
Query if user has “Cannot change password” checked in Active Directory

I'm trying to check this information for an app I'm developing...

I'm trying to query userAccountControl, but I've figured out AD doesn't update this correctly if it's set.

This is how I currently search UserAccountControl:

    If (res.Properties.Contains("userAccountControl")) Then
        userAccountControl = doespasswordexpire(res.Properties("userAccountControl").Item(0))
        userAccountControlPNR = PasswordNotRequired(res.Properties("userAccountControl").Item(0))
        userAccountControlSCR = SmartCardRequired(res.Properties("userAccountControl").Item(0))
    Else
        userAccountControl = ""
        userAccountControlPNR = ""
        userAccountControlSCR = ""
    End If

How would I do this in ADSI or LDAP? I do not want to use PrincipalContext.

You cannot use the userAccountControl attribute to modify, or even query, the "cannot change password" setting. It's listed in Microsoft's documentation as a possible flag, but it doesn't work (not sure if it was ever intended to?).

To check if that is set you have to parse out the user's ACEs in their DACL. You can get that from the ntSecurityDescriptor attribute of the user and programmatically parse it. There's a good starting example of that in this thread.

Some additional MSDN info here: https://msdn.microsoft.com/en-us/library/aa746398.aspx
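As an added example of what "parse the ACEs in the DACL" means in practice, here is a VB.NET / System.DirectoryServices version in the style of the question's DirectorySearcher code. This is not code from the answer above or from Microsoft; it assumes the documented control access right GUID for User-Change-Password (ab721a53-1e2f-11d0-9819-00aa0040529b) and that the "User cannot change password" checkbox is stored as explicit Deny ACEs on that right for Everyone and NT AUTHORITY\SELF. The module and function names are hypothetical.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Security.AccessControl
Imports System.Security.Principal

Module CannotChangePasswordCheck

    ' Control access right "User-Change-Password" (documented rights GUID; assumption, see lead-in).
    Private ReadOnly ChangePasswordRight As New Guid("ab721a53-1e2f-11d0-9819-00aa0040529b")

    ' The checkbox is stored as explicit Deny ACEs on that right for
    ' Everyone (S-1-1-0) and NT AUTHORITY\SELF (S-1-5-10).
    Private ReadOnly EveryoneSid As New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)
    Private ReadOnly SelfSid As New SecurityIdentifier(WellKnownSidType.SelfSid, Nothing)

    ' Parses a raw ntSecurityDescriptor value and reports whether the setting is present.
    Public Function CannotChangePassword(ntSecurityDescriptor As Byte()) As Boolean
        Dim security As New ActiveDirectorySecurity()
        security.SetSecurityDescriptorBinaryForm(ntSecurityDescriptor)

        ' Explicit rules only: the checkbox writes directly to the user object, so an
        ' inherited Deny would be an OU/domain-level policy rather than this setting.
        For Each rule As ActiveDirectoryAccessRule In security.GetAccessRules(True, False, GetType(SecurityIdentifier))
            If rule.AccessControlType <> AccessControlType.Deny Then Continue For
            If (rule.ActiveDirectoryRights And ActiveDirectoryRights.ExtendedRight) <> ActiveDirectoryRights.ExtendedRight Then Continue For
            If rule.ObjectType <> ChangePasswordRight Then Continue For

            Dim trustee = CType(rule.IdentityReference, SecurityIdentifier)
            If trustee = EveryoneSid OrElse trustee = SelfSid Then Return True
        Next
        Return False
    End Function

    ' Escapes a value for use inside an LDAP filter (RFC 4515) so a caller-supplied
    ' account name cannot change the shape of the query.
    Private Function EscapeFilterValue(value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace(ChrW(0), "\00")
    End Function

    ' Looks up one user with DirectorySearcher, mirroring the question's approach, and
    ' asks the directory for the DACL portion of ntSecurityDescriptor.
    Public Function CannotChangePasswordFor(samAccountName As String) As Boolean
        Using rootDse As New DirectoryEntry("LDAP://RootDSE")
            Dim defaultNc = CStr(rootDse.Properties("defaultNamingContext").Value)
            Using domainRoot As New DirectoryEntry("LDAP://" & defaultNc)
                Using searcher As New DirectorySearcher(domainRoot)
                    searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & EscapeFilterValue(samAccountName) & "))"
                    searcher.SecurityMasks = SecurityMasks.Dacl
                    searcher.PropertiesToLoad.Add("ntSecurityDescriptor")

                    Dim res As SearchResult = searcher.FindOne()
                    If res Is Nothing OrElse Not res.Properties.Contains("ntSecurityDescriptor") Then
                        ' Fail closed: do not report "can change password" just because the DACL was unreadable.
                        Throw New InvalidOperationException("User not found or security descriptor not returned: " & samAccountName)
                    End If
                    Return CannotChangePassword(CType(res.Properties("ntSecurityDescriptor").Item(0), Byte()))
                End Using
            End Using
        End Using
    End Function

End Module
```

The directory only returns ntSecurityDescriptor to a caller that is allowed to read the object's DACL, so run this under an account with that permission and treat a missing descriptor as an error rather than as "not set". Passing the raw bytes through ActiveDirectorySecurity avoids hand-parsing the binary descriptor format while still letting you inspect each ACE's type, rights mask, object GUID and trustee.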
