修改“用户无法更改密码”(LDAP 提供程序)
用户更改自己的密码的能力是一种可以授予或拒绝的权限。 要拒绝此权限,请在用户对象的安全描述符全权访问控制列表 (DACL) 中设置两个 ACE,其 ace 类型为 ADS_ACETYPE_ACCESS_DENIED_OBJECT。 一个 ACE 拒绝授予用户权限,另一个 ACE 拒绝授予 Everyone 组权限。 这两个 ACE 都是特定于对象的拒绝 ACE,指定了用于更改密码的扩展权限的 GUID。 要授予此权限,请使用 ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ace 类型来设置相同的 ACE。
以下过程介绍了如何修改或添加此权限的 ACE。
修改或添加此权限的 ACE
绑定到用户对象。
从用户对象的 ntSecurityDescriptor 属性中获取 IADsSecurityDescriptor 对象。
从 IADsSecurityDescriptor.DiscretionaryAcl 属性中获取安全描述符的 IADsAccessControlList 接口。
枚举对象的 ACE 并搜索具有 IADsAccessControlEntry.ObjectType 属性的更改密码 GUID ({AB721A53-1E2F-11D0-9819-00AA0040529B}) 的 ACE 和 IADsAccessControlEntry.Trustee 属性的“Everyone”或“NT AUTHORITY\SELF”。
注意
“Everyone”和“NT AUTHORITY\SELF”字符串会根据域中第一个域控制器的语言进行本地化。 因此,不应直接使用字符串。 应通过使用“Everyone”("S-1-1-0") 和“NT AUTHORITY\SELF”("S-1-5-10") 众所周知的安全主体的 SID 来调用 LookupAccountSid 函数,从而在运行时获取帐户名称。 读取“用户无法更改密码”(LDAP 提供程序)中的 GetSidAccountName、GetSidAccountName_Everyone 和 GetSidAccountName_Self C++ 示例函数演示了如何执行此操作。
如果用户无法更改密码,则将发现的 ACE 的 IADsAccessControlEntry.AceType 属性更改为 ADS_ACETYPE_ACCESS_DENIED_OBJECT,如果用户可以更改密码,则更改为 ADS_ACETYPE_ACCESS_ALLOWED_OBJECT。
如果未找到“Everyone”ACE,请创建一个包含下表所示属性值的新 IADsAccessControlEntry 对象,并使用 IADsAccessControlList.AddAce 方法将新条目添加到 ACL 中。
如果未找到“NT AUTHORITY\SELF”ACE,请创建一个新的 IADsAccessControlEntry 对象,其属性值与下表中显示的属性值相同,但 Trustee 属性包含 SID“S-1-5-10”("NT AUTHORITY\SELF") 的帐户名。 使用 IADsAccessControlList.AddAce 方法将条目添加到 ACL 中。
要更新对象的 ntSecurityDescriptor 属性,请使用步骤 2 中获得的同一个 IADsSecurityDescriptor 来调用 IADs.Put 方法。
使用 IADs.SetInfo 方法将本地更改提交到服务器。
如果创建了任一 ACE,则必须对 ACL 重新排序,使 ACE 按正确的顺序排列。 为此,请使用对象的 LDAP ADsPath 调用 GetNamedSecurityInfo 函数,然后使用相同的 DACL 调用 SetNamedSecurityInfo 函数。 添加 ACE 时将自动进行重新排序。
下表列出了 IADsAccessControlEntry 对象的属性值。
IADsAccessControlEntry 属性 | 值 |
---|---|
AccessMask | ADS_RIGHT_DS_CONTROL_ACCESS |
AceType | ADS_ACETYPE_ACCESS_DENIED_OBJECT(如果用户无法更改密码),或 ADS_ACETYPE_ACCESS_ALLOWED_OBJECT(如果用户可以更改密码)。 |
AceFlags | 0 |
标记 | ADS_FLAG_OBJECT_TYPE_PRESENT |
ObjectType | “{AB721A53-1E2F-11D0-9819-00AA0040529B}”,这是字符串形式的更改密码 GUID。 |
InheritedObjectType | 未使用 |
托管方 | SID“S-1-1-0”(Everyone) 的帐户名称。 |
示例代码
下面的代码示例演示了如何获取用于更改 DACL 的接口。 通过设置 ADS_SECURITY_INFO_DACL 选项,可以使用 IADsObjectOptions 接口。
注意
要使用本例中记录的代码,你需要是管理员。 如果你不是管理员,则需要添加更多代码,这些代码将使用一个接口,允许用户更改客户端缓存刷新回 Active Directory 域服务的方式。
//
// Obtain an IADsObjectOptions interface from the object whose
// DACL you wish to modify.
