CODEWITHSUNDEEP
c#active-directorywindows-servicesdirectoryservicesdomaincontroller
Josh
Josh

Reputation: 309

C# Remove AD Computer Account Running on Windows Service

I want to write a function in a windows service application to remove a given computer name from Active Directory.

The Windows service is running on a machine which is domain-joined to the DC. Currently I have logged in to this machine with domain admin account.

The Windows service is running under the security context of "NT AUTHORITY/SYSTEM" and this should not be changed, as there shouldn't be any user interaction after installing the application, meaning that admin shouldn't enter their credentials in services.

When I run the application with my newly added code to delete the computer account, it doesn't work. However, when I change the logon info on the Windows Service and update that with domain admin credentials, it's able to successfully remove the computer account from AD.

Below is [a shortened version of] the function used to delete computer accounts.

Is there any way I can modify the code to be able to remove Computer Accounts using the same security context (NT AUTHORITY/SYSTEM)?

private void DeleteComputerAccount(string CompName, DirectoryEntry DirEntry)
{
    try
    {
        //Delete computer account
        DirectorySearcher search = new DirectorySearcher(DirEntry, "(name=" + CompName + ")");
        SearchResult res = search.FindOne();
        res.GetDirectoryEntry().DeleteTree();
    }
    catch (Exception)
    {
        Throw();
    }
}

Where DeleteComputerAccount is called:

DirectoryEntry dirEntry = new DirectoryEntry("LDAP://domain.contoso.com");

string compName = "MyWorkstation01";
DeleteComputerAccount(compName, dirEntry);

Upvotes: 0

Views: 661

Answers (1)

Brian Desmond
Brian Desmond

Reputation: 4503

When a service runs as local system, it will access the network (and thus AD) in the security context of the host's computer account. You can delegate the computer account (or better, a group which the computer is a member of) the ability to delete objects from AD. This link has accurate advice on how to complete that task - http://sigkillit.com/2013/06/12/delegate-adddelete-computer-objects-in-ad/

While not what you asked, a couple other things stand out to me:

  1. You're not filtering your search very well. You might get something other than what you want back. I'd suggest a filter like this instead: (&(objectClass=computer)(sAMAccountName=<PCName>$))

  2. Local system is a lot of access. Could you run this as network service instead?

Upvotes: 1

Related Questions