使用C#编写User-Account_Property [英] Programming the User-Account_Property using C#
问题描述
我不确定我是否为这篇文章选择了正确的新闻组。
我正在C#VS 2005中编写一个程序来为我们创建用户帐户
Active Directory中的学生。
这是用几年前在VS6中用C ++和
ADSI替换的程序。
我试图不在我的新程序中使用ADSI,而是专注于
DirectoryServices。
在C#中设置Active Directory的语法属性类似于:
entry.Properties [" givenName"]。value =" Jim" ;; (其中条目是
DirectoryEntry)
但是对于userAccountControl属性,必须使用枚举标识符的
组合。
请参阅 http:// msdn2.microsoft.com/en-us/library/aa772300.aspx
我不希望学生能够更改密码所以我需要使用
ADS_UF_PASSWD_CANT_CHANGE。
此标志可以读取,但不能直接设置,因为它涉及设置受托者
权限等。有一个示例程序的链接来设置此但是它在C ++中是
并且使用了我想要避免的ADSI。
当然在Framework 2.0中必须有一个很好的新方法。
是否有任何使用DirectoryServices设置的C#代码示例
ADS_UF_PASSWD_CANT_CHANGE?
我不是我想为现有的unmanag写一个包装器代码,其中包括ACE,ACL,安全描述符等
" Chris Noble" < ch ********* @ newsgroup.nospamwrote in message
news:ul ************** @ TK2MSFTNGP04.phx.gbl。 ..
>我不确定我是否为这篇文章选择了正确的新闻组。
我写的C#VS 2005中的一个程序,用于为我们的学生创建用户帐户。
目录。
这是用几年前在VS6中用C ++和ADSI替换的程序。
我试图不在我的新程序中使用ADSI,而是专注于DirectoryServices。
在C#中设置Active的语法目录属性类似于:
entry.Properties [" givenName"]。value =" Jim" ;; (其中entry是DirectoryEntry)
但是对于userAccountControl属性,必须使用
枚举标识符的组合。
请参阅 http://msdn2.microsoft.com/en- us / library / aa772300.aspx
我不希望学生能够更改密码,所以我需要使用
ADS_UF_PASSWD_CANT_CHANGE。
可以读取此标志,但不能直接设置,因为它涉及设置受托者权限等。
有一个示例程序的链接来设置此标志,但它是在C ++中并使用ADSI
我想避免。
当然在Framework 2.0中必须有一个很好的新方法。
是否有使用DirectoryServices设置ADS_UF_PASSWD_CANT_CHANGE的示例C#代码?
我不想为我现有的非托管代码编写包装器/>
ACE,ACL,安全描述符等
设置此用户无法更改密码的唯一方法属性是将用户对象上的ACE'转换为ACCESS_DENIED_ACE类型的ACE。
这可以通过使用System.Security的DirectorySecurity类来完成。 AccessControl
名称空间。
威利。
谢谢威利
但是我仍然很困惑。
在我早期的版本中,执行此操作的算法大致如下:
获取对象的安全描述符。
使用安全描述符获取对象的DACL。
创建一个ACE并添加:
访问掩码ADS_RIGHT_DS_CONTROL_ACCESS
受托人(NT Authority \\ Self)
访问类型ADS_ACE_TYPE_ACCESS_DENIED_OBJECT
设置访问标志为CHANGE_PASSWORD_GUID(无继承)
将ACE添加到DACL
为对象设置安全描述符。
我还需要做这一切。
我发现难以进行交易将旧条款纳入新条款。
我无法看到如何从DirectoryEntry获取ACE
Willy Denoyette [MVP]" < wi ************* @ telenet.bewrote in message
news:eA ************** @ TK2MSFTNGP05。 phx.gbl ...
" Chris Noble" < ch ********* @ newsgroup.nospamwrote in message
news:ul ************** @ TK2MSFTNGP04.phx.gbl。 ..
