Active Directory's UAC PASSWD_CANT_CHANGE Doesn't Work #678
Replies: 3 comments 6 replies
-
Hi @kbisignani, thanks for your kind words! I'm glad you've found LdapRecord useful. The link you've posted is for ActiveDirectory UserAccountControl settings. LdapRecord allows you to manipulate these:

https://ldaprecord.com/docs/core/v3/active-directory/users/#user-account-control
https://ldaprecord.com/docs/core/v3/active-directory/users/#available-constants

```php
<?php

use LdapRecord\Models\ActiveDirectory\User;
use LdapRecord\Models\Attributes\AccountControl;

$user = User::find('cn=John Doe,ou=Users,dc=local,dc=com');

// Setting the UAC value manually:
$user->userAccountControl = 512; // Normal, enabled account.

// Or, using the UAC builder:
$user->userAccountControl = (new AccountControl)->setAccountIsNormal();

$user->save();
```

Let me know if this isn't what you're referring to so I can help you further 👍
-
My apologies for the confusion in my original post @stevebauman . The link I posted brought you too far down on the page. If you scroll up a little, the following note is placed on the "PASSWD_CANT_CHANGE" flag:
Essentially, adding "64" to the $user->userAccountControl by manual assignment, or, programmatically, $uac->setPasswordCannotBeChanged();, won't work. According to the continuing documentation here, it looks like I need to work with the ntSecurityDescriptor and parse the IADsSecurityDescriptor... but I'm not sure that's a thing that's possible with LdapRecord. I'd be thrilled to be wrong! But this is such a niche case I'm not sure where to proceed.
-
Okay, just deleted my last reply. I combined what you sent with code from the two links you included in your post to come up with this:
That got me some extra information, including...
So... how the heck does one parse this?? lol
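A worked example of parsing the ntSecurityDescriptor blob the reply above asks about, added here and not code from LdapRecord or from anyone in the thread: it walks the self-relative descriptor's DACL and returns the object ACEs that allow or deny the User-Change-Password extended right, which is how the "cannot change password" setting is actually stored on a user object. The Change-Password right GUID, the 0x100 control-access mask and the binary layout are taken from the Windows security descriptor format rather than from this page, and the descriptor bytes are constructed inline instead of being read from a live user.

```php
<?php
// Added example (not LdapRecord/thread code): list object ACEs on User-Change-Password in an ntSecurityDescriptor.
const CHANGE_PASSWORD_GUID = 'ab721a53-1e2f-11d0-9819-00aa0040529b';
const ACE_OBJECT_TYPE_PRESENT = 0x1;           // ObjectType GUID follows the flags
const ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2; // InheritedObjectType GUID follows
function guidToString(string $b): string { // 16 bytes; first three fields are little-endian
    $p = unpack('Va/vb/vc/nd/H12e', $b);
    return sprintf('%08x-%04x-%04x-%04x-%s', $p['a'], $p['b'], $p['c'], $p['d'], $p['e']);
}

function sidToString(string $b): string { // binary SID -> "S-1-5-..."
    $n = ord($b[1]);                                 // sub-authority count
    $auth = hexdec(bin2hex(substr($b, 2, 6)));       // 48-bit big-endian identifier authority
    $subs = $n ? array_values(unpack("V{$n}", substr($b, 8, 4 * $n))) : [];
    return 'S-' . ord($b[0]) . "-$auth" . ($n ? '-' . implode('-', $subs) : '');
}

function changePasswordAces(string $sd): array {
    $h = unpack('Crev/Csbz1/vcontrol/Vowner/Vgroup/Vsacl/Vdacl', $sd);
    if (!($h['control'] & 0x0004) || $h['dacl'] === 0) return []; // SE_DACL_PRESENT not set
    $acl = unpack('Crev/Csbz1/vsize/vcount/vsbz2', substr($sd, $h['dacl'], 8));
    $pos = $h['dacl'] + 8; $found = [];
    for ($i = 0; $i < $acl['count']; $i++) {
        $ace = unpack('Ctype/Cflags/vsize', substr($sd, $pos, 4));
        if ($ace['type'] === 5 || $ace['type'] === 6) { // ACCESS_{ALLOWED,DENIED}_OBJECT_ACE
            $body = unpack('Vmask/Vflags', substr($sd, $pos + 4, 8));
            $off = $pos + 12; // first optional GUID (if any) starts here
            $objType = ($body['flags'] & ACE_OBJECT_TYPE_PRESENT) ? guidToString(substr($sd, $off, 16)) : null;
            $off += (($body['flags'] & ACE_OBJECT_TYPE_PRESENT) ? 16 : 0)
                  + (($body['flags'] & ACE_INHERITED_OBJECT_TYPE_PRESENT) ? 16 : 0); // SID follows the GUIDs
            if ($objType === CHANGE_PASSWORD_GUID) {
                $found[] = ['effect' => $ace['type'] === 6 ? 'deny' : 'allow',
                            'sid'    => sidToString(substr($sd, $off, $pos + $ace['size'] - $off))];
            }
        }
        $pos += $ace['size'];
    }
    return $found;
}

// Constructed sample: Everyone + SELF ACCESS_DENIED_OBJECT_ACEs (mask RIGHT_DS_CONTROL_ACCESS = 0x100) on Change-Password.
function buildSampleDescriptor(): string {
    $guid = pack('Vvvn', 0xab721a53, 0x1e2f, 0x11d0, 0x9819) . hex2bin('00aa0040529b');
    $ace  = fn(string $sid) => pack('CCvVV', 6, 0, 28 + strlen($sid), 0x100, 1) . $guid . $sid;
    $aces = $ace(hex2bin('010100000000000100000000')) . $ace(hex2bin('01010000000000050a000000')); // S-1-1-0, S-1-5-10
    $acl  = pack('CCvvv', 4, 0, 8 + strlen($aces), 2, 0) . $aces;
    return pack('CCvVVVV', 1, 0, 0x8004, 0, 0, 0, 20) . $acl; // SE_SELF_RELATIVE | SE_DACL_PRESENT, DACL at offset 20
}
print_r(changePasswordAces(buildSampleDescriptor()));
```

On a real user, pass in the raw ntSecurityDescriptor value instead of the constructed bytes; two deny entries for S-1-1-0 (Everyone) and S-1-5-10 (SELF) on this right are what the "cannot change password" setting looks like when it is in effect.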
-
First off, thank you for this amazing resource. I've only scratched the surface of it and it's going to help save so much time in the development I'm doing.
I am working on a project to automate the creation of student accounts (an internal tool for my department). Something we prevent is the ability for students to change their passwords. There's a User Account Control flag - PASSWD_CANT_CHANGE - that's supposed to enable this, however as per Microsoft (see here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#property-flag-descriptions), this is not how it works, and instead you need to set security descriptors on the user object.
I have a sinking feeling this isn't going to work...