Security ID Structure Invalid: getting this error when setting the new SecurityDescriptor for AD user properties

I am trying to set a user option in an AD account. While creating the account, I am trying to set the option "User Cannot Change Password".

But I am getting the "Security ID Structure invalid" error when trying to set the value of the new security descriptor.

Here is the sample code:

            string[] trustees = new string[] { @"NT AUTHORITY\SELF", "EVERYONE" };

            IADsSecurityDescriptor sd = (IADsSecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
            IADsAccessControlList acl = (IADsAccessControlList)sd.DiscretionaryAcl;
            IADsAccessControlEntry ace = new AccessControlEntry();
            foreach (string trustee in trustees)    
            {
                ace.Trustee = trustee;
                ace.AceFlags = 0;
                //For remove 'User cannot change password' selection
                //ace.AceType = (int) ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
                ace.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
                ace.Flags = (int)ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
                ace.ObjectType = PASSWORD_GUID;
                ace.AccessMask = (int)ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
                acl.AddAce(ace);

                ace.Trustee = trustee;
                ace.AceFlags = 0;
                ace.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
                ace.Flags =  (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
                ace.ObjectType = PASSWORD_GUID;
                ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
                acl.AddAce(ace);
            }
            sd.DiscretionaryAcl = acl;                
            usr.Properties["ntSecurityDescriptor"].Value = (ActiveDs.IADsSecurityDescriptor)sd;
            usr.CommitChanges();

Any idea why I am getting this "Security ID structure is invalid" error?


I googled and found similar code on the web. I believe the above code should work. I did see somebody with similar complaints. It seems to be related to the account that you are using. What account are you using to run the above code?

Also, if you can use .NET 3.5 or above, try using the following code.

// Requires a reference to System.DirectoryServices.AccountManagement (.NET 3.5+).
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "YourDomain"))
{
    UserPrincipal up = UserPrincipal.FindByIdentity(context, "Domain\\YourUser");
    up.UserCannotChangePassword = false;
    up.Save();
}
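
The ACL change the question attempts, written against the managed System.DirectoryServices API as an added example that is not part of the original question or answer. It builds the two trustees from well-known SIDs instead of name strings, so no account-name lookup is involved. The class and method names are hypothetical, and `user` is assumed to be bound to an object that already exists in the directory.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Hypothetical helper, not taken from the page.
static class ChangePasswordAcl
{
    // Schema GUID of the "Change Password" (User-Change-Password) extended right.
    static readonly Guid ChangePasswordRight =
        new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");

    // deny == true  sets "User cannot change password";
    // deny == false clears it again.
    public static void Set(DirectoryEntry user, bool deny)
    {
        // Assumption: the entry was committed at least once, so the object
        // and its security descriptor already exist in the directory.
        IdentityReference[] trustees =
        {
            new SecurityIdentifier(WellKnownSidType.SelfSid, null),  // NT AUTHORITY\SELF (S-1-5-10)
            new SecurityIdentifier(WellKnownSidType.WorldSid, null), // Everyone (S-1-1-0)
        };

        AccessControlType wanted = deny ? AccessControlType.Deny : AccessControlType.Allow;
        AccessControlType opposite = deny ? AccessControlType.Allow : AccessControlType.Deny;

        // Read and write back only the DACL, not the owner, group or SACL.
        user.Options.SecurityMasks = SecurityMasks.Dacl;
        ActiveDirectorySecurity security = user.ObjectSecurity;

        foreach (IdentityReference trustee in trustees)
        {
            // A fresh rule object per trustee: remove the ACE of the opposite
            // type for this right, then add the one that is wanted.
            security.RemoveAccessRule(new ActiveDirectoryAccessRule(
                trustee, ActiveDirectoryRights.ExtendedRight, opposite, ChangePasswordRight));
            security.AddAccessRule(new ActiveDirectoryAccessRule(
                trustee, ActiveDirectoryRights.ExtendedRight, wanted, ChangePasswordRight));
        }

        user.CommitChanges();
    }
}
```

Calling `ChangePasswordAcl.Set(usr, true)` after the first `usr.CommitChanges()` corresponds to the deny ACEs in the question's loop.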