I have a method AddUserToGroup to add a user to an active directory group.

I am invoking the method on a machine not attached to the domain controller containing the user and group.

When group.Save() is invoked a PrincipalOperationException is thrown:

"Information about the domain could not be retrieved (1355)."

Does AD prevent modification from clients not registered with the domain? I can query the domain happily (for example, return the users in a group) from the same client.

The method to add a user to a group:

using System;
using System.DirectoryServices;                  // DirectoryServicesCOMException
using System.DirectoryServices.AccountManagement; // PrincipalContext, GroupPrincipal, IdentityType

public static void AddUserToGroup(string userId, string groupName)
{
    try
    {
        // GetPrincipalContextFromConfig() is the poster's own helper (not shown);
        // it is expected to return a PrincipalContext bound to the target domain.
        using (var pc = GetPrincipalContextFromConfig())
        {
            var group = GroupPrincipal.FindByIdentity(pc, groupName);
            if (group == null)
                throw new ArgumentException("Group not found: " + groupName, "groupName");

            try
            {
                // userId is the user's objectGUID; it is resolved in the same context.
                group.Members.Add(pc, IdentityType.Guid, userId);
                group.Save(); // the call that throws PrincipalOperationException (1355)
            }
            catch (PrincipalExistsException)
            {
                // The user is already a member of the group.
                //...
            }
        }
    }
    catch (DirectoryServicesCOMException)
    {
        //...
    }
}
+1  A: 

Whatever ID your application is running under needs to have "write" access to AD. Pretty much any ID can query AD, but only IDs explicitly granted the privilege can write to it.

Walter
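As an added example (not code from the question or from Walter's answer), the following shows one way to make the identity doing the write explicit: bind to a named domain controller with the credentials of a dedicated account, and when Save() fails, record both the process identity and the bound identity so the failure can be traced to whichever ID lacks write access. The domain controller, container and service-account names are placeholders, and the account is assumed to have been delegated only the right to modify membership of the target group rather than broad write rights.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class GroupMembership
{
    // Placeholder values for this example: replace with your own DC, container
    // and a service account that has been delegated only membership changes on
    // the target group (least privilege).
    private const string DomainController = "dc01.example.local";    // placeholder
    private const string Container        = "DC=example,DC=local";    // placeholder
    private const string ServiceUser      = "EXAMPLE\\svc-groupmgmt"; // placeholder

    // Binds to a specific DC with explicit credentials. A machine that is not
    // domain-joined cannot rely on the locator to find a writable DC, so naming
    // the server and the account removes two of the usual causes of error 1355.
    public static PrincipalContext OpenContext(string password)
    {
        return new PrincipalContext(
            ContextType.Domain,
            DomainController,
            Container,
            ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing,
            ServiceUser,
            password);
    }

    // Adds the user identified by objectGUID to the named group.
    // Returns true on success or when the user is already a member; on failure
    // the 'failure' string names the identities involved for the audit log.
    public static bool TryAddMember(PrincipalContext pc, string groupName,
                                    string userGuid, out string failure)
    {
        failure = null;
        string boundAs = pc.UserName ?? WindowsIdentity.GetCurrent().Name;

        using (var group = GroupPrincipal.FindByIdentity(pc, IdentityType.Name, groupName))
        {
            if (group == null)
            {
                failure = "group not found: " + groupName;
                return false;
            }

            try
            {
                group.Members.Add(pc, IdentityType.Guid, userGuid);
                group.Save();
                return true;
            }
            catch (PrincipalExistsException)
            {
                return true; // already a member: treat the operation as idempotent
            }
            catch (PrincipalOperationException ex)
            {
                // 1355 (no such domain / could not be contacted) or access-denied
                // errors surface here; record who attempted the write.
                failure = string.Format("error {0}: {1} (process identity {2}, bound as {3})",
                    ex.ErrorCode, ex.Message, WindowsIdentity.GetCurrent().Name, boundAs);
                return false;
            }
            catch (UnauthorizedAccessException ex)
            {
                failure = "write denied for " + boundAs + ": " + ex.Message;
                return false;
            }
        }
    }
}
```

Calling OpenContext with the service account's password and then TryAddMember keeps the write tied to one known, narrowly delegated identity; if the failure string still reports error 1355 with the explicit server name in place, the problem is reachability of that DC rather than the rights of the account.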