Access Denied when changing password in AD programmatically

Question

We have setup a small library (DLL) that we use to update passwords in AD. When testing this application in our test application, it works totally fine. But as soon as we start using the library in another application we get an Access Denied error when trying to change a password.

When we call any another function, like the one that does a simple lookup to see whether a user exists, everything works just fine.

    PrincipalContext ctx = new PrincipalContext(ContextType.Domain, TargetDomainServer, TargetDomainContainer, TargetDomainUser, TargetDomainPassword);
    UserPrincipalExt user = UserPrincipalExt.FindByIdentity(ctx, userLogonName);
    user.SetPassword(userPassword);

Any ideas on what i'm doing wrong?

Answer 1

Your test application might be running as an administrator. Either because it's running from your IDE or because it has a manifest with requestedExecutionLevel.

On Windows Vista and 7, running the application while logged in as a normal user doesn't mean the process isn't running as administrator. There are automatic elevations for executables marked with requestedExecutionLevel. Try running your test application as administrator by right clicking it and choosing that.

There are also automatic elevations without any deliberate executable marking. Windows has an internal list for known installers. It actually recognizes some of them by version information and binary signatures and tries to run them as administrator so the installation will actually succeed. IIRC, another identification method is the filename. Executables named setup.exe are also elevated (as long as requestedExecutionLevel doesn't override it).