Can't get AD Attribute using DirectoryEntry (LAPS Attribute)

Question

I'm having this issue where I can't retrieve a AD attribute via DirectoryEntry. I can get it via DirectorySearcher, but I'm unable to get or set it via DirectoryEntry.

The attribute needed is ms-Mcs-AdmPwdExpirationTime which contains a NT TimeStamp, I have read and write to this attribute.

DirectoryEntry C# error in console

Error HRESULT E_FAIL has been returned from a call to a COM component

I've tried using the following yet still unable to retrieve the attribute.

RefreshCache (string[] propertyNames);

EDIT:

ComputerPrincipal comp = ComputerPrincipal.FindByIdentity(ctx, MachineName);
DirectoryEntry de = (DirectoryEntry)comp.GetUnderlyingObject();
if (de.Properties.Contains("ms-Mcs-AdmPwd") == true)
{
    string Password = (String)de.Properties["ms-Mcs-AdmPwd"][0];
    Password_Input.Text = Password;
    DateTime NTTime = DateTime.FromFileTime(ConvertLargeIntegerToLong(de.Properties["ms-Mcs-AdmPwdExpirationTime"].Value));
    PasswordExpiry_Value.Text = NTTime.ToString("dd/MM/yyyy hh:mm:ss");
    Console.WriteLine();
}
else
{
    Password_Input.Text = "Password not set by LAPS";
}
// down the bottom of the .cs
private static long ConvertLargeIntegerToLong(object largeInteger)
{
    var type = largeInteger.GetType();
    var highPart = Convert.ToInt32(type.InvokeMember("HighPart", BindingFlags.GetProperty, null, largeInteger, null));
    var lowPart = Convert.ToInt32(type.InvokeMember("LowPart", BindingFlags.GetProperty, null, largeInteger, null));
    return (long)highPart << 32 | (uint)lowPart;
}

are you trying to set the attribute or just read it? can we see the code that this error? — Shovers_, Dec 03 '18 at 10:30
I found a way to read it, but would be handy if I could also set it. See Post to updated code. — FingerlessGloves, Dec 03 '18 at 16:02

score 1 · Answer 1 · answered Dec 03 '18 at 17:12

For setting properties in the past I've used this for directoryentries

Path is the full LDAP path to the object but you can substitute de in your example above. Hopefully that's enough to resolve you're issue or at least point you in a direction.

Theres also some other answers here on why you might be getting that error.

And here

 public Boolean set_AD_property(string attribute_, string new_value)
    {
        this.AD_object = new DirectoryEntry(this.path_);
        this.AD_object.Properties[attribute_].Value = new_value;
        try
        {
            this.AD_object.CommitChanges();
            this.AD_object.Close();
            return true;
        }
        catch (System.Exception)
        {
            return false;
        }
    }

And for reading:

  public object get_AD_property(string attribute_)
    {
        try
        {
            using (this.AD_object = new DirectoryEntry(this.path_))
            {
                return this.AD_object.Properties[attribute_].Value;
            }
        }
        catch (ArgumentNullException x)
        {
            return new ArgumentNullException(x.Message, x);
        }
    }

Although this wont work for more complex properties like "members" or "memberOf"

Can't get AD Attribute using DirectoryEntry (LAPS Attribute)

1 Answers1