{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 ▲ chillily 的问题《C# accessing active directory with different user》','https://www.manongdao.com/q-350985.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
There is a new user creation application that we have just provided our users. However these users need the ability to creation users through the application even though they themselves do not have permission to create users.
In C# how do you impersonate another user in order to have this functionality. This application primary using System.DirectoryServices.
Code snippet:
DirectoryEntry dEntry = new DirectoryEntry("LDAP://OU=");
DirectorySearcher dSearcher = new DirectorySearcher(dEntry);
//filter just user objects
dSearcher.SearchScope = SearchScope.Subtree;
dSearcher.Filter = "(&(objectClass=user)(mail=" + excel_Holding_Table.Rows[i]["EmailAddress"].ToString() + "))";
dSearcher.PageSize = 1000;
sResults = dSearcher.FindAll();
Use the
DirectoryEntryconstructor that takes username, password and authenticationType parameters.As an aside, the
DirectoryEntryDirectorySearcherandSearchResultCollectiontypes areIDisposable- you need to dispose them, probably withusingstatements.You can use privileged credentials to connect to AD or to impersonate a privileged user as other answers have suggested.
But this has security implications, since it means your users would be able to use these privileged credentials for other, non-authorized, purposes.
A more secure solution would be to create a web service that runs under a service account with appropriate AD permissions. Users can authenticate to the web service using Windows authentication, and the web service would create users on their behalf. It could use authorization to restrict what users are allowed to do (e.g. only create users in their own department).
Use the DirectoryEntry Constructor (String, String, String, AuthenticationTypes) that takes a username and password instead of impersonation.
Reference
You can use the
DirectoryEntryclass directly and specify the username and password:And access Active Directory from the de object. Or you can use the
WindowsIdentityclass and and impersonate a User:A full code sample is available at:
Impersonation and DirectoryEntry