//
long CanReadSetDACL = ADS_SECURITY_INFO_DACL;
CComPtr<IADsObjectOptions> spObjOps;
hr = pads->QueryInterface(IID_IADsObjectOptions, (void**)&spObjOps);
if(SUCCEEDED(hr))
{
//
// Set the option mask you want to change. In this case
// we want to change the objects security information, so we'll
// use the ADS_OPTION_SECURITY_MASK. Since we want to modify the
// DACL, we'll set the variant to ADS_SEDCURITY_INFO_DACL flag.
//
CComVariant svar;
svar = CanReadSetDACL;
hr = spObjOps->SetOption(ADS_OPTION_SECURITY_MASK, svar);
}
//
// The smart pointer declared for pObjOptions can be released
// or it will be destroyed and released once the pointer goes
// out of scope.
//
下面的代码示例显示了如何使用 LDAP 提供程序修改“用户无法更改密码”权限。 此代码示例使用了上文定义的 GetObjectACE 实用程序函数。
此示例使用读取“用户无法更改密码”(LDAP 提供程序)中显示的 GetSidAccountName_Everyone 和 GetSidAccountName_Self C++ 示例函数。
#include <aclapi.h>
#define CHANGE_PASSWORD_GUID_W L"{AB721A53-1E2F-11D0-9819-00AA0040529B}"
/***************************************************************************
CreateACE()
Creates an ACE and returns the IDispatch pointer for the ACE. This
pointer can be passed directly to IADsAccessControlList::AddAce.
bstrTrustee - Contains the Trustee for the ACE.
bstrObjectType - Contains the ObjectType for the ACE.
lAccessMask - Contains the AccessMask for the ACE.
lACEType - Contains the ACEType for the ACE.
lACEFlags - Contains the ACEFlags for the ACE.
lFlags - Contains the Flags for the ACE.
***************************************************************************/
IDispatch* CreateACE(BSTR bstrTrustee,
BSTR bstrObjectType,
long lAccessMask,
long lACEType,
long lACEFlags,
long lFlags)
{
HRESULT hr;
IDispatch *pDisp = NULL;
IADsAccessControlEntry *pACE = NULL;
hr = CoCreateInstance(CLSID_AccessControlEntry,
NULL,
CLSCTX_INPROC_SERVER,
IID_IADsAccessControlEntry,
(void**)&pACE);
if(SUCCEEDED(hr))
{
hr = pACE->put_Trustee(bstrTrustee);
hr = pACE->put_ObjectType(bstrObjectType);
hr = pACE->put_AccessMask(lAccessMask);
hr = pACE->put_AceType(lACEType);
hr = pACE->put_AceFlags(lACEFlags);
hr = pACE->put_Flags(lFlags);
hr = pACE->QueryInterface(IID_IDispatch, (LPVOID*)&pDisp);
pACE->Release();
}
return pDisp;
}
/***************************************************************************
ReorderACEs()
Causes the ACEs of an object DACL to be reordered properly. The ACEs are
automatically put in the proper order when they are added to the DACL.
On older systems however, this does not occur automatically, so this
function is necessary so the deny ACEs are ordered in the list before
the allow ACEs.
pwszDN - A null-terminated Unicode string that contains the LDAP
ADsPath of the DS object to reorder the DACL for.
