#210568 - 2015-08-21 05:34 AM
Re: user cannot change password flag issues
[Re: Lonkero]
|
Allen
KiX Supporter
Registered: 2003-04-19
Posts: 4549
Loc: USA
|
Is this what you are referring to... I see some similarities I guess
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Set objUser = GetObject _
("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
arrTrustees = array("nt authority\self", "EVERYONE")
For Each strTrustee in arrTrustees
Set objACE = CreateObject("AccessControlEntry")
objACE.Trustee = strTrustee
objACE.AceFlags = 0
objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
objACE.ObjectType = CHANGE_PASSWORD_GUID
objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objDACL.AddAce objACE
Next
objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser. SetInfo
|
Top
|
|
|
|
#210582 - 2015-08-22 02:08 AM
Re: user cannot change password flag issues
[Re: Lonkero]
|
Allen
KiX Supporter
Registered: 2003-04-19
Posts: 4549
Loc: USA
|
Second link after your function... come on man get with the program
|
Top
|
|
|
|
#210587 - 2015-08-22 04:19 AM
Re: user cannot change password flag issues
[Re: Lonkero]
|
Allen
KiX Supporter
Registered: 2003-04-19
Posts: 4549
Loc: USA
|
|
Top
|
|
|
|
#210603 - 2015-08-25 08:57 PM
Re: user cannot change password flag issues
[Re: Lonkero]
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
|
From the links from Allen this is in the VB code.
Based on Microsoft KB articles 301287 and 269159. ' Requires that ADsSecurity.dll be registered on client.
How to set the "User Cannot Change Password" option by using a program
How to use Visual Basic and ADsSecurity.dll to properly order ACEs in an ACL
For reference if page is later unavailable on the Web.
' CannotChgPW.vbs
' VBScript program to configure a user so they cannot change their
' password.
'
' ----------------------------------------------------------------------
' Copyright (c) 2002-2010 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - November 10, 2002
' Version 1.1 - February 19, 2003 - Standardize Hungarian notation.
' Version 1.2 - March 29, 2003 - Reorder ACE's in DACL.
' Version 1.3 - April 7, 2003 - Use function to reorder ACE's.
' Version 1.4 - January 25, 2004 - Modify error trapping.
' Version 1.5 - November 6, 2010 - No need to set objects to Nothing.
' The Distinguished Name of the user object is passed to the program as
' a parameter.
' Based on Microsoft KB articles 301287 and 269159.
' Requires that ADsSecurity.dll be registered on client.
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.
Option Explicit
Const CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Dim objACESelf, objACEEveryone, objSecDescriptor, objDACL, objUser
Dim strDN, objACE, blnSelf, blnEveryone, blnModified
' Check for required argument.
If (Wscript.Arguments.Count < 1) Then
Wscript.Echo "Required argument <Distinguished Name> missing. " _
& "For example:" & vbCrLf _
& "cscript CannotChgPW.vbs cn=TestUser,ou=Sales,dc=MyDomain,dc=com"
Wscript.Quit(0)
End If
' Bind to the user object with the LDAP provider.
strDN = Wscript.Arguments(0)
On Error Resume Next
Set objUser = GetObject("LDAP://" & strDN)
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "User not found" & vbCrLf & strDN
Wscript.Quit(1)
End If
On Error GoTo 0
' Bind to the user security objects.
Set objSecDescriptor = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSecDescriptor.discretionaryAcl
' Search for ACE's for Change Password and modify.
blnSelf = False
blnEveryone = False
blnModified = False
For Each objACE In objDACL
If (UCase(objACE.objectType) = UCase(CHANGE_PASSWORD_GUID)) Then
If (UCase(objACE.Trustee) = "NT AUTHORITY\SELF") Then
If (objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
blnModified = True
End If
blnSelf = True
End If
If (UCase(objACE.Trustee) = "EVERYONE") Then
If (objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
blnModified = True
End If
blnEveryone = True
End If
End If
Next
' If ACE's found and modified, save changes and exit.
