When I publish my application to my web server, in IIS Manager I give the application pool that I'm using an identity of Network Service.
In my application, I am giving functionality to remove/add users from a specific Active Directory group. Here is the code:
    using System;
    using System.DirectoryServices.AccountManagement;

    public static void RemoveUserFromGroup(string userId, string groupName)
    {
        try
        {
            // Binds to the domain as the process identity, i.e. the app pool account
            // (NT AUTHORITY\NETWORK SERVICE on the server).
            using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "myDomain"))
            {
                GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupName);
                if (group == null)
                    throw new InvalidOperationException("Group not found: " + groupName);

                // Removes the member identified by UPN; Save() is the write that needs
                // permission on the group's member attribute in AD.
                group.Members.Remove(pc, IdentityType.UserPrincipalName, userId);
                group.Save();
            }
        }
        catch (Exception)
        {
            // "throw;" rethrows without resetting the stack trace ("throw E;" loses it).
            throw;
        }
    }
This works when I test locally because my account has admin privileges when dealing with AD. So just to check, on page load I am logging the Windows user name by doing this:
var thread = '@System.Security.Principal.WindowsIdentity.GetCurrent().Name';
console.log(thread);
That leads to NT AUTHORITY\NETWORK SERVICE. But when I try to remove a user from the AD group, I get:
Access is denied
How do I give Network Service access to do this? Or is there an alternate way to do this?
"NT AUTHORITY\Network Service" is a built-in machine-level Windows account which is used by a wide variety of processes, not just IIS (load the Services control panel (Start > Run > "services.msc") and take a look at the "Log On As" column; you'll see several Windows components running under this identity). Because of this, you shouldn't change the permissions and rights of the account - you may not be able to do so!
What you can do is create a domain user with the appropriate rights and configure the application pool to run with that identity. Alternatively, it looks like one of the constructors for PrincipalContext allows for a username and password to be specified, although this would mean you'd need to store the username and password somewhere yourself.
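The constructor-based alternative from the answer, written out as an added example (not the asker's or the answerer's code): it assumes a dedicated, least-privilege domain service account exists and that its credentials are read from two configuration keys, `AdServiceUser` and `AdServicePassword`, which are hypothetical names.

```csharp
// Added example: bind to AD with explicit credentials of a delegated service account
// instead of the IIS worker process identity (NT AUTHORITY\NETWORK SERVICE has no
// rights in the domain). The config keys below are hypothetical placeholders.
using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;

public static class AdGroupManager
{
    public static void RemoveUserFromGroup(string userPrincipalName, string groupName)
    {
        // Service account credentials come from configuration, never from source code.
        string svcUser = ConfigurationManager.AppSettings["AdServiceUser"];         // hypothetical key
        string svcPassword = ConfigurationManager.AppSettings["AdServicePassword"]; // hypothetical key

        // Overload: PrincipalContext(ContextType, name, userName, password)
        using (var pc = new PrincipalContext(ContextType.Domain, "myDomain", svcUser, svcPassword))
        {
            GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, IdentityType.Name, groupName);
            if (group == null)
                throw new InvalidOperationException("Group not found: " + groupName);

            UserPrincipal user = UserPrincipal.FindByIdentity(pc, IdentityType.UserPrincipalName, userPrincipalName);
            if (user == null)
                throw new InvalidOperationException("User not found: " + userPrincipalName);

            // Only write when membership actually changes; avoids a needless directory
            // write (and a misleading error) when the state is already correct.
            if (group.Members.Contains(user))
            {
                group.Members.Remove(user);
                group.Save(); // needs "Write Members" on this one group for svcUser, nothing more
            }
        }
    }
}
```

Running the application pool as that domain account (the answer's first option) needs no stored secret and is preferable; if the credential route is used, keep the values out of source control and protect the configuration section, for example with `aspnet_regiis -pe "appSettings"`.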