A Complex ADSI Example

Example 26-2 addresses a real-life question that gets asked nearly every week in the Microsoft newsgroups: how to delegate the ability to unlock an account, reset a password, and set the flag that forces the user to change the password at the next logon.

Example 26-2. Delegating unlock, password reset, and must change password flag

Option Explicit

'**************************************************************************
'Modify these to change your trustee and target for the ACL mod
'**************************************************************************
Const TRUSTEE="AMER\PasswordAdmin"
Const OBJPATH="ou=myOU,dc=amer,dc=mycorp,dc=com"

'**************************************************************************
'Attribute, Class, Control Access Right constants
'**************************************************************************
Const ATTRIB_LOCKOUTTIME_GUID = "{28630EBF-41D5-11D1-A9C1-0000F80367C1}"
Const ATTRIB_PWDLASTSET_GUID = "{BF967A0A-0DE6-11D0-A285-00AA003049E2}"
Const CLASS_USER_GUID = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"
Const CAR_RESETPWD_GUID = "{00299570-246D-11D0-A768-00AA006E0529}"

'**************************************************************************
'AccessMask constants
'**************************************************************************
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_WRITE = &H40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_RIGHT_GENERIC_ALL = &H10000000
Const ...
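To review who holds this delegation afterwards, the following added example (not part of the book's listing) scans an OU's security descriptor in SDDL form for allow ACEs that grant the rights named by the GUID constants in Example 26-2 to user objects. The SDDL export, the sample SIDs, and the function names are assumptions made for illustration.

```python
import re

# GUIDs from Example 26-2, in the brace-less lowercase form SDDL uses
ATTRIB_LOCKOUTTIME_GUID = "28630ebf-41d5-11d1-a9c1-0000f80367c1"
ATTRIB_PWDLASTSET_GUID = "bf967a0a-0de6-11d0-a285-00aa003049e2"
CLASS_USER_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"
CAR_RESETPWD_GUID = "00299570-246d-11d0-a768-00aa006e0529"
# (SDDL right, object GUID) -> what the ACE lets the trustee do
DELEGATED = {
    ("WP", ATTRIB_LOCKOUTTIME_GUID): "unlock account",
    ("WP", ATTRIB_PWDLASTSET_GUID): "set must-change-password flag",
    ("CR", CAR_RESETPWD_GUID): "reset password",
}
MASK_BITS = {"WP": 0x20, "CR": 0x100}  # write property, control access

def pairs(field):
    """Split a run of two-letter SDDL codes such as 'CIIO' or 'RPWP'."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def rights_of(field):
    """Rights are letter codes ('RPWP') or a hex access mask ('0x120')."""
    if field.lower().startswith("0x"):
        return {r for r, bit in MASK_BITS.items() if int(field, 16) & bit}
    return pairs(field)

def audit_delegations(ou_sddl):
    """Return sorted (trustee SID, capability) pairs that reach user objects."""
    findings = set()
    for body in re.findall(r"\(([^()]*)\)", ou_sddl):
        fields = body.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue  # not a plain allow ACE
        flags, rights, obj, inherit, sid = fields[1:6]
        if "CI" not in pairs(flags) or inherit.lower() not in ("", CLASS_USER_GUID):
            continue  # stays on the OU itself, or inherited by another class
        for (right, guid), capability in DELEGATED.items():
            # an empty object GUID covers every property / extended right
            if right in rights_of(rights) and obj.lower() in ("", guid):
                findings.add((sid, capability))
    return sorted(findings)

# Constructed sample DACL; both SIDs are made up for the example
PWADMIN, OTHER = "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-1106"
SAMPLE_SDDL = "O:DAG:DAD:AI" + "".join([
    f"(OA;CIIO;WP;{ATTRIB_LOCKOUTTIME_GUID};{CLASS_USER_GUID};{PWADMIN})",
    f"(OA;CIIO;WP;{ATTRIB_PWDLASTSET_GUID};{CLASS_USER_GUID};{PWADMIN})",
    f"(OA;CIIO;0x100;{CAR_RESETPWD_GUID};{CLASS_USER_GUID};{PWADMIN})",
    f"(OA;;WP;{ATTRIB_LOCKOUTTIME_GUID};;{OTHER})",  # no CI: OU object only
])
```

Generic rights such as GA are not expanded, so a full-control ACE written in that form is outside what this check reports.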
