Description
Hi team,
I’m running a .NET application under a dedicated service account, and the account has been granted the following Active Directory replication permissions at the domain root:
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes In Filtered Set
However, when the application initializes the replication client, it fails immediately at the constructor level with the following exception:
System.UnauthorizedAccessException: Access is denied
---> System.ComponentModel.Win32Exception: Access is denied
--- End of inner exception stack trace ---
at DSInternals.Common.Validator.AssertSuccess(Win32ErrorCode code)
at DSInternals.Replication.Interop.DrsConnection.Bind(IntPtr rpcHandle)
at DSInternals.Replication.Interop.DrsConnection..ctor(IntPtr rpcHandle, Guid clientDsa)
at DSInternals.Replication.DirectoryReplicationClient..ctor(String server, RpcProtocol protocol, NetworkCredential credential)
This happens during:
var credential = new NetworkCredential(username, password);
using (var client = new DirectoryReplicationClient(server, RpcProtocol.TCP, credential))
{
    // Fails here
}
Observations from our environment:
- LDAP bind using the same credentials succeeds.
- RPC connectivity to the domain controller is reachable.
- The service account is not a member of privileged groups like Domain Admins.
- Required replication permissions are present and verified via ACLs.
- The failure occurs during DRS bind (constructor), not during a replication call.
Could you please advise what additional checks or configuration might cause the DRS bind to be rejected at this stage despite the replication permissions being granted?
Any guidance would be greatly appreciated.
Thank you.
Regards,
Lakshman M
Steps to Reproduce
Unable to reproduce on my end, but it always happens in the customer's environment.
Expected Behavior
Application should work and return the NTLM hash for a user passed or requested.
Actual Behavior
Getting an exception at the constructor level
Stack Trace
2026-02-10 10:49:39.895 -05:00 [ERR] ***EXCEPTION***
System.UnauthorizedAccessException: Access is denied ---> System.ComponentModel.Win32Exception: Access is denied
--- End of inner exception stack trace ---
at DSInternals.Common.Validator.AssertSuccess(Win32ErrorCode code)
at DSInternals.Replication.Interop.DrsConnection.Bind(IntPtr rpcHandle)
at DSInternals.Replication.Interop.DrsConnection..ctor(IntPtr rpcHandle, Guid clientDsa)
at DSInternals.Replication.DirectoryReplicationClient..ctor(String server, RpcProtocol protocol, NetworkCredential credential)
at SureMDMAdService.Services.AdService.<FullSync>d__111.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at SureMDMAdService.Services.AdService.<HandleSyncUsers>d__110.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
DSInternals Module Version
6.3
PowerShell Version
5.1.17763.2931
Operating System
Microsoft Windows Server 2019 Standard
Target Domain Controller Version
No response
Processor Architecture
x64
Checklist
- I have searched the existing issues to make sure this bug has not already been reported.
- I have tested with the latest version of the DSInternals PowerShell module.
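
One way to re-check the "verified via ACLs" observation from the report, as an added example that is not part of the original issue or of DSInternals: it parses a security descriptor in SDDL form and reports which of the three replication extended rights are allowed for one SID. The function name, the sample SDDL and the SID are constructed for illustration; only ACEs naming the SID directly are matched (group membership is not resolved) and deny ACEs are not evaluated.

```powershell
# Added example (not from the issue). Control-access right GUIDs for the three
# permissions listed in the report.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
$ControlAccess = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL

# Hypothetical helper: returns one row per replication right with a Granted flag.
function Get-ReplicationRightGrant {
    param([string]$Sddl, [string]$Sid)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $granted = @{}
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
        if (($ace.AccessMask -band $ControlAccess) -eq 0) { continue }
        # An allow ACE with CR and no object type covers every extended right.
        $hasType = ($ace -is [System.Security.AccessControl.ObjectAce]) -and
            ($ace.ObjectAceFlags -band
             [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent)
        foreach ($guid in $ReplicationRights.Keys) {
            if (-not $hasType -or $ace.ObjectAceType -eq [guid]$guid) {
                $granted[$guid] = $true
            }
        }
    }
    foreach ($guid in $ReplicationRights.Keys) {
        [pscustomobject]@{
            Right   = $ReplicationRights[$guid]
            Granted = $granted.ContainsKey($guid)
        }
    }
}

# Constructed sample: a domain-root DACL that grants two of the three rights.
# On a domain-joined host with the ActiveDirectory module, the real string can
# be read with (Get-Acl "AD:\<domain DN>").Sddl  (placeholder DN).
$sampleSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sampleSddl = 'O:BAG:BAD:' +
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;$sampleSid)" +
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;$sampleSid)" +
    '(A;;RP;;;AU)'

Get-ReplicationRightGrant -Sddl $sampleSddl -Sid $sampleSid | Sort-Object Right
```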