapping[user[1]];
System.DirectoryServices.DirectoryEntry ADEntryToReset = new System.DirectoryServices.DirectoryEntry(userDirectoryEntry);

ADEntryToReset.Invoke("SetPassword", new object[] { newPassword });
ADEntryToReset.Properties["passwordExpired"][0] = 1;
ADEntryToReset.CommitChanges();

However, I am getting access denied when committing the password change. I have changed the Default App Pool to run under an admin account that can change passwords. It works fine in the Visual Studio debugger.

I have also tried explicitly supplying credentials to the DirectoryEntry object (msdn). This also does not work.

Any ideas?

mphuie
  • What happens when you use LDAP: instead of WinNT:? Also, can you perform another activity such as modifying an attribute? – Greg Askew Jan 17 '13 at 01:41

1 Answer

You might want to use the LDAP provider instead of the pre-2000 WinNT provider, which has some capability limitations compared to LDAP. The userDirectoryEntry string should begin with LDAP:// instead of WinNT://.

If the msdn example with credentials doesn't work, try initializing the DirectoryEntry object with the credentials:

new DirectoryEntry(userDN,callerUsername,callerPwd);

http://msdn.microsoft.com/en-us/library/wh2h7eed.aspx

Mathias R. Jessen
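An added example, not code from the question or the answer: the asker's reset written against the LDAP provider with explicit credentials, as the answer suggests. `ldapHost`, the class and the method name are assumptions, and `pwdLastSet = 0` stands in for the WinNT provider's `passwordExpired = 1`.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

public static class PasswordReset
{
    // userDn, callerUsername and callerPwd mirror the answer's placeholders;
    // ldapHost (a domain controller or domain DNS name) is an assumed parameter.
    public static bool TryReset(string ldapHost, string userDn,
                                string callerUsername, string callerPwd,
                                string newPassword, out string error)
    {
        error = null;
        string path = "LDAP://" + ldapHost + "/" + userDn;

        // Secure: negotiated (Kerberos/NTLM) bind instead of a simple bind.
        // Sealing + Signing: encrypt and integrity-protect the session.
        const AuthenticationTypes auth = AuthenticationTypes.Secure
            | AuthenticationTypes.Sealing | AuthenticationTypes.Signing;
        try
        {
            using (var entry = new DirectoryEntry(path, callerUsername, callerPwd, auth))
            {
                entry.RefreshCache(); // force the bind now so bad credentials fail here
                entry.Invoke("SetPassword", new object[] { newPassword });
                // Force a change at next logon (LDAP counterpart of passwordExpired = 1).
                entry.Properties["pwdLastSet"].Value = 0;
                entry.CommitChanges();
                return true;
            }
        }
        catch (TargetInvocationException ex)
        {
            // Invoke wraps the underlying COM error; never log newPassword here.
            error = "SetPassword failed: " + (ex.InnerException ?? ex).Message;
        }
        catch (UnauthorizedAccessException ex)
        {
            error = "Access denied: " + ex.Message;
        }
        catch (COMException ex)
        {
            error = "Directory error 0x" + ex.ErrorCode.ToString("X8") + ": " + ex.Message;
        }
        return false;
    }
}
```

The bind account only needs the delegated "Reset password" right and write access to `pwdLastSet` on the target users, so the application pool does not have to run as a domain administrator.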