
I'm trying to add a domain account to a remote computer's Administrators group. The problem I'm having is that when I try to actually connect to the remote machine's PrincipalContext, it gives me an access denied message, even though I'm connecting as the remote machine's local admin. When I try to access it I get "Access is denied". I know the login is correct, because if I change it I get a bad password/username error instead.

The Administrator account is the true admin account; I can log in to the local box with it and have full admin access, and I can add users to the Administrators group as needed without any issue. Any ideas what would cause it to report "Access is denied" when trying to do this remotely?

    using System;
    using System.DirectoryServices.AccountManagement;

    // ...
    try
    {
        using (PrincipalContext pc = new PrincipalContext(ContextType.Machine, "SERVER_IP_HERE", null, ContextOptions.Negotiate, @"RemoteMachineNameHere\Administrator", "MyPassword"))
        {
            // Get an access denied error here trying to connect to the Context
            GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, "Administrators");
            using (PrincipalContext dom1PC = new PrincipalContext(ContextType.Domain, "FQDNOFDomainHere"))
            {
                var me = UserPrincipal.FindByIdentity(dom1PC, IdentityType.SamAccountName, @"MyUserName");
                group.Members.Add(me);
                group.Save();
            }
        }
    }
    catch (System.DirectoryServices.DirectoryServicesCOMException e) // variable name must match the one used below
    {
        Console.WriteLine(e);
    }
Zipper
  • I've got exactly the same problem and would love if someone had some kind of answer... – leinad13 Nov 22 '13 at 15:32
  • Try looking at this question here @ StackOverflow: http://stackoverflow.com/questions/12608971/net-4-5-bug-in-userprincipal-findbyidentity-system-directoryservices-accountma –  May 14 '14 at 01:39
  • Comment from Victor: I do have the same issue. Did you solve this problem? – Benjamin Trent Jul 17 '14 at 20:44
  • Are the source and target machines in the same domain? – Mike Feb 19 '15 at 22:11

2 Answers


I faced the same issue and, after two days of searching, finally found the solution in a similar topic.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Execute the above command on your target server, then reboot, and you won't get "access is denied" anymore!

Circle Hsiao

Well! I have a server with a domain configured and AD installed. Let's name it A. I need to connect to it from another PC, B, which is part of the network (however, it is not joined to the domain).

So for that case, the only change was in this line:

    using (PrincipalContext pc = new PrincipalContext(ContextType.Machine, "SERVER_IP_HERE", null, ContextOptions.Negotiate, @"DomainNameOfRemoteMachineHere\Administrator", "MyPassword"))

So here is the code:

    using System;
    using System.DirectoryServices.AccountManagement;

    static void Main()
    {
        try
        {
            using (PrincipalContext pcRoot = new PrincipalContext(ContextType.Machine, "IP_Address", null, ContextOptions.Negotiate, @"domainNameHere\Administrator", "SomePass"))
            using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "FQDNOFDomainHere"))
            {
                // Get an access denied error here trying to connect to the Context
                var group = GroupPrincipal.FindByIdentity(pcRoot, "Administrators");
                var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, "vssaini");

                if (group == null)
                {
                    Console.WriteLine("Group not found.");
                    return;
                }

                if (user == null)
                {
                    Console.WriteLine("User not found.");
                    return; // nothing to save
                }

                group.Members.Add(user);
                group.Save();
            }
        }
        catch (Exception exc)
        {
            Console.WriteLine(exc);
        }

        // Wait for output
        Console.ReadKey();
    }

And while testing it worked smoothly.

Vikram Singh Saini