What permissions do I have to delegate in order to set UserCannotChangePassword in Active Directory through a C# UserPrincipal

Posted by Deadly on 2019-12-22 05:34:29

Question


This seemed to have been asked a few years ago at Constraint violation when trying to set "User Cannot Change Password" in active directory from c# but no response actually answered the question sufficiently.

I tried reviving the thread because I wanted to hear specifically from the originator as to whether he had solved the issue, but my response was deleted as it is, admittedly, an old question. I hope Resorath sees this as he may have more insight into the problem!

Basically, the problem boils down to lack of permissions.

More specifically, I have created a service account and delegated full modify permissions (checked all the boxes in the "Descendant User objects" list of the "Advanced" security settings DACL list of AD Users and Computers... including the ones that appeared after manually editing some file). Yes, this includes the ntSecurityDescriptor. Also, this includes the "Modify permissions" of the "Descendant account objects" as well.

When I create a PrincipalContext using this user, and create or load a UserPrincipal using that context, I am able to modify literally everything relating to that user except the UserCannotChangePassword property. Upon attempting to save the user, I get an "A constraint violation has occurred" error.

Please note: When adding the service account to the DomainAdmins group, I am able to make this change. Also, if I set the account as the owner of the user object I am also able to make this change. To me, this clearly signals that there is a permission I am missing.

I have searched for hours to find information that might help me on this, and have at this point exhausted my google-fu abilities.

Here is a link to the issue I opened in the corefx GitHub page... https://github.com/dotnet/corefx/issues/34193 This includes a sample application demonstrating the problem.

Thanks!


Answer 1:


It was brought to my attention I never posted the solution I was given here. It is a bug in the corefx library and there is a fix we haven't gotten around to implementing and making a PR for in the issue I mentioned, https://github.com/dotnet/corefx/issues/34193 . If anyone else needs this then feel free to fix it yourselves as well... Hopefully by the time anyone else sees this it will have been fixed :-)
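Background for the thread above, as an added example that is not part of the original question or answer and is not corefx code: Active Directory does not store "User cannot change password" as an ordinary attribute. Microsoft's documented procedure represents it as two object-deny ACEs for the Change Password extended right in the user's DACL, one for Everyone and one for SELF. The Python sketch below reads that state from an SDDL string so a delegation can be checked offline; the sample descriptors and the three state labels are constructed for this example.

```python
import re

# Well-known GUID of the "Change Password" extended right (User-Change-Password).
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, SDDL code "CR"
TRUSTEES = {"WD": "Everyone", "S-1-1-0": "Everyone",
            "PS": "SELF", "S-1-5-10": "SELF"}

def dacl_aces(sddl):
    """Yield (type, flags, rights, object_guid, trustee) for each ACE in the D: part."""
    m = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    if not m:
        return
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) >= 6:
            yield f[0], f[1], f[2], f[3].lower(), f[5]

def has_control_access(rights):
    """True if the rights field (hex or two-letter codes) includes CR."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in re.findall("..", rights)

def cannot_change_password_state(sddl):
    """Return 'denied', 'partial' or 'allowed' (labels chosen for this example)."""
    denied = set()
    for ace_type, flags, rights, guid, trustee in dacl_aces(sddl):
        if ace_type != "OD" or "IO" in re.findall("..", flags):
            continue  # not an object-deny ACE, or inherit-only (not effective here)
        if (guid == CHANGE_PASSWORD_GUID and has_control_access(rights)
                and trustee in TRUSTEES):
            denied.add(TRUSTEES[trustee])
    if denied == {"Everyone", "SELF"}:
        return "denied"
    return "partial" if denied else "allowed"

# Constructed sample descriptors (not taken from a real directory).
SET = ("O:DAG:DAD:AI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
       "(OD;;CR;AB721A53-1E2F-11D0-9819-00AA0040529B;;PS)(A;;RPWPCR;;;DA)")
UNSET = ("O:DAG:DAD:AI(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
         "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)")
HALF = "D:(OD;;0x100;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)"

if __name__ == "__main__":
    for name, sd in (("SET", SET), ("UNSET", UNSET), ("HALF", HALF)):
        print(name, cannot_change_password_state(sd))
```

Because the flag lives in the DACL, changing it is a write to the object's security descriptor rather than to a regular user attribute.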



Source: https://stackoverflow.com/questions/54025191/what-permissions-do-i-have-to-delegate-in-order-to-set-usercannotchangepassword
