query user cannot change their password on ntSecurityDescriptor #491
viniciogomez89 started this conversation in General
Replies: 0 comments
To get the flag "User cannot change their password".
Example with LdapTools:
```php
<?php
use LdapTools\Connection\LdapControl;
use LdapTools\Connection\LdapControlType;
use LdapTools\Security\SecurityDescriptor;
use LdapTools\Security\SID;
use LdapTools\Security\Ace\AceRights;

// Assumes $ldap is an already-constructed LdapTools\LdapManager instance.

// The SD Flags control (value 7 = OWNER | GROUP | DACL) is needed to get the security descriptor back...
$sdControl = new LdapControl(LdapControlType::SD_FLAGS_CONTROL, true, LdapControl::berEncodeInt(7));
$ldap->getConnection()->setControl($sdControl);

$user = $ldap->buildLdapQuery()
    ->fromUsers()
    ->where(['username' => 'SomeUser'])
    // The ntSecurityDescriptor is what describes permissions against that object...
    ->select('ntSecurityDescriptor')
    // Paging must be set to false, otherwise it interferes with the SD Flags control we set...
    ->setUsePaging(false)
    ->getLdapQuery()
    ->getSingleResult();

// Instantiate a new Security Descriptor class that decodes and represents all of the AD permissions...
$sd = new SecurityDescriptor($user->get('ntSecurityDescriptor'));

// The DACL is what contains all of your ACEs, so loop through it.
// We will check specifically if this user cannot change their own password.
foreach ($sd->getDacl()->getAces() as $ace) {
    // Ignore any ACEs that allow access
    if ($ace->isAllowAce()) {
        continue;
    }
    // This will check if the user is setup so they cannot change their own password...
    // (deny ACE for the SELF trustee on the User-Change-Password extended right)
    if ((string) $ace->getTrustee() === SID::SHORT_NAME['PS'] && (string) $ace->getObjectType() === AceRights::EXTENDED['CHANGE_PASSWORD']) {
        echo "User cannot change their password.".PHP_EOL;
    }
}
```
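The post above relies on LdapTools' `SecurityDescriptor` class to decode the binary `ntSecurityDescriptor`. As an added example (not code from the post or from LdapTools), the following Python script does that decoding by hand so the check is visible end to end: it parses a self-relative security descriptor (MS-DTYP 2.4.6), its DACL (2.4.5), each ACE (2.4.4) and SID (2.4.2), and then looks for `ACCESS_DENIED_OBJECT_ACE` entries on the User-Change-Password control-access right (`ab721a53-1e2f-11d0-9819-00aa0040529b`). This is what the flag really is: not a `userAccountControl` bit, but two deny ACEs that Windows writes for SELF (`S-1-5-10`, SDDL short name `PS`) and Everyone (`S-1-1-0`, `WD`). The example goes one step beyond the post by treating a deny for either trustee as effective, skipping inherit-only ACEs, and ignoring the SACL entirely (the SD Flags value 7 used in the post already omits it, which avoids needing `SeSecurityPrivilege`). The two sample descriptors are constructed in the script; the function names are my own.

```python
"""Decode a raw ntSecurityDescriptor and find the deny ACEs behind
"User cannot change their password". Added example, not LdapTools code;
the sample descriptors at the bottom are constructed, not captured."""
import struct
import uuid

USER_CHANGE_PASSWORD = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b")
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # mask bit carrying control-access (extended) rights
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE = 0x00, 0x06
OBJECT_ACE_TYPES = {0x05, 0x06, 0x07, 0x08}
ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2
INHERIT_ONLY_ACE = 0x08  # ACE applies to child objects only, not to this object
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
SID_SELF, SID_EVERYONE = "S-1-5-10", "S-1-1-0"  # SDDL short names PS and WD


def parse_sid(buf, off):
    """Return (string SID, offset after it) for the SID at buf[off:]."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), off + 8 + 4 * count


def parse_acl(buf, off):
    """Return the ACEs of the ACL at buf[off:] as dicts (object-type GUID decoded if present)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        p, object_type = pos + 8, None
        if ace_type in OBJECT_ACE_TYPES:
            obj_flags = struct.unpack_from("<I", buf, p)[0]
            p += 4
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                object_type = uuid.UUID(bytes_le=bytes(buf[p:p + 16]))  # mixed-endian GUID
                p += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                p += 16  # InheritedObjectType GUID is not needed for this check
        trustee, _ = parse_sid(buf, p)
        aces.append({"type": ace_type, "flags": ace_flags, "mask": mask,
                     "object_type": object_type, "trustee": trustee})
        pos += ace_size
    return aces


def parse_dacl(sd):
    """Return the DACL ACEs of a self-relative SD, or [] when no DACL is present."""
    rev, _sbz1, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    return parse_acl(sd, dacl_off)


def change_password_denied_to(sd):
    """Trustees holding an effective deny on User-Change-Password for this object."""
    denied = set()
    for ace in parse_dacl(sd):
        if ace["type"] != ACCESS_DENIED_OBJECT_ACE_TYPE or ace["flags"] & INHERIT_ONLY_ACE:
            continue  # allow ACEs never set the flag; inherit-only ACEs do not bind this object
        if ace["mask"] & ADS_RIGHT_DS_CONTROL_ACCESS and ace["object_type"] == USER_CHANGE_PASSWORD:
            denied.add(ace["trustee"])
    return denied


def cannot_change_password(sd):
    """True when SELF or Everyone is denied the right; either alone blocks the user."""
    return bool(change_password_denied_to(sd) & {SID_SELF, SID_EVERYONE})


# --- constructed sample descriptors (hypothetical, built here for the demo) ---
def _sid_bytes(sid):
    parts = [int(p) for p in sid.split("-")[1:]]  # revision, authority, sub-authorities
    subs = parts[2:]
    return bytes([parts[0], len(subs)]) + parts[1].to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def _ace(ace_type, sid, mask, guid=None, ace_flags=0):
    body = struct.pack("<I", mask)
    if guid is not None:  # object ACE: flags word + ObjectType GUID, no InheritedObjectType
        body += struct.pack("<I", ACE_OBJECT_TYPE_PRESENT) + guid.bytes_le
    body += _sid_bytes(sid)
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body


def build_sd(aces):
    """Self-relative SD carrying only a DACL (owner, group and SACL omitted, offsets 0)."""
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body  # ACL_REVISION_DS
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl


FLAG_SET = build_sd([  # what ADUC writes when the box is ticked, plus an unrelated allow
    _ace(ACCESS_DENIED_OBJECT_ACE_TYPE, SID_EVERYONE, ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD),
    _ace(ACCESS_DENIED_OBJECT_ACE_TYPE, SID_SELF, ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD),
    _ace(ACCESS_ALLOWED_ACE_TYPE, SID_SELF, 0x20),
])
FLAG_CLEAR = build_sd([  # an inherit-only deny is present but does not apply to this object
    _ace(ACCESS_ALLOWED_ACE_TYPE, SID_SELF, 0x20),
    _ace(ACCESS_DENIED_OBJECT_ACE_TYPE, SID_SELF, ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD, INHERIT_ONLY_ACE),
])

if __name__ == "__main__":
    print("flag set:  ", cannot_change_password(FLAG_SET), sorted(change_password_denied_to(FLAG_SET)))
    print("flag clear:", cannot_change_password(FLAG_CLEAR), sorted(change_password_denied_to(FLAG_CLEAR)))
```

To run it against a real object, feed `cannot_change_password()` the raw bytes of `ntSecurityDescriptor` as returned by the query in the post (with the SD Flags control set and paging disabled); the constructed `FLAG_SET`/`FLAG_CLEAR` descriptors only stand in for that value here.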