Re: Programming the User-Account_Property using C#

Thanks Willy

Thanks - this was exactly what I needed. It works fine and its a great deal
less code than my previous version from 5/6 years ago.
When I've finished this I am unlikely to have to stray into into this area
again for a good few years. It will probably be something like VS 2010 with
Framework 10 and yet another new technology! Unless you work regularly with
a particular technology it is difficult to know what approach to take to
solve a particular problem and to find examples on the MS site. SDDL is a
new one for me. I will have to look it up.

I now have to work out how to 'mail enable' a user and create a mailbox for
them. I used CDOEXM before. I hope there is a Framework class now to handle
all this.

Thanks again for your help

Regards

Chris

"Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx> wrote in message
news:uNIqnGpYHHA.408@xxxxxxxxxxxxxxxxxxxxxxx
"Chris Noble" <chris.noble@xxxxxxxxxxxxxxxx> wrote in message
news:eWCiognYHHA.2268@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Willy

But I'm still confused.
In my earlier version the algorithm to do this went roughly like this:
Get Security Descriptor for the object.
Using the security descriptor get the DACL for the object.
Create an ACE and add:
access mask ADS_RIGHT_DS_CONTROL_ACCESS
trustee (NT Authority\\Self)
access type ADS_ACE_TYPE_ACCESS_DENIED_OBJECT
set accessflags to to CHANGE_PASSWORD_GUID (no inheritance)
add ACE to DACL
Set Security Descriptor for the object.

Do I still need to do all this.
I am finding it difficult to translate the old terms into the new ones.
I can't see how to get to the ACEs from the DirectoryEntry

This is excatly what you need to do, except that now in v2 you have a
class which makes it a lot easier.
Take a look at the ActiveDirectorySecurity class (and not
DirectorySecurity as per my previous answer) in
System.Security.AccessControl.
And here is a C# sample (scroll down the page):
http://msdn2.microsoft.com/en-gb/library/ms180915.aspx
but there are easier ways to do this using the SDDL format.

Willy.




.

Relevant Pages

  • Re: Programming the User-Account_Property using C#
    ... It looks like I've found what I need for creating the mailboxes to save you ... Using the security descriptor get the DACL for the object. ... Create an ACE and add: ... I can't see how to get to the ACEs from the DirectoryEntry ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Programming the User-Account_Property using C#
    ... Using the security descriptor get the DACL for the object. ... Create an ACE and add: ... I can't see how to get to the ACEs from the DirectoryEntry ... Take a look at the ActiveDirectorySecurity class in System.Security.AccessControl. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: WMI Config Error Installing SQL2K5 Standard Edition
    ... for the trustee. ... operations to fail! ... security descriptor and adding the ACE. ...
    (microsoft.public.windowsxp.wmi)
  • Re: Programming the User-Account_Property using C#
    ... Using the security descriptor get the DACL for the object. ... Create an ACE and add: ... I am trying not to use ADSI in my new program, ... I don't want to have to write a wrapper for my existing unmanaged code ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: API to change "Allow inheritable permissions...
    ... GetAce to retrieve each ACE until you find the one you are trying to modify. ... You could also pass the security descriptor returned from ... GetNamedSecurityInfo into ConvertSecurityDescriptorToSecurityDescriptor, ...
    (microsoft.public.win2000.security)