What permissions do I have to delegate in order to set UserCannotChangePassword in Active Directory through a C# UserPrincipal

Problem description

This seemed to have been asked a few years ago at Constraint violation when trying to set "User Cannot Change Password" in active directory from c# but no response actually answered the question sufficiently.

I tried reviving the thread because I wanted to hear specifically from the originator as to whether he had solved the issue, but my response was deleted as it is, admittedly, an old question. I hope Resorath sees this as he may have more insight into the problem!

Basically, the problem boils down to lack of permissions.

More specifically, I have created a service account and delegated full modify permissions (checked all the boxes in the "Descendant User objects" list of the "Advanced" security settings DACL list of AD Users and Computers... including the ones that appeared after manually editing some file). Yes, this includes the ntSecurityDescriptor. Also, this includes the "Modify permissions" of the "Descendant account objects" as well.

When I create a PrincipalContext using this user, and create or load a UserPrincipal using that context, I am able to modify literally everything relating to that user except the UserCannotChangePassword property. Upon attempting to save the user, I get an A constraint violation has occured error.

Please note: When adding the service account to the DomainAdmins group, I am able to make this change. Also, if I set the account as the owner of the user object I am also able to make this change. To me, this clearly signals that there is a permission I am missing.

I have searched for hours to find information that might help me on this, and have at this point exhausted my google-fu abilities.

Here is a link to the issue I opened in the corefx github page... https://github.com/dotnet/corefx/issues/34193 This includes a sample application demonstrating the problem.

Thanks!

Recommended answer

It was brought to my attention I never posted the solution I was given here. It is a bug in the corefx library and there is a fix we haven't gotten around to implementing and making a PR for in the issue I mentioned, https://github.com/dotnet/corefx/issues/34193 . If anyone else needs this then feel free to fix it yourselves as well... Hopefully by the time anyone else sees this it will have been fixed :-)