>>我不确定我是否为这篇文章选择了正确的新闻组。
我正在编写一个程序在C#VS 2005中为我们在Active Directory中的学生创建用户帐户。
这是用几年前在VS6中用C ++和
ADSI替换的程序。
<我试图不在我的新程序中使用ADSI,而是专注于DirectoryServices。
在C#中,设置Active Directory属性的语法如下:
entry.Properties ["给定名称"]值= QUOT。吉姆英寸; (其中条目是
DirectoryEntry)
但是对于userAccountControl属性,必须使用枚举标识符的组合。
请参阅 http://msdn2.microsoft.com/en-us/library/aa772300.aspx
我不希望学生能够更改密码,因此我需要使用ADS_UF_PASSWD_CANT_CHANGE。
此标志可以读取,但不能直接设置,因为它涉及设置<有一个示例程序的链接来设置这个
标志,但它是在C ++中并使用我想避免的ADSI。
当然必须有一个在Framework 2.0中这样做的新方法很好。
是否有任何使用DirectoryServices设置的C#代码示例
ADS_UF_PASSWD_CANT_CHANGE?
我不想必须为我现有的非托管代码编写一个包装器,其中涉及ACE,ACL,安全描述符等
设置此用户无法更改密码的唯一方法属性是通过
将用户对象上的ACE转换为ACCESS_DENIED_ACE类型的ACE。
这可以通过使用
的DirectorySecurity类来完成
System.Security.AccessControl命名空间。
Willy。
< blockquote>" Chris Noble" < ch ********* @ newsgroup.nospamwrote in message
news:eW ************** @ TK2MSFTNGP06.phx.gbl。 ..
谢谢Willy
但是我还是很困惑。
在我的早期版本执行此操作的算法大致如下:
获取对象的安全描述符。
使用安全描述符获取对象的DACL。
创建一个ACE并添加:
访问掩码ADS_RIGHT_DS_CONTROL_ACCESS
受托人(NT Authority \\ Self)
访问类型ADS_ACE_TYPE_ACCESS_DENIED_OBJECT
设置访问标志为CHANGE_PASSWORD_GUID(无继承)
将ACE添加到DACL
设置对象的安全描述符。
我还需要做这一切。
我发现很难将旧条款翻译成新条款。
我可以''看看如何从DirectoryEntry获取ACE
你需要做的是什么,除了现在在v2你有一个让它更容易上课的课程。
看看ActiveDirectorySecurity课程(而不是SystemSecurity.AccessControl中的DirectorySecurity(根据我的
之前的答案)。
这是一个C#示例(向下滚动页面):
http://msdn2.microsoft.com/en-gb/library/ms180915 .aspx
但是使用SDDL格式有更简单的方法。
Willy。
I am not sure that I have picked the right newsgroup for this post.
I am writing a program in C# VS 2005 to create user accounts for our
students in Active Directory.
This is to replace a program I wrote some years ago in VS6 using C++ and
ADSI.
I am trying not to use ADSI in my new program, focussing on
DirectoryServices instead.
In C# the syntax to set an Active Directory property is something like:
entry.Properties["givenName"].value="Jim"; (where entry is a
DirectoryEntry)
However for the userAccountControl property it is necessary to use a
combination of enumerated identifiers.
see http://msdn2.microsoft.com/en-us/library/aa772300.aspx
I do not want the students to be able to change a password so I need to use
ADS_UF_PASSWD_CANT_CHANGE.
This flag can be read, but not set directly as it involves setting trustee
rights etc. There is a link to an example program to set this flag but it is
in C++ and uses ADSI which I want to avoid.
Surely there must be a nice new clean way of doing this in Framework 2.0.
Is there any example C# code using DirectoryServices to set
ADS_UF_PASSWD_CANT_CHANGE?
I don''t want to have to write a wrapper for my existing unmanaged code which
involved ACEs, ACLs, security descriptors etc
"Chris Noble" <ch*********@newsgroup.nospamwrote in message
news:ul**************@TK2MSFTNGP04.phx.gbl...>I am not sure that I have picked the right newsgroup for this post.
I am writing a program in C# VS 2005 to create user accounts for our students in Active
Directory.
This is to replace a program I wrote some years ago in VS6 using C++ and ADSI.
I am trying not to use ADSI in my new program, focussing on DirectoryServices instead.
In C# the syntax to set an Active Directory property is something like:
entry.Properties["givenName"].value="Jim"; (where entry is a DirectoryEntry)
However for the userAccountControl property it is necessary to use a combination of
enumerated identifiers.
see http://msdn2.microsoft.com/en-us/library/aa772300.aspx
I do not want the students to be able to change a password so I need to use
ADS_UF_PASSWD_CANT_CHANGE.
