Re: Checking "Reset Password" Extended Attribute in AD
From: Dave Mills (dont_at_spam.me)
Date: 10/16/04
Date: Sat, 16 Oct 2004 09:56:06 -0700
The MSDN documentation really does suck for these functions!!

Yes, I know the GUID is incorrect; I was trying an invalid GUID to see
what would happen - it doesn't seem to care if the GUID is invalid.

I've tried the Reset Password GUID at the Property set level but it made
no difference.

I tried creating a test user and the function returned that I had the
right to reset its password. I then disabled inheritance of ACLs to
this object and the function returns false - this is the case no matter
what I put in the OBJECT_TYPE_LIST.

I found an example in the MSDN of checking a "control access right"
which is apparently what an extended right is - however it seems to be
doing more or less what I am doing - and contradicts the other
documentation which states that the top level object in OBJECT_TYPE_LIST
should be the object itself.

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:C6D40D903EB26B46893EDE0B143F4F1901406F68@fozzy-bear.staff.stanmore.ac.uk:
> I haven't ever used this function so I am just guessing. BTW, I looked through
> the MSDN docs, they pretty much suck for these functions, they need some
> examples. Oh, I also don't do NET but tried to work through what you are doing
> anyway...
>
> First off
>
>
> > Dim gUSER As New Guid("bf967aba-0de6-11d0-a285-00aa00000000")
> > '00aa003049e2
> >
>
>
> I expect so, but do you know that GUID isn't correct, the part you remmed out
> to replace with 0's is correct.
>
> dn:CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com
>
> >schemaIDGUID: {BF967ABA-0DE6-11D0-A285-00AA003049E2}
>
>
>
>
> Other than that what I would try in your shoes is to not put the Reset Password
> GUID into the property level of OBJECT_TYPE_LIST, I would put it into the
> property set level. It isn't a property, it is a special CA access right which
> is closer to being a property set than a property. In fact it is maintained in
> with the property sets.
>
> Now I am going to see if I contact someone on how "light" those docs are
> on MSDN.
>
> joe
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
>
> Dave Mills wrote:
>
> > I'm writing a web page which certain users will be able to use to reset
> > student passwords, without needing the "Users and Computers" MMC page.
> >
> > I need to be able to check if the user which IIS is currently
> > impersonating has the right to reset a given user's password - my
> > instinct told me to go with the "AccessCheckByType" API function - I
> > have managed to get the impersonated user's token, and the security
> > descriptor from the User in active directory - I call AccessCheckByType
> > and it returns success however it is not returning the correct results
> > in status.
> >
> > Am I even correct in thinking AccessCheckByType is the correct function
> > to use??
> >
> > Cheers
> >
> > Dave
> >
> > Code below:
> >
SNIP!!
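
Added illustration, not code from this thread or from MSDN: a simplified Python model of how an ordered DACL walk decides an extended (control access) right such as Reset Password, which can help when auditing who holds it on a user object. The helpdesk SID and both SDDL strings are constructed sample data. The model assumes token SIDs are given in the same form the SDDL uses, does not map generic rights or evaluate conditional ACEs, and does not reproduce AccessCheckByType's OBJECT_TYPE_LIST handling.

```python
import re

# rightsGuid values of two extended (control access) rights on user objects.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"

# Constructed sample data: a hypothetical helpdesk group SID and two DACLs,
# one carrying an inherited (ID) Reset Password ACE, one protected (P) without it.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
INHERITED = ("D:AI(OA;;CR;" + CHANGE_PASSWORD + ";;WD)"
             "(OA;CIID;CR;" + RESET_PASSWORD + ";;" + HELPDESK + ")")
PROTECTED = "D:P(OA;;CR;" + CHANGE_PASSWORD + ";;WD)"

def dacl_aces(sddl):
    """Yield (type, flags, rights, object_guid, trustee) per DACL ACE, in order."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    for body in re.findall(r"\(([^()]*)\)", dacl):
        ace_type, flags, rights, obj, _inherited_obj, trustee = body.split(";")[:6]
        yield ace_type, re.findall("..", flags), rights, obj.lower(), trustee

def has_control_access(rights):
    """True if the rights field carries the control access bit (CR, 0x100)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x100)
    return "CR" in re.findall("..", rights)

def can_use_extended_right(sddl, token_sids, right_guid=RESET_PASSWORD):
    """Walk the DACL in order; the first ACE that applies to the right decides."""
    for ace_type, flags, rights, obj, trustee in dacl_aces(sddl):
        if "IO" in flags:                       # inherit-only: not effective here
            continue
        if trustee not in token_sids or not has_control_access(rights):
            continue
        if obj and obj != right_guid.lower():   # ACE scoped to a different GUID
            continue
        if ace_type in ("A", "OA"):
            return True
        if ace_type in ("D", "OD"):
            return False
    return False                                # nothing matched: implicit deny

if __name__ == "__main__":
    caller = {HELPDESK, "WD"}                   # SIDs in the caller's token
    print(can_use_extended_right(INHERITED, caller))
    print(can_use_extended_right(PROTECTED, caller))
```

In this model an ACE with an empty object GUID and the CR bit applies to every extended right, while an ACE scoped to another right's GUID is skipped.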