Service running as Network Service/Local System: failed to add entry to Active Directory container (DirectoryOperationException: insufficient access rights)

I have two Windows services (one runs as Network Service and the other runs as Local System). The system on which these services are running is part of a domain. These services use Active Directory as a central store, and the idea is to be able to add/remove/read entries from this store.

We are simply using System.DirectoryServices.Protocols.LdapConnection.BeginSendRequest(DirectoryRequest request .... http://msdn.microsoft.com/en-us/library/system.directoryservices.protocols.ldapconnection.beginsendrequest(v=vs.110).aspx ) and passing AddRequest as input to add entries to the Active Directory.

However, the operation is failing with System.DirectoryServices.Protocols.DirectoryOperationException with the message "The user has insufficient access rights" (same error for both Network Service as well as the computer/Local System account). But I did add the computer account to the store in Active Directory and granted full permissions on the store. I am not sure what I am missing?

Is it not possible to add/remove entries in Active Directory even though the computer account has been granted full permissions? (I thought Local System/Network Service simply pass the computer credentials over the network - I have taken a quick peek at the following links for reference: The difference between the 'Local System' account and the 'Network Service' account? or http://technet.microsoft.com/en-us/library/bb680595.aspx)

Btw, please note that as long as I run the service with one of the domain user accounts the operations are passing. And search (read operations) are passing for all the accounts.

Any suggestions are appreciated :)

Best regards!

Recommended answer

You might be mistaking an authentication problem for an authorization problem. Granted, when nothing works, it's hard to tell them apart.

The rights you set in AD are probably OK, but you never get there. In the security event log of the computer that hosts the Active Directory, there is probably an access denied for a network logon of server_a. On the Active Directory server, give the computer account (SERVER_A) the privilege "Access this computer from the network".

It will solve the authentication part, letting the process acquire an access token that will be used by Active Directory to perform authorization.

If you are in a low volume lab, you can also try to enable Active Directory Diagnostic Logging, with the Security Events registry entry.
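
One way to tell the two failure modes apart from the client side, as an added example that is not code from the original post: it binds explicitly, asks the directory which identity it authenticated, then attempts the add. It uses the synchronous SendRequest rather than the post's BeginSendRequest, and the server name, entry DN and object class are placeholder assumptions.

```csharp
// Added example: the constants below are placeholders, not values from the post.
using System;
using System.DirectoryServices.Protocols;
using System.Security.Principal;
using System.Text;

static class LdapAddDiagnostics
{
    const string Server = "dc01.example.test";                       // placeholder DC
    const string EntryDn = "CN=entry1,CN=Store,DC=example,DC=test";  // placeholder DN
    const string WhoAmIOid = "1.3.6.1.4.1.4203.1.11.3";              // LDAP "Who am I?" (RFC 4532)

    static int Main()
    {
        // Under Network Service / Local System this is the local service account name.
        Console.WriteLine("Local identity: " + WindowsIdentity.GetCurrent().Name);

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(Server, 389)))
        {
            conn.AuthType = AuthType.Negotiate;   // Kerberos/NTLM with the process identity
            conn.SessionOptions.ProtocolVersion = 3;
            try
            {
                conn.Bind();                      // authentication step
            }
            catch (LdapException ex)
            {
                Console.WriteLine("Bind failed (authentication), LDAP error " + ex.ErrorCode + ": " + ex.Message);
                return 1;
            }

            // Ask the DC which identity it associated with this connection.
            // An empty value means the connection is not bound to any account.
            var who = (ExtendedResponse)conn.SendRequest(new ExtendedRequest(WhoAmIOid));
            Console.WriteLine("Directory sees: " + Encoding.UTF8.GetString(who.ResponseValue ?? new byte[0]));

            try
            {
                conn.SendRequest(new AddRequest(EntryDn, "container"));   // authorization step
                Console.WriteLine("Add succeeded.");
                return 0;
            }
            catch (DirectoryOperationException ex)
            {
                bool denied = ex.Response != null && ex.Response.ResultCode == ResultCode.InsufficientAccessRights;
                Console.WriteLine(denied ? "Bind worked, but the bound identity lacks rights on the target." : "Add failed: " + ex.Message);
                return 2;
            }
        }
    }
}
```

Run it under the same service account as the failing service, and compare the "Directory sees" value with the account that was granted permissions on the store.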
