Frequently Asked Questions

Q. The component lists all users and groups just fine, but when I try to add a user or change membership information, I get an "Access Denied" message. Why?

A. The component runs in the security context of IUSR_xxx if Anonymous access is allowed for this directory, or that of the logged-in user otherwise. Adding users, changing membership info etc. requires administrative privileges. If the current user lacks these privileges, Windows NT will disallow the operation and the Access Denied exception will be thrown by the component.


Q. Whenever I try to user AU.LogonUser, I get the message "The required privilege is not held by the client."; What should I do to avoid it?


Windows NT/IIS4

Most probably, your virtual directory has the "Run in separate memory space" option checked. This causes Windows NT to disallow calling LogonUser unless the user has the privilege "Act as Part of Operating System". You have two options: disable "Run in separate memory space" for this virtual directory, or grant this privilege to all the users of your application (go to User Manager, select Policies/User Rights, check "Show Advanced User Rights", select "Act as Part of Operating System", add desired users).
Windows 2000/IIS5

Run Internet Services Manager. Right-click your virtual directory and select "Properties". On the "Virtual Directory" tab, set the "Application Protection" option to Low. If the option is disabled, click on the "Create" button first.

Q. Why is the line Set AU = Server.CreateObject("Persits.AspUser") generating the error

Server object error 'ASP 0177 : 8002801d'
Server.CreateObject Failed
Library not registered.

A. This error usually occurs because of tight security settings in the HKEY_CLASSES_ROOT section of the registry. To fix the error, run regedt32 and select the key


From the Security menu, select Permissions. Add Everyone to the permission list and assign Full Control to the Everyone account. Make sure the setting propagates to the sub-keys as well.

Q. I want to use Basic Authentication on a certain directory, but I don't want my users to see the pop-up logon dialog box. Can I use LogonUser to impersonate a user and avoid the dialog box?

A. No. If you use Basic Authentication, the logon dialog box will pop up whether you call AU.LogonUser or not. But you can use LogonUser to validate a username/password against a Windows NT account database, like this:

On Error Resume Next
AU.LogonUser Session("Domain"), _
   Session("UserID"), Session("PWD")

If Err <> 0 Then
     Response.Redirect "AccessDenied.html"
End If

In this example, Domain, Username and Password are collected from an "open" HTML form and validated against an NT account database.

Q. My NT server has several hundred user accounts. When I say

Set User = AU.Users("username")

it takes quite some time to retrieve a single account. Is there a way to speed up this process?

A. Yes. When you use collection objects such as Users or Groups, the component loads all users into memory, which may take some time for a large number of user accounts. To retrieve a single domain or local user account, you may instead choose to call AU.GetUser("username") and AU.GetUser("username", False),  respectively.

Q. I'd like to be able to manage dial-in permissions. Can AspUser help me do that?

A. The component's User object has properties and methods to get and set dial-in permissions. See the User object for more information.

Q. I'd like to be able to handle multiple domains with AspUser, but it always seems to retrieve user and group accounts from the local domain controller. Setting AU.Server to another domain controller does not seem to help.

A. You can specify a domain other than the one AspUser is installed on. Simply say

AU.Domain = "MyDomainName"

Q. What is the easiest way to check if a certain user belongs to a certain group?

A. The following code checks if the local user jsmith belongs to the local group "my group".

Set gr = AU.LocalGroups("my group")
If Not gr.LocalUsers("jsmith") Is Nothing Then
' do something
End If