Deathmic

Reputation: 23

Trying to impersonate another user to update Active Directory

I have an application in C# where I'm trying to update the AD by impersonating another user.

I'm reading the AD in order to let users update noncritical fields like phone numbers of any AD account. In order to do that, we created a new user with permissions to update any AD entry. I verified the user's permissions by logging into my machine as him and starting the program as him, and I could update any user's entry.

I'm using Uwe Keim's Impersonator class and impersonation seems to occur successfully, i.e. no exceptions.

However, tests have shown that I'm actually still using my own logged in user to update the AD, despite the impersonation. I can update my own AD entry just fine, but neither the impersonated user's nor any other AD entry. So it seems that there's no impersonation happening at all?

I tried to verify that the Impersonator was actually trying to do anything by using wrong credentials, and received appropriate error messages in return. So the user credentials are correct and are actually checked against the AD.

Here's my relevant code, with irrelevant or sensitive parts blacked out as [...]:

private void SaveToAD()
{
    try
    {
        [...]
        using (new Impersonator(@"<user>", @"<domain>", @"<password>"))
        {
            foreach ([...])
            {
                DirectoryEntry entry = [...];

                entry.Properties[...].Value = [...];
                entry.CommitChanges();
            }
        }
        [...]
    }
    catch (UnauthorizedAccessException ex)
    {
        // Handling
    }
    catch (Win32Exception ex)
    {
        // Handling
    }
    finally
    {
        Cursor = Cursors.Arrow;
    }
}

Can anyone tell me what's going wrong or point me in a direction?

Upvotes: 0

Views: 2020

Answers (1)

CaptDialup

Reputation: 46

Why not just use the DirectoryEntry constructor to establish your ADSI connection as the user you want to impersonate (assuming you have their credentials)?

e.g.

// Bind as the service account directly; no thread-level impersonation needed.
// "l" is the locality attribute; any attribute the account may write works the same way.
using (var dirRoot = new DirectoryEntry("LDAP://cn=user object, dc=domain, dc=com", @"<domain>\<user>", "<password>"))
{
    dirRoot.Properties["l"].Value = "yada";
    dirRoot.CommitChanges();
}

Upvotes: 2
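The following is an added example, not code from the question or the answer, that shows both routes side by side: the question's impersonation approach, done with a direct LogonUser call instead of Uwe Keim's Impersonator class and with a check that the thread really runs as the service account before the DirectoryEntry is created, and the answer's approach of passing the service account's credentials to the DirectoryEntry constructor. The account name svc-phoneupdate, the domain EXAMPLE, the distinguished name and the environment variable holding the password are all placeholders; the chosen logon type (interactive) requires the service account to hold the "Allow log on locally" right on the machine running the program.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: write a phone number to an AD object as a dedicated service
// account. Names, DNs and the password source are placeholders (assumptions).
static class AdPhoneUpdater
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_INTERACTIVE = 2;   // account needs "Allow log on locally"
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Route A (impersonation): log the service account on, impersonate, and verify
    // the effective identity BEFORE touching ADSI. A DirectoryEntry binds lazily on
    // first use of Properties/CommitChanges, so it must be created and committed
    // inside the impersonated scope; an entry bound earlier keeps the context it
    // bound with, which is what makes "still my own user" failures look mysterious.
    public static string UpdatePhoneImpersonated(string userDn, string phone,
        string svcUser, string svcDomain, string svcPassword)
    {
        IntPtr token;
        if (!LogonUser(svcUser, svcDomain, svcPassword,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // bad creds, missing logon right, ...

        try
        {
            using (WindowsIdentity.Impersonate(token))
            {
                string effective = WindowsIdentity.GetCurrent().Name;
                string expected = svcDomain + "\\" + svcUser;
                if (!effective.Equals(expected, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidOperationException(
                        "Impersonation not in effect on this thread; running as " + effective);

                // null user/password: bind with the (now impersonated) thread context.
                using (var entry = new DirectoryEntry("LDAP://" + userDn, null, null,
                           AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
                {
                    entry.Properties["telephoneNumber"].Value = phone;
                    entry.CommitChanges();
                }
                return effective;
            }
        }
        finally
        {
            CloseHandle(token); // never leak a logon token
        }
    }

    // Route B (the answer's approach): no thread impersonation; hand the service
    // account's credentials to ADSI for this bind only. Secure|Sealing negotiates
    // Kerberos/NTLM and encrypts the session so the password is not sent in clear.
    public static void UpdatePhoneWithCredentials(string userDn, string phone,
        string svcUser, string svcDomain, string svcPassword)
    {
        using (var entry = new DirectoryEntry("LDAP://" + userDn,
                   svcDomain + "\\" + svcUser, svcPassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            try
            {
                entry.Properties["telephoneNumber"].Value = phone;
                entry.CommitChanges();
            }
            catch (DirectoryServicesCOMException ex)
            {
                // An access-denied result here means the service account lacks write
                // permission on this attribute: fix the delegation, not the bind code.
                throw new UnauthorizedAccessException(
                    "AD write failed: " + ex.Message + " / " + ex.ExtendedErrorMessage, ex);
            }
        }
    }

    static void Main()
    {
        // Constructed inputs. The password is read from the environment here only
        // for illustration; in a deployed client it belongs in a protected store,
        // never in a string literal compiled into the binary.
        const string dn = "CN=Jane Doe,OU=Users,DC=example,DC=com";
        const string svcUser = "svc-phoneupdate", svcDomain = "EXAMPLE";
        string svcPassword = Environment.GetEnvironmentVariable("SVC_PHONEUPDATE_PW");

        UpdatePhoneWithCredentials(dn, "+1 555 0100", svcUser, svcDomain, svcPassword);
        Console.WriteLine("updated as " +
            UpdatePhoneImpersonated(dn, "+1 555 0100", svcUser, svcDomain, svcPassword));
    }
}
```

Two practitioner caveats apply to either route. First, least privilege: an account that can "update any AD entry" is far more than a phone-number editor needs; delegate write access on telephoneNumber (and mobile, if used) for the relevant OU only, so a bug or a leaked credential cannot rewrite group memberships or logon scripts. Second, both routes put a domain credential inside a client application that every user runs, which means every user can recover it; the safer shape is a small middle-tier service that holds the credential and exposes only "set my phone number", with the client authenticating to it as the end user.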
