活动目录属性

Question

在 stackoverflow 上的两个人的帮助下，我想出了如何使用下面的代码设置“用户无法更改密码”。我现在正试图弄清楚如何删除该属性。我认为将拒绝标志设置为“允许”会起作用，但它似乎什么也没做。如果可能的话，我希望代码使用 DirectoryEntry 而不是 PrincipalContext，因为我不确定我的应用程序是否会在所有服务器上使用 .NET 3.5。对此的任何帮助将不胜感激。

            string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
            string [] trustees = {"NT AUTHORITY\\SELF", "EVERYONE"};

            ActiveDs.IADsSecurityDescriptor sd = (ActiveDs.IADsSecurityDescriptor)User.Properties["ntSecurityDescriptor"].Value;
            ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList) sd.DiscretionaryAcl;
            ActiveDs.AccessControlEntry ace = new ActiveDs.AccessControlEntry();        


            double denied = (double)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
            double objectType = (double)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
            double dsControl = (double)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;

            foreach (string trustee in trustees) {
                ace.Trustee = trustee;
                ace.AceFlags = 0;                
                ace.AceType = Convert.ToInt32(Math.Floor(denied));
                ace.Flags = Convert.ToInt32(Math.Floor(objectType));
                ace.ObjectType = PASSWORD_GUID;
                ace.AccessMask = Convert.ToInt32(Math.Floor(dsControl));

                acl.AddAce(ace);
            }
            sd.DiscretionaryAcl = acl;
            User.Properties["ntSecurityDescriptor"].Value
= sd;
            User.CommitChanges();

Answer 1

我更喜欢使用 System.DirectoryServices.AccountManagement 命名空间来处理这类事情（我认为需要 .Net 3.5 或更高版本）。使用这些对象，您的调用会变得更加简单：

using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "Domain"))
{
    UserPrincipal up = UserPrincipal.FindByIdentity(pc, "Domain\\User");
    up.UserCannotChangePassword = false;
    up.Save();
}