I downloaded the attached code from MS. It turns on the "User Cannot Change
Password" option for a user in AD and works great from a console or
Windows app, but when I put it into an ASP.NET app I get a "The security ID
structure is invalid." error when trying to assign the new security
descriptor. I am running in Windows Authentication mode with IIS set to
Integrated security on an XP box.
Does anyone have a workaround for this?
Thanks in advance.
John
(http://msdn.microsoft.com/library/de...-us/sds/sds/managing_user_passwords.asp)
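using System;
using System.DirectoryServices;

/// <summary>
/// Sample that turns on "User Cannot Change Password" for an Active Directory
/// user by adding object-specific deny ACEs for the Change Password control
/// access right to the user's discretionary ACL.
/// </summary>
public class securitydescriptorclass
{
    /// <summary>
    /// Object-type GUID written into each ACE; it scopes the deny entry to the
    /// Change Password control access right instead of the whole object.
    /// </summary>
    public const string PASSWORD_GUID =
        "{ab721a53-1e2f-11d0-9819-00aa0040529b}";

    // ADS_UF_* flag values. They are declared here but not referenced by Main.
    public const int ADS_UF_ACCOUNTDISABLE = 2;
    public const int ADS_UF_PASSWORD_EXPIRED = 0x800000;
    public const int ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000;

    /// <summary>
    /// Adds the user "CN=Alice Sullivan" under "OU=Consulting", appends one deny
    /// ACE per trustee (SELF and EVERYONE) for the Change Password right, writes
    /// the security descriptor back and commits the entry.
    /// </summary>
    /// <param name="args">Command-line arguments; not used.</param>
    /// <exception cref="InvalidOperationException">
    /// The security descriptor or its discretionary ACL could not be read from the entry.
    /// </exception>
    public static void Main(string[] args)
    {
        // Both trustees get the deny entry. The ACL is modified for both SELF and
        // EVERYONE exactly as the original sample does.
        string[] trustees = new string[] { @"NT AUTHORITY\SELF", "EVERYONE" };

        // DirectoryEntry is IDisposable; release the underlying directory
        // bindings deterministically instead of waiting for finalization.
        using (DirectoryEntry ent = new DirectoryEntry())
        using (DirectoryEntry ou = ent.Children.Find("OU=Consulting"))
        using (DirectoryEntry usr = ou.Children.Add("CN=Alice Sullivan", "user"))
        {
            ActiveDs.IADsSecurityDescriptor sd =
                (ActiveDs.IADsSecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
            if (sd == null)
            {
                // Fail with a clear message rather than a NullReferenceException.
                // NOTE(review): a null value here presumably means the entry has
                // not been committed to the directory yet, or the caller may not
                // read the descriptor - confirm against the target directory.
                throw new InvalidOperationException(
                    "ntSecurityDescriptor could not be read from the user entry.");
            }

            ActiveDs.IADsAccessControlList acl =
                (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;
            if (acl == null)
            {
                throw new InvalidOperationException(
                    "The security descriptor has no discretionary ACL to extend.");
            }

            foreach (string trustee in trustees)
            {
                // A fresh ACE per trustee: reusing one mutable ACE object for both
                // AddAce calls relies on AddAce copying its argument, which this
                // code cannot verify. Separate objects are correct either way.
                ActiveDs.IADsAccessControlEntry ace = new ActiveDs.AccessControlEntry();
                ace.Trustee = trustee;
                ace.AceFlags = 0;
                ace.AceType =
                    (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
                // ObjectType is only honoured when this flag marks it as present.
                ace.Flags =
                    (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
                ace.ObjectType = PASSWORD_GUID;
                ace.AccessMask =
                    (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
                acl.AddAce(ace);
            }

            sd.DiscretionaryAcl = acl;

            // NOTE(review): the accompanying post reports "The security ID
            // structure is invalid." at this assignment when hosted in ASP.NET.
            // Presumably the trustee names above are resolved to SIDs at this
            // point under whatever identity the request thread runs as - confirm
            // which account that is and whether it can resolve names in the domain.
            usr.Properties["ntSecurityDescriptor"].Value = sd;
            usr.CommitChanges();
        }
    }
}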