2

I am trying to prepare report of users who cannot change their password in AD. AD is installed on Window Server 2012.

Here is the method, which I thought to work but isn't working - 

    /// <summary>
    /// Check whether password of user cannot be changed.
    /// </summary>
    /// <param name="user">The DirectoryEntry object of user.</param>
    /// <returns>Return true if password cannot be changed else false.</returns>
    public static bool IsPasswordCannotBeChanged(DirectoryEntry user)
    {
        if (user.Properties.Contains("userAccountControl") &&
            user.Properties["userAccountControl"].Value != null)
        {
            var userFlags = (UserFlags)user.Properties["userAccountControl"].Value;
            return userFlags.Contains(UserFlags.PasswordCannotChange);
        }
        return false;
    }

And here is the enum UserFlags -

[Flags]
public enum UserFlags
{
    // Reference - Chapter 10 (from The .NET Developer's Guide to Directory Services Programming)

    Script = 1,                                     // 0x1
    AccountDisabled = 2,                            // 0x2
    HomeDirectoryRequired = 8,                      // 0x8
    AccountLockedOut = 16,                          // 0x10
    PasswordNotRequired = 32,                       // 0x20
    PasswordCannotChange = 64,                      // 0x40
    EncryptedTextPasswordAllowed = 128,             // 0x80
    TempDuplicateAccount = 256,                     // 0x100
    NormalAccount = 512,                            // 0x200
    InterDomainTrustAccount = 2048,                 // 0x800
    WorkstationTrustAccount = 4096,                 // 0x1000
    ServerTrustAccount = 8192,                      // 0x2000
    PasswordDoesNotExpire = 65536,                  // 0x10000 (Also 66048 )
    MnsLogonAccount = 131072,                       // 0x20000
    SmartCardRequired = 262144,                     // 0x40000
    TrustedForDelegation = 524288,                  // 0x80000
    AccountNotDelegated = 1048576,                  // 0x100000
    UseDesKeyOnly = 2097152,                        // 0x200000
    DontRequirePreauth = 4194304,                   // 0x400000
    PasswordExpired = 8388608,                      // 0x800000 (Applicable only in Window 2000 and Window Server 2003)
    TrustedToAuthenticateForDelegation = 16777216,  // 0x1000000
    NoAuthDataRequired = 33554432                   // 0x2000000
}

Can you share why 64 (for password cannot change), is not returned for user whose password cannot be changed?

Or you have a much better approach to make this work out?

EDIT-

UserFlagExtension code for making things bit fast -

public static class UserFlagExtensions
{
    /// <summary>
    /// Check if flags contains the specific user flag.
    /// </summary>
    /// <param name="haystack">The bunch of flags</param>
    /// <param name="needle">The flag to look for.</param>
    /// <returns>Return true if flag found in flags.</returns>
    public static bool Contains(this UserFlags haystack, UserFlags needle)
    {
        return (haystack & needle) == needle;
    }
}
Vikram Singh Saini
  • 1,749
  • 3
  • 22
  • 42

4 Answers4

3

After searching lot and struggling for hours, I was able to formulate working solution.

.Net 2.0 way

Please proceed to link AD .NET - User's Can't Change Password Attribute (Get/Set)

You will need to add reference to ActiveDS for making it to work. Although I hadn't get time to test it. But a lot of places it is supposed to be working. So...

Code snippet from above article- (in case article get removed)

public bool GetCantChangePassword(string userid)
 {
        bool cantChange = false;
        try
        {
            DirectoryEntry entry = new DirectoryEntry(string.Format("LDAP://{0},{1}", "OU=Standard Users,OU=Domain", "DC=domain,DC=org"));
            entry.AuthenticationType = AuthenticationTypes.Secure | AuthenticationTypes.ServerBind;
            DirectorySearcher search = new DirectorySearcher(entry);
            search.Filter = string.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))", userid);
            search.SearchScope = SearchScope.Subtree;
            SearchResult results = search.FindOne();
            if (results != null)
            {
                try
                {
                    DirectoryEntry user = results.GetDirectoryEntry();
                    ActiveDirectorySecurity userSecurity = user.ObjectSecurity;
                    SecurityDescriptor sd = (SecurityDescriptor)user.Properties["ntSecurityDescriptor"].Value;
                    AccessControlList oACL = (AccessControlList)sd.DiscretionaryAcl;

