When creating Active Directory users from a script, I also need to set the option that they can't change their passwords. Via the administrative GUI this is easily accomplished, by checking "User cannot change password". Programmatically however, it's another story. I've found a recipe which involves interacting with the ADSI COM API, but for technical reasons I would like to accomplish the same via the .NET API (short version: I'm not able to access the ADSI COM API from my script).

I have tried to translate the aforementioned recipe to pure .NET, as can be seen in this Python snippet, but it has no effect unfortunately:

# Python for .NET: load the assemblies the snippet depends on
import clr
clr.AddReference("System.DirectoryServices")
import System
import System.DirectoryServices
import System.Security.AccessControl
import System.Security.Principal

# ad_user is the LDAP path of the user object (defined earlier in the script)
dir_entry = System.DirectoryServices.DirectoryEntry(ad_user)
obj_sec = dir_entry.ObjectSecurity
# GUID of the "User-Change-Password" extended right
guid = System.Guid("ab721a53-1e2f-11d0-9819-00aa0040529b")
# Deny the extended right to both SELF and Everyone, as the ADSI recipe does
for identity in (r"NT AUTHORITY\SELF", "EVERYONE"):
    identity = System.Security.Principal.NTAccount(identity)
    access_rule = System.DirectoryServices.ActiveDirectoryAccessRule(
            identity,
            System.DirectoryServices.ActiveDirectoryRights.ExtendedRight,
            System.Security.AccessControl.AccessControlType.Deny,
            guid
            )
    obj_sec.AddAccessRule(access_rule)
dir_entry.ObjectSecurity = obj_sec
dir_entry.CommitChanges()

Would greatly appreciate any help :)

A:

If you can use .NET 3.5 there's a new namespace in there called System.DirectoryServices.AccountManagement. The UserPrincipal class in that namespace will allow you to set "Cannot Change Password" simply by setting the boolean UserCannotChangePassword property to false.

Per Noalt
Thanks, looks very interesting. I'll have to see if I can use that .NET version via the Python for .NET bridge.
aknuds1
Thank you very much, this solution worked perfectly!
aknuds1
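An added example, not code from the question or the answer above, showing the UserPrincipal approach from a PowerShell session and then reading the resulting ACL back: "User cannot change password" is not an attribute but a pair of Deny ACEs for the User-Change-Password extended right, so checking for those ACEs is the way to confirm the change took effect. It assumes a domain-joined machine, write access to the user object, and a placeholder sAMAccountName.

```powershell
# Added example (not from the original post): set "User cannot change password"
# via System.DirectoryServices.AccountManagement, then verify the resulting ACL.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Add-Type -AssemblyName System.DirectoryServices

$samAccountName = 'jdoe'   # placeholder: replace with the target sAMAccountName

# 1. Set the flag through UserPrincipal (the approach suggested in the answer).
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx,
            [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName,
            $samAccountName)
if (-not $user) { throw "User '$samAccountName' not found" }

$user.UserCannotChangePassword = $true   # $true means the user may NOT change it
$user.Save()

# 2. Verify: look for Deny ACEs on the User-Change-Password extended right
#    (GUID ab721a53-1e2f-11d0-9819-00aa0040529b) held by SELF and Everyone.
$changePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$entry = $user.GetUnderlyingObject()   # System.DirectoryServices.DirectoryEntry
$entry.RefreshCache()
$denied = $entry.ObjectSecurity.GetAccessRules($true, $true,
              [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $changePasswordGuid -and
        (($_.ActiveDirectoryRights -band
          [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
    } | Select-Object -ExpandProperty IdentityReference

"Deny ACEs for User-Change-Password on ${samAccountName}:"
$denied | ForEach-Object { "  $_" }
# Both NT AUTHORITY\SELF and Everyone should appear in this list.
```

If the list is missing either identity, the flag is not effective and the earlier script's ACEs were not written as expected.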