
Does DirectoryServices.AccountManagement.PrincipalContext work on a remote Win 2012 R2 Server?

This is my scenario and so far I have not found a way around it: The app runs on a Windows 2012 R2 server (svr1, a domain member), and needs to add a domain account to a local group on svr2, also a domain member.

Using ADSI hasn't worked for me so far (still trying). PSEXEC is not an option since clear-text credentials are sent over the network.

This is the line that works on remote Windows 2008 R2 servers, and does not on remote Windows 2012 R2 servers because the ConnectedServer property throws a 'System.UnauthorizedAccessException' but only when accessing a 2012 R2 server. Credentials are valid Domain Admin creds (works on 2008 R2 & I can log in to the dev server using them)

    using System.DirectoryServices.AccountManagement;
    // Explicit credentials: works against a remote 2008 R2, throws UnauthorizedAccessException against a remote 2012 R2
    using ( PrincipalContext adDestMachinePrincContext = new PrincipalContext( ContextType.Machine, "svr2", null,
                ContextOptions.Negotiate, "DomainName\\TheDomainAdminAccount", "LegitPassword" ) )
    {  ... etc etc etc ... }

What I've found so far is this:

  1. Credentials are valid because the same line works on a remote 2008 R2 server.
  2. Remote 2012 R2 is where my issue lies, and I have not tested against 2016 yet.
  3. When I login to the development server using the same Domain Admin credentials, it works when the current user's credentials are used. This line works, every time, when the current user is the same Domain Admin

    // No explicit credentials: the current user's (Domain Admin) token is used
    PrincipalContext x = new PrincipalContext( ContextType.Machine, "svr2" );

The goal (and at this point, I don't care how I get it done) is simple: Add a domain user account into a local group on a remote server, using .Net. PowerShell is not an option, though even a working snippet could . The remote box is anything from 2008, 2008 x86, 2008 R2, 2012, 2012 R2 or 2016.

  • It's not a credentials issue. Covered that above.
  • It's not a permissions issue. Covered that above also.
  • Running the executable "run as administrator" does not make a difference.

Has anyone been able to add a domain account into a local group on a remote 2012 R2 server? I haven't found anything close anywhere with a working example yet. If so, what worked for you?

I'm not sure that ADSI calls will work because AD requires LDAP, local access requires WinNT and they don't seem to overlap with being able to do what's needed.

I think that's everything I have... so far.

My next step might be a WCF service that runs under a domain admin account, but that has to be overkill for this.

So far, Matt Johnson's post did the trick and this is working:

StackOverflow solution by Matt Johnson (he deserves his props!)

  1. Add the Impersonation class
  2. Change the code above to use the new class and this works, regardless of the Windows server OS:

The code snippet in my original post sort of looks like this now (simplified):

    using ( new Impersonation( "TheDomain", "TheDomainAdminAccount", "ItsValidPassword" ) )
    {
        // No explicit credentials here: the impersonated token supplies them for the remote call
        using ( PrincipalContext adDestMachinePrincContext = new PrincipalContext( ContextType.Machine, "svr2" ) )
        {  ... etc etc etc ... }
    }

And it's working.
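The following is an added example, not the original poster's code and not Matt Johnson's answer: a self-contained Impersonation helper built on LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, wrapped around the group-membership change the question asks for. It targets .NET Framework 4.x (WindowsIdentity.Impersonate does not exist on .NET Core/5+, where WindowsIdentity.RunImpersonated is the replacement). The server name, domain, account names and the "Administrators" group are assumed placeholders; the helper and class names are this example's own.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the original post). LOGON32_LOGON_NEW_CREDENTIALS only swaps the
// credentials used for *outbound* network connections (the SMB/RPC session to svr2); the local
// token is unchanged and LogonUser does not validate the password up front, so a wrong
// password shows up later as an access-denied error on the remote call, not in the constructor.
public sealed class Impersonation : IDisposable
{
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private readonly WindowsImpersonationContext _context;
    private IntPtr _token;

    public Impersonation(string domain, string user, string password)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out _token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        _context = WindowsIdentity.Impersonate(_token);
    }

    public void Dispose()
    {
        // Undo first, then release the token: order matters so the thread never runs
        // with a handle that has already been closed.
        _context.Undo();
        if (_token != IntPtr.Zero)
        {
            CloseHandle(_token);
            _token = IntPtr.Zero;
        }
    }
}

public static class LocalGroupTool
{
    // Adds DOMAIN\domainUserSam to the named local group on remoteMachine, idempotently.
    // Both contexts live inside the impersonation scope so the DC lookup and the
    // remote SAM write use the same supplied credentials.
    public static void AddDomainUserToLocalGroup(string remoteMachine, string domain,
        string adminUser, string adminPassword, string localGroup, string domainUserSam)
    {
        using (new Impersonation(domain, adminUser, adminPassword))
        using (var machineCtx = new PrincipalContext(ContextType.Machine, remoteMachine))
        using (var domainCtx = new PrincipalContext(ContextType.Domain, domain))
        {
            GroupPrincipal group = GroupPrincipal.FindByIdentity(machineCtx, IdentityType.Name, localGroup);
            if (group == null)
                throw new InvalidOperationException("Local group not found on " + remoteMachine + ": " + localGroup);

            // Cross-store membership: resolve the member through the domain context rather than
            // through the machine context, which only knows local accounts.
            if (group.Members.Contains(domainCtx, IdentityType.SamAccountName, domainUserSam))
                return;

            group.Members.Add(domainCtx, IdentityType.SamAccountName, domainUserSam);
            group.Save();
        }
    }

    public static void Main()
    {
        // Placeholder values (assumed); in a real deployment read the password from a
        // protected store (DPAPI, a vault) rather than a literal.
        AddDomainUserToLocalGroup("svr2", "TheDomain", "TheDomainAdminAccount", "ItsValidPassword",
                                  "Administrators", "SomeDomainUser");
    }
}
```

Two practitioner notes on this shape: because the password is never checked until the first network round-trip, test the impersonation path with a deliberately wrong password once so you know what the failure looks like in your logs; and because Members.Add followed by Save() is what actually writes to the remote SAM, the account doing the impersonation needs membership in the remote box's Administrators group, which a Domain Admin has by default.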
