管理使用者密碼
本主題包含管理使用者密碼的資訊及程式碼範例。
下列 C# 程式碼範例示範如何藉由叫用 IADsUser::SetPassword 方法來設定使用者密碼。如需有關 IADsUser::SetPassword 的詳細資訊,請參閱 MSDN Library (網址為 https://go.microsoft.com/fwlink/?LinkID=27252 (本頁面可能為英文)) 中的<IADsUser::SetPassword>主題。
usr.Invoke("SetPassword", SecurelyStoredPassword);
下列 C# 程式碼範例示範如何藉由叫用 IADsUser::ChangePassword 方法來變更使用者密碼。如需有關 IADsUser::ChangePassword 的詳細資訊,請參閱 MSDN Library (網址為 https://go.microsoft.com/fwlink/?LinkID=27252 (本頁面可能為英文)) 中的<IADsUser::ChangePassword>。
usr.Invoke("ChangePassword", OldSecurelyStoredPassword, NewSecurelyStoredPassword);
下列 C# 程式碼範例示範如何設定使用者密碼,以在下次登入時要求變更密碼。它會將 pwdLastSet 屬性設定為 off (-1)。如需有關 adschema pwdLastSet 屬性的詳細資訊,請參閱 MSDN Library (網址為 https://go.microsoft.com/fwlink/?LinkID=27252 (本頁面可能為英文)) 中的<pwdLastSet>或<Pwd-Last-Set attribute>。
usr.Properties["pwdLastSet"].Value = -1; // To turn on, set this value to 0.
usr.CommitChanges();
下列 Visual Basic .NET 程式碼範例示範設定 ACE 以拒絕使用者變更其密碼之權限的功能。它使用使用 COM Interop 存取 ADSI 來存取 IADsSecurityDescriptor,以取得 ntSecurityDescriptor 屬性。然後它會使用 IADsAccessControlList 從安全性描述元與 IADsAccessControlEntry 取得 DACL,以取得 AceType、AceFlags、Trustee、Flags、ObjectType 以及 AccessMask 屬性。AceType 旗標定義於 ADS_ACETYPE_ENUM 中。AceFlags 定義於 ADS_FLAGTYPE_ENUM 中。AccessMask 旗標定義於 ADS_RIGHTS_ENUM 中。
Imports System
Imports System.DirectoryServices
Imports ActiveDs
Shared Sub DenyChangePassword(User As DirectoryEntry)
Const PASSWORD_GUID As String = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Dim trustees() As String = {"NT AUTHORITY\SELF", "EVERYONE"}
Dim sd As ActiveDs.IADsSecurityDescriptor = CType(User.Properties("ntSecurityDescriptor").Value,
ActiveDs.IADsSecurityDescriptor)
Dim acl As ActiveDs.IADsAccessControlList = CType(sd.DiscretionaryAcl,
ActiveDs.IADsAccessControlList)
Dim ace As New ActiveDs.AccessControlEntry()
Dim trustee As String
For Each trustee In trustees
ace.Trustee = trustee
ace.AceFlags = 0
ace.AceType = Fix(ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT)
ace.Flags = Fix(ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT)
ace.ObjectType = PASSWORD_GUID
ace.AccessMask = Fix(ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS)
acl.AddAce(ace)
Next trustee
sd.DiscretionaryAcl = acl
User.Properties("ntSecurityDescriptor").Value = sd
User.CommitChanges()
End Sub 'DenyChangePassword
下列 Visual Basic .NET 範例示範設定 ACE 以拒絕使用者變更其密碼之權限的功能。此範例使用可在 .NET Framework 2.0 使用的 Managed ACL 功能。
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Security.AccessControl
Sub DenyChangePassword(ByVal user As DirectoryEntry)
' Create a Guid that identifies the Change Password right.
Dim changePasswordGuid As New Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}")
' Get the ActiveDirectorySecurity for the user.
Dim userSecurity As ActiveDirectorySecurity = user.ObjectSecurity
' Create a SecurityIdentifier object for "everyone".
Dim everyoneSid As New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)
' Create a SecurityIdentifier object for "self".
Dim selfSid As New SecurityIdentifier(WellKnownSidType.SelfSid, Nothing)
' Create an access rule to allow everyone the change password
' right.
' This is used to remove any existing access rules.
Dim allowEveryone As New ActiveDirectoryAccessRule(everyoneSid, _
ActiveDirectoryRights.ExtendedRight, _
AccessControlType.Allow, _
changePasswordGuid)
' Create an access rule to deny everyone the change password right.
Dim denyEveryone As New ActiveDirectoryAccessRule(everyoneSid, _
ActiveDirectoryRights.ExtendedRight, _
AccessControlType.Deny, _
changePasswordGuid)
' Create an access rule to allow self the change password right.
' This is used to remove any existing access rules.
Dim allowSelf As New ActiveDirectoryAccessRule(selfSid, _
ActiveDirectoryRights.ExtendedRight, _
AccessControlType.Allow, _
changePasswordGuid)
' Create an access rule to deny self the change password right.
