Directory Programming .NET

Active Directory and ADAM programming support for .NET developers
Add user to AD object's security tab, and modify permissions

Last post 03-06-2010, 4:56 PM by StuckOnCode. 25 replies.
Page 1 of 2 (26 items)   1 2 Next >
  •  02-24-2010, 10:54 PM 7868

    Add user to AD object's security tab, and modify permissions

    I'm very new to System.DirectoryServices but so far so good, however ... Here's what I need to do, and I can't find any references, at least not anything that stands out, on the internet.

    I am developing a simple web interface that will allow help desk staff to unlock accounts, and reset passwords. What we would like to do is this: Instead of giving the necessary permissions to the HD staff, we want to bind to AD using a service account.

    Ok, easy enough, so have the service account perform the actions... Well no, we want the actual resetting, unlocking, etc. to be done within the context of the actual HD user signed in. So the way to do this (because the HD user will not have permission) is to use the service account to first add the HD user to the target user's (user who needs the password reset) security groups/users. Then, once the HD user has access, the service account will allow the necessary permissions on the HD user to reset the password. A new bind will now occur within the context of the HD user's account, and the password will be reset. After the reset, we will rebind under the service account, remove the permissions, and then remove the HD user from the target user's security groups/users.

    I hope I explained that well enough. I'm at a loss as to how to do this. Please help.

    Also, if there's an easier way, please let me know.

    Thanks,

    SoC
  •  02-25-2010, 11:32 AM 7871 in reply to 7868

    Re: Add user to AD object's security tab, and modify permissions

    Wow, I can't believe you are really going to do that. :) I can understand wanting to have the audit information in AD show who did the change, but it seems like a lot of hoops to go through to prevent the users from having the delegated permissions in the first place.

    The key to this is modifying the DACL of the user object programmatically. This is frequently a bit of a pain, but the key is to use the ActiveDirectorySecurity class in SDS to manage the DACL.

    The way that I always see that works best is to:

    • Have the DACL the way it is supposed to be and "dump it out" using ActiveDirectorySecurity
    • Make the change you need in the GUI and dump it out again so you can see what changed. This will tell you the AccessControlRule objects you need to add or modify to get the permissions you need

    If you dig through the forum, you'll probably find a few samples showing how basic DACL modifications are done using these classes but the key is really going to be knowing exactly how to construct the rules you need so you can add and remove them.

    I assume you are ok with all the switching around of security contexts required to make the rest of this work.
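    An added example (not code from this thread) of the dump-and-compare approach described above: read one user object's DACL with ActiveDirectorySecurity, render every ACE as a line, and diff two snapshots taken before and after a change made in the Security tab. The LDAP path is a placeholder.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.DirectoryServices;
    using System.Linq;
    using System.Security.AccessControl;
    using System.Security.Principal;

    static class DaclDump
    {
        // Resolve a SID to DOMAIN\name where possible; orphaned SIDs stay as S-1-5-... .
        static string Name(IdentityReference id)
        {
            try { return id.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { return id.Value; }
        }

        // Reads only the DACL (no SACL, so no SeSecurityPrivilege is needed) and renders
        // each ACE as one line. Sorting gives a stable order so two dumps can be diffed.
        public static List<string> Dump(string ldapPath)
        {
            var lines = new List<string>();
            using (var entry = new DirectoryEntry(ldapPath))
            {
                entry.Options.SecurityMasks = SecurityMasks.Dacl;
                entry.RefreshCache();   // do not reuse a cached copy of the descriptor
                ActiveDirectorySecurity sd = entry.ObjectSecurity;
                // Explicit and inherited ACEs; SIDs are translated by Name() above.
                foreach (ActiveDirectoryAccessRule r in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
                    lines.Add(string.Format("{0} {1} {2} obj={3} inhObj={4} {5} inherited={6}",
                        Name(r.IdentityReference), r.AccessControlType, r.ActiveDirectoryRights,
                        r.ObjectType, r.InheritedObjectType, r.InheritanceType, r.IsInherited));
            }
            lines.Sort(StringComparer.Ordinal);
            return lines;
        }

        // "+" lines are ACEs the GUI change added, "-" lines the ones it removed: these are
        // exactly the ActiveDirectoryAccessRule objects your code must construct.
        public static void PrintDiff(List<string> before, List<string> after)
        {
            foreach (string s in after.Except(before)) Console.WriteLine("+ " + s);
            foreach (string s in before.Except(after)) Console.WriteLine("- " + s);
        }

        static void Main()
        {
            const string path = "LDAP://dc.example.test/CN=Target User,OU=Staff,DC=example,DC=test"; // placeholder
            List<string> before = Dump(path);
            Console.WriteLine("Change the permission in the Security tab now, then press Enter.");
            Console.ReadLine();
            PrintDiff(before, Dump(path));
        }
    }
    ```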

  •  02-25-2010, 1:19 PM 7873 in reply to 7871

    Re: Add user to AD object's security tab, and modify permissions

    ActiveDirectorySecurity was what I was looking for, tyvm.  Now if I can just code some c++ and modify the msgina.dll I'll be all set.  :)  I'll let you know if I encounter any problems with ADS.  Again, thank you!
  •  02-26-2010, 11:19 AM 7884 in reply to 7873

    Re: Add user to AD object's security tab, and modify permissions

    Ok, I was finally able to add an NTAccount to another user's ACL with the following code:

    // Needs: using System.DirectoryServices; using System.Security.AccessControl;
    // Bind with the service account's credentials (the path below is a placeholder).
    using (DirectoryEntry DEConnection = new DirectoryEntry("LDAP://blah.blah.blah"))
    {
        DirectorySearcher search = new DirectorySearcher(DEConnection);
        search.Filter = "(SAMAccountName=blah)";
        SearchResult result = search.FindOne();
        DirectoryEntry user = result.GetDirectoryEntry();

        // Fetch only the DACL part of the security descriptor.
        user.Options.SecurityMasks = SecurityMasks.Dacl;
        ActiveDirectorySecurity adSecurity = user.ObjectSecurity;

        // **********************************
        System.Security.Principal.NTAccount thisAccount = new System.Security.Principal.NTAccount("foo");
        ActiveDirectoryAccessRule newRule = new ActiveDirectoryAccessRule(thisAccount, ActiveDirectoryRights.WriteOwner, AccessControlType.Allow);
        adSecurity.AddAccessRule(newRule);
        user.CommitChanges();   // writes the modified DACL back to the directory
        // **********************************

        // Dump the explicit ACEs so the new entry can be seen.
        foreach (System.Security.AccessControl.AccessRule thisRule in adSecurity.GetAccessRules(true, false, typeof(System.Security.Principal.NTAccount)))
        {
            System.Diagnostics.Debug.WriteLine(thisRule.IdentityReference.Value);
        }
    }

    [Edit]  Ok, I figured out how to add a rule to the ACL.  So far I got the reset password allowed for the user.  How do I figure out the GUIDs for the other two ACEs?  The reset password one was fairly easy, because I found it here http://msdn.microsoft.com/en-us/library/ms683985(VS.85).aspx

  •  02-26-2010, 3:56 PM 7885 in reply to 7884

    Re: Add user to AD object's security tab, and modify permissions

    Don't mean to be spamming, but I'm growing impatient with the lack of content on the web for AD programming, or the mixing of .NET 1.0 up to 3.5 ... Here's where I'm at right now.  I'm just trying to show something - anything that represents the allow read and allow write pwdLastSet permission properties.  I just want the GUID so I can add and remove them ... Or am I going about this all wrong?

    // HDUser is the help-desk user's NTAccount; comparing by SID means the match does
    // not depend on how the account name is spelled or translated.
    foreach (System.Security.AccessControl.AccessRule thisRule in adSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)))
    {
        if (thisRule.IdentityReference == HDUser.Translate(typeof(SecurityIdentifier)))
        {
            System.Diagnostics.Debug.WriteLine(thisRule.AccessControlType.ToString() + " " + thisRule.IdentityReference.Value);
            // How do I get this rule's permission properties?
        }
    }

  •  02-26-2010, 4:54 PM 7886 in reply to 7885

    Re: Add user to AD object's security tab, and modify permissions

    Are you looking for the GUID for the "reset password" validated right? It is actually documented in the MSDN AD schema ref and you can query for it too. You can also find it in code by dumping out an access rule you set through the GUI. Sorry I can't help too much right now but I can try more later tonight if you are still stuck.
  •  02-26-2010, 8:09 PM 7887 in reply to 7886

    Re: Add user to AD object's security tab, and modify permissions

    Hi, and thank you for your response.  I'll be working on this tonight, so if you can, help would be fantastic.  Sorry for not being more clear... It's been about a year and a half since I've programmed.

    Here's the permissions I need to change:

    Add:  Allow-Reset Password (This one I've accomplished, although I haven't worked on the remove but that shouldn't be a problem)

    ** Add:  Allow-Read/Write-pwdLastSet

    ** Add:  Allow-Read/Write-lockoutTime

    ** Those are the two that I'm having difficulty with (although if I could get the GUID for those permissions, I believe I could apply them the same way I did the Reset Password)

  •  02-26-2010, 9:34 PM 7888 in reply to 7887

    Re: Add user to AD object's security tab, and modify permissions

    I hope it's ok I'm spamming here :)  I found the GUID for lockoutTime, and it worked.  Here's the code:

    // HDUser is the help-desk user's NTAccount; adSecurity and user are the target
    // user's ActiveDirectorySecurity and DirectoryEntry from the earlier code.
    // Create a Guid that identifies the Change Password right.
    Guid changePasswordGuid = new Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}");
    Guid resetPasswordGUID = new Guid("{00299570-246d-11d0-a768-00aa006e0529}");
    Guid lockoutTimeGUID = new Guid("{28630ebf-41d5-11d1-a9c1-0000f80367c1}");

    // Reset Password is an extended right, so it is granted as ActiveDirectoryRights.ExtendedRight.
    //ActiveDirectoryAccessRule allowSource = new ActiveDirectoryAccessRule(HDUser, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, resetPasswordGUID);
    //adSecurity.AddAccessRule(allowSource);

    // lockoutTime is an attribute, so read and write are granted as property rights on its schema GUID.
    ActiveDirectoryAccessRule allowSource = new ActiveDirectoryAccessRule(HDUser, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, lockoutTimeGUID);
    adSecurity.AddAccessRule(allowSource);
    allowSource = new ActiveDirectoryAccessRule(HDUser, ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, lockoutTimeGUID);
    adSecurity.AddAccessRule(allowSource);
    user.CommitChanges();

  •  02-26-2010, 10:09 PM 7889 in reply to 7888

    Re: Add user to AD object's security tab, and modify permissions

    Guid pwdLastSetGUID = new Guid("{bf967a0a-0de6-11d0-a285-00aa003049e2}");

    Live and learn... Should have searched MSDN right off the bat .... sigh .... I got all 3 properties now :)

  •  02-27-2010, 3:18 PM 7891 in reply to 7889

    Re: Add user to AD object's security tab, and modify permissions

    Hopefully you got it now. I didn't get anything done related to work last night including looking at the forum, so I wasn't much help.

    One thing to note is that 2 of those are "property" GUIDs while the other, reset-pwd, is the GUID for a validated write. These are slightly different in the system and I think require you to pass in slightly different flags. Hopefully you figured that out as well.

    It is fine to hard code these GUIDs. They are fixed.
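    An added example (not the poster's code) that applies the three rights discussed above with the distinction Joe points out: the reset-password control access right goes in as ExtendedRight, the two attributes as ReadProperty | WriteProperty, and the same rules are later removed with RemoveAccessRuleSpecific so only what was granted is taken away. The GUIDs are the ones posted earlier in the thread; the LDAP path and help-desk identity are assumptions.

    ```csharp
    using System;
    using System.DirectoryServices;
    using System.Security.AccessControl;
    using System.Security.Principal;

    static class TemporaryDelegation
    {
        // Same GUIDs as posted in the thread: one control access right, two attribute schemaIDGUIDs.
        static readonly Guid ResetPassword = new Guid("00299570-246d-11d0-a768-00aa006e0529");
        static readonly Guid PwdLastSet = new Guid("bf967a0a-0de6-11d0-a285-00aa003049e2");
        static readonly Guid LockoutTime = new Guid("28630ebf-41d5-11d1-a9c1-0000f80367c1");
        static readonly ActiveDirectoryRights ReadWrite =
            ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty;

        // Extended right vs. property right: the GUID is the rule's ObjectType in both cases,
        // only the ActiveDirectoryRights flag differs. Inheritance None keeps the ACE on this object.
        static ActiveDirectoryAccessRule[] RulesFor(IdentityReference who)
        {
            return new[]
            {
                new ActiveDirectoryAccessRule(who, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow,
                                              ResetPassword, ActiveDirectorySecurityInheritance.None),
                new ActiveDirectoryAccessRule(who, ReadWrite, AccessControlType.Allow, PwdLastSet, ActiveDirectorySecurityInheritance.None),
                new ActiveDirectoryAccessRule(who, ReadWrite, AccessControlType.Allow, LockoutTime, ActiveDirectorySecurityInheritance.None),
            };
        }

        // Called while bound as the service account, which needs WriteDacl on the target.
        // grant=true adds the three ACEs; grant=false removes only ACEs that match them exactly,
        // so any delegation the help-desk user already had on the object is left as it was.
        public static void Apply(string targetLdapPath, IdentityReference helpDeskUser, bool grant)
        {
            using (var target = new DirectoryEntry(targetLdapPath))
            {
                target.Options.SecurityMasks = SecurityMasks.Dacl;
                ActiveDirectorySecurity dacl = target.ObjectSecurity;
                foreach (ActiveDirectoryAccessRule rule in RulesFor(helpDeskUser))
                {
                    if (grant) dacl.AddAccessRule(rule); else dacl.RemoveAccessRuleSpecific(rule);
                }
                target.CommitChanges();
            }
        }

        // Explicit ACEs the help-desk user holds on the object: log this before the grant, after
        // the grant (expect three more) and after the revoke (expect the original number again).
        public static int ExplicitRulesFor(string targetLdapPath, IdentityReference helpDeskUser)
        {
            IdentityReference sid = helpDeskUser.Translate(typeof(SecurityIdentifier));
            int n = 0;
            using (var target = new DirectoryEntry(targetLdapPath))
            {
                target.Options.SecurityMasks = SecurityMasks.Dacl;
                foreach (ActiveDirectoryAccessRule r in target.ObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)))
                    if (r.IdentityReference.Equals(sid)) n++;
            }
            return n;
        }
    }
    ```

    Apply(path, new NTAccount("EXAMPLE", "hd.user"), true) before the help-desk user's own bind and Apply(..., false) after the reset; the two ExplicitRulesFor readings around each call give the audit trail the first reply asks about.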

  •  02-27-2010, 7:39 PM 7892 in reply to 7891

    Re: Add user to AD object's security tab, and modify permissions

    Yeah, I'll have to look into that a little more. All 3 settings seem to perform as expected. When I go to implement it in my WCF host/client I'll do some research on the differences.

    One question: Are there any security concerns here in respect to binding to AD under the context of a service account with higher permissions, as opposed to using Windows impersonation, and binding using the impersonated account?
  •  02-28-2010, 9:30 AM 7893 in reply to 7892

    Re: Add user to AD object's security tab, and modify permissions

    I hate to jump in late here but all that ACL manipulation may create problems with replication latencies, especially in large domains/forests. You may want to consider having the service account "proxy" the modifications and keep a log of changes. You can even record pre-change and post-change results.
  •  03-02-2010, 7:23 PM 7904 in reply to 7893

    Re: Add user to AD object's security tab, and modify permissions

    Thank you for jumping in, never too late. 

    I think I should be ok.  We're working off the closest domain controller to the user whose password needs reset, so replication shouldn't be an issue to them  ...  Let's say a HD staff member is located closest to DC A, and they use my WCF client to initiate an unlock/reset on a user in DC B.  The AD connection is with DC B, changes should take place relatively immediately.  I don't know here, am I wrong?

    Before I continue, I just want to say, with the thanks of Joe, I was able to complete the whole shebang, except one last piece... I need to force a password expire date on an individual user level, as opposed to a domain policy.  Basically, I want the recently reset password to expire in let's say 1 hour.  Is this even possible?

    If this isn't possible, I was thinking of using my WCF host to just keep an encrypted in-memory collection of users that it has unlocked/reset, and after let's say an hour has passed since their reset, force the password change on next login.  Of course if the server goes down, then the memory is lost; to counter that I could do a number of things, like ... When the Host starts back up, it queries AD on the primary domain emulator, and returns all users whose passwords have been expired for more than an hour, then forces change on next login.  Or instead of keeping an in-memory log, use something like a SQL database, or even .xml, or heck, even a simple text file.

    Bad idea?  Fair?  Talk to me please.   NT Security is very new to me.

  •  03-03-2010, 1:46 PM 7907 in reply to 7904

    Re: Add user to AD object's security tab, and modify permissions

    You cannot force password to expire based on anything other than password policy. If you have a 2008 native AD, you can use fine-grained password policies and assign these users to a policy with a 1 hour expiration, but you'd want to then move them out of that policy back to normal after they change their pwd so you'd need to track that.

    You definitely can't just set the pwd expiration date. That doesn't work. :)

    Why not just set password to change at next logon?

  •  03-03-2010, 10:15 PM 7911 in reply to 7907

    Re: Add user to AD object's security tab, and modify permissions

    Because that's how the sysadmins want it :)

    They would like to give the end users a little breathing room, but not too much.  What I did is just use my service to keep track of those users who have been reset and when the now time exceeds the pwdLastSet time by more than an hour, I force a pwd expire.

    It was all working until I did some code clean up, and now I get an exception (System.Runtime.InteropServices.COMException (0x80072020)) on a simple .SamAccountName = "foo" statement.  If it's ok, I'd like to link to MSDN C# Express forums where I posted my question about this.

    http://social.msdn.microsoft.com/Forums/en-US/Vsexpressvcs/thread/b2cac8e4-f159-485c-a2a7-c2e5f9c3b13f

    If you have any thoughts on this it would be great.
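    An added example (not the poster's service) of the one-hour check described above: read pwdLastSet through DirectorySearcher, decide whether the grace window has elapsed, and expire the password by writing 0 to pwdLastSet. The domain path and account name are placeholders.

    ```csharp
    using System;
    using System.DirectoryServices;
    using System.Text;

    static class PasswordGrace
    {
        // Escape per RFC 4515 so a name typed by help-desk staff cannot change the filter's shape.
        static string EscapeFilter(string value)
        {
            var sb = new StringBuilder();
            foreach (char c in value)
            {
                if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                    sb.Append('\\').Append(((int)c).ToString("x2"));
                else sb.Append(c);
            }
            return sb.ToString();
        }

        // DirectorySearcher returns large-integer attributes such as pwdLastSet as Int64 (a UTC
        // FILETIME), so no IADsLargeInteger interop is needed. Null: no such user or attribute unset.
        public static long? ReadPwdLastSet(DirectoryEntry domainRoot, string samAccountName)
        {
            string filter = "(sAMAccountName=" + EscapeFilter(samAccountName) + ")";
            using (var search = new DirectorySearcher(domainRoot, filter))
            {
                search.PropertiesToLoad.Add("pwdLastSet");
                SearchResult r = search.FindOne();
                if (r == null || r.Properties["pwdLastSet"].Count == 0) return null;
                return (long)r.Properties["pwdLastSet"][0];
            }
        }

        // The tracking service calls this for each account it reset. pwdLastSet == 0 already
        // means "must change at next logon", so there is nothing left to expire.
        public static bool GraceElapsed(long pwdLastSet, DateTime nowUtc, TimeSpan grace)
        {
            if (pwdLastSet == 0) return false;
            return nowUtc - DateTime.FromFileTimeUtc(pwdLastSet) > grace;
        }

        // Writing 0 to pwdLastSet sets "user must change password at next logon". This needs
        // WriteProperty on pwdLastSet, one of the rights delegated earlier in the thread.
        public static void ForceChangeAtNextLogon(DirectoryEntry user)
        {
            user.Properties["pwdLastSet"].Value = 0;
            user.CommitChanges();
        }
    }
    ```

    A periodic job would call ReadPwdLastSet for each tracked account, and ForceChangeAtNextLogon on the user's DirectoryEntry when GraceElapsed(value, DateTime.UtcNow, TimeSpan.FromHours(1)) is true; storing the tracked list outside process memory, as the earlier post considers, survives a host restart.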
