DirectoryTree / LdapRecord

A fully-featured LDAP framework.
https://ldaprecord.com
MIT License

Create `ntSecurityDescriptor` utilities #681

Open stevebauman opened 8 months ago

stevebauman commented 8 months ago

@kbisignani was able to utilize LdapTools' ntSecurityDescriptor utilities to update them in LdapRecord.

https://github.com/DirectoryTree/LdapRecord/discussions/678#discussioncomment-8084934

```php
use LdapTools\Security\Ace\Ace;
use LdapTools\Security\Ace\AceRights;
use LdapTools\Security\SecurityDescriptor;
use LdapTools\Security\SID;

// Parse the raw binary descriptor from the model's first ntSecurityDescriptor value.
$sd = new SecurityDescriptor($user->getAttribute('ntsecuritydescriptor')[0]);

// Flip the Everyone ACE type to deny for the 'WD' SID ('WD' is the SID short name for "Everyone").
foreach ($sd->getDacl()->getAces() as $ace) {
    if ((string) $ace->getTrustee() === SID::SHORT_NAME['WD'] && (string) $ace->getObjectType() === AceRights::EXTENDED['CHANGE_PASSWORD']) {
        $ace->setType('OD');
    }
}

// OD is short for an object deny ace type...
$ace = (new Ace('OD'))
    // The SID of the user being granted the right ('PS' is the SID short name for "Principal Self").
    ->setTrustee('PS')
    // This is an extended access right for "User cannot change password"...
    ->setObjectType(AceRights::EXTENDED['CHANGE_PASSWORD'])
    // This sets the ACE with the "Control Access" right...
    ->setRights(new AceRights(AceRights::SHORT_NAME['CR']));
$sd->getDacl()->addAce($ace);

// Now set the new Security Descriptor value and save it
$user->setAttribute('ntSecurityDescriptor', $sd->toBinary());
$user->save();
```

LdapTools is MIT so we can port some of these utilities over and maintain credit to the original author with an @author tag.
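Added example, not code from the issue, from LdapRecord or from LdapTools: what an `ntSecurityDescriptor` utility has to do at the byte level. It parses the self-relative security descriptor that Active Directory returns, applies the same "User cannot change password" change the snippet above makes, and serialises the result back. Assumptions: PHP 7.4 or later on a 64-bit build (arrow functions and the `J` pack format); the constants are the MS-DTYP and SDDL values; every function name and the sample descriptor are constructed for this example.

```php
<?php
// Added example (not LdapRecord or LdapTools code): a minimal reader/writer for the self-relative
// SECURITY_DESCRIPTOR binary held in ntSecurityDescriptor, built on pack()/unpack() alone. Byte layouts
// follow MS-DTYP (SECURITY_DESCRIPTOR, ACL, *_OBJECT_ACE, SID); every function name is hypothetical.
const SE_DACL_PRESENT = 0x0004, SE_SELF_RELATIVE = 0x8000, ACL_REVISION_DS = 0x04;
const OBJ_TYPE_PRESENT = 0x1, INH_OBJ_TYPE_PRESENT = 0x2, INHERITED_ACE = 0x10, ADS_RIGHT_DS_CONTROL_ACCESS = 0x100; // 0x100 = SDDL "CR"
const ACE_TYPES = ['A' => 0x00, 'D' => 0x01, 'OA' => 0x05, 'OD' => 0x06];
const CHANGE_PASSWORD_GUID = 'ab721a53-1e2f-11d0-9819-00aa0040529b';
const SID_EVERYONE = 'S-1-1-0', SID_SELF = 'S-1-5-10';            // SDDL "WD" and "PS"
function sidToBinary(string $sid): string {                        // rev, sub count, 48-bit BE authority, LE subs
    $p = explode('-', $sid); $bin = pack('CC', (int) $p[1], count($p) - 3) . substr(pack('J', (int) $p[2]), 2);
    foreach (array_slice($p, 3) as $s) $bin .= pack('V', (int) $s);
    return $bin;
}
function sidFromBinary(string $bin, int $off): array {            // returns [sid, byte length]
    $h = unpack('Crev/Ccount', $bin, $off);
    $sid = 'S-' . $h['rev'] . '-' . unpack('J', "\0\0" . substr($bin, $off + 2, 6))[1];
    for ($i = 0; $i < $h['count']; $i++) $sid .= '-' . unpack('V', $bin, $off + 8 + 4 * $i)[1];
    return [$sid, 8 + 4 * $h['count']];
}
function guidToBinary(string $g): string {                         // Data1..Data3 little-endian, Data4 as written
    $x = str_replace('-', '', $g);
    return pack('VvvH*', hexdec(substr($x, 0, 8)), hexdec(substr($x, 8, 4)), hexdec(substr($x, 12, 4)), substr($x, 16));
}
function guidFromBinary(string $bin): string {
    $u = unpack('Va/vb/vc/H4d/H12e', $bin);
    return sprintf('%08x-%04x-%04x-%s-%s', $u['a'], $u['b'], $u['c'], $u['d'], $u['e']);
}
function objectAce(int $type, string $trustee, ?string $guid, int $mask): array {
    return ['type' => $type, 'flags' => 0, 'mask' => $mask, 'objectType' => $guid, 'inheritedObjectType' => null, 'trustee' => $trustee];
}
function parseAce(string $bin, int $off): array {                 // returns [ace, byte length]
    $h = unpack('Ctype/Cflags/vsize/Vmask', $bin, $off); $pos = $off + 8;
    $ace = ['type' => $h['type'], 'flags' => $h['flags'], 'mask' => $h['mask'], 'objectType' => null, 'inheritedObjectType' => null];
    if (in_array($h['type'], [ACE_TYPES['OA'], ACE_TYPES['OD']], true)) {   // object ACEs add flags + up to two GUIDs
        $of = unpack('V', $bin, $pos)[1]; $pos += 4;
        foreach (['objectType' => OBJ_TYPE_PRESENT, 'inheritedObjectType' => INH_OBJ_TYPE_PRESENT] as $k => $bit) {
            if ($of & $bit) { $ace[$k] = guidFromBinary(substr($bin, $pos, 16)); $pos += 16; }
        }
    }
    [$ace['trustee']] = sidFromBinary($bin, $pos);
    return [$ace, $h['size']];
}
function buildAce(array $a): string {
    $body = pack('V', $a['mask']);
    if (in_array($a['type'], [ACE_TYPES['OA'], ACE_TYPES['OD']], true)) {
        $body .= pack('V', ($a['objectType'] ? OBJ_TYPE_PRESENT : 0) | ($a['inheritedObjectType'] ? INH_OBJ_TYPE_PRESENT : 0));
        foreach ([$a['objectType'], $a['inheritedObjectType']] as $g) if ($g) $body .= guidToBinary($g);
    }
    $body .= sidToBinary($a['trustee']);
    return pack('CCv', $a['type'], $a['flags'], 4 + strlen($body)) . $body;
}
function parseSecurityDescriptor(string $bin): array {            // the SACL is skipped; see the note below
    $h = unpack('Crev/Csbz/vcontrol/Vowner/Vgroup/Vsacl/Vdacl', $bin);
    $sd = ['owner' => $h['owner'] ? sidFromBinary($bin, $h['owner'])[0] : null,
           'group' => $h['group'] ? sidFromBinary($bin, $h['group'])[0] : null, 'dacl' => null];
    if (($h['control'] & SE_DACL_PRESENT) && $h['dacl']) {
        $count = unpack('vcount', $bin, $h['dacl'] + 4)['count'];    // ACL header: rev, sbz1, size, count, sbz2
        for ($pos = $h['dacl'] + 8, $sd['dacl'] = []; $count-- > 0; $pos += $len) {
            [$ace, $len] = parseAce($bin, $pos);
            $sd['dacl'][] = $ace;
        }
    }
    return $sd;
}
function buildSecurityDescriptor(array $sd): string {
    $body = ''; $off = ['owner' => 0, 'group' => 0, 'dacl' => 0]; $control = SE_SELF_RELATIVE;
    foreach (['owner', 'group'] as $k) {                            // SIDs and the DACL follow the 20-byte header
        if ($sd[$k] !== null) { $off[$k] = 20 + strlen($body); $body .= sidToBinary($sd[$k]); }
    }
    if ($sd['dacl'] !== null) {
        $control |= SE_DACL_PRESENT; $off['dacl'] = 20 + strlen($body);
        $aces = implode('', array_map('buildAce', $sd['dacl']));
        $body .= pack('CCvvv', ACL_REVISION_DS, 0, 8 + strlen($aces), count($sd['dacl']), 0) . $aces;
    }
    return pack('CCvVVVV', 1, 0, $control, $off['owner'], $off['group'], 0, $off['dacl']) . $body;
}
// The issue snippet's change ("User cannot change password"), done idempotently: flip explicit Everyone/SELF allows to deny, add the SELF deny only if missing.
function denyChangePassword(string $sdBinary): string {
    $sd = parseSecurityDescriptor($sdBinary); $selfDone = false;
    foreach ($sd['dacl'] as $i => $ace) {
        if ($ace['objectType'] !== CHANGE_PASSWORD_GUID || ($ace['flags'] & INHERITED_ACE)) continue;
        if (in_array($ace['trustee'], [SID_EVERYONE, SID_SELF], true)) $sd['dacl'][$i]['type'] = ACE_TYPES['OD'];
        $selfDone = $selfDone || $ace['trustee'] === SID_SELF;
    }
    if (!$selfDone) $sd['dacl'][] = objectAce(ACE_TYPES['OD'], SID_SELF, CHANGE_PASSWORD_GUID, ADS_RIGHT_DS_CONTROL_ACCESS);
    // Canonical order: explicit denies ahead of explicit allows (the Windows ACL editor warns about anything else).
    $isDeny = fn(array $a): bool => !($a['flags'] & INHERITED_ACE) && in_array($a['type'], [ACE_TYPES['D'], ACE_TYPES['OD']], true);
    $sd['dacl'] = array_merge(array_filter($sd['dacl'], $isDeny), array_filter($sd['dacl'], fn($a) => !$isDeny($a)));
    return buildSecurityDescriptor($sd);
}
// Constructed sample (not from a directory): owner/group Administrators; Everyone may change password; Administrators full control.
$sample = buildSecurityDescriptor(['owner' => 'S-1-5-32-544', 'group' => 'S-1-5-32-544', 'dacl' => [
    objectAce(ACE_TYPES['OA'], SID_EVERYONE, CHANGE_PASSWORD_GUID, ADS_RIGHT_DS_CONTROL_ACCESS),
    objectAce(ACE_TYPES['A'], 'S-1-5-32-544', null, 0x000F01FF),
]]);
foreach (parseSecurityDescriptor(denyChangePassword($sample))['dacl'] as $ace)
    printf("type=0x%02x trustee=%-12s object=%s mask=0x%08x\n", $ace['type'], $ace['trustee'], $ace['objectType'] ?? '-', $ace['mask']);
```

Running it lists the two object-deny ACEs (Everyone, then SELF) ahead of the Administrators allow. Two things a real port has to handle that this sketch does not: the SACL, which is silently dropped here, and the LDAP_SERVER_SD_FLAGS_OID control (1.2.840.113556.1.4.801). Sending that control with DACL_SECURITY_INFORMATION on both the read and the write makes the server return and replace only the DACL; without it, a non-privileged read comes back without the SACL, and the write tries to replace owner, group and SACL as well, which needs rights beyond WRITE_DAC.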