                    bool everyoneCantChange = false;
                    bool selfCantChange = false;

                    foreach (ActiveDs.AccessControlEntry ace in oACL)
                    {
                        try
                        {
                            if (ace.ObjectType.ToUpper().Equals("{AB721A53-1E2F-11D0-9819-00AA0040529B}".ToUpper()))
                            {
                                if (ace.Trustee.Equals("Everyone") && (ace.AceType == (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT))
                                {
                                    everyoneCantChange = true;
                                }
                                if (ace.Trustee.Equals(@"NT AUTHORITY\SELF") && (ace.AceType == (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT))
                                {
                                    selfCantChange = true;
                                }
                            }
                        }
                        catch (NullReferenceException ex)
                        {
                            //Logger.append(ex.Message);
                        }
                        catch (Exception ex)
                        {
                            Logger.append(ex);
                        }
                    }


                    if (everyoneCantChange || selfCantChange)
                    {
                        cantChange = true;
                    }
                    else
                    {
                        cantChange = false;
                    }

                    user.Close();
                }
                catch (Exception ex)
                {
                    // Log your errors!
                }
            }
            entry.Close();
        }
        catch (Exception ex)
        {
            // Log your errors!
        }
        return cantChange;
    }

.Net 4.0 way

This is how I was able to nail it down. And it was very easy to fix. However, I need to use AuthenticablePrincipal.UserCannotChangePassword Property.

Code snippet I used-

    /// <summary>
    /// Check whether password of user cannot be changed.
    /// </summary>
    /// <param name="user">The DirectoryEntry object of user.</param>
    /// <returns>Return true if password cannot be changed else false.</returns>
    public static bool IsPasswordCannotBeChanged(DirectoryEntry user)
    {
        var isUserCantChangePass = false;

        try
        {
            // 1. Get SamAccountName
            var samAccountName = Convert.ToString(user.Properties["sAMAccountName"].Value);
            if (!string.IsNullOrEmpty(samAccountName))
            {
                // 2. Prepare domain context
                using (var domainContext = new PrincipalContext(ContextType.Domain, _domain, _domainUser, _domainPass))
                {
                    // 3. Find user
                    var userPrincipal = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, samAccountName);

                    // 4. Check if user cannot change password
                    using (userPrincipal)
                        if (userPrincipal != null) isUserCantChangePass = userPrincipal.UserCannotChangePassword;
                }
            }

        }
        catch (Exception exc)
        {
            Logger.Write(exc);
        }

        return isUserCantChangePass;
    }
Vikram Singh Saini
  • 1,749
  • 3
  • 22
  • 42
1

Active directory doesn't use all of these flags. Specifically,

  • AccountLockedOut
  • PasswordCannotChange
  • PasswordExpired

Active Directory actually uses different mechanisms to control these account properties, so do not try to read them from userAccountControl! We discuss how to deal with the special cases in the upcoming sections.

-- From The .NET Developer's Guide to Directory Services User Account Management by Ryan Dunn and Joe Kaplan

The idea behind the PasswordCannotChange indicates that the password for the account cannot be change by the account itself, but to do that you actually have to deny this right (under the account Security tab)

Try using the msDS-User-Account-Control-Computed attribute to examine the ADS_UF_PASSWD_CANT_CHANGE flag. Like so:

DirectoryEntry user = ...

const string ATTRIBUTE_NAME= "msDS-User-Account-Control-Computed";
const ADS_UF_PASSWD_CANT_CHANGE = 64; // use enum for more robust code

using (user)
{
    user.RefreshCache(new string[]{ATTRIBUTE_NAME}); 

    int userFlags = (int)user.Properties[ATTRIBUTE_NAME].Value;

    bool userCantChangePassword = (userFlags & ADS_UF_PASSWD_CANT_CHANGE) == ADS_UF_PASSWD_CANT_CHANGE;

