• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2821
  • Last Modified:

Modifying Active Directory ntSecurityDescriptor property in python-ldap

Just wondering if anyone has any experience modifying the ntSecurityDescriptor property of an Active Directory object from a non-microsoft language (specifically, using python-ldap)?

I am using python-ldap to create user accounts and I need to set the "user cannot change password" property on the new accounts.  Unfortunately, the Microsoft documentation states that you cannot set this property by modifying the userAccountControl attribute directly and must instead pull the DACL object (which is contained within the ntSecurityDescriptor property), and modify a permission setting in there. They have some example code for doing it using a built-in class in Visual Basic, but I'm looking to modify this property directly from python.

Microsoft's documentation on this is here:

http://msdn.microsoft.com/en-us/library/aa746398(v=vs.85).aspx

Would greatly appreciate any assistance on this!
0
rmeany
Asked:
rmeany
  • 4
1 Solution
 
David Johnson, CD, MVPOwnerCommented:
It is a lot easier using the winnt provider
http://msdn.microsoft.com/en-us/library/aa746399%28v=vs.85%29.aspx
0
 
rmeanyAuthor Commented:
Sorry, I should have also mentioned that I am running this python on a linux server, so I have no access to win32 com objects
0
 
rmeanyAuthor Commented:
Looks like my only option is to edit the nTSecurityDescriptor byte structure directly.  I was having trouble accessing the nTSecurityDescriptor attribute until I found out that it can only be queried using an account with Domain Administrator privileges.. I don't like giving domain admin privileges to a service account, but oh well...

I found documentation describing the structure of nTSecurityDescriptor here:

http://msdn.microsoft.com/en-us/library/cc230366.aspx

I plan to write a function that pulls the DACL bytes, finds within that any ACE entry bytes representing CHANGE_PASSWORD_GUID and sets the ACE entry byte values appropriately (ADS_ACETYPE_ACCESS_DENIED_OBJECT or ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) for any entries with SID bytes that match the SIDs for "Everyone" and "NT Authority\SELF"
0
 
rmeanyAuthor Commented:
0
 
rmeanyAuthor Commented:
The code I wrote allows you to read and manipulate the security descriptor on AD objects via python-ldap
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now