What permissions do I have to delegate in order to set UserCannotChangePassword in Active Directory through a C# UserPrincipal

This seemed to have been asked a few years ago at "Constraint violation when trying to set 'User Cannot Change Password' in active directory from c#", but no response actually answered the question sufficiently.

I tried reviving the thread because I wanted to hear specifically from the originator as to whether he had solved the issue, but my response was deleted as it is, admittedly, an old question. I hope Resorath sees this as he may have more insight into the problem!

Basically, the problem boils down to lack of permissions.

More specifically, I have created a service account and delegated full modify permissions (checked all the boxes in the "Descendant User objects" list of the "Advanced" security settings DACL list of AD Users and Computers... including the ones that appeared after manually editing some file). Yes, this includes the ntSecurityDescriptor. Also, this includes the "Modify permissions" of the "Descendant account objects" as well.

When I create a PrincipalContext using this user, and create or load a UserPrincipal using that context, I am able to modify literally everything relating to that user except the UserCannotChangePassword property. Upon attempting to save the user, I get an "A constraint violation has occurred" error.

Please note: When adding the service account to the DomainAdmins group, I am able to make this change. Also, if I set the account as the owner of the user object I am also able to make this change. To me, this clearly signals that there is a permission I am missing.

I have searched for hours to find information that might help me on this, and have at this point exhausted my google-fu abilities.

Here is a link to the issue I opened in the corefx github page... https://github.com/dotnet/corefx/issues/34193 This includes a sample application demonstrating the problem.

Thanks!

Asked Jan 03 '19 by Leroy Stav

1 Answer

It was brought to my attention I never posted the solution I was given here. It is a bug in the corefx library and there is a fix we haven't gotten around to implementing and making a PR for in the issue I mentioned, https://github.com/dotnet/corefx/issues/34193 . If anyone else needs this then feel free to fix it yourselves as well... Hopefully by the time anyone else sees this it will have been fixed :-)

Answered Oct 29 '22 by Leroy Stav