Solved

Modifying Active Directory ntSecurityDescriptor property in python-ldap

Posted on 2014-04-26
5
2,351 Views
Last Modified: 2014-05-15
Just wondering if anyone has any experience modifying the ntSecurityDescriptor property of an Active Directory object from a non-microsoft language (specifically, using python-ldap)?

I am using python-ldap to create user accounts and I need to set the "user cannot change password" property on the new accounts.  Unfortunately, the Microsoft documentation states that you cannot set this property by modifying the userAccountControl attribute directly and must instead pull the DACL object (which is contained within the ntSecurityDescriptor property), and modify a permission setting in there. They have some example code for doing it using a built-in class in Visual Basic, but I'm looking to modify this property directly from python.

Microsoft's documentation on this is here:

http://msdn.microsoft.com/en-us/library/aa746398(v=vs.85).aspx

Would greatly appreciate any assistance on this!
0
Comment
Question by:rmeany
  • 4
5 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40024775
It is a lot easier using the winnt provider
http://msdn.microsoft.com/en-us/library/aa746399%28v=vs.85%29.aspx
0
 

Author Comment

by:rmeany
ID: 40024869
Sorry, I should have also mentioned that I am running this python on a linux server, so I have no access to win32 com objects
0
 

Author Comment

by:rmeany
ID: 40024960
Looks like my only option is to edit the nTSecurityDescriptor byte structure directly.  I was having trouble accessing the nTSecurityDescriptor attribute until I found out that it can only be queried using an account with Domain Administrator privileges.. I don't like giving domain admin privileges to a service account, but oh well...

I found documentation describing the structure of nTSecurityDescriptor here:

http://msdn.microsoft.com/en-us/library/cc230366.aspx

I plan to write a function that pulls the DACL bytes, finds within that any ACE entry bytes representing CHANGE_PASSWORD_GUID and sets the ACE entry byte values appropriately (ADS_ACETYPE_ACCESS_DENIED_OBJECT or ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) for any entries with SID bytes that match the SIDs for "Everyone" and "NT Authority\SELF"
0
 

Accepted Solution

by:
rmeany earned 0 total points
ID: 40056717
0
 

Author Closing Comment

by:rmeany
ID: 40066736
The code I wrote allows you to read and manipulate the security descriptor on AD objects via python-ldap
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A set of related code is known to be a Module, it helps us to organize our code logically which is much easier for us to understand and use it. Module is an object with arbitrarily named attributes which can be used in binding and referencing. …
When we want to run, execute or repeat a statement multiple times, a loop is necessary. This article covers the two types of loops in Python: the while loop and the for loop.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now