Hello,
In my small tool, I give the service desk user the ability to reset user passwords, as in the "Active Directory Users and Computers" console.
The user can also change some AD attributes.
Now I have a problem:
Admin-User1 = can do everything
Admin-User2 = is not allowed to write the attribute "UserCannotChangePassword".
Here is an example of how I do it:
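// Requires: using System.DirectoryServices.AccountManagement;
// Bind to DC01 with the service desk admin's credentials.
PrincipalContext AdPrincipalContextUsers = new PrincipalContext(ContextType.Domain, "DC01", @"MyDom.local\Admin-User2", "PWD123");
string strDistinguishedName = "CN=Test-User1,OU=Users,OU=MYC,DC=MyDom,DC=local";
UserPrincipal objAdUser = UserPrincipal.FindByIdentity(AdPrincipalContextUsers, strDistinguishedName);
// IsChecked is a nullable bool; comparing with true avoids an exception when it is null.
objAdUser.UserCannotChangePassword = ChkUserCannotChangePassword.IsChecked == true;
// Save() throws if the bound account lacks the required rights.
objAdUser.Save();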
What I have tried:
With "try, catch" I can intercept it, but this is not a nice solution.
I would love to solve it like this: when the program starts, I check whether the Admin-UserX has permission on the attribute. The checkbox is then set to "checkbox.enable=false".
Now my question:
How can I check the permission on the Active Directory attribute?
Thanks for your help.
Greetings, Brauschi
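One way to do the start-up check described in the question, as an added example that is not part of the original post: Active Directory exposes the constructed attributes allowedAttributesEffective (attributes the bound account may write) and sDRightsEffective (parts of the security descriptor it may modify). UserCannotChangePassword is not a stored attribute; it is set through change-password deny ACEs in the object's DACL, so the relevant check is the DACL bit of sDRightsEffective. The class and method names are hypothetical, and the values used in Main are constructed samples.

```csharp
using System;
using System.DirectoryServices;
using System.Linq;

static class AdWriteCheck   // hypothetical helper, not from the original post
{
    // DACL_SECURITY_INFORMATION bit as reported in sDRightsEffective.
    const int DaclSecurityInformation = 0x4;

    // True if the LDAP attribute name is in the effective-write list.
    public static bool CanWriteAttribute(string[] allowedEffective, string ldapName) =>
        allowedEffective.Contains(ldapName, StringComparer.OrdinalIgnoreCase);

    // True if the bound account may modify the object's DACL, which is
    // what setting UserCannotChangePassword requires.
    public static bool CanModifyDacl(int sdRightsEffective) =>
        (sdRightsEffective & DaclSecurityInformation) != 0;

    // Reads both constructed attributes for one object, evaluated by the
    // domain controller for the account used to bind.
    public static (string[] Allowed, int SdRights) ReadEffectiveRights(
        string server, string dn, string user, string password)
    {
        using (var entry = new DirectoryEntry($"LDAP://{server}/{dn}",
                                              user, password, AuthenticationTypes.Secure))
        {
            // Constructed attributes are only returned when requested by name.
            entry.RefreshCache(new[] { "allowedAttributesEffective", "sDRightsEffective" });
            string[] allowed = entry.Properties["allowedAttributesEffective"]
                .Cast<object>().Select(v => v.ToString()).ToArray();
            object sd = entry.Properties["sDRightsEffective"].Value;
            return (allowed, sd is int i ? i : 0);
        }
    }

    static void Main()
    {
        // Constructed sample values so the decision logic runs offline.
        // Live: var r = ReadEffectiveRights("DC01", userDn, adminUser, adminPassword);
        var r = (Allowed: new[] { "telephoneNumber", "description" }, SdRights: 0x3);

        bool canEditPhone = CanWriteAttribute(r.Allowed, "telephoneNumber");
        bool canSetCannotChangePwd = CanModifyDacl(r.SdRights);
        Console.WriteLine($"telephoneNumber editable: {canEditPhone}");
        Console.WriteLine($"UserCannotChangePassword editable: {canSetCannotChangePwd}");
    }
}
```

Bind the result to the checkbox's enabled state at start-up, and keep the try/catch around Save() because rights can change between the check and the write.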