Re: Programming the User-Account_Property using C#
- From: "Chris Noble" <chris.noble@xxxxxxxxxxxxxxxx>
- Date: Fri, 9 Mar 2007 18:24:05 -0000
Thanks Willy
But I'm still confused.
In my earlier version the algorithm to do this went roughly like this:
Get Security Descriptor for the object.
Using the security descriptor get the DACL for the object.
Create an ACE and add:
access mask ADS_RIGHT_DS_CONTROL_ACCESS
trustee (NT Authority\\Self)
access type ADS_ACE_TYPE_ACCESS_DENIED_OBJECT
set accessflags to CHANGE_PASSWORD_GUID (no inheritance)
add ACE to DACL
Set Security Descriptor for the object.
Do I still need to do all this?
I am finding it difficult to translate the old terms into the new ones.
I can't see how to get to the ACEs from the DirectoryEntry.
"Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx> wrote in message
news:eAbQdtmYHHA.5044@xxxxxxxxxxxxxxxxxxxxxxx
> "Chris Noble" <chris.noble@xxxxxxxxxxxxxxxx> wrote in message
> news:ulIV3QmYHHA.3268@xxxxxxxxxxxxxxxxxxxxxxx
>> I am not sure that I have picked the right newsgroup for this post.
>> I am writing a program in C# VS 2005 to create user accounts for our
>> students in Active Directory.
>> This is to replace a program I wrote some years ago in VS6 using C++ and
>> ADSI.
>> I am trying not to use ADSI in my new program, focussing on
>> DirectoryServices instead.
>> In C# the syntax to set an Active Directory property is something like:
>> entry.Properties["givenName"].Value = "Jim"; (where entry is a
>> DirectoryEntry)
>> However for the userAccountControl property it is necessary to use a
>> combination of enumerated identifiers.
>> see http://msdn2.microsoft.com/en-us/library/aa772300.aspx
>> I do not want the students to be able to change a password so I need to
>> use ADS_UF_PASSWD_CANT_CHANGE.
>> This flag can be read, but not set directly as it involves setting
>> trustee rights etc. There is a link to an example program to set this
>> flag but it is in C++ and uses ADSI which I want to avoid.
>> Surely there must be a nice new clean way of doing this in Framework 2.0.
>> Is there any example C# code using DirectoryServices to set
>> ADS_UF_PASSWD_CANT_CHANGE?
>> I don't want to have to write a wrapper for my existing unmanaged code
>> which involved ACEs, ACLs, security descriptors etc.
> The only way to set this "user cannot change password" property is by
> turning the ACE's on the user object into an ACCESS_DENIED_ACE type ACE.
> This can be done by using the DirectorySecurity class of the
> System.Security.AccessControl namespace.
> Willy.
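
The steps listed at the top of this message, written against System.DirectoryServices in .NET 2.0, as an added example that is not code from either poster. It assumes the ACEs are reached through DirectoryEntry.ObjectSecurity (an ActiveDirectorySecurity object); the class name PasswordLock, its helper names and the LDAP path passed on the command line are hypothetical, and the Everyone trustee is an addition beyond the Self trustee named in the post.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class PasswordLock // hypothetical name, not from the thread
{
    // User-Change-Password extended right (CHANGE_PASSWORD_GUID in the ADSI headers).
    static readonly Guid ChangePassword = new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");

    static ActiveDirectoryAccessRule Rule(WellKnownSidType who, AccessControlType type)
    {
        // ExtendedRight is the managed name for ADS_RIGHT_DS_CONTROL_ACCESS.
        return new ActiveDirectoryAccessRule(new SecurityIdentifier(who, null),
            ActiveDirectoryRights.ExtendedRight, type, ChangePassword);
    }

    public static void DenyChangePassword(DirectoryEntry user)
    {
        user.Options.SecurityMasks = SecurityMasks.Dacl; // touch only the DACL, not owner/group
        ActiveDirectorySecurity sd = user.ObjectSecurity; // security descriptor of the object
        // Self is the trustee from the post. Everyone is an assumption added here:
        // Microsoft's documented procedure for this setting denies both trustees.
        WellKnownSidType[] trustees = { WellKnownSidType.SelfSid, WellKnownSidType.WorldSid };
        foreach (WellKnownSidType who in trustees)
        {
            sd.RemoveAccessRule(Rule(who, AccessControlType.Allow)); // drop a matching allow ACE
            sd.AddAccessRule(Rule(who, AccessControlType.Deny));     // object-specific deny ACE
        }
        user.CommitChanges(); // writes the modified security descriptor back
    }

    public static bool IsDenied(DirectoryEntry user)
    {
        SecurityIdentifier self = new SecurityIdentifier(WellKnownSidType.SelfSid, null);
        // Explicit ACEs only (no inherited ones), with trustees returned as SIDs.
        foreach (ActiveDirectoryAccessRule r in
                 user.ObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            if (r.AccessControlType == AccessControlType.Deny && r.ObjectType == ChangePassword
                && (r.ActiveDirectoryRights & ActiveDirectoryRights.ExtendedRight) != 0
                && r.IdentityReference.Equals(self))
                return true;
        }
        return false;
    }

    static void Main(string[] args) // args[0]: LDAP path of a test user object
    {
        using (DirectoryEntry user = new DirectoryEntry(args[0])) DenyChangePassword(user);
        using (DirectoryEntry check = new DirectoryEntry(args[0])) // fresh bind re-reads the DACL
            Console.WriteLine("Cannot change password: " + IsDenied(check));
    }
}
```

Run it against a test account first: writing the DACL requires rights to modify permissions on the user object, and the check reads the ACL back from a fresh bind rather than trusting the cached copy.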