How to get object of "ntSecurityDescriptor" of a active directory user

Question

0.00/5 (No votes)

See more:

Hi,
I am working on a website. I have to find the value of user can't change password property of a user. I get this link
http://msdn.microsoft.com/en-us/library/aa746448(v=vs.85).aspx[^]
according to which I have to find "ntSecurityDescriptor" value of that user. They are using DirectoryEntry class to find that but in my case I am using LdapConnection class.
If I use entry class I was not able to make connectivity with server So that I change it to LdapConnection class. Now I don't know how to find value.

Posted 4-Nov-12 4:10am

mayankkarki

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

DevilsJester · Answer 1 · 2012-11-04T13:24:00

Dont know if im answering your question or not, but if your working on a website, Use the VB at the End of your Link posted above, VB can query the information you need and can be encased within an ASP webpage. The VB code can also Manipulate the returned data to what ever format you need.

VB

Const CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6

Function UserCannotChangePassword(strUserDN As String, strUsername As String, strPassword As String) As Boolean
    UserCannotChangePassword = False

    Dim oUser As IADs
    Dim oSecDesc As IADsSecurityDescriptor
    Dim oACL As IADsAccessControlList
    Dim oACE As IADsAccessControlEntry
    Dim fEveryone As Boolean
    Dim fSelf As Boolean

    fEveryone = False
    fSelf = False

    If "" <> strUsername Then
        Dim dso As IADsOpenDSObject

        ' Bind to the group with the specified user name and password.
        Set dso = GetObject("LDAP:")
        Set oUser = dso.OpenDSObject(strUserDN, strUsername, strPassword, 1)
    Else
        ' Bind to the group with the current credentials.
        Set oUser = GetObject(strUserDN)
    End If

    Set oSecDesc = oUser.Get("ntSecurityDescriptor")
    Set oACL = oSecDesc.DiscretionaryAcl

    For Each oACE In oACL
        If UCase(oACE.ObjectType) = UCase(CHANGE_PASSWORD_GUID) Then
            If oACE.Trustee = "Everyone" And oACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
                fEveryone = True
            End If

            If oACE.Trustee = "NT AUTHORITY\SELF" And oACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
                fSelf = True
            End If
        End If
    Next

    If fSelf And fEveryone Then
        UserCannotChangePassword = True
    Else
        UserCannotChangePassword = False
    End If
End Function

mayankkarki · Answer 2 · 2012-11-23T19:52:00

This is the solution that I find.

SearchResponse response = (SearchResponse)connection.SendRequest(request);
               DirectoryAttribute attribute = response.Entries[0].Attributes["ntSecurityDescriptor"];

               if (attribute != null)
               {
                   const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
                   const int ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6;
                   bool fEveryone = false;
                   bool fSelf = false;

                   ActiveDs.ADsSecurityUtility secUtility = new ActiveDs.ADsSecurityUtility();
                   ActiveDs.IADsSecurityDescriptor sd = (IADsSecurityDescriptor)secUtility.ConvertSecurityDescriptor((byte[])attribute[0], (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_RAW, (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
                   ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;

                   foreach (ActiveDs.IADsAccessControlEntry ace in acl)
                   {
                       if ((ace.ObjectType != null) && (ace.ObjectType.ToUpper() == PASSWORD_GUID.ToUpper()))
                       {
                           if ((ace.Trustee == "Everyone") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
                           {
                               fEveryone = true;
                           }
                           if ((ace.Trustee == @"NT AUTHORITY\SELF") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
                           {
                               fSelf = true;
                           }

                           break;
                       }
                   }

                   if (fEveryone || fSelf)
                   {
                       return Global.RequestContants.CANT_CHANGE_PASSWORD;
                   }
                   else
                   {
                       return string.Empty;
                   }
               }

How to get object of "ntSecurityDescriptor" of a active directory user

2 solutions

Solution 1

Solution 2

Add your solution here

Preview 0