I wanted to implement adding an AD user to a local machine group via UserPrincipal and GroupPrincipal, and I thought it would work nicely and easily. Unfortunately, I continue to get a General Access Denied error. It's possible I just don't understand the proper authentication happening, but I assumed I had the proper access set up. Here is a code snippet of what is being called:
using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;

// Machine (local SAM) context, bound with the credentials stored in app settings
var ctx = new PrincipalContext(ContextType.Machine,
                               Environment.MachineName,
                               ConfigurationManager.AppSettings["MyUser"],
                               ConfigurationManager.AppSettings["MyPW"]);
var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, "LocalGrp");

// Domain context, bound with the same credentials
var adUser = ADService.GetUserByDomainUserName(vModel.ContactId);
var adCtx = new PrincipalContext(ContextType.Domain,
                                 "myDomain.com",
                                 ConfigurationManager.AppSettings["MyUser"],
                                 ConfigurationManager.AppSettings["MyPW"]);
var user = UserPrincipal.FindByIdentity(adCtx,
                                        IdentityType.Guid,
                                        adUser.UserGuid.ToString());

if (grp != null && user != null)
{
    if (!user.IsMemberOf(grp))
    {
        grp.Members.Add(user);
        grp.Save(); // throws General Access Denied here
    }
}
The user is found, the group is found, but when I add and reach the grp.Save() step, I am treated with a General Access Denied exception. With the ctx being opened via the "MyUser" and "MyPW", I thought that would allow group manipulation on the machine, since that account is part of the machine's local Administrators group. Can I not mix machine/domain contexts in this manner, or is there an authentication problem I am just missing?
Did you run Visual Studio in Admin mode? Even though your login has admin rights, your program needs to elevate itself to use those rights if you didn't start it elevated.
See:
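As an added illustration of the answer's point (example code, not from the question or the answer), the helper below checks whether the current process token is actually elevated before touching the local group, so a non-elevated run fails with a clear reason instead of a generic access-denied exception from Save(). The method and parameter names are assumptions for this example; the machine context is opened without explicit credentials so the elevated process token is used.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class LocalGroupMembership
{
    // True when the current process token carries the Administrators role.
    // Under UAC a member of Administrators runs non-elevated by default,
    // so group membership alone does not make this true.
    public static bool IsProcessElevated()
    {
        using (var identity = WindowsIdentity.GetCurrent())
        {
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    // Adds a domain user (by sAMAccountName) to a local group.
    // Returns false with a reason rather than letting Save() throw on a non-elevated token.
    public static bool TryAddDomainUserToLocalGroup(string domain, string userSam,
                                                    string localGroup, out string reason)
    {
        if (!IsProcessElevated())
        {
            reason = "process is not elevated; restart it as administrator";
            return false;
        }
        using (var machineCtx = new PrincipalContext(ContextType.Machine, Environment.MachineName))
        using (var domainCtx = new PrincipalContext(ContextType.Domain, domain))
        using (var grp = GroupPrincipal.FindByIdentity(machineCtx, IdentityType.Name, localGroup))
        using (var user = UserPrincipal.FindByIdentity(domainCtx, IdentityType.SamAccountName, userSam))
        {
            if (grp == null || user == null) { reason = "group or user not found"; return false; }
            if (user.IsMemberOf(grp)) { reason = "already a member"; return true; }
            try
            {
                grp.Members.Add(user);
                grp.Save();
                reason = "added";
                return true;
            }
            catch (UnauthorizedAccessException ex) { reason = "access denied: " + ex.Message; return false; }
            catch (PrincipalOperationException ex) { reason = "directory error: " + ex.Message; return false; }
        }
    }
}
```

Call it as `LocalGroupMembership.TryAddDomainUserToLocalGroup("myDomain.com", "jdoe", "LocalGrp", out var why)` and log `why`; an unelevated run reports the elevation problem before any directory call is made.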