AD Update email address using MembershipUser - Access denied

Question

I am trying to provision some users to update their email address in active directory (AD). I'm trying to achieve it using MembershipUser class. But getting 'general access denied error'. Here's my code:

        string userName = "sathish";

        System.Web.Security.MembershipUser userDetails = System.Web.Security.Membership.GetUser(userName);
        if (userDetails != null)
        {
            userDetails.Email = "sathish@xyzee.com";
            System.Web.Security.Membership.UpdateUser(userDetails);  // getting access denied error here
        }

My question is,

1. Do I need proper previleges to update email address to AD?

2. Do we have any attribute to verify my current access level?

3. Is it possible to impersonate privileges programmatically to update email address?

Answer 1

If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

Managing Directory Security Principals in the .NET Framework 3.5

Basically, you can define a domain context and easily find users and/or groups in AD:

// set up domain context for your current, default domain
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find user by name
string userName = "sathish";
UserPrincipal user = UserPrincipal.FindByIdentity(userName );

// if user is found - update it's e-mail address and save
if(user != null)
{
   user.EmailAddress = "sathish@xyzee.com";
   user.Save();
}

The new S.DS.AM makes it really easy to play around with users and groups in AD: