Check active directory attribute permission

Damian Brausch 1 Reputation point
2022-04-24T08:14:57.32+00:00

Hello,

In my small tool, I give the service desk user the ability to reset user passwords, as in the "Active Directory Users and Computers" console.
The user can also change some AD attributes.

Now I have a problem:
Admin-User1 = can do everything
Admin-User2 = is not allowed to write the attribute "UserCannotChangePassword".

Here is an example how I do it:
PrincipalContext AdPrincipalContextUsers = new PrincipalContext(ContextType.Domain, "DC01", @"MyDom.local\Admin-User2", "PWD123");
string strDistinguishedName = "CN=Test-User1,OU=Users,OU=MYC,DC=MyDom,DC=local";

UserPrincipal objAdUser = UserPrincipal.FindByIdentity(AdPrincipalContextUsers, strDistinguishedName);
objAdUser.UserCannotChangePassword = (bool)ChkUserCannotChangePassword.IsChecked;
objAdUser.Save();

I can intercept it with try/catch, but this is not a nice solution.

I would love to solve it like this: when the program starts, I check whether Admin-UserX has permission on the attribute. The checkbox is then "checkbox.enable=true", else "checkbox.enable=false".

Now my question:
How can I check the permission on the Active Directory attribute?

Thanks for your help.
Greeting D.Brausch

Developer technologies C#

2 answers

  1. Jack J Jun 25,296 Reputation points
    2022-04-25T02:09:21.95+00:00

    @Damian Brausch, based on my search, you could try the following code to check if a user has permission for the attribute "UserCannotChangePassword".

    // Requires: using System; using System.DirectoryServices; using System.DirectoryServices.AccountManagement;
    // _domain, _domainUser, _domainPass and the Logger helper are assumed to be defined elsewhere in the class.
    public static bool IsPasswordCannotBeChanged(DirectoryEntry user)
    {
        var isUserCantChangePass = false;

        try
        {
            // 1. Get SamAccountName
            var samAccountName = Convert.ToString(user.Properties["sAMAccountName"].Value);
            if (!string.IsNullOrEmpty(samAccountName))
            {
                // 2. Prepare domain context
                using (var domainContext = new PrincipalContext(ContextType.Domain, _domain, _domainUser, _domainPass))
                {
                    // 3. Find user (disposed together with the context)
                    using (var userPrincipal = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, samAccountName))
                    {
                        // 4. Read the "user cannot change password" flag (this is the attribute's value, not a permission check)
                        if (userPrincipal != null) isUserCantChangePass = userPrincipal.UserCannotChangePassword;
                    }
                }
            }
        }
        catch (Exception exc)
        {
            Logger.Write(exc);
        }

        return isUserCantChangePass;
    }
    

    I found the code in the above answer; you could look at it if you want to know more about it.

    Hope my code could help you.

    Best Regards,
    Jack


    If the answer is the right solution, please click "Accept Answer" and upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Damian Brausch 1 Reputation point
    2022-04-25T14:01:32+00:00

    Hello Jack

    I already have your solution; I just need to flip the code (see above).

    UserPrincipal objAdUser = UserPrincipal.FindByIdentity(AdPrincipalContextUsers, strDistinguishedName);
    // read the current value into the checkbox (the cast belongs on the right-hand side, not on the assignment target)
    ChkUserCannotChangePassword.IsChecked = objAdUser.UserCannotChangePassword;
    

    On the AD attributes, all domain users (to my knowledge) have read permissions.

    The attribute "UserCannotChangePassword" can be either true or false. I can query this. But I want to query whether the admin user can also write this value, without changing the value.
    Unfortunately I can't just write and, if it doesn't work, catch ... (Access Denied).

    It is about attribute permissions and not attribute values.

    Thanks, greetings D.Brausch
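A check that answers the question as asked (can the bound admin account write the attribute, without writing it), added here as an example; it is not code from the question or from either answer. It reads the `allowedAttributesEffective` constructed attribute, which the domain controller computes for the bound caller, and, because `UserCannotChangePassword` is stored as ACEs in `nTSecurityDescriptor` rather than as an attribute, scans the object's DACL for WriteDacl as an approximation (Deny ACEs and ACE ordering are not evaluated). `AdWriteCheck`, `ChkDescription` and the commented usage lines are my names built on the question's placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class AdWriteCheck
{
    // True if the account that bound 'entry' may write the named LDAP attribute.
    // allowedAttributesEffective is a constructed attribute the DC computes for the
    // bound caller, so this never attempts a write and never raises Access Denied.
    public static bool CanWriteAttribute(DirectoryEntry entry, string ldapAttribute)
    {
        entry.RefreshCache(new[] { "allowedAttributesEffective" });
        return entry.Properties["allowedAttributesEffective"].Cast<object>()
            .Any(a => string.Equals((string)a, ldapAttribute, StringComparison.OrdinalIgnoreCase));
    }

    // UserCannotChangePassword is not a plain attribute: UserPrincipal implements it
    // as deny ACEs for the "Change Password" control-access right in the object's
    // nTSecurityDescriptor, so writing it needs WriteDacl on the user object.
    // Approximation (assumption): look for an Allow ACE granting WriteDacl (GenericAll
    // includes that bit) to the caller or one of its groups. Deny ACEs and ordering
    // are not evaluated, so "true" means "worth enabling the checkbox", not a proof.
    public static bool CallerHasWriteDacl(DirectoryEntry entry, UserPrincipal caller)
    {
        var sids = new HashSet<SecurityIdentifier> { caller.Sid };
        foreach (Principal g in caller.GetAuthorizationGroups())
            if (g.Sid != null) sids.Add(g.Sid);

        return entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))
            .Cast<ActiveDirectoryAccessRule>()
            .Any(r => r.AccessControlType == AccessControlType.Allow
                   && (r.ActiveDirectoryRights & ActiveDirectoryRights.WriteDacl) != 0
                   && sids.Contains((SecurityIdentifier)r.IdentityReference));
    }
}

// Usage with the question's names (credentials are the question's placeholders):
// var ctx = new PrincipalContext(ContextType.Domain, "DC01", @"MyDom.local\Admin-User2", "PWD123");
// var target = UserPrincipal.FindByIdentity(ctx, "CN=Test-User1,OU=Users,OU=MYC,DC=MyDom,DC=local");
// var entry = (DirectoryEntry)target.GetUnderlyingObject();   // bound with ctx's credentials
// var caller = UserPrincipal.FindByIdentity(ctx, "Admin-User2");
// ChkUserCannotChangePassword.IsEnabled = AdWriteCheck.CallerHasWriteDacl(entry, caller);
// ChkDescription.IsEnabled = AdWriteCheck.CanWriteAttribute(entry, "description"); // any other attribute the tool edits
```

Bind the PrincipalContext as the service desk account itself (as the question already does), not as a privileged service account, so the DC evaluates the rights of the user who will actually click the checkbox.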

