469,322 Members | 1,584 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,322 developers. It's quick & easy.

Setting "User Cannot Change Password" Flag from ASP.NET/C#

I downloaded the attached code from MS. It flips on the "User Cannot Change
Password" on a user in AD and works great from a console or
windows app, but when put into an ASP.NET app I get a "The security ID
structure is invalid." error when trying to assign the new security
descriptor. I am running in Windows Authentication mode with IIS set to
Integrated security on an XP box.

Does anyone have a work around for this?

Thanks in advance.
John

(http://msdn.microsoft.com/library/de...-us/sds/sds/ma
naging_user_passwords.asp)
using System;
using System.DirectoryServices;

public class securitydescriptorclass
{
public const string PASSWORD_GUID =
"{ab721a53-1e2f-11d0-9819-00aa0040529b}";
public const int ADS_UF_ACCOUNTDISABLE=2;
public const int ADS_UF_PASSWORD_EXPIRED=0x800000;
public const int
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION=0x10 00000;

public static void Main(string[] args)
{
DirectoryEntry ent = new DirectoryEntry();
DirectoryEntry ou = ent.Children.Find("OU=Consulting");
DirectoryEntry usr = ou.Children.Add("CN=Alice Sullivan","user");

string[] trustees = new string[]{@"NT AUTHORITY\SELF","EVERYONE"};

ActiveDs.IADsSecurityDescriptor sd =

(ActiveDs.IADsSecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Valu
e;
ActiveDs.IADsAccessControlList acl =
(ActiveDs.IADsAccessControlList)
sd.DiscretionaryAcl;
ActiveDs.IADsAccessControlEntry ace = new
ActiveDs.AccessControlEntry();
foreach(string trustee in trustees)
{
ace.Trustee = trustee;
ace.AceFlags = 0;
ace.AceType = (int)
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIE D_OBJECT;
ace.Flags =
(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TY PE_PRESENT;
ace.ObjectType = PASSWORD_GUID;
ace.AccessMask =
(int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL _ACCESS;
acl.AddAce(ace);
}
sd.DiscretionaryAcl = acl;
usr.Properties["ntSecurityDescriptor"].Value = sd;
usr.CommitChanges();
}
}

Nov 16 '05 #1
1 10087
Don't know why you are getting the error you are getting. There are quite a
few AD methods that have problems when called from ASP.NET.
See the following.
http://msdn.microsoft.com/library/de...rustedcode.asp

Perhaps your problem is related?

I hope this info is helpful.
--- Nick

"John Beard" <jo********@fsafood.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
I downloaded the attached code from MS. It flips on the "User Cannot Change Password" on a user in AD and works great from a console or
windows app, but when put into an ASP.NET app I get a "The security ID
structure is invalid." error when trying to assign the new security
descriptor. I am running in Windows Authentication mode with IIS set to
Integrated security on an XP box.

Does anyone have a work around for this?

Thanks in advance.
John

(http://msdn.microsoft.com/library/de...-us/sds/sds/ma naging_user_passwords.asp)
using System;
using System.DirectoryServices;

public class securitydescriptorclass
{
public const string PASSWORD_GUID =
"{ab721a53-1e2f-11d0-9819-00aa0040529b}";
public const int ADS_UF_ACCOUNTDISABLE=2;
public const int ADS_UF_PASSWORD_EXPIRED=0x800000;
public const int
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION=0x10 00000;

public static void Main(string[] args)
{
DirectoryEntry ent = new DirectoryEntry();
DirectoryEntry ou = ent.Children.Find("OU=Consulting");
DirectoryEntry usr = ou.Children.Add("CN=Alice Sullivan","user");

string[] trustees = new string[]{@"NT AUTHORITY\SELF","EVERYONE"};

ActiveDs.IADsSecurityDescriptor sd =

(ActiveDs.IADsSecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Valu e;
ActiveDs.IADsAccessControlList acl =
(ActiveDs.IADsAccessControlList)
sd.DiscretionaryAcl;
ActiveDs.IADsAccessControlEntry ace = new
ActiveDs.AccessControlEntry();
foreach(string trustee in trustees)
{
ace.Trustee = trustee;
ace.AceFlags = 0;
ace.AceType = (int)
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIE D_OBJECT;
ace.Flags =
(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TY PE_PRESENT;
ace.ObjectType = PASSWORD_GUID;
ace.AccessMask =
(int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL _ACCESS;
acl.AddAce(ace);
}
sd.DiscretionaryAcl = acl;
usr.Properties["ntSecurityDescriptor"].Value = sd;
usr.CommitChanges();
}
}

Nov 16 '05 #2

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by twhan twhan via .NET 247 | last post: by
reply views Thread by damontimm | last post: by
2 posts views Thread by =?Utf-8?B?Y2FzaGRlc2ttYWM=?= | last post: by
3 posts views Thread by =?Utf-8?B?QXhlbCBEYWhtZW4=?= | last post: by
1 post views Thread by CARIGAR | last post: by
reply views Thread by zhoujie | last post: by
reply views Thread by suresh191 | last post: by
reply views Thread by listenups61195 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.