Re: Checking "Reset Password" Extended Attribute in AD

From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 10/17/04

    Date: Sat, 16 Oct 2004 16:34:11 -0600


    The GUID to check is 00299570-246d-11d0-a768-00aa006e0529. It is the
    rightsGuid from the
    CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=yourdomain
    object. Otherwise, the code looks correct.

    However, checking this on the client is not entirely correct. The token on
    the client may differ from the token on the DC. For example, the user
    could be a member of builtin admins on the IIS machine. Then, your access
    check will succeed on the client, but you could get an entirely different
    result on the server.

    -- 
    Dmitri Gavrilov
    SDE, Active Directory Core
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
    "Dave Mills" <dont@spam.me> wrote in message
    news:uPcFIE6sEHA.2660@TK2MSFTNGP12.phx.gbl...
    > The msdn documentation really does suck for these functions!!
    > Yes I know the GUID is incorrect I was trying an invalid GUID to see
    > what would happen - it doesn't seem to care if the guid is invalid.
    > I've tried the Reset Password GUID at the Property set level but it made
    > no difference.
    > I tried creating a test user and the function returned that I had the
    > right to reset its password; I then disabled inheritance of ACLs to
    > this object and the function returns false - this is the case no matter
    > what I put in the OBJECT_TYPE_LIST.
    >
    > I found an example in the MSDN of checking a "control access right"
    > which is apparently what an extended right is -  however it seems to be
    > doing more or less what I am doing - and contradicts the other
    > documentation which states that the top level object in OBJECT_TYPE_LIST
    > should be the object itself.
    >
    >
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/checking_a_control_access_right_in_an_objectampaposs_acl.asp
    >
    >
    >
    > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    >
    news:C6D40D903EB26B46893EDE0B143F4F1901406F68@fozzy-bear.staff.stanmore.ac.uk:
    > > I haven't ever used this function so I am just guessing. BTW, I looked
    > > through the MSDN docs, they pretty much suck for these functions, they
    > > need some examples. Oh, I also don't do .NET but tried to work through
    > > what you are doing anyway...
    > >
    > > First off
    > >
    > >  > Dim gUSER As New Guid("bf967aba-0de6-11d0-a285-00aa00000000")
    > >  > '00aa003049e2
    > >
    > > I expect so, but do you know that GUID isn't correct? The part you
    > > remmed out to replace with 0's is correct.
    > >
    > > dn:CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com
    > >
    > >  >schemaIDGUID: {BF967ABA-0DE6-11D0-A285-00AA003049E2}
    > >
    > >
    > >
    > >
    > > Other than that, what I would try in your shoes is to not put the Reset
    > > Password GUID into the property level of OBJECT_TYPE_LIST; I would put
    > > it into the property set level. It isn't a property, it is a special CA
    > > access right which is closer to being a property set than a property.
    > > In fact it is maintained in with the property sets.
    > >
    > > Now I am going to see if I contact someone on how "light" those docs are
    > > on MSDN.
    > >
    > > joe
    > >
    > >
    > > --
    > > Joe Richards Microsoft MVP Windows Server Directory Services
    > > www.joeware.net
    > >
    > >
    > >
    > > Dave Mills wrote:
    > >
    > > > I'm writing a web page which certain users will be able to use to
    > > > reset student passwords, without needing the "Users and Computers"
    > > > MMC page.
    > > >
    > > > I need to be able to check if the user which IIS is currently
    > > > impersonating has the right to reset a given user's password - my
    > > > instinct told me to go with the "AccessCheckByType" API function - I
    > > > have managed to get the impersonated user's token, and the security
    > > > descriptor from the User in active directory - I call
    > > > AccessCheckByType and it returns success, however it is not returning
    > > > the correct results in status.
    > > >
    > > > Am I even correct in thinking AccessCheckByType is the correct
    > > > function to use??
    > > >
    > > > Cheers
    > > >
    > > > Dave
    > > >
    > > > Code below:
    > > >
    >
    > SNIP!!
    >
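
The thread settles on two points: the GUID to look for is the rightsGuid of the
User-Force-Change-Password control access right, and a client-side AccessCheck
evaluates the caller's local token, which can contain groups (such as the web
server's own BUILTIN\Administrators) that the DC never sees. The script below is
an added example, not code posted in the thread or shipped by Microsoft. It
reads the rightsGuid from CN=Extended-Rights instead of hard-coding it, then
evaluates the target user's DACL against the group SIDs the DC itself reports
for the caller (tokenGroups), which is closer to what the DC will decide than a
check against the IIS machine's token. It assumes the RSAT ActiveDirectory
module; the account and DN in the usage line are placeholders. It is still an
approximation: it does not model NT AUTHORITY\SELF or other well-known
principals, and the only authoritative answer is the DC's own check when the
reset is actually attempted.

```powershell
# Added example (not from the thread). Approximates the DC-side check for the
# User-Force-Change-Password ("Reset Password") control access right.
# Assumes the RSAT ActiveDirectory module is installed (it mounts the AD: drive).
Import-Module ActiveDirectory

function Get-ForceChangePasswordGuid {
    # Read the rightsGuid from the Extended-Rights container rather than
    # trusting a constant; the value is 00299570-246d-11d0-a768-00aa006e0529.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter '(&(objectClass=controlAccessRight)(cn=User-Force-Change-Password))' `
        -Properties rightsGuid
    [guid]$right.rightsGuid
}

function Test-CanResetPassword {
    param(
        [Parameter(Mandatory)][string]$CallerSamAccountName,
        [Parameter(Mandatory)][string]$TargetDistinguishedName
    )
    $resetGuid = Get-ForceChangePasswordGuid

    # Group SIDs as the DC expands them. Local groups on the web server
    # (e.g. BUILTIN\Administrators there) never appear in this list, which is
    # exactly why a local AccessCheck can disagree with the DC.
    $caller = Get-ADUser -Identity $CallerSamAccountName -Properties tokenGroups
    $sids = @($caller.SID) + @($caller.tokenGroups)

    # nTSecurityDescriptor of the target, inherited ACEs included.
    $acl = Get-Acl -Path "AD:\$TargetDistinguishedName"
    $relevant = $acl.Access | Where-Object {
        # An ExtendedRight ACE scoped to this rightsGuid, or to all extended
        # rights (empty ObjectType). GenericAll also carries the ExtendedRight
        # bit, so the -band test picks it up as well.
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $resetGuid -or $_.ObjectType -eq [guid]::Empty) -and
        ($sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]))
    }

    # In a canonically ordered DACL, explicit Deny ACEs are evaluated before
    # Allow ACEs, so any matching Deny wins.
    if ($relevant | Where-Object AccessControlType -eq 'Deny') { return $false }
    return [bool]($relevant | Where-Object AccessControlType -eq 'Allow')
}

# Usage (placeholder names):
# Test-CanResetPassword -CallerSamAccountName 'helpdesk1' `
#     -TargetDistinguishedName 'CN=Student One,OU=Students,DC=example,DC=com'
```

Run it on the DC or any domain-joined host; because it reads tokenGroups from
the directory instead of opening the caller's local token, the result does not
change depending on which machine you run it from, which is the property the
original poster's AccessCheckByType call lacks.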
    
