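/// <summary>
/// Re-enables "user can change password" on a directory user object by
/// removing the explicit deny ACEs for the Change Password extended right
/// held by Everyone and Self, and adding the matching allow ACEs.
/// </summary>
/// <remarks>
/// The right handled here is Change Password (User-Change-Password), which
/// requires the caller to supply the current password. It is not the
/// Reset Password right, which should never be granted to Everyone.
/// The caller needs permission to modify the DACL of the target object.
/// </remarks>
/// <param name="user">The directory entry of the user whose DACL is updated.</param>
/// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
public static void AllowChangePassword(DirectoryEntry user)
{
    if (user == null)
    {
        throw new ArgumentNullException("user");
    }

    // Read and write only the DACL part of the security descriptor, so the
    // owner, group and SACL are not touched by the commit below.
    user.Options.SecurityMasks = SecurityMasks.Dacl;

    try
    {
        // Identifies the Change Password (User-Change-Password) extended right.
        Guid changePasswordGuid =
            new Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}");

        // Get the ActiveDirectorySecurity for the user.
        ActiveDirectorySecurity userSecurity = user.ObjectSecurity;

        // Well-known SIDs for "Everyone" and "Self".
        SecurityIdentifier everyoneSid =
            new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        SecurityIdentifier selfSid =
            new SecurityIdentifier(WellKnownSidType.SelfSid, null);

        // Allow rules: these are the ACEs that get added.
        ActiveDirectoryAccessRule allowEveryone =
            new ActiveDirectoryAccessRule(
                everyoneSid,
                ActiveDirectoryRights.ExtendedRight,
                AccessControlType.Allow,
                changePasswordGuid);
        ActiveDirectoryAccessRule allowSelf =
            new ActiveDirectoryAccessRule(
                selfSid,
                ActiveDirectoryRights.ExtendedRight,
                AccessControlType.Allow,
                changePasswordGuid);

        // Deny rules: these are only used as templates to locate and remove
        // the existing deny ACEs; they are never added.
        ActiveDirectoryAccessRule denyEveryone =
            new ActiveDirectoryAccessRule(
                everyoneSid,
                ActiveDirectoryRights.ExtendedRight,
                AccessControlType.Deny,
                changePasswordGuid);
        ActiveDirectoryAccessRule denySelf =
            new ActiveDirectoryAccessRule(
                selfSid,
                ActiveDirectoryRights.ExtendedRight,
                AccessControlType.Deny,
                changePasswordGuid);

        // Remove the deny ACEs first. RemoveAccessRuleSpecific removes only
        // an exact match, so any other explicit deny ACE covering this right
        // (different trustee, flags or scope) is left in place and can still
        // block the change. NOTE(review): verify the effective DACL after the
        // commit if the account was locked down by another tool.
        userSecurity.RemoveAccessRuleSpecific(denyEveryone);
        userSecurity.RemoveAccessRuleSpecific(denySelf);

        // Add the allow ACEs for "Everyone" and "Self".
        userSecurity.AddAccessRule(allowEveryone);
        userSecurity.AddAccessRule(allowSelf);

        // Write the modified DACL back to the directory.
        user.CommitChanges();
    }
    finally
    {
        // Reset the mask even when the commit fails (for example on access
        // denied), so a reused DirectoryEntry is not left in DACL-only mode.
        user.Options.SecurityMasks = SecurityMasks.None;
    }
}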