I'm having some difficulty with a routine I'm working on to update the "User cannot change password" option. It's not a simple flag, but rather an access control entry on the discretionary access control list of the security descriptor of the user object. I've modified the code I found on the MS Script Center for KiX, but I'm getting a "member not found" error when I attempt to reassign the security descriptor. If I comment out all the code between where I retrieve the DACL and where I try to reassign it, so that the code flows as follows:

$objDACL = $objSD.DiscretionaryAcl
$objSD.DiscretionaryAcl = $objDACL

I still get the error on the assign. Any thoughts?
Here's the code I have.
; ADSI constants (hex values, as in the MS Script Center VBScript)
$ADS_ACETYPE_ACCESS_DENIED_OBJECT = &6
$ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &1
$CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"   ; User-Change-Password extended right
$ADS_RIGHT_DS_CONTROL_ACCESS = &100

; Bind to the user and pull its security descriptor and DACL
$objUser = GetObject("LDAP://CN=TestStudent, OU=test, DC=test, DC=local")
$test = $objUser.Get("SN")
? "User:" + $test
$objSD = $objUser.Get("ntSecurityDescriptor")
$objDACL = $objSD.DiscretionaryAcl

; This is test code to see if the ACE can be read (this works)
$blnACEPresent = 0
For Each $Ace In $objDACL
  ? $Ace.ObjectType + " --> " + $Ace.AceType
  If (($Ace.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT) AND (LCase($Ace.ObjectType) = LCase($CHANGE_PASSWORD_GUID)))
    $blnACEPresent = 1
  EndIf
Next
If $blnACEPresent
  ? "ADS_UF_PASSWD_CANT_CHANGE is enabled"
Else
  ? "ADS_UF_PASSWD_CANT_CHANGE is disabled"
EndIf

; Set up the new ACE entries: deny SELF and Everyone the change-password extended right
$aryTrustees = "nt authority\self", "EVERYONE"
For Each $strTrustee In $aryTrustees
  $objACE = CreateObject("AccessControlEntry")
  $objACE.Trustee = $strTrustee
  $objACE.AceFlags = 0
  $objACE.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT
  $objACE.Flags = $ADS_ACEFLAG_OBJECT_TYPE_PRESENT
  $objACE.ObjectType = $CHANGE_PASSWORD_GUID
  $objACE.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS
  $objDACL.AddAce($objACE)
Next

; Write the modified DACL back into the descriptor and commit the object
$objSD.DiscretionaryAcl = $objDACL
? "1:" + @error + " " + @serror
$objUser.Put("ntSecurityDescriptor", $objSD)
? "2:" + @error + " " + @serror
$objUser.SetInfo
? "3:" + @error + " " + @serror
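The same check-and-update, as an added example that is not part of the original post, done in PowerShell through System.DirectoryServices instead of the raw ADSI IADsSecurityDescriptor objects. It assumes the same user DN (a placeholder) and the same change-password extended-right GUID that the post uses; `ObjectSecurity`, `GetAccessRules`, `AddAccessRule` and `CommitChanges` are the real .NET members.

```powershell
# Added example (not the original poster's code). Reads the user's DACL, reports
# whether the "User cannot change password" deny ACEs are present, then adds them.
$userDn             = 'LDAP://CN=TestStudent,OU=test,DC=test,DC=local'      # placeholder DN
$changePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'           # User-Change-Password right

$user = [ADSI]$userDn
$sd   = $user.ObjectSecurity     # ActiveDirectorySecurity wrapping ntSecurityDescriptor

# Enumerate explicit and inherited ACEs, resolve trustees to NTAccount names
$rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# A "cannot change password" ACE is: Deny + ExtendedRight + ObjectType = change-password GUID
$denyRules = $rules | Where-Object {
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    $_.ObjectType -eq $changePasswordGuid
}

if ($denyRules) {
    $who = ($denyRules | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    "ADS_UF_PASSWD_CANT_CHANGE is enabled (deny ACEs for: $who)"
} else {
    "ADS_UF_PASSWD_CANT_CHANGE is disabled"
}

# Add the two deny ACEs the post's KiXtart loop builds: SELF and Everyone
foreach ($trustee in 'NT AUTHORITY\SELF', 'Everyone') {
    $identity = [System.Security.Principal.NTAccount]::new($trustee)
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,   # = ADS_RIGHT_DS_CONTROL_ACCESS (0x100)
        [System.Security.AccessControl.AccessControlType]::Deny,           # = ACCESS_DENIED_OBJECT ACE
        $changePasswordGuid)                                               # sets OBJECT_TYPE_PRESENT for us
    [void]$sd.AddAccessRule($rule)
}

# Pushes the modified security descriptor back to the directory (like Put + SetInfo)
$user.CommitChanges()
```

If the RSAT ActiveDirectory module is available, `Set-ADUser <user> -CannotChangePassword $true` writes the same pair of deny ACEs without touching the DACL by hand; the code above is useful when you need to see exactly which ACEs are present, or when the module cannot be installed on the box running the script.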