***************************************************************************/
HRESULT ReorderACEs(LPCWSTR pwszDN)
{
HRESULT hr = E_FAIL;
DWORD dwResult;
ACL *pdacl;
PSECURITY_DESCRIPTOR psd;
dwResult = GetNamedSecurityInfoW( (LPWSTR)pwszDN,
SE_DS_OBJECT_ALL,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
&pdacl,
NULL,
&psd);
if(ERROR_SUCCESS == dwResult)
{
dwResult = SetNamedSecurityInfoW( (LPWSTR)pwszDN,
SE_DS_OBJECT_ALL,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
pdacl,
NULL);
LocalFree(psd);
if(ERROR_SUCCESS == dwResult)
{
hr = S_OK;
}
}
return hr;
}
/***************************************************************************
SetUserCannotChangePassword()
Sets the "User Cannot Change Password" permission using the LDAP provider
to the specified setting. To do this, find the existing
ACEs and modify the AceType. If the ACE is not found, a new one of the
proper type is created and added. The ACEs should always be present, but
it is possible that the default DACL excludes them, so this situation
will be handled correctly.
pwszUserDN - A null-terminated Unicode string that contains the LDAP
ADsPath of the user object to modify.
pwszUsername - A null-terminated Unicode string that contains the user
name to use for authorization. If this is NULL, the credentials of the
current user are used.
pwszPassword - A null-terminated Unicode string that contains the
password to use for authorization. This is ignored if pwszUsername is
NULL.
fCannotChangePassword - Contains the new setting for the privilege.
Contains nonzero if the user cannot change their password or zero if
the can change their password.
***************************************************************************/
HRESULT SetUserCannotChangePassword(LPCWSTR pwszUserDN,
LPCWSTR pwszUsername,
LPCWSTR pwszPassword,
BOOL fCannotChangePassword)
{
HRESULT hr;
CComBSTR sbstrEveryone;
hr = GetSidAccountName_Everyone(&sbstrEveryone);
if(FAILED(hr))
{
return hr;
}
CComBSTR sbstrSelf;
hr = GetSidAccountName_Self(&sbstrSelf);
if(FAILED(hr))
{
return hr;
}
if(NULL == pwszUserDN)
{
return E_INVALIDARG;
}
IADs *pads;
hr = ADsOpenObject( pwszUserDN,
pwszUsername,
pwszPassword,
ADS_SECURE_AUTHENTICATION,
IID_IADs,
(LPVOID*)&pads);
if(SUCCEEDED(hr))
{
CComBSTR sbstrSecDesc = "ntSecurityDescriptor";
CComVariant svar;
hr = pads->Get(sbstrSecDesc, &svar);
if(SUCCEEDED(hr))
{
IADsSecurityDescriptor *psd;
hr = svar.pdispVal->QueryInterface(IID_IADsSecurityDescriptor, (LPVOID*)&psd);
if(SUCCEEDED(hr))
{
IDispatch *pDisp;
hr = psd->get_DiscretionaryAcl(&pDisp);
if(SUCCEEDED(hr))
{
IADsAccessControlList *pACL;
hr = pDisp->QueryInterface(IID_IADsAccessControlList, (void**)&pACL);
if(SUCCEEDED(hr))
{
BOOL fMustReorder = FALSE;
/*
Get the existing ACE for the change password permission
for Everyone. If it exists, just modify the existing
ACE. If it does not exist, create a new one and add it
to the ACL.
*/
IADsAccessControlEntry *pACEEveryone = NULL;
hr = GetObjectACE(pACL, CHANGE_PASSWORD_GUID_W, sbstrEveryone, &pACEEveryone);
if(pACEEveryone)
{
hr = pACEEveryone->put_AceType(fCannotChangePassword ?
ADS_ACETYPE_ACCESS_DENIED_OBJECT :
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT);
pACEEveryone->Release();
}
else
{
IDispatch *pDispEveryone = NULL;
pDispEveryone = CreateACE(sbstrEveryone,
CComBSTR(CHANGE_PASSWORD_GUID_W),
ADS_RIGHT_DS_CONTROL_ACCESS,
fCannotChangePassword ?
ADS_ACETYPE_ACCESS_DENIED_OBJECT :
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT,
0,
ADS_FLAG_OBJECT_TYPE_PRESENT);
if(pDispEveryone)
{
//add the new ACE for everyone
hr = pACL->AddAce(pDispEveryone);
pDispEveryone->Release();
fMustReorder = TRUE;
}
}
/*
Get the existing ACE for the change password permission
for Self. If it exists, just modify the existing
ACE. If it does not exist, create a new one and add it
to the ACL.