...
}
jhenderson2099
  • 956
  • 8
  • 17
  • I had to agree with your point. Same also mentioned in link [User-Account-Control Attribute](http://ldapwiki.willeke.com/wiki/User-Account-Control%20Attribute). But the solution? – Vikram Singh Saini Apr 23 '15 at 03:31
  • Well! The way you suggested should work theoretically. But as per my testing in addition to another sufferer at [MSDS-USER-ACCOUNT-CONTROL-COMPUTED NOT SO SPIFFY](http://dunnry.com/blog/2006/07/27/msDsUserAccountControlComputedNotSoSpiffy.aspx), I am still not able to fix it as the response I am getting is **0** *(zero)*. Any other ideas? – Vikram Singh Saini Apr 23 '15 at 05:37
  • Without having to switch to userprincipal, this is probably the best solution to keep everything in DirectoryEntry. – Zonus Aug 22 '16 at 17:14
1

In case anyone came here like me looking for how you might do this using .NET Core 3.1, here is the solution I came up with to get and set the PasswordCannotChange bit on the UserAccountControl attribute in AD.

I use the System.DirectoryServices.Protocols library to provide access to the LdapConnection class and the related classes and methods. I also use the System.Security.AccessControl library to work with the Security Descriptor.

Assuming you can successfully connect to the AD server to create the LdapConnection class, the rest should work.

Here is my solution to get:

public bool GetUserCannotChangePassword(string userDistinguishedName){
    using (var ldapConnection = CreateLdapConnection()) //Assuming you've connected using Admin rights
    {
        bool cantChange = false;
        
        //Get RootDomainNamingContext as searchContainer
        var r1 = (SearchResponse)ldapConnection.SendRequest(new SearchRequest("", "(objectClass=*)", SearchScope.Base));
        var searchContainer = response.Entries[0].Attributes["rootdomainnamingcontext"].GetValues(typeof(string))[0]
                                .ToString();
        
        //Set Filter to get specified user
        var filter = $"(&(objectClass=user)(!(objectClass=computer))(distinguishedName={userDistinguishedName}))";
        
        //Get the ntSecurityDescriptor attribute of the user
        var searchRequest = new SearchRequest(searchContainer, filter, SearchScope.Subtree, new[] { "ntSecurityDescriptor" });
        var searchOptions = new SearchOptionsControl(SearchOption.DomainScope);
        searchRequest.Controls.Add(searchOptions);
        var searchResponse = (SearchResponse)ldapConnection.SendRequest(searchRequest);
        var result = searchResponse.Entries.OfType<SearchResultEntry>()
            .SingleOrDefault();
            
        if (result != null)
        {
            //Parse as RawSecurityDescriptor
            RawSecurityDescriptor sd =
                new RawSecurityDescriptor((byte[]) result.Attributes["ntSecurityDescriptor"][0], 0);
            var oACL = sd.DiscretionaryAcl;

            bool everyoneCantChange = false;
            bool selfCantChange = false;

            //Loop through the Access Control Entries that are of ObjectAce type
            foreach (var ace in oACL.OfType<ObjectAce>())
            {
                if (ace?.ObjectAceType.ToString().Equals("AB721A53-1E2F-11D0-9819-00AA0040529B",
                    StringComparison.OrdinalIgnoreCase) == true) //Match on change password ACE (https://learn.microsoft.com/en-us/windows/win32/adsi/modifying-user-cannot-change-password-ldap-provider)
                {
                    if (ace.SecurityIdentifier.Value.Equals("S-1-1-0", StringComparison.OrdinalIgnoreCase) &&
                        ace.AceType == AceType.AccessDeniedObject) //Match on Everyone SecurityIdentifier
                    {
                        everyoneCantChange = true;
                    }

                    if (ace.SecurityIdentifier.Value.Equals("S-1-5-10", StringComparison.OrdinalIgnoreCase) &&
                        ace.AceType == AceType.AccessDeniedObject) //Match on Self SecurityIdentifier
                    {
                        selfCantChange = true;
                    }
                }
            }


            if (everyoneCantChange || selfCantChange)
            {
                cantChange = true;
            }
        }

        return cantChange;
    }
}

Here is my solution for set:

public bool SetUserCannotChangePassword(string userDistinguishedName, bool userCannotChangePassword)
{
    using (var ldapConnection = CreateLdapConnection()) //Assuming you've connected using Admin rights
    {
        bool success = true;
        try
        {
            //Get RootDomainNamingContext as searchContainer
            var r1 = (SearchResponse)ldapConnection.SendRequest(new SearchRequest("", "(objectClass=*)", SearchScope.Base));
            var searchContainer = response.Entries[0].Attributes["rootdomainnamingcontext"].GetValues(typeof(string))[0]
                                    .ToString();
            
