3 April 2008 15:55
I am trying to write a custom workflow assembly that Validates/Creates/Disables/Enables a domain user in Active Directory.
I had success with the read operations I did on AD, but the write operations like disabling/creating a domain user always throw "General access denied error". This is what I tried:
1. Added the NETWORK SERVICE\NT AUTHORITY to Administrators group / no luck.
2. Changed the CrmAsyncService Logon user to Administrator / It worked.
But that is not desirable; I can't run the CrmAsyncService with Administrator user. What I need here is a secure way to allow my custom workflow activity to perform limited read/write operations on the AD. What options do I have here?
3 April 2008 16:11 Moderator
Rather than adding NT AUTHORITY\Network Service user account to a group, try adding the computer account of the machine running the CrmAsyncService instead. I think you'll need to restart the server for the change to take effect.
4 April 2008 5:16
Do you mean the SYSTEM account of the machine running the CrmAsyncService, or a user account? I can't use a user account. Do I need to add it to the Domain Admins group?
4 April 2008 8:40 Moderator
No, I mean the computer account. In AD there are user accounts and computer accounts (among others), both of which can be added to groups. The computer account name should be the same as the machine name.
4 April 2008 15:45
It worked!
I added the machine user IUSR_MyMachineName to the Domain Admins group and executed my workflow, and it works like a charm. I hope this is a secure way to perform privileged operations from workflow activities.
Thanks for helping me out with this.