Reputation: 1692
I've tried multiple ways to set the flag "User cannot change password" in Active Directory from C#.
The following haven't worked:
The first three each give the exact same, highly cryptic error message, "Constraint Violation" with the extended message:
```
0000051B: AtrErr: DSID-030F20BA, #1:
0: 0000051B: DSID-030F20BA, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
```
Here is the simplest case code that should have worked (option 1):
```csharp
// Requires: using System.DirectoryServices.AccountManagement;
using (var context = new PrincipalContext(ContextType.Domain, myDomain, myAccountOperatorUsername, myAccountOperatorPassword))
{
    using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, userNameToChange))
    {
        if (user != null)
        {
            // Setting this flag writes to the user's nTSecurityDescriptor on Save()
            user.UserCannotChangePassword = true;
            user.Save();
        }
    }
}
```
The PowerShell way of doing this works perfectly fine, using the same credentials from the same machine. In fact, it works so well I can automate it in the code and it succeeds:
```csharp
// Requires: using System.Management.Automation;
using (var PowerShellInstance = PowerShell.Create())
{
    PowerShellInstance.AddScript("Import-Module ActiveDirectory");
    // The operator credentials and target username are concatenated into the script text
    PowerShellInstance.AddScript("$password = ConvertTo-SecureString \"" + myAccountOperatorPassword + "\" -AsPlainText -Force");
    PowerShellInstance.AddScript("$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist \"" + myAccountOperatorUsername + "\", $password");
    PowerShellInstance.AddScript("Set-ADAccountControl -Identity " + usernameToChange + " -CannotChangePassword $true -Credential $cred");
    var PSOutput = PowerShellInstance.Invoke();
}
```
However the PowerShell way makes the deployment more complicated for something that should be accomplishable in pure C#.
Is this a problem with the domain, the environment the code is running in, or the code itself?
Upvotes: 3
Views: 2671
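The PowerShell snippet in the question builds script text by concatenating the password and usernames, so any quote, semicolon or `$(...)` in those values is parsed as PowerShell. The same cmdlet call with every value bound as a parameter object is shown below as an added example, not the asker's code; the class name, method name and parameter names are hypothetical.

```csharp
// Added example (not from the original post): same cmdlet, no script-text concatenation.
using System;
using System.Linq;
using System.Management.Automation;
using System.Net;

static class AdAccountControl
{
    // operatorName, operatorPassword and targetSam are hypothetical parameter names.
    public static void SetCannotChangePassword(string operatorName, string operatorPassword, string targetSam)
    {
        // Build the credential as an object; the password never appears in script text.
        var securePassword = new NetworkCredential(string.Empty, operatorPassword).SecurePassword;
        var credential = new PSCredential(operatorName, securePassword);

        using (var ps = PowerShell.Create())
        {
            ps.AddCommand("Import-Module").AddParameter("Name", "ActiveDirectory");
            ps.Invoke();
            ps.Commands.Clear();

            // Each value is bound as a parameter argument, so it is treated as data
            // and never parsed as PowerShell source.
            ps.AddCommand("Set-ADAccountControl")
              .AddParameter("Identity", targetSam)
              .AddParameter("CannotChangePassword", true)
              .AddParameter("Credential", credential);
            ps.Invoke();

            // Non-terminating cmdlet errors do not throw; surface them explicitly.
            if (ps.HadErrors)
            {
                var details = string.Join("; ", ps.Streams.Error.Select(e => e.ToString()));
                throw new InvalidOperationException("PowerShell reported errors: " + details);
            }
        }
    }
}
```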
Reputation: 11
I had the exact same problem using very similar C# code. In my case, the account we were using to set the "User cannot change password" flag had that option marked itself. When we removed the flag from the account, the code started working.
This is something that, apparently, only affected C#. Other implementations of the solution worked fine, including PowerShell.
Upvotes: 1