J
John Beard
I downloaded the attached code from MS. It sets the "User Cannot Change
Password" option on a user in AD and works great from a console or
Windows app, but when put into an ASP.NET app I get a "The security ID
structure is invalid." error when trying to assign the new security
descriptor. I am running in Windows Authentication mode with IIS set to
Integrated security on an XP box.
Does anyone have a work around for this?
Thanks in advance.
John
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/managing_user_passwords.asp)
using System;
using System.DirectoryServices;
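/// <summary>
/// Sample (from the MSDN "Managing User Passwords" article) that blocks
/// "User Cannot Change Password" on a user object by adding an
/// ACCESS_DENIED_OBJECT ACE, one per trustee, for the User-Change-Password
/// extended right to the user's DACL.
/// </summary>
public class securitydescriptorclass
{
    /// <summary>
    /// GUID of the User-Change-Password extended right; written into each
    /// deny ACE's ObjectType so the deny applies only to that right.
    /// </summary>
    public const string PASSWORD_GUID =
        "{ab721a53-1e2f-11d0-9819-00aa0040529b}";

    // userAccountControl bit values carried over from the sample. Main below
    // does not read them; they are kept because they are part of the class's
    // public surface.
    public const int ADS_UF_ACCOUNTDISABLE = 2;
    public const int ADS_UF_PASSWORD_EXPIRED = 0x800000;
    public const int
        ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000;

    /// <summary>
    /// Entry point: adds a user under OU=Consulting, then writes back an
    /// ntSecurityDescriptor whose DACL carries a deny ACE on the
    /// User-Change-Password right for each trustee in the local list.
    /// </summary>
    /// <param name="args">Unused.</param>
    public static void Main(string[] args)
    {
        // DirectoryEntry wraps native ADSI handles; dispose deterministically
        // instead of leaving it to finalization (the original never disposed).
        using (DirectoryEntry ent = new DirectoryEntry())
        using (DirectoryEntry ou = ent.Children.Find("OU=Consulting"))
        using (DirectoryEntry usr = ou.Children.Add("CN=Alice Sullivan", "user"))
        {
            // NOTE(review): the new entry is not committed before its
            // ntSecurityDescriptor is read — confirm the property is
            // populated on an uncommitted entry in the target environment.
            string[] trustees = new string[] { @"NT AUTHORITY\SELF", "EVERYONE" };

            ActiveDs.IADsSecurityDescriptor sd =
                (ActiveDs.IADsSecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
            ActiveDs.IADsAccessControlList acl =
                (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;

            foreach (string trustee in trustees)
            {
                // One ACE object per trustee. The original reused a single
                // AccessControlEntry for both iterations; AddAce stores a
                // reference to the COM object rather than a copy, so reusing
                // it risks every DACL entry carrying the last trustee written.
                ActiveDs.IADsAccessControlEntry ace = new ActiveDs.AccessControlEntry();
                ace.Trustee = trustee;
                ace.AceFlags = 0;
                ace.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
                // OBJECT_TYPE_PRESENT tells the DS that ObjectType below is
                // meaningful; without it the deny would not be scoped to the right.
                ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
                ace.ObjectType = PASSWORD_GUID;
                ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
                // NOTE(review): AddAce appends; a canonical DACL lists deny
                // ACEs before allow ACEs — verify the resulting order on the
                // written descriptor, otherwise the deny may not take effect.
                acl.AddAce(ace);
            }

            sd.DiscretionaryAcl = acl;
            usr.Properties["ntSecurityDescriptor"].Value = sd;
            usr.CommitChanges();
        }
    }
}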
Password" on a user in AD and works great from a console or
windows app, but when put into an ASP.NET app I get a "The security ID
structure is invalid." error when trying to assign the new security
descriptor. I am running in Windows Authentication mode with IIS set to
Integrated security on an XP box.
Does anyone have a work around for this?
Thanks in advance.
John
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/managing_user_passwords.asp)
using System;
using System.DirectoryServices;
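/// <summary>
/// Sample (from the MSDN "Managing User Passwords" article) that blocks
/// "User Cannot Change Password" on a user object by adding an
/// ACCESS_DENIED_OBJECT ACE, one per trustee, for the User-Change-Password
/// extended right to the user's DACL.
/// </summary>
public class securitydescriptorclass
{
    /// <summary>
    /// GUID of the User-Change-Password extended right; written into each
    /// deny ACE's ObjectType so the deny applies only to that right.
    /// </summary>
    public const string PASSWORD_GUID =
        "{ab721a53-1e2f-11d0-9819-00aa0040529b}";

    // userAccountControl bit values carried over from the sample. Main below
    // does not read them; they are kept because they are part of the class's
    // public surface.
    public const int ADS_UF_ACCOUNTDISABLE = 2;
    public const int ADS_UF_PASSWORD_EXPIRED = 0x800000;
    public const int
        ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000;

    /// <summary>
    /// Entry point: adds a user under OU=Consulting, then writes back an
    /// ntSecurityDescriptor whose DACL carries a deny ACE on the
    /// User-Change-Password right for each trustee in the local list.
    /// </summary>
    /// <param name="args">Unused.</param>
    public static void Main(string[] args)
    {
        // DirectoryEntry wraps native ADSI handles; dispose deterministically
        // instead of leaving it to finalization (the original never disposed).
        using (DirectoryEntry ent = new DirectoryEntry())
        using (DirectoryEntry ou = ent.Children.Find("OU=Consulting"))
        using (DirectoryEntry usr = ou.Children.Add("CN=Alice Sullivan", "user"))
        {
            // NOTE(review): the new entry is not committed before its
            // ntSecurityDescriptor is read — confirm the property is
            // populated on an uncommitted entry in the target environment.
            string[] trustees = new string[] { @"NT AUTHORITY\SELF", "EVERYONE" };

            ActiveDs.IADsSecurityDescriptor sd =
                (ActiveDs.IADsSecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
            ActiveDs.IADsAccessControlList acl =
                (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;

            foreach (string trustee in trustees)
            {
                // One ACE object per trustee. The original reused a single
                // AccessControlEntry for both iterations; AddAce stores a
                // reference to the COM object rather than a copy, so reusing
                // it risks every DACL entry carrying the last trustee written.
                ActiveDs.IADsAccessControlEntry ace = new ActiveDs.AccessControlEntry();
                ace.Trustee = trustee;
                ace.AceFlags = 0;
                ace.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
                // OBJECT_TYPE_PRESENT tells the DS that ObjectType below is
                // meaningful; without it the deny would not be scoped to the right.
                ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
                ace.ObjectType = PASSWORD_GUID;
                ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
                // NOTE(review): AddAce appends; a canonical DACL lists deny
                // ACEs before allow ACEs — verify the resulting order on the
                // written descriptor, otherwise the deny may not take effect.
                acl.AddAce(ace);
            }

            sd.DiscretionaryAcl = acl;
            usr.Properties["ntSecurityDescriptor"].Value = sd;
            usr.CommitChanges();
        }
    }
}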