Results 1 to 6 of 6

Thread: Getting the properties of a DirectoryEntry (local user) in c# whenthe user is a domain account? Active Directory

  1. #1
    Michael Howes Guest

    Getting the properties of a DirectoryEntry (local user) in c# whenthe user is a domain account? Active Directory


    I'm writing a utility to manage a machines *local* accounts in c#

    I am getting all the users in a specific Group just fine but when I
    want to get some of the information on each user from their Properties
    collection I can't get the properties on some users.

    For example, I get all the users that are part of my machines
    Administrators Group. I get get the properties of the built in local
    Administrator account and some local IT account, and the Domain Admins
    account but some of the users, I think the users that are on the domain
    (I'm not sure) that are added to the local group throw an "Access is
    denied" error when trying to do something like this;

    if (user.Properties["Description"].Value != null)
    lbUsers.Items.Add(user.Properties["Description"].Value.ToString());

    I'm getting these users using this code;
    DirectoryEntry localMachine = new DirectoryEntry("WinNT://" +
    Environment.MachineName + ",Computer");

    DirectoryEntry admGroup = localMachine.Children.Find("Administrators",
    "group");

    object members = admGroup.Invoke("members", null);

    anybody have any ideas?
    thanks
    mike



    PS If you want to reply directly instead of on the group, remove the x
    from my email address. I get enough spam as it is and found when I post
    to these groups my spam nearly doubles.

  2. #2
    Joe Kaplan Guest

    Re: Getting the properties of a DirectoryEntry (local user) in c# when the user is a domain account? Active Directory

    Are you logged in with a local machine account or a domain account when you
    do this? Perhaps you don't have domain creds and therefore don't have
    permission to read values out of AD? AD typically doesn't allow
    unauthenticated users to query it. You get a different error with the LDAP
    provider (which is what I'm more familiar with), but the error you are
    getting with WinNT makes sense to me in this context.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Michael Howes" <mhowes@xfortebio.com> wrote in message
    news:eWcetDJrHHA.4736@TK2MSFTNGP04.phx.gbl...
    >
    > I'm writing a utility to manage a machines *local* accounts in c#
    >
    > I am getting all the users in a specific Group just fine but when I want
    > to get some of the information on each user from their Properties
    > collection I can't get the properties on some users.
    >
    > For example, I get all the users that are part of my machines
    > Administrators Group. I get get the properties of the built in local
    > Administrator account and some local IT account, and the Domain Admins
    > account but some of the users, I think the users that are on the domain
    > (I'm not sure) that are added to the local group throw an "Access is
    > denied" error when trying to do something like this;
    >
    > if (user.Properties["Description"].Value != null)
    > lbUsers.Items.Add(user.Properties["Description"].Value.ToString());
    >
    > I'm getting these users using this code;
    > DirectoryEntry localMachine = new DirectoryEntry("WinNT://" +
    > Environment.MachineName + ",Computer");
    >
    > DirectoryEntry admGroup = localMachine.Children.Find("Administrators",
    > "group");
    >
    > object members = admGroup.Invoke("members", null);
    >
    > anybody have any ideas?
    > thanks
    > mike
    >
    >
    >
    > PS If you want to reply directly instead of on the group, remove the x
    > from my email address. I get enough spam as it is and found when I post to
    > these groups my spam nearly doubles.




  3. #3
    Michael Howes Guest

    Re: Getting the properties of a DirectoryEntry (local user) in c#when the user is a domain account? Active Directory

    > Are you logged in with a local machine account or a domain account when you
    > do this? Perhaps you don't have domain creds and therefore don't have
    > permission to read values out of AD? AD typically doesn't allow
    > unauthenticated users to query it. You get a different error with the LDAP
    > provider (which is what I'm more familiar with), but the error you are
    > getting with WinNT makes sense to me in this context.