            //Set Filter to get specified user
            var filter = $"(&(objectClass=user)(!(objectClass=computer))(distinguishedName={userDistinguishedName}))";
            
            //Get the ntSecurityDescriptor attribute of the user
            var searchRequest = new SearchRequest(searchContainer, filter, SearchScope.Subtree, new[] { "ntSecurityDescriptor", "distinguishedName" });
            var searchOptions = new SearchOptionsControl(SearchOption.DomainScope);
            searchRequest.Controls.Add(searchOptions);
            var searchResponse = (SearchResponse)ldapConnection.SendRequest(searchRequest);
            var result = searchResponse.Entries.OfType<SearchResultEntry>()
                .SingleOrDefault();

            if (result != null)
            {
                try
                {
                    RawSecurityDescriptor sd =
                        new RawSecurityDescriptor((byte[]) result.Attributes["ntSecurityDescriptor"][0], 0);
                    var dn = result.Attributes["distinguishedName"][0];
                    var oACL = sd.DiscretionaryAcl;

                    int? everyoneCantChangeIndex = null;
                    ObjectAce everyoneAce = null;
                    int? selfCantChangeIndex = null;
                    ObjectAce selfAce = null;

                    for (var i = 0; i < oACL.Count; i++)
                    {
                        var oAce = oACL[i] as ObjectAce;
                        if (oAce?.ObjectAceType.ToString().Equals("AB721A53-1E2F-11D0-9819-00AA0040529B",
                            StringComparison.OrdinalIgnoreCase) == true)
                        {
                            if (oAce.SecurityIdentifier.Value.Equals("S-1-1-0",
                                StringComparison.OrdinalIgnoreCase))
                            {
                                everyoneCantChangeIndex = i;
                                everyoneAce = oAce;
                            }

                            if (oAce.SecurityIdentifier.Value.Equals("S-1-5-10",
                                    StringComparison.OrdinalIgnoreCase) &&
                                oAce.AceType == AceType.AccessDeniedObject)
                            {
                                selfCantChangeIndex = i;
                                selfAce = oAce;
                            }
                        }
                    }

                    if (everyoneCantChangeIndex.HasValue)
                    {
                        oACL.RemoveAce(everyoneCantChangeIndex.Value);
                    }

                    if (selfCantChangeIndex.HasValue)
                    {
                        if (everyoneCantChangeIndex.HasValue &&
                            everyoneCantChangeIndex.Value < selfCantChangeIndex.Value)
                        {
                            selfCantChangeIndex--; //Adjust index to ensure removing correct ACE
                        }

                        oACL.RemoveAce(selfCantChangeIndex.Value);
                    }

                    if (userCannotChangePassword)
                    {
                        oACL.InsertAce(everyoneCantChangeIndex ?? oACL.Count,
                            new ObjectAce(AceFlags.None, AceQualifier.AccessDenied,
                                everyoneAce?.AccessMask ?? 256,
                                everyoneAce?.SecurityIdentifier ??
                                new SecurityIdentifier(WellKnownSidType.WorldSid, null),
                                ObjectAceFlags.ObjectAceTypePresent,
                                everyoneAce?.ObjectAceType ??
                                new Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}"),
                                everyoneAce?.InheritedObjectAceType ?? Guid.Empty,
                                everyoneAce?.IsCallback ?? false, everyoneAce?.GetOpaque()));
                                
