Hi,
I am trying to find out whether a user in AD is allowed to change their password or not. I have used SearchResponse to find out whether the user exists or not. I just want to find out whether "User cannot change password" is true or false.

C#
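using System.DirectoryServices.Protocols;
using System.Net;

// Connect to the domain controller over LDAPS (port 636).
LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier(domainname, 636));

// Note: this callback accepts every server certificate, so the server's identity is not verified.
connection.SessionOptions.VerifyServerCertificate =
    new VerifyServerCertificateCallback((con, cer) => true);

connection.SessionOptions.ProtocolVersion = 3;
connection.SessionOptions.SecureSocketLayer = true;

// Simple bind with the administrator's DN and password.
connection.AuthType = AuthType.Basic;
connection.Credential = new NetworkCredential("CN=adminusername,DC=Domain,DC=COM", "password");

using (connection)
{
    // Look for the user by CN anywhere below the users OU.
    SearchRequest request = new SearchRequest("ou=users,DC=Domain,DC=COM", "CN=pmutest", System.DirectoryServices.Protocols.SearchScope.Subtree);

    // The user exists when the response contains at least one entry.
    SearchResponse response = (SearchResponse)connection.SendRequest(request);
}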

This is how I find whether the user exists or not.
Updated 23-Nov-12 20:15pm
Comments
Mohd. Mukhtar 16-Oct-12 2:39am
   
Please update the question with a code snippet showing how you are checking the user and where you have stored the information regarding the change password status.
mayankkarki 16-Oct-12 2:46am
   
Thanks, I updated the question.
Mohd. Mukhtar 16-Oct-12 3:49am
   
Customize the response to return a flag value, and check the flag value to see if the user has access to change the password or not.
mayankkarki 16-Oct-12 4:59am
   
I didn't understand it. Can you show me how to implement it?
Mohd. Mukhtar 16-Oct-12 5:01am
   
In the line below, what value are you getting in the response object?

SearchResponse response = (SearchResponse)connection.SendRequest(request);
mayankkarki 16-Oct-12 5:18am
   
All attribute values are there. I used some attributes like this: DirectoryAttribute userAccountControl = response.Entries[0].Attributes["useraccountcontrol"];
But I don't know which attribute to use for "user cannot change password".
Mohd. Mukhtar 16-Oct-12 5:31am
   
Print the attributes and values of the response object. Hope you will figure out the thing now.
mayankkarki 16-Oct-12 7:30am
   
I printed the values of all attributes but didn't find any useful one.
Mohd. Mukhtar 16-Oct-12 7:46am
   
Then you need to modify the SendRequest method, and in the return object you need to add the required value.
mayankkarki 16-Oct-12 7:48am
   
Can you show me how to do this? It's urgent.
Mohd. Mukhtar 16-Oct-12 8:20am
   
Please follow the link below.

http://msdn.microsoft.com/en-us/library/ms141885.aspx

and modify the request and attribute which you want in response object.
mayankkarki 16-Oct-12 8:22am
   
This is the problem: I don't know which attribute is used for "user cannot change password".

1 solution

Solution of my problem.
// Requires a COM reference to the Active DS Type Library and "using ActiveDs;".
SearchResponse response = (SearchResponse)connection.SendRequest(request);
DirectoryAttribute attribute = response.Entries[0].Attributes["ntSecurityDescriptor"];

if (attribute != null)
{
    // GUID of the Change Password extended right.
    const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
    const int ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6;
    bool fEveryone = false;
    bool fSelf = false;

    // Convert the raw security descriptor bytes into an IADsSecurityDescriptor and take its DACL.
    ActiveDs.ADsSecurityUtility secUtility = new ActiveDs.ADsSecurityUtility();
    ActiveDs.IADsSecurityDescriptor sd = (IADsSecurityDescriptor)secUtility.ConvertSecurityDescriptor((byte[])attribute[0], (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_RAW, (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
    ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;

    foreach (ActiveDs.IADsAccessControlEntry ace in acl)
    {
        // Only ACEs that apply to the Change Password right are of interest.
        if ((ace.ObjectType != null) && (ace.ObjectType.ToUpper() == PASSWORD_GUID.ToUpper()))
        {
            // A deny ACE for Everyone or SELF means the user cannot change the password.
            if ((ace.Trustee == "Everyone") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
            {
                fEveryone = true;
            }
            if ((ace.Trustee == @"NT AUTHORITY\SELF") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
            {
                fSelf = true;
            }

            // Only the first ACE carrying the Change Password GUID is examined.
            break;
        }
    }

    if (fEveryone || fSelf)
    {
        return Global.RequestContants.CANT_CHANGE_PASSWORD;
    }
    else
    {
        return string.Empty;
    }
}
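
A managed-only variant of the check in the solution above, as an added example that is not part of the original post: it parses the raw nTSecurityDescriptor with System.Security.AccessControl instead of the ActiveDs COM library, compares well-known SIDs rather than display names, and examines every ACE. The class and method names are hypothetical, and the server, base DN, filter and credential are assumed to be supplied by the caller.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.AccessControl;
using System.Security.Principal;

static class PasswordAclCheck // hypothetical name, not from the original post
{
    // Change Password extended right, the same GUID the solution uses.
    static readonly Guid ChangePassword = new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");
    static readonly SecurityIdentifier Everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null); // S-1-1-0
    static readonly SecurityIdentifier Self = new SecurityIdentifier(WellKnownSidType.SelfSid, null);      // S-1-5-10

    // True when the DACL holds a deny ACE for Change Password on Everyone or SELF.
    public static bool CannotChangePassword(byte[] sdBytes)
    {
        var sd = new RawSecurityDescriptor(sdBytes, 0);
        if (sd.DiscretionaryAcl == null) return false;
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            var objectAce = ace as ObjectAce;
            if (objectAce == null || objectAce.AceQualifier != AceQualifier.AccessDenied) continue;
            if ((objectAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == 0) continue;
            if (objectAce.ObjectAceType != ChangePassword) continue;
            if (objectAce.SecurityIdentifier == Everyone || objectAce.SecurityIdentifier == Self) return true;
        }
        return false;
    }

    // Returns null when the user or the attribute is not found.
    public static bool? QueryCannotChangePassword(string server, string baseDn, string filter, NetworkCredential credential)
    {
        using (var connection = new LdapConnection(new LdapDirectoryIdentifier(server, 636)))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            connection.SessionOptions.SecureSocketLayer = true; // default certificate validation stays on
            connection.AuthType = AuthType.Basic;
            connection.Credential = credential;
            // nTSecurityDescriptor is only returned when it is requested by name.
            var request = new SearchRequest(baseDn, filter, SearchScope.Subtree, "nTSecurityDescriptor");
            // Ask for the DACL only; reading the SACL needs extra privileges.
            request.Controls.Add(new SecurityDescriptorFlagControl(SecurityMasks.Dacl));
            var response = (SearchResponse)connection.SendRequest(request);
            if (response.Entries.Count == 0) return null;
            DirectoryAttribute attr = response.Entries[0].Attributes["nTSecurityDescriptor"];
            return attr == null ? (bool?)null : CannotChangePassword((byte[])attr.GetValues(typeof(byte[]))[0]);
        }
    }
}
```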
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