    I'm logged in with a domain account that has admin privileges on this
    machine.
    I can check with our IT guy and see what domain creds (probably not
    many) I have. The easy test would be to have him log into my machine and
    run it as him.

    thanks
    mike


  4. #4
    Joe Kaplan Guest

    Re: Getting the properties of a DirectoryEntry (local user) in c# when the user is a domain account? Active Directory

    Generally speaking, if you are logged in as a domain user, I'd expect your
    account to be able to read these properties, so something else might be
    wrong. However, it is pretty hard to say what the issue is. I wonder if
    you would be able to read these attributes with the LDAP provider connecting
    back to the domain.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    >
    > I'm logged in with a domain account that has admin privileges on this
    > machine.
    > I can check with our IT guy and see what domain creds (probably not many)
    > I have. The easy test would be to have him log into my machine and run it
    > as him.
    >
    > thanks
    > mike
    >




  5. #5
    Michael Howes Guest

    Re: Getting the properties of a DirectoryEntry (local user) in c#when the user is a domain account? Active Directory


    > Generally speaking, if you are logged in as a domain user, I'd expect your
    > account to be able to read these properties, so something else might be
    > wrong. However, it is pretty hard to say what the issue is. I wonder if
    > you would be able to read these attributes with the LDAP provider connecting
    > back to the domain.


    I noticed that the DirectoryEntry constructor takes name, password,
    and authentication type.
    I assume I can use those and prompt for an domain admin name/pswd?

    I just tried it, asked our IT guy to login as domain admin and it
    wouldn't login and gave a COM exception.

    But this is a bit odd, I'm trying to connect to the local machine with
    a domain admin login?
    I'm really out of my element here and really am guessing at this point.

    Even looking at the user's DirectoryEntry object I can see that some
    properties like Guid, say "UnauthorizedAccessException"

    So how does one use the name/password/authentication type of the
    DirectoryEntry constructor to pass in a name/password of of someone who
    has domain admin privileges? and is his the correct way to be thinking
    about this?

    thanks
    mike



  6. #6
    Joe Kaplan Guest

    Re: Getting the properties of a DirectoryEntry (local user) in c# when the user is a domain account? Active Directory

    That should work in general. The WinNT provider can be a little less
    reliable than the LDAP provider when providing credentials, but it should
    work in most cases.

    Typically, you should be able to supply a username via "domain\user", a
    password and AuthenticationTypes.Secure. If that doesn't work, let us know
    what the actual COMException details were.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Michael Howes" <mhowes@xfortebio.com> wrote in message
    news:%23agEl$TrHHA.3484@TK2MSFTNGP05.phx.gbl...
    >
    >> Generally speaking, if you are logged in as a domain user, I'd expect
    >> your account to be able to read these properties, so something else might
    >> be wrong. However, it is pretty hard to say what the issue is. I wonder
    >> if you would be able to read these attributes with the LDAP provider
    >> connecting back to the domain.

    >
    > I noticed that the DirectoryEntry constructor takes name, password, and
    > authentication type.
    > I assume I can use those and prompt for an domain admin name/pswd?
    >
    > I just tried it, asked our IT guy to login as domain admin and it
    > wouldn't login and gave a COM exception.
    >
    > But this is a bit odd, I'm trying to connect to the local machine with a
    > domain admin login?
    > I'm really out of my element here and really am guessing at this point.
    >
    > Even looking at the user's DirectoryEntry object I can see that some
    > properties like Guid, say "UnauthorizedAccessException"
    >
    > So how does one use the name/password/authentication type of the
    > DirectoryEntry constructor to pass in a name/password of of someone who
    > has domain admin privileges? and is his the correct way to be thinking
    > about this?
    >
    > thanks
    > mike
    >
    >




Similar Threads

  1. Replies: 4
    Last Post: 30-09-2011, 04:32 PM
  2. how to active directory Domain user applied to policy
    By kawish in forum Networking & Security
    Replies: 1
    Last Post: 20-07-2009, 02:51 PM
  3. Replies: 3
    Last Post: 01-07-2009, 03:46 PM
  4. active directory user properties new tab
    By hatred in forum Active Directory
    Replies: 1
    Last Post: 26-03-2008, 11:15 PM
  5. How can I find out who created a user account in Active Directory
    By bubblecrumb in forum Windows Server Help
    Replies: 0
    Last Post: 13-02-2008, 02:00 PM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,711,637,621.56429 seconds with 17 queries