使用ASP.NET C#在AD中创建用户时，无法使用DirectoryEntry.Invoke设置密码 [英] Cannot set password with DirectoryEntry.Invoke when user is created in AD using ASP.NET C#

问题描述

Web应用程序正在从人员管理"页面创建用户，该页面又将用户添加到Active Directory.这是执行此操作的代码:

A Web Application is creating a user from a Personnel Management Page which in turn adds the user to the Active Directory. Here is code to do this:

DirectoryEntry Folder = new DirectoryEntry("LDAP://XXXX.com/CN=ContainerName, DC=XXXX, DC=com", admin, adminPwd, AuthenticationTypes.None);

    if (Folder.SchemaEntry.Name == "container")
    {
        DirectoryEntry user = Folder.Children.Add("CN=" + txtFirstname.Text + " " + txtLastname.Text, "User");

        if (DirectoryEntry.Exists(user.Path))
        {
            // Error Msg Here
        }
        else
        {
            // Required attributes
            if (txtFirstname.Text != "" && txtLastname.Text != "") { user.Properties["sAMAccountName"].Value = txtFirstname.Text.ToLower() + "." + txtLastname.Text.ToLower(); }
            if (txtFirstname.Text + " " + txtLastname.Text != "") { user.Properties["cn"].Value = txtFirstname.Text + " " + txtLastname.Text; }
            // More controls to populate Optional AD attributes.  Not entered to conserve space.  The code works however.

            user.CommitChanges();

            int val = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = val & ~0x2;
            user.Properties["pwdLastSet"].Value = 0;
            user.CommitChanges();
            user.Invoke("SetPassword", new object[] { "SuperSecretPassword" });
            user.CommitChanges();
        }

问题在于创建帐户后，invoke方法无法设置密码.每次尝试设置密码都会在catch语句中返回以下错误:

The issue is that after the account has been created, the invoke method fails to set the password. Every attempt to set the password returns this error in the catch statement:

System.Reflection.TargetInvocationException was caught
HResult=-2146232828
Message=Exception has been thrown by the target of an invocation.
Source=System.DirectoryServices
StackTrace:
   at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
   at Personnel_Govt.CreateUser() in c:\inetpub\wwwroot\TestingFolder\Personnel\Add\Govt.aspx.cs:line 148
   at Personnel_Govt.btnSubmit_Click(Object sender, EventArgs e) in c:\inetpub\wwwroot\TestingFolder\Personnel\Add\Govt.aspx.cs:line 95
InnerException: System.UnauthorizedAccessException
   HResult=-2147024891
   Message=One or more input parameters are invalid

   Source=Active Directory
   InnerException: 

如果在创建帐户后选中了需要重置"，则在AD中手动设置了密码，那么它将起作用.

If the password is set manually in AD with 'Reset Required' checked after the account is created, it will work.

为什么设置密码的方法失败?

Why is the method for setting the password failing???

推荐答案

问题已解决.显然，Internet信息服务(IIS_IUSRS)帐户没有权限为Active Directory设置密码.可以更改密码，但不能设置密码.

The problem is solved. Apparently the account for Internet Information Services (IIS_IUSRS) did not have permissions to SET Passwords for Active directory. It could CHANGE passwords but not SET them.

要允许ASP.NET页在创建帐户时设置AD密码，我必须运行"Active Directory用户和计算机"，右键单击域，选择代理控制".这将打开一个向导，该向导将允许您向帐户IIS_IUSRS授予对AD进行更改的权限.

To allow an ASP.NET page to SET an AD Password on account creation, I had to run "Active Directory Users and Computers", right-click the domain, select "Delegate Control". This opens a wizard which will allow you to grant the account IIS_IUSRS permissions to make changes to AD.

这篇关于使用ASP.NET C#在AD中创建用户时，无法使用DirectoryEntry.Invoke设置密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！