System.DirectoryServices.DirectorySynchronization returns access denied with non-admin users

Hi all,

You may get an Access Denied error (COMException 0x80070005) when using System.DirectoryServices.DirectorySynchronization in your .NET application under a non-admin user, while the same code works fine when run as a domain administrator.

This issue will happen if we use DirectorySynchronization this way (the default constructor requests a full DirSync, which needs replication rights):

 DirectorySearcher directorySearcher = new DirectorySearcher(rootPath);
 // No options: the server requires the "Replicating Directory Changes" right
 directorySearcher.DirectorySynchronization = new DirectorySynchronization();

If we want to run this code as it is, we need to pass administrative credentials. If we are using standard user credentials, we need to pass the right flag saying that this is a normal user who does not have all the rights over Active Directory.

To understand this in detail, please see this article, which describes the flags we can pass to the DirectorySynchronization constructor:

DirectorySynchronizationOptions Enumeration

"ObjectSecurity: If this flag is not present, the caller must have the right to replicate changes. If this flag is present, the caller requires no rights, but is allowed to see only objects and attributes that are accessible to the caller."

So modify your code to use DirectorySynchronization in this way (the flag lives in the DirectorySynchronizationOptions enumeration, not in the DirectorySynchronization class):

 // ObjectSecurity: no replication right needed, results are trimmed to what the caller can read
 directorySearcher.DirectorySynchronization = new DirectorySynchronization(DirectorySynchronizationOptions.ObjectSecurity);

The code should not fail with an Access Denied error anymore. A standard user will now receive only the objects and attributes she already has permission to read, which is exactly the least-privilege behaviour you want from a non-admin service account.
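Here is a complete DirSync polling program built around that flag, added as an example that is not the original post's code. The LDAP path, the filter and the cookie file name are assumptions; it persists the DirSync cookie between runs so a standard user gets only the changes since the last poll, and it identifies the 0x80070005 failure explicitly instead of swallowing it.

```csharp
// Added example (not from the original post). Assumed values: RootPath, CookieFile.
using System;
using System.DirectoryServices;
using System.IO;
using System.Runtime.InteropServices;

class DirSyncPoll
{
    const string RootPath   = "LDAP://DC=contoso,DC=com"; // assumed domain
    const string CookieFile = "dirsync.cookie";           // assumed local file
    const int    E_ACCESSDENIED = unchecked((int)0x80070005);

    static void Main()
    {
        using (var root = new DirectoryEntry(RootPath))
        using (var searcher = new DirectorySearcher(root, "(objectClass=user)",
                   new[] { "distinguishedName", "userAccountControl" }))
        {
            // Resume from the last cookie if we have one; otherwise start a fresh sync.
            byte[] cookie = File.Exists(CookieFile) ? File.ReadAllBytes(CookieFile) : null;

            // ObjectSecurity: the caller needs no replication right; the DC only
            // returns objects and attributes this caller is already allowed to read.
            searcher.DirectorySynchronization = cookie == null
                ? new DirectorySynchronization(DirectorySynchronizationOptions.ObjectSecurity)
                : new DirectorySynchronization(DirectorySynchronizationOptions.ObjectSecurity, cookie);

            try
            {
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult r in results)
                        Console.WriteLine(r.Path);
                }
                // The cookie is updated once the results have been enumerated;
                // store it so the next run only receives changes made after this point.
                File.WriteAllBytes(CookieFile,
                    searcher.DirectorySynchronization.GetDirectorySynchronizationCookie());
            }
            catch (COMException ex) when (ex.ErrorCode == E_ACCESSDENIED)
            {
                // This is the symptom described above: DirSync without ObjectSecurity
                // run by an account lacking the "Replicating Directory Changes" right.
                Console.Error.WriteLine("Access denied (0x80070005): the account has no " +
                    "replication right; keep DirectorySynchronizationOptions.ObjectSecurity set.");
            }
        }
    }
}
```

Guard the cookie file as you would any other credential-adjacent state: it is opaque to the caller but identifies the sync position, so keep it out of world-readable locations.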


I hope this helps.

Regards,


Alex (Alejandro Campos Magencio)