If (blnSelf = True) And (blnEveryone = True) Then
If (blnModified = False) Then
Wscript.Echo "User already cannot change their password"
Wscript.Quit
Else
objSecDescriptor.discretionaryACL = Reorder(objDACL)
objUser.Put "ntSecurityDescriptor", objSecDescriptor
objUser.SetInfo
Wscript.Echo "User modified so they cannot change their password"
Wscript.Quit
End If
End If
' If ACE's not found, add to DACL.
If (blnSelf = False) Then
' Create the ACE for Self.
Set objACESelf = CreateObject("AccessControlEntry")
objACESelf.Trustee = "NT AUTHORITY\SELF"
objACESelf.AceFlags = 0
objACESelf.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
objACESelf.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
objACESelf.objectType = CHANGE_PASSWORD_GUID
objACESelf.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objDACL.AddAce objACESelf
End If
If (blnEveryone = False) Then
' Create the ACE for Everyone.
Set objACEEveryone = CreateObject("AccessControlEntry")
objACEEveryone.Trustee = "Everyone"
objACEEveryone.AceFlags = 0
objACEEveryone.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
objACEEveryone.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
objACEEveryone.objectType = CHANGE_PASSWORD_GUID
objACEEveryone.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objDACL.AddAce objACEEveryone
End If
objSecDescriptor.discretionaryACL = Reorder(objDACL)
' Update the user object.
objUser.Put "ntSecurityDescriptor", objSecDescriptor
objUser.SetInfo
Wscript.Echo "User denied permission to change their password"
Function Reorder(ByVal objDACL)
' Reorder ACE's in DACL.
Dim objNewDACL, objInheritedDACL, objAllowDACL, objDenyDACL
Dim objAllowObjectDACL, objDenyObjectDACL, objACE
Set objNewDACL = CreateObject("AccessControlList")
Set objInheritedDACL = CreateObject("AccessControlList")
Set objAllowDACL = CreateObject("AccessControlList")
Set objDenyDACL = CreateObject("AccessControlList")
Set objAllowObjectDACL = CreateObject("AccessControlList")
Set objDenyObjectDACL = CreateObject("AccessControlList")
For Each objACE In objDACL
If ((objACE.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = _
ADS_ACEFLAG_INHERITED_ACE) Then
objInheritedDACL.AddAce objACE
Else
Select Case objACE.AceType
Case ADS_ACETYPE_ACCESS_ALLOWED
objAllowDACL.AddAce objACE
Case ADS_ACETYPE_ACCESS_DENIED
objDenyDACL.AddAce objACE
Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAllowObjectDACL.AddAce objACE
Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
objDenyObjectDACL.AddAce objACE
Case Else
blnACL = False
End Select
End If
Next
For Each objACE In objDenyDACL
objNewDACL.AddAce objACE
Next
For Each objACE In objDenyObjectDACL
objNewDACL.AddAce objACE
Next
For Each objACE In objAllowDACL
objNewDACL.AddAce objACE
Next
For Each objACE In objAllowObjectDACL
objNewDACL.AddAce objACE
Next
For Each objACE In objInheritedDACL
objNewDACL.AddAce objACE
Next
objNewDACL.ACLRevision = objDACL.ACLRevision
Set Reorder = objNewDACL
End Function
Integer8 Attributes
Many attributes in Active Directory have a data type (syntax) called Integer8. These 64-bit numbers (8 bytes) often represent time in 100-nanosecond intervals. If the Integer8 attribute is a date, the value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. Any leap seconds are ignored.
In .NET Framework (and PowerShell) these 100-nanosecond intervals are called ticks, equal to one ten-millionth of a second. There are 10,000 ticks per millisecond. In addition, .NET Framework and PowerShell DateTime values represent dates as the number of ticks since 12:00 AM January 1, 0001.
ADSI automatically employs the IADsLargeInteger interface to deal with these 64-bit numbers. This interface has two property methods, HighPart and LowPart, which break the number up into two 32-bit numbers. The HighPart and LowPart property methods return values between -2^31 and 2^31 - 1. The standard method of handling these attributes is demonstrated by this VBScript program to retrieve the domain lockoutDuration value in minutes.
|
Top
|
|
|
|
Moderator: Shawn, ShaneEP, Ruud van Velsen, Arend_, Jochen, Radimus, Glenn Barnas, Allen, Mart
|
0 registered
and 370 anonymous users online.
|
|
|