I am trying to update a field pertaining to my own user object in Active Directory using ADSI from a C++ app. The operating system is Windows Server 2012 Standard.

I am able to read, I am able to call Put without problems, but when I call SetInfo, it returns with "General access denied". I have confirmed that it's my own user object I'm trying to access.

I obtain my own FQDN like this:

GetUserNameEx(EXTENDED_NAME_FORMAT::NameFullyQualifiedDN, pszFullyQualifiedDN, &dwFullyQualifiedDN);

Then I use it like this:

LPTSTR pszObj = (LPTSTR)LocalAlloc(LPTR, dwMemToAlloc);
wcscpy_s(pszObj, dwMemToAlloc / sizeof(TCHAR), L"LDAP://");
wcscat_s(pszObj, dwMemToAlloc / sizeof(TCHAR), pszFullyQualifiedDN);

I bind to an object like this:

ADsGetObject(pszObj, IID_IADs, (LPVOID*)&pObject);

This call succeeds:

pObject->Get(CComBSTR("Description"), &var);

This call also succeeds:

VariantClear(&var);

V_BSTR(&var) = SysAllocString(L"Some new value");
V_VT(&var) = VT_BSTR;
hr = pObject->Put(CComBSTR("Description"), var);

Trying to commit the above change using the following:

pObject->SetInfo();

This is where it fails.
It returns E_ACCESSDENIED General access denied error.

As you can see, that is my own user object I am trying to update. To my understanding, that is supposed to work provided I am a member of the Domain Users group, which I am.

What could possibly be the problem?

Dejan Janjušević

1 Answer

I usually find an answer to my own question before anyone else gets time to answer.

The problem is that on a Windows Server 2012 domain controller, permission to write to public (and personal, for that matter) properties is not granted to "SELF". The field I am trying to write to belongs to the public properties. The only property set a user is able to change for himself in Windows Server 2012, by default, seems to be "Private-Information", which consists of ms-PKI-Credential-Roaming-Tokens, ms-PKI-RoamingTimeStamp, ms-PKI-DPAPIMasterKeys and ms-PKI-AccountCredentials.

Why on earth a user doesn't have permission to write to his own personal fields in Windows Server 2012 AD, Microsoft??!?!?!

EDITED

The answer to the other question lies here. I wasn't able to write there because I was logged in using an administrative account.

If the user in question is or was a member of an administrative group such as Domain Admins, Account Operators, Backup Operators, Print Operators, etc., the AdminSDHolder object protects members of these groups by resetting their permissions to the default every 5 minutes and also breaking permission inheritance on them.

Dejan Janjušević
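As an added diagnostic (not part of the original question or answer), the PowerShell below checks the two things the answer points at from the user's own session: whether the account carries adminCount=1 (the stamp SDProp puts on current or former members of protected groups when it rewrites their ACL from AdminSDHolder), and which ACEs on the caller's own object actually apply to NT AUTHORITY\SELF, with the property-set and attribute GUIDs in those ACEs resolved to names so that "Private-Information" versus "Public-Information" is readable. It then retries the same Description write that SetInfo() performed. It assumes the RSAT ActiveDirectory module on a domain-joined machine and that it is run as the user being inspected. SDProp runs on the PDC emulator; its default interval is 60 minutes, adjustable through the AdminSDProtectFrequency value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. Note that removing the account from the protected group does not clear adminCount or re-enable inheritance; both have to be reset by hand afterwards.

```powershell
# Added diagnostic, not code from the original post.
# Assumes: RSAT ActiveDirectory module, domain-joined session, run as the user being inspected.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$me = Get-ADUser -Identity $env:USERNAME -Properties adminCount, Description

# 1. Is this account protected by AdminSDHolder? SDProp stamps adminCount=1 on
#    current or former members of protected groups and rewrites their ACL.
$protected = ($me.adminCount -eq 1)
"adminCount = $($me.adminCount)  (protected by AdminSDHolder: $protected)"

# 2. Build a GUID -> name map from the Extended-Rights container (property sets and
#    control access rights) and from the schema (attributes), so ACE ObjectType
#    GUIDs can be read as names such as Private-Information or description.
$guidName = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(rightsGuid=*)" -Properties rightsGuid, displayName |
    ForEach-Object { $guidName[[guid]$_.rightsGuid] = $_.displayName }
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(schemaIDGUID=*)" -Properties schemaIDGUID, lDAPDisplayName |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-Guid([guid]$g) {
    if ($g -eq [guid]::Empty) { '(all properties)' }
    elseif ($guidName.ContainsKey($g)) { $guidName[$g] }
    else { $g.ToString() }
}

# 3. Which ACEs on my own object apply to SELF, and what do they cover?
#    A WriteProperty ACE whose "Applies to" is a property set grants writes to
#    every attribute in that set; Description is writable only if some ACE here
#    covers it (directly, via its property set, or via "(all properties)").
$acl = Get-Acl -Path "AD:\$($me.DistinguishedName)"
$acl.Access |
    Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SELF' } |
    Select-Object AccessControlType, ActiveDirectoryRights,
        @{ n = 'Applies to'; e = { Resolve-Guid $_.ObjectType } },
        IsInherited |
    Format-Table -AutoSize

# AdminSDHolder-protected objects have inheritance blocked; this reports it.
"Inheritance blocked on object: $($acl.AreAccessRulesProtected)"

# 4. Repeat the write the C++ code attempted, to confirm the diagnosis end to end.
try {
    Set-ADUser -Identity $me -Description 'Some new value' -ErrorAction Stop
    'Description write succeeded'
} catch {
    "Description write failed: $($_.Exception.Message)"
}
```

Run it twice: once as the administrative account that hit E_ACCESSDENIED and once as an ordinary domain user. On the protected account the SELF ACEs will be the short AdminSDHolder set with inheritance blocked; on the ordinary user they will be the inherited defaults from the domain's schema defaults, which is where any Write permission on Public-Information would have to come from.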