Modifying Active Directory ntSecurityDescriptor property in python-ldap

Posted on 2014-04-26
Last Modified: 2014-05-15
Just wondering if anyone has any experience modifying the ntSecurityDescriptor property of an Active Directory object from a non-Microsoft language (specifically, using python-ldap)?

I am using python-ldap to create user accounts and I need to set the "user cannot change password" property on the new accounts. Unfortunately, the Microsoft documentation states that you cannot set this property by modifying the userAccountControl attribute directly and must instead pull the DACL object (which is contained within the ntSecurityDescriptor property), and modify a permission setting in there. They have some example code for doing it using a built-in class in Visual Basic, but I'm looking to modify this property directly from Python.

Microsoft's documentation on this is here:


Would greatly appreciate any assistance on this!
Question by:rmeany

Expert Comment

by:David Johnson, CD, MVP
ID: 40024775
It is a lot easier using the winnt provider

Author Comment

ID: 40024869
Sorry, I should have also mentioned that I am running this python on a linux server, so I have no access to win32 com objects

Author Comment

ID: 40024960
Looks like my only option is to edit the nTSecurityDescriptor byte structure directly. I was having trouble accessing the nTSecurityDescriptor attribute until I found out that it can only be queried using an account with Domain Administrator privileges. I don't like giving domain admin privileges to a service account, but oh well...

I found documentation describing the structure of nTSecurityDescriptor here:


I plan to write a function that pulls the DACL bytes, finds within that any ACE entry bytes representing CHANGE_PASSWORD_GUID and sets the ACE entry byte values appropriately (ADS_ACETYPE_ACCESS_DENIED_OBJECT or ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) for any entries with SID bytes that match the SIDs for "Everyone" and "NT Authority\SELF".

Accepted Solution

rmeany earned 0 total points
ID: 40056717

Author Closing Comment

ID: 40066736
The code I wrote allows you to read and manipulate the security descriptor on AD objects via python-ldap
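The approach the author outlines above (parse the nTSecurityDescriptor bytes, locate the ACEs for CHANGE_PASSWORD_GUID whose trustee is Everyone or SELF, and flip them between ACCESS_ALLOWED_OBJECT and ACCESS_DENIED_OBJECT) as an added worked example in Python 3. This is not the code the author wrote or posted in the thread; it is an illustration written for this page. It assumes the self-relative SECURITY_DESCRIPTOR, ACL, ACE and SID layouts documented in [MS-DTYP], the well-known User-Change-Password GUID (ab721a53-1e2f-11d0-9819-00aa0040529b) and the Everyone (S-1-1-0) and SELF (S-1-5-10) SIDs from Microsoft's documentation, and an already-bound python-ldap connection `conn`. It goes two steps beyond the comment: it re-emits the DACL in canonical order (explicit deny ACEs ahead of explicit allow ACEs, inherited ACEs last), which a deny ACE needs in order to take effect, and it reads and writes only the DACL through the LDAP_SERVER_SD_FLAGS control (OID 1.2.840.113556.1.4.801, flag DACL_SECURITY_INFORMATION), so the SACL is never requested; reading the SACL is what needs a privilege ordinary service accounts lack, which is the usual reason the attribute comes back empty for non-admin binds.

```python
"""Flip the User-Change-Password ACEs in an AD nTSecurityDescriptor (self-relative
SECURITY_DESCRIPTOR per [MS-DTYP]) in pure Python and write the DACL back via python-ldap."""
import struct
import uuid

# Well-known values from Microsoft's ADSI / [MS-DTYP] documentation (not taken from the thread).
CHANGE_PASSWORD_GUID = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b")  # User-Change-Password right
EVERYONE_SID, SELF_SID = "S-1-1-0", "S-1-5-10"
ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE = 0x05, 0x06
DENY_ACE_TYPES = {0x01, 0x06}                      # ACCESS_DENIED, ACCESS_DENIED_OBJECT
ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT, INHERITED_ACE = 0x01, 0x02, 0x10
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100                # mask bit carrying extended rights
DACL_SECURITY_INFORMATION = 0x04
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"
SD_HEADER = "<BBHIIII"     # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"      # AclRevision, Sbz1, AclSize, AceCount, Sbz2


def parse_sid(buf, off):
    """Decode the binary SID at buf[off]; returns (sid_string, byte_length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")      # 6-byte big-endian authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)      # little-endian sub-authorities
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_sid(sid):
    """Inverse of parse_sid for 'S-1-5-...' strings."""
    rev, authority, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def split_sd(sd):
    """Split a self-relative SD into (header_fields, owner, group, sacl, [ace bytearrays])."""
    fields = struct.unpack_from(SD_HEADER, sd, 0)
    off_owner, off_group, off_sacl, off_dacl = fields[3:]         # an offset of 0 means 'absent'
    owner = sd[off_owner:off_owner + parse_sid(sd, off_owner)[1]] if off_owner else b""
    group = sd[off_group:off_group + parse_sid(sd, off_group)[1]] if off_group else b""
    sacl = sd[off_sacl:off_sacl + struct.unpack_from("<H", sd, off_sacl + 2)[0]] if off_sacl else b""
    if not off_dacl:
        raise ValueError("security descriptor carries no DACL")
    ace_count = struct.unpack_from(ACL_HEADER, sd, off_dacl)[3]
    aces, pos = [], off_dacl + struct.calcsize(ACL_HEADER)
    for _ in range(ace_count):
        size = struct.unpack_from("<H", sd, pos + 2)[0]           # AceSize field of the ACE header
        aces.append(bytearray(sd[pos:pos + size]))
        pos += size
    return fields, owner, group, sacl, aces


def change_password_trustee(ace):
    """Trustee SID string if this object ACE carries the User-Change-Password right, else None."""
    if ace[0] not in (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
        return None
    mask, flags = struct.unpack_from("<II", ace, 4)
    if not (flags & ACE_OBJECT_TYPE_PRESENT) or not (mask & ADS_RIGHT_DS_CONTROL_ACCESS):
        return None
    if bytes(ace[12:28]) != CHANGE_PASSWORD_GUID.bytes_le:       # GUIDs are stored in bytes_le layout
        return None
    sid_off = 28 + (16 if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT else 0)
    return parse_sid(ace, sid_off)[0]


def set_user_cannot_change_password(sd, deny=True):
    """Return (new_sd, n_changed) with the Everyone/SELF change-password ACEs set to deny (or allow)
    and the DACL re-emitted in canonical order: explicit deny, explicit allow, inherited."""
    fields, owner, group, sacl, aces = split_sd(sd)
    wanted = ACCESS_DENIED_OBJECT_ACE_TYPE if deny else ACCESS_ALLOWED_OBJECT_ACE_TYPE
    changed = 0
    for ace in aces:
        if change_password_trustee(ace) in (EVERYONE_SID, SELF_SID) and ace[0] != wanted:
            ace[0] = wanted                                        # AceType is the first header byte
            changed += 1
    explicit = [a for a in aces if not a[1] & INHERITED_ACE]
    ordered = ([a for a in explicit if a[0] in DENY_ACE_TYPES]
               + [a for a in explicit if a[0] not in DENY_ACE_TYPES]
               + [a for a in aces if a[1] & INHERITED_ACE])
    body = b"".join(bytes(a) for a in ordered)
    acl_rev, acl_sbz1, _, _, acl_sbz2 = struct.unpack_from(ACL_HEADER, sd, fields[6])
    dacl = struct.pack(ACL_HEADER, acl_rev, acl_sbz1, 8 + len(body), len(ordered), acl_sbz2) + body
    blobs, offsets, pos = [], [], struct.calcsize(SD_HEADER)
    for blob in (owner, group, sacl, dacl):                        # re-pack with fresh offsets
        offsets.append(pos if blob else 0)
        blobs.append(blob)
        pos += len(blob)
    return struct.pack(SD_HEADER, *fields[:3], *offsets) + b"".join(blobs), changed


def _object_ace(ace_type, sid, guid):
    body = struct.pack("<II", ADS_RIGHT_DS_CONTROL_ACCESS, ACE_OBJECT_TYPE_PRESENT) + guid.bytes_le + build_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sample_sd():
    """Constructed sample (not captured from a directory): a DACL-only self-relative SD in which
    Everyone and SELF are allowed User-Change-Password, i.e. the user CAN change the password."""
    aces = [_object_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, EVERYONE_SID, CHANGE_PASSWORD_GUID),
            _object_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, SELF_SID, CHANGE_PASSWORD_GUID)]
    body = b"".join(aces)
    dacl = struct.pack(ACL_HEADER, 4, 0, 8 + len(body), len(aces), 0) + body   # ACL_REVISION_DS = 4
    control = 0x8000 | 0x0004                                                 # SE_SELF_RELATIVE | SE_DACL_PRESENT
    return struct.pack(SD_HEADER, 1, 0, control, 0, 0, 0, struct.calcsize(SD_HEADER)) + dacl


def apply_over_ldap(conn, dn, deny=True):
    """Read, rewrite and write back only the DACL of `dn` with python-ldap (assumed bound `conn`).
    The SD_FLAGS control restricts both operations to the DACL, so the SACL is never touched."""
    import ldap
    from ldap.controls import RequestControl
    # BER for the control value: SEQUENCE { INTEGER DACL_SECURITY_INFORMATION }
    ctrl = RequestControl(LDAP_SERVER_SD_FLAGS_OID, True, bytes([0x30, 0x03, 0x02, 0x01, DACL_SECURITY_INFORMATION]))
    entry = conn.search_ext_s(dn, ldap.SCOPE_BASE, "(objectClass=*)", ["nTSecurityDescriptor"], serverctrls=[ctrl])
    new_sd, changed = set_user_cannot_change_password(entry[0][1]["nTSecurityDescriptor"][0], deny)
    if changed:
        conn.modify_ext_s(dn, [(ldap.MOD_REPLACE, "nTSecurityDescriptor", [new_sd])], serverctrls=[ctrl])
    return changed
```

`set_user_cannot_change_password(build_sample_sd())` exercises the byte-level logic offline; `apply_over_ldap(conn, "CN=<user>,OU=<ou>,DC=<domain>", deny=True)` is the live path against a directory and only needs an account holding WriteDACL on the target object, not Domain Admin. Passing `deny=False` reverses the change. Because the DACL is rebuilt rather than patched in place, owner, group and SACL blobs (if present in the input) are carried across untouched with recomputed offsets.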
