2009-11-19 91 views
2

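With help from two people, I have figured out how to set "User cannot change password" using the code below. I am now trying to figure out how to remove that attribute. I thought that setting the denied flag to "allow" would work, but it doesn't seem to do anything. If possible, I would like the code to use DirectoryEntry rather than PrincipalContext, because I am not sure my application will be used on servers that all have .NET 3.5. Any help would be appreciated.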

    // GUID of the User-Change-Password extended right
    string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
    string[] trustees = { "NT AUTHORITY\\SELF", "EVERYONE" };

    // Read the DACL from the user's security descriptor
    ActiveDs.IADsSecurityDescriptor sd = (ActiveDs.IADsSecurityDescriptor)User.Properties["ntSecurityDescriptor"].Value;
    ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;
    ActiveDs.AccessControlEntry ace = new ActiveDs.AccessControlEntry();

    double denied = (double)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
    double objectType = (double)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
    double dsControl = (double)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;

    // Add an object-specific deny ACE on the extended right for each trustee
    foreach (string trustee in trustees) {
        ace.Trustee = trustee;
        ace.AceFlags = 0;
        ace.AceType = Convert.ToInt32(Math.Floor(denied));
        ace.Flags = Convert.ToInt32(Math.Floor(objectType));
        ace.ObjectType = PASSWORD_GUID;
        ace.AccessMask = Convert.ToInt32(Math.Floor(dsControl));

        acl.AddAce(ace);
    }

    // Write the modified DACL back and commit
    sd.DiscretionaryAcl = acl;
    User.Properties["ntSecurityDescriptor"].Value = sd;
    User.CommitChanges();

Answers

1

I prefer to use the System.DirectoryServices.AccountManagement namespace for this kind of thing (requires .NET 3.5 or later, I think). With those objects, your call becomes much simpler:

using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "Domain")) 
{ 
    UserPrincipal up = UserPrincipal.FindByIdentity(pc, "Domain\\User"); 
    up.UserCannotChangePassword = false; 
    up.Save(); 
} 
+0

It requires .NET 3.5 and later, actually – 2009-11-19 07:13:47

+0

You're right. I just noticed that when I saw your comment; it was heading in the right direction :). – 2009-11-19 07:19:01
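
For the DirectoryEntry-only case the question asks about, an added example (not code from the question or the answer) that removes the explicit deny ACEs on the User-Change-Password extended right using the managed ActiveDirectorySecurity API in System.DirectoryServices. The class and method names are hypothetical, and it assumes `user` is an already bound DirectoryEntry for the account and that the caller may write the object's DACL:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Hypothetical helper, not part of the original post.
static class PasswordChangeAcl
{
    // User-Change-Password extended right (same GUID as PASSWORD_GUID in the question).
    static readonly Guid ChangePassword = new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");

    // Removes the explicit deny ACEs for SELF and Everyone; returns how many were removed.
    public static int AllowPasswordChange(DirectoryEntry user)
    {
        // Read and write only the DACL, so owner/group/SACL rights are not needed.
        user.Options.SecurityMasks = SecurityMasks.Dacl;

        SecurityIdentifier self = new SecurityIdentifier(WellKnownSidType.SelfSid, null);
        SecurityIdentifier everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);

        ActiveDirectorySecurity security = user.ObjectSecurity;
        List<ActiveDirectoryAccessRule> toRemove = new List<ActiveDirectoryAccessRule>();

        // Explicit rules only: inherited ACEs cannot be removed on the object itself.
        foreach (ActiveDirectoryAccessRule rule in
                 security.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            bool deniesChange = rule.AccessControlType == AccessControlType.Deny
                && rule.ObjectType == ChangePassword
                && (rule.ActiveDirectoryRights & ActiveDirectoryRights.ExtendedRight) != 0;
            bool targetTrustee = rule.IdentityReference.Equals(self)
                || rule.IdentityReference.Equals(everyone);
            if (deniesChange && targetTrustee)
                toRemove.Add(rule);
        }

        // Collect first, then remove, so the rule collection is not changed while enumerating.
        foreach (ActiveDirectoryAccessRule rule in toRemove)
            security.RemoveAccessRuleSpecific(rule);

        if (toRemove.Count > 0)
            user.CommitChanges(); // writes the modified ntSecurityDescriptor back
        return toRemove.Count;
    }
}
```

Matching on SIDs rather than trustee name strings keeps the check independent of localized account names, and filtering on the object type GUID leaves every other deny ACE on the account untouched.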