Allows authorized users (e.g. BUILTIN\Administrators members) to
set attributes on an account, particularly "user cannot change
password".
Add become_root() around the attribute update, after checking that
access has been granted.
(This used to be commit
b1ab360519a1f67f50446ca8599e5b7aa58e7db3)
return NT_STATUS_ACCESS_DENIED;
}
- status = pdb_update_sam_account(sampass);
+ status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj");
+ if NT_STATUS_IS_OK(status) {
+ become_root();
+ status = pdb_update_sam_account(sampass);
+ unbecome_root();
+ }
TALLOC_FREE(sampass);
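Review bot: The added guard `if NT_STATUS_IS_OK(status) {` has no parentheses of its own, so it presumably compiles only because the macro expands to a parenthesized expression. Write `if (NT_STATUS_IS_OK(status)) {` so the check in front of the privileged section does not depend on how the macro is defined. The become_root()/unbecome_root() pair is correctly limited to the single pdb_update_sam_account() call, and a comment would help keep it that way, for example `/* access verified against acc_granted above; root is needed only for the passdb write */`. The enclosing function starts and ends outside the hunk, so it is not visible here whether sampass is modified before the access check or how a denied status is returned after TALLOC_FREE(sampass).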