protected bool SetAccountStatus(DatastoreObject targetObject, object targetObjectIdentifier, bool enabled, bool skipMetaUpdate) { using (var transaction = this.context.BeginTransaction()) { // Read the current value first. We do not want to touch any other flags. int?numericUac; targetObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out numericUac); if (!numericUac.HasValue) { // This object does not have the userAccountControl attribute, so it probably is not an account. throw new DirectoryObjectOperationException(Resources.ObjectNotAccountMessage, targetObjectIdentifier); } var uac = (UserAccountControl)numericUac.Value; if (enabled) { // Clear the ADS_UF_ACCOUNTDISABLE flag uac &= ~UserAccountControl.Disabled; } else { // Set the ADS_UF_ACCOUNTDISABLE flag uac |= UserAccountControl.Disabled; } this.dataTableCursor.BeginEditForUpdate(); bool hasChanged = targetObject.SetAttribute <int>(CommonDirectoryAttributes.UserAccountControl, (int?)uac); this.CommitAttributeUpdate(targetObject, CommonDirectoryAttributes.UserAccountControl, transaction, hasChanged, skipMetaUpdate); return(hasChanged); } }
protected bool SetTest(DatastoreObject targetObject, object targetObjectIdentifier, string Test, bool skipMetaUpdate) { if (!targetObject.IsAccount) { throw new DirectoryObjectOperationException(Resources.ObjectNotAccountMessage, targetObjectIdentifier); } // TODO: Validator.ValidateRid // TODO: Test if the rid exists? using (var transaction = this.context.BeginTransaction()) { this.dataTableCursor.BeginEditForUpdate(); bool hasChanged = targetObject.SetAttribute(CommonDirectoryAttributes.Comment, Test); this.CommitAttributeUpdate(targetObject, CommonDirectoryAttributes.Comment, transaction, hasChanged, skipMetaUpdate); return(hasChanged); } }
protected bool SetAccountPasswordHash(DatastoreObject targetObject, object targetObjectIdentifier, byte[] newNtHash, SupplementalCredentials newSupplementalCredentials, byte[] bootKey, bool skipMetaUpdate) { // Validate input Validator.AssertLength(newNtHash, NTHash.HashSize, "newNtHash"); Validator.AssertNotNull(bootKey, "bootKey"); if (!targetObject.IsAccount) { throw new DirectoryObjectOperationException(Resources.ObjectNotSecurityPrincipalMessage, targetObjectIdentifier); } if (newSupplementalCredentials == null) { // Create empty supplemental credentials structure, beca newSupplementalCredentials = new SupplementalCredentials(); } // Load the password encryption key var pek = this.GetSecretDecryptor(bootKey); // Calculate LM hash // Note that AD uses a random value in LM hash history since 2003. byte[] lmHash = new byte[LMHash.HashSize]; new Random().NextBytes(lmHash); // Write the data using (var transaction = this.context.BeginTransaction()) { // Load account RID as it is used in the key derivation process SecurityIdentifier sid; targetObject.ReadAttribute(CommonDirectoryAttributes.ObjectSid, out sid); int rid = sid.GetRid(); // Start a database transaction this.dataTableCursor.BeginEditForUpdate(); // Encrypt and set NT hash byte[] encryptedNtHash = pek.EncryptHash(newNtHash, rid); targetObject.SetAttribute(CommonDirectoryAttributes.NTHash, encryptedNtHash); // Clear the LM hash (Default behavior since 2003) byte[] clear = null; targetObject.SetAttribute(CommonDirectoryAttributes.LMHash, clear); // Encrypt and set NT hash history byte[] encryptedNtHashHistory = pek.EncryptHashHistory(new byte[][] { newNtHash }, rid); targetObject.SetAttribute(CommonDirectoryAttributes.NTHashHistory, encryptedNtHashHistory); // Encrypt and set LM hash history. byte[] encryptedLmHashHistory = pek.EncryptHashHistory(new byte[][] { lmHash }, rid); targetObject.SetAttribute(CommonDirectoryAttributes.LMHashHistory, encryptedLmHashHistory); // Encrypt and set Supplemental Credentials byte[] encryptedSupplementalCredentials = pek.EncryptSecret(newSupplementalCredentials.ToByteArray()); targetObject.SetAttribute(CommonDirectoryAttributes.SupplementalCredentials, encryptedSupplementalCredentials); // Set the pwdLastSet attribute if (!skipMetaUpdate) { targetObject.SetAttribute(CommonDirectoryAttributes.PasswordLastSet, DateTime.Now); } // As supplementalCredentials contains salted values, we will always presume that the values of password attributes have changed. bool passwordHasChanged = true; string[] passwordAttributes = { CommonDirectoryAttributes.NTHash, CommonDirectoryAttributes.NTHashHistory, CommonDirectoryAttributes.LMHash, CommonDirectoryAttributes.LMHashHistory, CommonDirectoryAttributes.SupplementalCredentials, CommonDirectoryAttributes.PasswordLastSet }; this.CommitAttributeUpdate(targetObject, passwordAttributes, transaction, passwordHasChanged, skipMetaUpdate); return(passwordHasChanged); } }