This flag can be read, but not set directly as it involves setting trustee rights etc.
There is a link to an example program to set this flag but it is in C++ and uses ADSI
which I want to avoid.
Surely there must be a nice new clean way of doing this in Framework 2.0.
Is there any example C# code using DirectoryServices to set ADS_UF_PASSWD_CANT_CHANGE?
I don''t want to have to write a wrapper for my existing unmanaged code which involved
ACEs, ACLs, security descriptors etc
The only way to set this "user cannot change password" property is by turning the ACE''s on
the user object into an ACCESS_DENIED_ACE type ACE.
This can be done by using the DirectorySecurity class of the System.Security.AccessControl
namespace.
Willy.
Thanks Willy
But I''m still confused.
In my earlier version the algorithm to do this went roughly like this:
Get Security Descriptor for the object.
Using the security descriptor get the DACL for the object.
Create an ACE and add:
access mask ADS_RIGHT_DS_CONTROL_ACCESS
trustee (NT Authority\\Self)
access type ADS_ACE_TYPE_ACCESS_DENIED_OBJECT
set accessflags to to CHANGE_PASSWORD_GUID (no inheritance)
add ACE to DACL
Set Security Descriptor for the object.
Do I still need to do all this.
I am finding it difficult to translate the old terms into the new ones.
I can''t see how to get to the ACEs from the DirectoryEntry
"Willy Denoyette [MVP]" <wi*************@telenet.bewrote in message
news:eA**************@TK2MSFTNGP05.phx.gbl..."Chris Noble" <ch*********@newsgroup.nospamwrote in message
news:ul**************@TK2MSFTNGP04.phx.gbl...>>I am not sure that I have picked the right newsgroup for this post.
I am writing a program in C# VS 2005 to create user accounts for our
students in Active Directory.
This is to replace a program I wrote some years ago in VS6 using C++ and
ADSI.
I am trying not to use ADSI in my new program, focussing on
DirectoryServices instead.
In C# the syntax to set an Active Directory property is something like:
entry.Properties["givenName"].value="Jim"; (where entry is a
DirectoryEntry)
However for the userAccountControl property it is necessary to use a
combination of enumerated identifiers.
see http://msdn2.microsoft.com/en-us/library/aa772300.aspx
I do not want the students to be able to change a password so I need to
use ADS_UF_PASSWD_CANT_CHANGE.
This flag can be read, but not set directly as it involves setting
trustee rights etc. There is a link to an example program to set this
flag but it is in C++ and uses ADSI which I want to avoid.
Surely there must be a nice new clean way of doing this in Framework 2.0.
Is there any example C# code using DirectoryServices to set
ADS_UF_PASSWD_CANT_CHANGE?
I don''t want to have to write a wrapper for my existing unmanaged code
which involved ACEs, ACLs, security descriptors etc
The only way to set this "user cannot change password" property is by
turning the ACE''s on the user object into an ACCESS_DENIED_ACE type ACE.
This can be done by using the DirectorySecurity class of the
System.Security.AccessControl namespace.
Willy.
"Chris Noble" <ch*********@newsgroup.nospamwrote in message
news:eW**************@TK2MSFTNGP06.phx.gbl...Thanks Willy
But I''m still confused.
In my earlier version the algorithm to do this went roughly like this:
Get Security Descriptor for the object.
Using the security descriptor get the DACL for the object.
Create an ACE and add:
access mask ADS_RIGHT_DS_CONTROL_ACCESS
trustee (NT Authority\\Self)
access type ADS_ACE_TYPE_ACCESS_DENIED_OBJECT
set accessflags to to CHANGE_PASSWORD_GUID (no inheritance)
add ACE to DACL
Set Security Descriptor for the object.
Do I still need to do all this.
I am finding it difficult to translate the old terms into the new ones.
I can''t see how to get to the ACEs from the DirectoryEntryThis is excatly what you need to do, except that now in v2 you have a class which makes it a
lot easier.
Take a look at the ActiveDirectorySecurity class (and not DirectorySecurity as per my
previous answer) in System.Security.AccessControl.
And here is a C# sample (scroll down the page):
http://msdn2.microsoft.com/en-gb/library/ms180915.aspx
but there are easier ways to do this using the SDDL format.
Willy.
这篇关于使用C#编写User-Account_Property的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