*/
IADsAccessControlEntry *pACESelf = NULL;
hr = GetObjectACE(pACL, CHANGE_PASSWORD_GUID_W, sbstrSelf, &pACESelf);
if(pACESelf)
{
hr = pACESelf->put_AceType(fCannotChangePassword ?
ADS_ACETYPE_ACCESS_DENIED_OBJECT :
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT);
pACESelf->Release();
}
else
{
IDispatch *pDispSelf = NULL;
pDispSelf = CreateACE(sbstrSelf,
CComBSTR(CHANGE_PASSWORD_GUID_W),
ADS_RIGHT_DS_CONTROL_ACCESS,
fCannotChangePassword ?
ADS_ACETYPE_ACCESS_DENIED_OBJECT :
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT,
0,
ADS_FLAG_OBJECT_TYPE_PRESENT);
if(pDispSelf)
{
//add the new ACE for self
hr = pACL->AddAce(pDispSelf);
pDispSelf->Release();
fMustReorder = TRUE;
}
}
//update the security descriptor property
hr = pads->Put(sbstrSecDesc, svar);
//commit the changes
hr = pads->SetInfo();
if(fMustReorder)
{
ReorderACEs(pwszUserDN);
}
pACL->Release();
}
pDisp->Release();
}
psd->Release();
}
}
}
return hr;
}
下面的代码示例显示了如何使用 LDAP 提供程序修改“用户无法更改密码”权限。
注意
下面的示例仅适用于主要语言为英语的域,因为“Everyone”和“NT AUTHORITY/SELF”字符串是根据域中第一个域控制器的语言本地化的。 在 Visual Basic 中,如果不调用 LookupAccountSid 函数,就无法获取众所周知的安全主体的帐户名。 如果使用 Visual Basic,建议使用 WinNT 提供程序来修改“用户无法更改密码”权限,如修改“用户无法更改密码”(WinNT 提供程序)中所示。
'******************************************************************************
'
' SetUserCannotChangePassword
'
' Sets the "User Cannot Change Password" permission using the LDAP provider
' to the specified setting. This is accomplished by finding the existing
' ACEs and modifying the AceType. The ACEs should always be present, but
' it is possible that the default DACL excludes them. This function will not
' work correctly if both ACEs are not present.
'
' strUserDN - A string that contains the LDAP ADsPath of the user object to
' modify.
'
' strUsername - A string that contains the user name to use for
' authorization. If this is an empty string, the credentials of the current
' user are used.
'
' strPassword - A string that contains the password to use for authorization.
' This is ignored if strUsername is empty.
'
' fCannotChangePassword - Contains the new setting for the privilege.
' Contains True if the user cannot change their password or False if
' the can change their password.
'
'******************************************************************************
Sub SetUserCannotChangePassword(strUserDN As String, strUsername As String, strPassword As String, fUserCannotChangePassword As Boolean)
Dim oUser As IADs
Dim oSecDesc As IADsSecurityDescriptor
Dim oACL As IADsAccessControlList
Dim oACE As IADsAccessControlEntry
fEveryone = False
fSelf = False
If "" <> strUsername Then
Dim dso As IADsOpenDSObject
' Bind to the group with the specified user name and password.
Set dso = GetObject("LDAP:")
Set oUser = dso.OpenDSObject(strUserDN, strUsername, strPassword, 1)
Else
' Bind to the group with the current credentials.
Set oUser = GetObject(strUserDN)
End If
Set oSecDesc = oUser.Get("ntSecurityDescriptor")
Set oACL = oSecDesc.DiscretionaryAcl
' Modify the existing entries.
For Each oACE In oACL
If UCase(oACE.ObjectType) = UCase(CHANGE_PASSWORD_GUID) Then
If oACE.Trustee = "Everyone" Then
' Modify the ace type of the entry.
If fUserCannotChangePassword Then
oACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
Else
oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
End If
End If
If oACE.Trustee = "NT AUTHORITY\SELF" Then
' Modify the ace type of the entry.
If fUserCannotChangePassword Then
oACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
Else
oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
End If
End If
End If
Next
' Update the ntSecurityDescriptor property.
oUser.Put "ntSecurityDescriptor", oSecDesc
' Commit the changes to the server.
oUser.SetInfo
End Sub