尝试设置“用户无法更改密码”时违反约束在C#的活动目录中 [英] Constraint violation when trying to set "User Cannot Change Password" in active directory from c#
问题描述
我尝试了多种方法在c#中的活动目录中设置用户无法更改密码标志。
I've tried multiple ways to set the flag "User cannot change password" in active directory from c#.
以下操作无效:
- 将 CannotChangePassword设置为true关于用户主体对象
- 在目录条目上设置关于用户对象安全性的访问规则( http://urslisworld.blogspot.ca/2010/02/set-user-cannot-change-password-in-c.html )
- 直接设置ntSecurityDescriptor( http://sourcefield.blogspot.ca/2009/12/cactivedirectory-check-user-cannot.html )
- 当然,我可以不能直接根据 https://support.microsoft.com/设置用户帐户控制属性en-us / kb / 305144
- Setting "CannotChangePassword" to true on the user principle object
- Setting access rules on the user object security on the directory entry (http://urslisworld.blogspot.ca/2010/02/set-user-cannot-change-password-in-c.html)
- Directly setting the ntSecurityDescriptor (http://sourcefield.blogspot.ca/2009/12/cactivedirectory-check-user-cannot.html)
- and of course, I can't directly set the user account control property according to https://support.microsoft.com/en-us/kb/305144
前三个分别给出了完全相同的,高度隐秘的错误消息,约束t违反,并显示以下扩展信息:
The first three each give the exact same, highly cryptic error message, "Constraint Violation" with the extended message:
0000051B: AtrErr: DSID-030F20BA, #1:
0: 0000051B: DSID-030F20BA, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
这是应该起作用的最简单的案例代码(选项1):
Here is the simplest case code that should have worked (option 1):
using (var context = new PrincipalContext(ContextType.Domain, myDomain, myAccountOperatorUsername, myAccountOperatorPassword))
{
using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, userNameToChange))
{
if (user != null)
{
user.UserCannotChangePassword = true;
user.Save()
}
}
}
使用同一台计算机上的相同凭据,执行此操作的powershell方式非常正常。实际上,它运行得很好,我可以在代码中使其自动化并成功:
The powershell way of doing this works perfectly fine, using the same credentials from the same machine. In fact, it works so well I can automate it in the code and it succeeds:
using (var PowerShellInstance = PowerShell.Create())
{
PowerShellInstance.AddScript("Import-Module Active-Directory");
PowerShellInstance.AddScript("$password = ConvertTo-SecureString \"" + myAccountOperatorPassword + "\" -AsPlainText -Force");
PowerShellInstance.AddScript("$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist \"" + myAccountOperatorUsername + "\", $password");
PowerShellInstance.AddScript("Set-ADAccountControl -Identity " + usernameToChange + " -CannotChangePassword $true -Credential $cred");
var PSOutput = PowerShellInstance.Invoke();
}
但是,强大的方法使部署变得更加复杂
However the powershell way makes the deployment more complicated for something that should be accomplishable in pure c#.
这是域,代码运行的环境还是代码本身的问题吗?
Is this a problem with the domain, the environment the code is running in, or the code itself?
推荐答案
使用非常相似的C#代码,我遇到了完全相同的问题。在我的情况下,我们用来设置用户无法更改密码标志的帐户已将该选项标记为自己。当我们从帐户中删除该标志时,代码开始起作用。
I had the exact same problem using a very similar C# code. In my case, the account we were using to set the "User cannot change password" flag had that option marked itself. When we removed the flag from the account, the code started working.
这显然只影响C#。该解决方案的其他实现也不错,包括PowerShell。
This is something that, apparently, only affected C#. Other implementations of the solution worked fine, including PowerShell.
这篇关于尝试设置“用户无法更改密码”时违反约束在C#的活动目录中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
