I am trying to find out whether, in AD, a user is allowed to change their password or not. I have used SearchResponse to find out whether the user exists or not. I just want to find out whether "user cannot change password" is true or false.

// Connect to the directory on the LDAPS port (636)
LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier(domainname, 636));

// This callback accepts any server certificate, so the server's identity is not verified
connection.SessionOptions.VerifyServerCertificate =
                new VerifyServerCertificateCallback((con, cer) => true);

connection.SessionOptions.ProtocolVersion = 3;
connection.AuthType = AuthType.Basic;
connection.Credential = new NetworkCredential("CN=adminusername,DC=Domain,DC=COM", "password");

// Search the users OU (and everything below it) for the account
SearchRequest request = new SearchRequest("ou=users,DC=Domain,DC=COM", "CN=pmutest", System.DirectoryServices.Protocols.SearchScope.Subtree);

SearchResponse response = (SearchResponse)connection.SendRequest(request);

This is how I find whether the user exists or not.
Updated 23-Nov-12 20:15pm
Mohd. Mukhtar 16-Oct-12 2:39am
Please update with some code snippet showing how you are checking the user and where you have stored the information regarding the change password status.
mayankkarki 16-Oct-12 2:46am
Thanks, I updated the question.
Mohd. Mukhtar 16-Oct-12 3:49am
Customize the response and return a flag value, and check the flag value for whether the user has access to change the password or not.
mayankkarki 16-Oct-12 4:59am
I didn't understand it. Can you show me how to implement it?
Mohd. Mukhtar 16-Oct-12 5:01am
In the line below, what value are you getting in the response object?

SearchResponse response = (SearchResponse)connection.SendRequest(request);
mayankkarki 16-Oct-12 5:18am
All attribute values are there. I used some attributes like this: DirectoryAttribute userAccountControl = response.Entries[0].Attributes["useraccountcontrol"];
But I don't know which attribute to use for "user cannot change password".
Mohd. Mukhtar 16-Oct-12 5:31am
Print the attributes and values of the response object. Hope you will figure out the thing now.
mayankkarki 16-Oct-12 7:30am
I printed the values of all attributes but didn't find any useful one.
Mohd. Mukhtar 16-Oct-12 7:46am
Then you need to modify the SendRequest method, and in the return object you need to add the required value.
mayankkarki 16-Oct-12 7:48am
Can you show me how to do this? It's urgent.
Mohd. Mukhtar 16-Oct-12 8:20am
Please follow the link below.

and modify the request and the attribute which you want in the response object.
mayankkarki 16-Oct-12 8:22am
This is the problem: I don't know which attribute is used for "user cannot change password".

1 solution

Solution of my problem.
// Requires a COM reference to the Active DS Type Library and "using ActiveDs;"
SearchResponse response = (SearchResponse)connection.SendRequest(request);
DirectoryAttribute attribute = response.Entries[0].Attributes["ntSecurityDescriptor"];

if (attribute != null)
{
    // GUID of the Change Password control access right
    const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
    const int ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6;
    bool fEveryone = false;
    bool fSelf = false;

    // Convert the raw security descriptor bytes into an IADsSecurityDescriptor
    ActiveDs.ADsSecurityUtility secUtility = new ActiveDs.ADsSecurityUtility();
    ActiveDs.IADsSecurityDescriptor sd = (IADsSecurityDescriptor)secUtility.ConvertSecurityDescriptor((byte[])attribute[0], (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_RAW, (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
    ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;

    // Look for deny ACEs on the Change Password right for Everyone or SELF
    foreach (ActiveDs.IADsAccessControlEntry ace in acl)
    {
        if ((ace.ObjectType != null) && (ace.ObjectType.ToUpper() == PASSWORD_GUID.ToUpper()))
        {
            if ((ace.Trustee == "Everyone") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
            {
                fEveryone = true;
            }
            if ((ace.Trustee == @"NT AUTHORITY\SELF") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
            {
                fSelf = true;
            }
        }
    }

    if (fEveryone || fSelf)
    {
        return Global.RequestContants.CANT_CHANGE_PASSWORD;
    }
    return string.Empty;
}
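
An added example, not part of the original post: the same check done with the managed System.Security.AccessControl classes instead of the ActiveDs COM library, matching the trustees by well-known SID rather than by trustee name string. The class and method names and the two SDDL sample descriptors are constructed for illustration, and the code assumes it runs on Windows.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

static class CannotChangePassword   // hypothetical helper class
{
    // Change Password control access right (same GUID as in the post).
    static readonly Guid ChangePassword = new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");

    // rawSd: the byte[] value of the ntSecurityDescriptor attribute.
    public static bool IsSet(byte[] rawSd)
    {
        var sd = new RawSecurityDescriptor(rawSd, 0);
        if (sd.DiscretionaryAcl == null) return false;   // no DACL in the returned descriptor

        bool denyEveryone = false, denySelf = false;
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            // Only object-specific deny ACEs (ACE type 6) are relevant.
            if (!(ace is ObjectAce oace) || oace.AceType != AceType.AccessDeniedObject) continue;
            // The ACE must name an object type, and it must be the Change Password right.
            if ((oace.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == 0) continue;
            if (oace.ObjectAceType != ChangePassword) continue;

            if (oace.SecurityIdentifier.IsWellKnown(WellKnownSidType.WorldSid)) denyEveryone = true;
            if (oace.SecurityIdentifier.IsWellKnown(WellKnownSidType.SelfSid)) denySelf = true;
        }
        return denyEveryone || denySelf;   // same either-trustee rule as the post
    }

    // Builds a binary security descriptor from SDDL so the sample runs without a directory.
    static byte[] FromSddl(string sddl)
    {
        var sd = new RawSecurityDescriptor(sddl);
        var raw = new byte[sd.BinaryLength];
        sd.GetBinaryForm(raw, 0);
        return raw;
    }

    static void Main()
    {
        // Constructed sample DACLs: object deny (OD) vs. object allow (OA) for Everyone (WD) and SELF (PS).
        string denied  = "D:(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)";
        string allowed = "D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)";
        Console.WriteLine("deny ACEs present:  " + IsSet(FromSddl(denied)));
        Console.WriteLine("allow ACEs present: " + IsSet(FromSddl(allowed)));
    }
}
```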

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
