February 19, 2018 › Brandon's IT Blog

Directory Services–Cannot Change Password – Constraint Violation nTSecurityDescriptor

Brandon / Active Directory, ASP.NET, C# / Leave a Comment

Recently I ran into an issue where trying to enable or disable the option ‘Cannot Change Password’ in Active Directory in my C# code. Using a Domain Administrator account the code worked perfectly fine, but when it was run under a non-administrator I would get “Constrain Violation Occurred” and the following exception

"0000051B: AtrErr: DSID-030F22B2, #1:\n\t0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)\n"

Now the user in question was delegated full control over the user object which made it more frustrating as it could be done manually within Active Directory Users and Computers. What I did find out is that if the non-administrator user was assigned the owner of the user in the security option the code would work and is what lead me to the answer.

You must have the DirectoryEntry.Options.SecurityMasks defined to SecurityMasks.Dacl for it to work for a non-administrator user.

Allow Change Password

public static void AllowChangePassword(DirectoryEntry user)
       {
           user.Options.SecurityMasks = SecurityMasks.Dacl;
  
           // Create a Guid that identifies the Change Password right.
           Guid changePasswordGuid =
               new Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}");
  
           // Get the ActiveDirectorySecurity for the user.
           ActiveDirectorySecurity userSecurity = user.ObjectSecurity;
  
           // Create a SecurityIdentifier object for "everyone".
           SecurityIdentifier everyoneSid =
               new SecurityIdentifier(WellKnownSidType.WorldSid, null);
  
           // Create a SecurityIdentifier object for "self".
           SecurityIdentifier selfSid =
               new SecurityIdentifier(WellKnownSidType.SelfSid, null);
  
           // Create an access rule to allow everyone the change password 
           // right. 
           // This is used to remove any existing access rules.
           ActiveDirectoryAccessRule allowEveryone =
               new ActiveDirectoryAccessRule(
                   everyoneSid,
                   ActiveDirectoryRights.ExtendedRight,
                   AccessControlType.Allow,
                   changePasswordGuid);
  
           // Create an access rule to deny everyone the change password right.
           ActiveDirectoryAccessRule denyEveryone =
               new ActiveDirectoryAccessRule(
                   everyoneSid,
                   ActiveDirectoryRights.ExtendedRight,
                   AccessControlType.Deny,
                   changePasswordGuid);
  
           // Create an access rule to allow self the change password right.
           // This is used to remove any existing access rules.
           ActiveDirectoryAccessRule allowSelf =
               new ActiveDirectoryAccessRule(
                   selfSid,
                   ActiveDirectoryRights.ExtendedRight,
                   AccessControlType.Allow,
                   changePasswordGuid);
  
           // Create an access rule to deny self the change password right.
           ActiveDirectoryAccessRule denySelf =
               new ActiveDirectoryAccessRule(
                   selfSid,
                   ActiveDirectoryRights.ExtendedRight,
                   AccessControlType.Deny,
                   changePasswordGuid);
  
           // Remove any existing rule that gives "everyone" the change 
           // password right.
           userSecurity.RemoveAccessRuleSpecific(denyEveryone);
  
           // Add a new access rule to deny "everyone" the change password 
           // right.
           userSecurity.AddAccessRule(allowEveryone);
  
           // Remove any existing rule that gives "self" the change password 
           // right.
           userSecurity.RemoveAccessRuleSpecific(denySelf);
  
           // Add a new access rule to deny "self" the change password right.
           userSecurity.AddAccessRule(allowSelf);
  
           // Commit the changes.
           user.CommitChanges();
  
           user.Options.SecurityMasks = SecurityMasks.None;
       }

Deny Change Password

public static void DenyChangePassword(DirectoryEntry user)
      {
          user.Options.SecurityMasks = SecurityMasks.Dacl;
          
          // Create a Guid that identifies the Change Password right.
          Guid changePasswordGuid =
              new Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}");
  
          // Get the ActiveDirectorySecurity for the user.
          ActiveDirectorySecurity userSecurity = user.ObjectSecurity;
  
          // Create a SecurityIdentifier object for "everyone".
          SecurityIdentifier everyoneSid =
              new SecurityIdentifier(WellKnownSidType.WorldSid, null);
  
          // Create a SecurityIdentifier object for "self".
          SecurityIdentifier selfSid =
              new SecurityIdentifier(WellKnownSidType.SelfSid, null);
  
          // Create an access rule to allow everyone the change password 
          // right. 
          // This is used to remove any existing access rules.
          ActiveDirectoryAccessRule allowEveryone =
              new ActiveDirectoryAccessRule(
                  everyoneSid,
                  ActiveDirectoryRights.ExtendedRight,
                  AccessControlType.Allow,
                  changePasswordGuid);
  
          // Create an access rule to deny everyone the change password right.
          ActiveDirectoryAccessRule denyEveryone =
              new ActiveDirectoryAccessRule(
                  everyoneSid,
                  ActiveDirectoryRights.ExtendedRight,
                  AccessControlType.Deny,
                  changePasswordGuid);
  
          // Create an access rule to allow self the change password right.
          // This is used to remove any existing access rules.
          ActiveDirectoryAccessRule allowSelf =
              new ActiveDirectoryAccessRule(
                  selfSid,
                  ActiveDirectoryRights.ExtendedRight,
                  AccessControlType.Allow,
                  changePasswordGuid);
  
          // Create an access rule to deny self the change password right.
          ActiveDirectoryAccessRule denySelf =
              new ActiveDirectoryAccessRule(
                  selfSid,
                  ActiveDirectoryRights.ExtendedRight,
                  AccessControlType.Deny,
                  changePasswordGuid);
  
          // Remove any existing rule that gives "everyone" the change 
          // password right.
          userSecurity.RemoveAccessRuleSpecific(allowEveryone);
  
          // Add a new access rule to deny "everyone" the change password 
          // right.
          userSecurity.AddAccessRule(denyEveryone);
  
          // Remove any existing rule that gives "self" the change password 
          // right.
          userSecurity.RemoveAccessRuleSpecific(allowSelf);
  
          // Add a new access rule to deny "self" the change password right.
          userSecurity.AddAccessRule(denySelf);
  
          // Commit the changes.
          user.CommitChanges();
  
          user.Options.SecurityMasks = SecurityMasks.None;
      }

Directory Services–Cannot Change Password – Constraint Violation nTSecurityDescriptor Read More »