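/// <summary>
/// Sets the "user cannot change password" restriction on an Active Directory account
/// by adding object-specific access-denied ACEs for the change-password control-access
/// right to the account's DACL, then committing the change to the directory.
/// </summary>
/// <remarks>
/// Only the user's own password change is covered by this right; an administrative
/// password reset is a different extended right and is not restricted here.
/// Existing ACEs are not inspected, so calling this twice on the same account appends
/// a second pair of deny entries.
/// NOTE(review): any existing allow ACE for the same right is left in place, and the
/// final ACE order is whatever AddAce and the commit produce; confirm the deny entries
/// take precedence on the target domain (check the account's "User cannot change
/// password" box after the call).
/// </remarks>
/// <param name="User">Directory entry of the user account to restrict.</param>
/// <exception cref="System.ArgumentNullException"><paramref name="User"/> is null.</exception>
/// <exception cref="System.InvalidOperationException">
/// The entry returned no security descriptor or no discretionary ACL.
/// </exception>
private void DenyChangePassword(DirectoryEntry User)
{
    if (User == null)
    {
        throw new System.ArgumentNullException("User");
    }

    // Object-type GUID of the change-password extended right the deny ACEs apply to.
    const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";

    // Both principals are denied so the restriction does not depend on which of the
    // two a given allow entry was granted to.
    string[] trustees = new string[] { @"NT AUTHORITY\SELF", "EVERYONE" };

    ActiveDs.IADsSecurityDescriptor sd =
        (ActiveDs.IADsSecurityDescriptor)User.Properties["ntSecurityDescriptor"].Value;
    if (sd == null)
    {
        // Fail with a clear message instead of a NullReferenceException further down.
        throw new System.InvalidOperationException(
            "The directory entry returned no ntSecurityDescriptor value.");
    }

    ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;
    if (acl == null)
    {
        throw new System.InvalidOperationException(
            "The security descriptor has no discretionary ACL to extend.");
    }

    foreach (string trustee in trustees)
    {
        // A fresh ACE per trustee: the two ACL entries must never share one COM object
        // whose Trustee gets overwritten on the second pass.
        ActiveDs.IADsAccessControlEntry ace = new ActiveDs.AccessControlEntry();
        ace.Trustee = trustee;
        ace.AceFlags = 0; // no inheritance flags: applies to this object only
        ace.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
        ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
        ace.ObjectType = PASSWORD_GUID;
        ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
        acl.AddAce(ace);
    }

    // Write the modified DACL back into the descriptor, the descriptor back onto the
    // entry, and push the change to the directory.
    sd.DiscretionaryAcl = acl;
    User.Properties["ntSecurityDescriptor"].Value = sd;
    User.CommitChanges();
}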
AD 中设定用户不能修改密码方法