                        oACL.InsertAce(selfCantChangeIndex ?? oACL.Count,
                            new ObjectAce(AceFlags.None, AceQualifier.AccessDenied, selfAce?.AccessMask ?? 256,
                                selfAce?.SecurityIdentifier ??
                                new SecurityIdentifier(WellKnownSidType.SelfSid, null),
                                ObjectAceFlags.ObjectAceTypePresent,
                                selfAce?.ObjectAceType ?? new Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}"),
                                selfAce?.InheritedObjectAceType ?? Guid.Empty, selfAce?.IsCallback ?? false,
                                selfAce?.GetOpaque()));
                    }
                    else
                    {
                        oACL.InsertAce(everyoneCantChangeIndex ?? oACL.Count,
                            new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed,
                                everyoneAce?.AccessMask ?? 256,
                                everyoneAce?.SecurityIdentifier ??
                                new SecurityIdentifier(WellKnownSidType.WorldSid, null),
                                ObjectAceFlags.ObjectAceTypePresent,
                                everyoneAce?.ObjectAceType ??
                                new Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}"),
                                everyoneAce?.InheritedObjectAceType ?? Guid.Empty,
                                everyoneAce?.IsCallback ?? false, everyoneAce?.GetOpaque()));
                    }

                    var modification = new DirectoryAttributeModification
                    {
                        Operation = DirectoryAttributeOperation.Replace,
                        Name = "ntSecurityDescriptor"
                    };

                    sd.DiscretionaryAcl = OrderRawAcl(oACL);

                    var ba = new byte[sd.BinaryLength];
                    sd.GetBinaryForm(ba, 0);
                    modification.Add(ba);

                    var modifyRequest = new ModifyRequest(dn.ToString(), modification);

                    var modifyResponse = ldapConnection.SendRequest(modifyRequest);
                    if (modifyResponse.ResultCode != ResultCode.Success)
                    {
                        success = false;
                    }
                }
                catch (Exception ex)
                {
                    success = false;
                }
            }
        }
        catch (Exception ex)
        {
            success = false;
        }

        return success;
    }
}

private RawAcl OrderRawAcl(RawAcl oAcl)
{
    // Thanks to this post for this awesome method (https://stackoverflow.com/questions/8126827/how-do-you-programmatically-fix-a-non-canonical-acl)
    
    // A canonical ACL must have ACES sorted according to the following order:
    //   1. Access-denied on the object
    //   2. Access-denied on a child or property
    //   3. Access-allowed on the object
    //   4. Access-allowed on a child or property
    //   5. All inherited ACEs 
    List<GenericAce> implicitDenyDacl = new List<GenericAce>();
    List<GenericAce> implicitDenyObjectDacl = new List<GenericAce>();
    List<GenericAce> inheritedDacl = new List<GenericAce>();
    List<GenericAce> implicitAllowDacl = new List<GenericAce>();
    List<GenericAce> implicitAllowObjectDacl = new List<GenericAce>();
    foreach (var ace in oAcl)
    {
        if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited)
        {
            inheritedDacl.Add(ace);
        }
        else
        {
            switch (ace.AceType)
            {
                case AceType.AccessAllowed:
                    implicitAllowDacl.Add(ace);
                    break;

                case AceType.AccessDenied:
                    implicitDenyDacl.Add(ace);
                    break;

                case AceType.AccessAllowedObject:
                    implicitAllowObjectDacl.Add(ace);
                    break;

                case AceType.AccessDeniedObject:
                    implicitDenyObjectDacl.Add(ace);
                    break;
            }
        }
    }

    Int32 aceIndex = 0;
    RawAcl newDacl = new RawAcl(oAcl.Revision, oAcl.Count);
    implicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
    implicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
    implicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
    implicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
    inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));

    if (aceIndex != oAcl.Count)
    {
        throw new Exception("Reordering Access Control List unsuccessful. The number of items in the reordered list does not match the number of items submitted list.");
    }
    return newDacl;
}

This basically follows the steps detailed in this documentation: https://learn.microsoft.com/en-us/windows/win32/adsi/modifying-user-cannot-change-password-ldap-provider

Hopefully someone finds this helpful.

Tuk419200
  • 41
  • 4
0

If you can produce a list of samAccountName(s)/userid(s) that you want to process, you can run the list thru

:loopHoweverYouWant
  NET USER /DOMAIN {userid}  > log\{userid}.log

And then search the output for

User may change password     No
User may change password     Yes

NET USER also allows an admin with proper domain rights to change the setting via

NET USER {userid} /PASSWORDCHG:{YES | NO} /DOMAIN

To see a list of all options, use

NET HELP USER
englebart
  • 563
  • 4
  • 9