Working with Permission Attribute

Question

I'm probably just getting the concept wrong, but still i thought I should ask:

I'm trying to find the specific permissions needed to create a new local user group in Win2008. I went over the System.DirectoryServices.AccountManagement namespace and declared the permissions needed:

[SecurityPermissionAttribute(SecurityAction.Assert, Flags = SecurityPermissionFlag.UnmanagedCode)]
[DirectoryServicesPermissionAttribute(SecurityAction.InheritanceDemand, Unrestricted = true)]
[DirectoryServicesPermissionAttribute(SecurityAction.LinkDemand, Unrestricted = true)]

I expected to get an exception when one of these permissions will be denied (i.e. when entering the method). Instead I still get UnauthorizedAccessException when calling the principal Save method.

What am I missing here? I'm looking for an answer more in regards to using the permissions attributes, than a solution to this specific issue.

Thanks.

Answer 1

You are referring to security attributes here which are part of the Code access security in .Net. This will not address your issue.

You are receiving an Unauthorized access exception because the identity of your application (the user account who is running the process and/or currently impersonated) does not have access rights to call the .Save method which is trying to affect the domain.

You need a user account who has been given privileges to modify the active directory in the given domain/forest you are attempting to access in order to make your application work.

I'm sure you can understand that the ability to modify the active directory is considered a privileged operation.