c#, active-directory, ldap, directoryservices

Unwilling server: Can't unlock AD account in code


When I try to unlock an AD account using my own C# program, I get the following error:

System.DirectoryServices.DirectoryServicesCOMException (0x80072035): The server is unwilling to process the request.

This is the code I use to unlock the account:

using System.DirectoryServices;

// "ldap" is an instance of my own class for accessing an LDAP server
using (DirectoryEntry entry = ldap.GetEntry(objectGuid))
{
    // write lockoutTime = 0 into the ADSI property cache
    entry.InvokeSet("lockouttime", 0);

    // I also tried clearing the attribute instead:
    entry.Properties["lockouttime"].Clear();

    // send the pending modification to the domain controller
    entry.CommitChanges();
}

I use this software in multiple domains and only get this error in one of them and I can't figure out what the difference is. When I use dsa.msc to unlock the account, everything works fine.

The error also happens with different user objects, but both versions (Clear and InvokeSet) work in other environments. Can anyone give me a hint?

P.S.: I use domain admin credentials to access the LDAP server.


Solution

  • I managed to fix this problem using the classes in System.DirectoryServices.AccountManagement:

    using System.DirectoryServices.AccountManagement;

    // bind to the domain controller over LDAPS with explicit credentials
    using (var ctx = new PrincipalContext(
        ContextType.Domain,
        host,
        rootDn,
        ContextOptions.ServerBind | ContextOptions.Negotiate | ContextOptions.SecureSocketLayer,
        username,
        password))
    // look the user up by objectGUID
    using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Guid, objectGuid.ToString()))
    {
        if (user != null)
        {
            user.UnlockAccount();
        }
        else
        {
            // user not found
        }
    }


    But I still don't know what the UnlockAccount method does beyond setting lockoutTime to zero (or clearing it).
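To see for yourself what UnlockAccount changes, the following added example (not code from the question or the answer) reads the raw lockoutTime attribute and the IsAccountLockedOut state before and after the call, using the same PrincipalContext as the answer. It assumes host, rootDn, username and password are supplied by the caller, and that ADSI returns lockoutTime as an IADsLargeInteger COM object exposing HighPart/LowPart, which is reassembled via reflection.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Reflection;

static class LockoutInspector
{
    // lockoutTime is an LDAP large integer; ADSI hands it back as an IADsLargeInteger
    // COM object with HighPart/LowPart (assumption), so it is reassembled here via reflection.
    // Returns null when the attribute is not present on the object.
    static long? ReadLockoutTime(DirectoryEntry entry)
    {
        entry.RefreshCache(new[] { "lockoutTime" });   // re-read from the DC, not the local cache
        object li = entry.Properties["lockoutTime"].Value;
        if (li == null) return null;
        Type t = li.GetType();
        int high = (int)t.InvokeMember("HighPart", BindingFlags.GetProperty, null, li, null);
        int low  = (int)t.InvokeMember("LowPart",  BindingFlags.GetProperty, null, li, null);
        return ((long)high << 32) | (uint)low;
    }

    // Unlocks the account and reports lockout state and raw attribute value before and after,
    // so the effect of UnlockAccount on lockoutTime becomes visible.
    public static string UnlockAndReport(PrincipalContext ctx, Guid objectGuid)
    {
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Guid, objectGuid.ToString()))
        {
            if (user == null) return "user not found";

            // the DirectoryEntry is owned by the principal; do not dispose it separately
            var entry = (DirectoryEntry)user.GetUnderlyingObject();
            bool lockedBefore = user.IsAccountLockedOut();
            long? timeBefore  = ReadLockoutTime(entry);
            if (!lockedBefore)
                return $"not locked (lockoutTime={timeBefore?.ToString() ?? "<unset>"})";

            try
            {
                user.UnlockAccount();
            }
            catch (PrincipalOperationException ex)
            {
                // this is where "The server is unwilling to process the request" would surface
                return $"unlock failed: {ex.Message}";
            }

            bool lockedAfter = user.IsAccountLockedOut();
            long? timeAfter  = ReadLockoutTime(entry);
            return $"locked={lockedBefore}->{lockedAfter}, " +
                   $"lockoutTime={timeBefore}->{timeAfter?.ToString() ?? "<unset>"}";
        }
    }
}
```

Call LockoutInspector.UnlockAndReport(ctx, objectGuid) with the ctx from the answer; the returned string shows whether the attribute ended up as 0 or was removed entirely.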