System.DirectoryServices.AccountManagement functions fail to probe some machines (but not others)

Both the working and failing targets are machines in the same domain. Code is down below. When I use it against some machines in my domain, I get a System.DirectoryServices.AccountManagement.PrincipalOperationException with a message: "While trying to retrieve the authorization groups, an开发者_JAVA技巧 error (1332) occurred." The error is thrown by GetAuthorizationGroups().

Note: The username I use to connect is a local admin to the machine in both cases.

    PrincipalContext ctx = new PrincipalContext(ContextType.Machine, machineName, domainname + "\\" + adminusername, pass);
    List<Principal> retList = new List<Principal>();

    using (var user = UserPrincipal.FindByIdentity(ctx, probedusername))
    {
        if (user != null)
        {
            PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
            foreach (Principal group in groups)
            {
                retList.Add(group);
            }
        }
    }

I don't know if you are still having issues with this... I was having an almost identical issue and we couldn't figure it out either for the longest time. Finally we removed the username/password from the PrincipalContext instantiation and it worked on all machines... really weird but it made us happy.

Without a username/password it runs under the current account, and in general all authenticated users can read the group information off of a remote machine on the same domain (at least in our domain). With the username/password specified we would get REALLY weird results where sometimes only domain groups would come back, sometimes no groups at all, sometimes access denied messages... Anyways this worked for us.