I have a website with a page that is an AD interface. We use it to
create/edit AD users.
This webpage code was working fine. Then we upgraded our 2003 SP1 PDC
hardware. In a nutshell... a new windows 2003 SP1 server box, promoted to
DC (it replicates AD from the existing PDC). Then allow the Global Catalog
to replicate to the new DC, and then have it seize the FSMO roles from the
existing PDC. The role xfer effectively demotes the 'old' PDC to a normal
DC, and the new DC to the PDC. Demote the old DC to a Workstation &
eventually removed it from the network, renamed the new PDC & change IP to
mimic the old one. Long story short, connecting clients don't realize
anything has changed. That was the plan anyway.
There's obviously a subtle difference somewhere, because here is the code
from my AD interface page that stopped working right after the server
upgrade/switch. It's when we create a new user and set the initial
password:
===============================
Private Function CreateADSAccount(ByVal strUserName As String, ByVal
strDisplayName As String, ByVal strEmailAddress As String) As String
Dim objADS As DirectoryServices.DirectoryEntry
Dim objNewUser As DirectoryServices.DirectoryEntry
Dim objGroup As DirectoryServices.DirectoryEntry
Dim objGetAccountDisabled As Object
Try
objADS = New
DirectoryServices.DirectoryEntry(ConfigurationSett ings.AppSettings.Item("ldapConnectionString"),
_
ConfigurationSettings.AppSettings.Item("theKeymake rUser"), _
ConfigurationSettings.AppSettings.Item("theKeymake rUserPassword"), _
DirectoryServices.AuthenticationTypes.ServerBind)
'Add a new user
objNewUser = objADS.Children.Add("cn=" & strUserName, "user")
'Commit
objNewUser.CommitChanges()
'Change properties
objNewUser.Properties("samAccountName").Value = strUserName
objNewUser.Properties("displayName").Value = strDisplayName
'See
http://msdn.microsoft.com/library/de...untcontrol.asp
'for descriptions of userAccountControlValues.
'Here, we're setting the account to Normal (i.e., not Disabled) and
forcing a password expiration.
objNewUser.Properties("userAccountControl").Value = &H200
objNewUser.Properties("pwdLastSet").Value = 0
'Commit
objNewUser.CommitChanges()
'Set the new password
'Make a new random password that the user will have to change when they
first logon
strPassword = Me.MiscTools.randomString()
objNewUser.Invoke("SetPassword", New Object() {strPassword})
....
===============================
That last line where I invoke SetPassword was working fine against the
previous server. Against the new server, it's now throwing this exception:
"One or more input parameters are invalid"
I've read about how you need a secure connection to AD in order to set
passwords. This is the code I used to set passwords against the old server,
but the old PDC was an enterprise CA. So, guessing, I installed cert
services on the new PDC (as enterprise CA). SetPassword throws the same
error. I tried using SSL and/or Secure flags when defining objADS (instead
of just ServerBind). Still errors, but a different error:
"Access is denied."
I know the user being referenced in appConfig is an Administrator and I know
it's creds are valid.
I can invoke *change* password on *existing* users... that code still works
fine. It's SetPassword for brand new users that fails. I have verified the
passwords being returned from randomString() are valid passwords for AD's
current password policy.
Anyone have any idea on this?