Dim denySelf As New ActiveDirectoryAccessRule(selfSid, _
ActiveDirectoryRights.ExtendedRight, _
AccessControlType.Deny, _
changePasswordGuid)
' Remove any existing rule that gives "everyone" the change
' password right.
userSecurity.RemoveAccessRuleSpecific(allowEveryone)
' Add a new access rule to deny "everyone" the change password
' right.
userSecurity.AddAccessRule(denyEveryone)
' Remove any existing rule that gives "self" the change password
' right.
userSecurity.RemoveAccessRuleSpecific(allowSelf)
' Add a new access rule to deny "self" the change password right.
userSecurity.AddAccessRule(denySelf)
' Commit the changes.
user.CommitChanges()
End Sub 'DenyChangePassword
下列 C# 程式碼範例示範設定 ACE 以拒絕使用者變更其密碼之權限的功能。它使用使用 COM Interop 存取 ADSI 來存取 IADsSecurityDescriptor,以取得 ntSecurityDescriptor 屬性。然後它會使用 IADsAccessControlList 從安全性描述元與 IADsAccessControlEntry 取得 DACL,以取得 AceType、AceFlags、Trustee、Flags、ObjectType 以及 AccessMask 屬性。AceType 旗標定義於 ADS_ACETYPE_ENUM 中。AceFlags 定義於 ADS_FLAGTYPE_ENUM 中。AccessMask 旗標定義於 ADS_RIGHTS_ENUM 中。
using System;
using System.DirectoryServices;
using ActiveDs;
static void DenyChangePassword(DirectoryEntry User)
{
const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
const int ADS_UF_PASSWORD_EXPIRED=0x800000;
const int ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION=0x1000000;
string[] trustees = new string[]{@"NT AUTHORITY\SELF","EVERYONE"};
ActiveDs.IADsSecurityDescriptor sd = (ActiveDs.IADsSecurityDescriptor)
User.Properties["ntSecurityDescriptor"].Value;
ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList) sd.DiscretionaryAcl;
ActiveDs.IADsAccessControlEntry ace = new ActiveDs.AccessControlEntry();
foreach(string trustee in trustees)
{
ace.Trustee = trustee;
ace.AceFlags = 0;
ace.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
ace.ObjectType = PASSWORD_GUID;
ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
acl.AddAce(ace);
}
sd.DiscretionaryAcl = acl;
User.Properties["ntSecurityDescriptor"].Value = sd;
User.CommitChanges();
}
下列 C# 範例示範設定 ACE 以拒絕使用者變更其密碼之權限的功能。此範例使用可在 .NET Framework 2.0 使用的 Managed ACL 功能。
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Security.AccessControl;
static void DenyChangePassword(DirectoryEntry user)
{
// Create a Guid that identifies the Change Password right.
Guid changePasswordGuid =
new Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}");
// Get the ActiveDirectorySecurity for the user.
ActiveDirectorySecurity userSecurity = user.ObjectSecurity;
// Create a SecurityIdentifier object for "everyone".
SecurityIdentifier everyoneSid =
new SecurityIdentifier(WellKnownSidType.WorldSid, null);
// Create a SecurityIdentifier object for "self".
SecurityIdentifier selfSid =
new SecurityIdentifier(WellKnownSidType.SelfSid, null);
// Create an access rule to allow everyone the change password
// right.
// This is used to remove any existing access rules.
ActiveDirectoryAccessRule allowEveryone =
new ActiveDirectoryAccessRule(
everyoneSid,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Allow,
changePasswordGuid);
// Create an access rule to deny everyone the change password right.
ActiveDirectoryAccessRule denyEveryone =
new ActiveDirectoryAccessRule(
everyoneSid,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Deny,
changePasswordGuid);
// Create an access rule to allow self the change password right.
// This is used to remove any existing access rules.
ActiveDirectoryAccessRule allowSelf =
new ActiveDirectoryAccessRule(
selfSid,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Allow,
changePasswordGuid);
// Create an access rule to deny self the change password right.
ActiveDirectoryAccessRule denySelf =
new ActiveDirectoryAccessRule(
selfSid,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Deny,
changePasswordGuid);
// Remove any existing rule that gives "everyone" the change
// password right.
userSecurity.RemoveAccessRuleSpecific(allowEveryone);
// Add a new access rule to deny "everyone" the change password
// right.
userSecurity.AddAccessRule(denyEveryone);
// Remove any existing rule that gives "self" the change password
// right.
userSecurity.RemoveAccessRuleSpecific(allowSelf);
// Add a new access rule to deny "self" the change password right.
userSecurity.AddAccessRule(denySelf);
// Commit the changes.
user.CommitChanges();
}
下列程式碼範例示範如何將密碼設定為永不過期。它使用 Properties 方法來存取 userAccountControl 屬性,以設定定義於 ADS_USER_FLAG_ENUM 中的 ADS_UF_DONT_EXPIRE_PASSWD 旗標。
Shared Sub DontExpirePassword(User As DirectoryEntry)
Dim val As Integer
Const ADS_UF_DONT_EXPIRE_PASSWD As Integer = &H10000
val = Fix(User.Properties("userAccountControl").Value)
User.Properties("userAccountControl").Value = val Or ADS_UF_DONT_EXPIRE_PASSWD
User.CommitChanges()
End Sub 'DontExpirePassword
using System;
using System.DirectoryServices;
using ActiveDs;
static void DontExpirePassword(DirectoryEntry User)
{
int val;
const int ADS_UF_DONT_EXPIRE_PASSWD =0x10000;
val = (int) User.Properties["userAccountControl"].Value;
User.Properties["userAccountControl"].Value = val |
ADS_UF_DONT_EXPIRE_PASSWD;
User.CommitChanges();
}
請參閱
參考
概念
Send comments about this topic to Microsoft.
Copyright © 2007 by Microsoft Corporation.All rights reserved.