Active Directory attributes

2023-09-08 13:04:52 Author: 京城扛把子


With help from two people on Stack Overflow, I've figured out how to set the "user cannot change password" option using the code below. I'm now trying to figure out how to remove the property. I thought setting the denied flag to "allow" would work, but it seems to do nothing. I would like the code to use DirectoryEntry and not PrincipalContext if possible, as I'm not sure if my app will be using .NET 3.5 on all the servers. Any help on this would be greatly appreciated.

    // GUID of the Change Password control access right (User-Change-Password).
    string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
    string[] trustees = { "NT AUTHORITY\\SELF", "EVERYONE" };

    // User is a DirectoryEntry bound to the account being modified.
    ActiveDs.IADsSecurityDescriptor sd = (ActiveDs.IADsSecurityDescriptor)User.Properties["ntSecurityDescriptor"].Value;
    ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;
    ActiveDs.AccessControlEntry ace = new ActiveDs.AccessControlEntry();

    double denied = (double)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
    double objectType = (double)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
    double dsControl = (double)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;

    // Add an object-specific deny ACE on the Change Password right for each trustee.
    foreach (string trustee in trustees) {
        ace.Trustee = trustee;
        ace.AceFlags = 0;
        ace.AceType = Convert.ToInt32(Math.Floor(denied));
        ace.Flags = Convert.ToInt32(Math.Floor(objectType));
        ace.ObjectType = PASSWORD_GUID;
        ace.AccessMask = Convert.ToInt32(Math.Floor(dsControl));

        acl.AddAce(ace);
    }

    // Write the modified DACL back to the user object.
    sd.DiscretionaryAcl = acl;
    User.Properties["ntSecurityDescriptor"].Value = sd;
    User.CommitChanges();

Solution

I much prefer using the System.DirectoryServices.AccountManagement namespace for this kind of thing (requires .NET 3.5 or higher, I think). Your call becomes much simpler with those objects:

using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "Domain"))
{
    UserPrincipal up = UserPrincipal.FindByIdentity(pc, "Domain\\User");
    up.UserCannotChangePassword = false;
    up.Save();
}
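
For the DirectoryEntry-only case the question asks about, the deny ACEs can be removed through `DirectoryEntry.ObjectSecurity`, which does not need .NET 3.5. The code below is an added example, not code from either poster: the class and method names are hypothetical, and re-adding explicit allow ACEs for SELF and Everyone is an assumption about the desired end state.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class ChangePasswordAcl // hypothetical name
{
    // Change Password control access right, the same GUID the question uses.
    static readonly Guid ChangePassword = new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");

    // Pass a DirectoryEntry already bound to the user. Returns the number of deny ACEs removed.
    public static int AllowUserToChangePassword(DirectoryEntry user)
    {
        // Read and write only the DACL, so the commit does not also try to
        // write the owner, group or SACL (which needs more privilege).
        user.Options.SecurityMasks = SecurityMasks.Dacl;
        user.RefreshCache(new string[] { "ntSecurityDescriptor" });

        ActiveDirectorySecurity sec = user.ObjectSecurity;
        SecurityIdentifier self = new SecurityIdentifier(WellKnownSidType.SelfSid, null);
        SecurityIdentifier everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        int removed = 0;

        // Explicit rules only: the ACEs in the question were added on the user object itself.
        // GetAccessRules returns a copy, so removing rules while iterating is safe.
        foreach (ActiveDirectoryAccessRule rule in sec.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            bool denyChangePassword =
                rule.AccessControlType == AccessControlType.Deny &&
                rule.ObjectType == ChangePassword &&
                (rule.ActiveDirectoryRights & ActiveDirectoryRights.ExtendedRight) != 0;
            bool targetTrustee = rule.IdentityReference.Equals(self) || rule.IdentityReference.Equals(everyone);
            if (denyChangePassword && targetTrustee)
            {
                sec.RemoveAccessRuleSpecific(rule); // exact match, leaves other deny ACEs alone
                removed++;
            }
        }

        // Assumption: the account should end up with explicit allow ACEs for both trustees.
        foreach (SecurityIdentifier sid in new SecurityIdentifier[] { self, everyone })
            sec.AddAccessRule(new ActiveDirectoryAccessRule(
                sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, ChangePassword));

        user.CommitChanges(); // persists the modified DACL
        return removed;
    }
}
```

Matching on well-known SIDs rather than the strings "NT AUTHORITY\SELF" and "EVERYONE" keeps the comparison independent of the server's display language.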