How to manage AD ACLs using Java

Published 2019-08-15 01:23

Question:

I'm currently working with a Java application that needs to connect to an Active Directory (AD) and modify the 'User Cannot Change Password' permission.

Microsoft has been kind enough to provide a step by step of how to do this using C++ or VB: http://msdn.microsoft.com/en-us/library/windows/desktop/aa746398(v=vs.85).aspx

The problem is really that I need to do this using Java. Is this possible?

The main issue is working with ACLs by querying/parsing the ntSecurityDescriptor attribute.

I'm currently using the Unboundid Ldap SDK to establish the connection and search for AD attributes, but I can change APIs if necessary.

Any help would be appreciated.

Thanks for your time.

Answer 1:

Granting authorization is not described in any LDAP RFC. This part is proprietary.

In OpenLDAP Access Control List (ACL) is established by a kind of filter.

In SUN Directory (nowadays the Oracle one) ACLs are established by attributes.

In Active Directory granting authorization is done internally, in the same proprietary manner as in the NTFS file system.

The thing you can do is to execute an external program like DSACLS.EXE; see Dsacls Examples.

Another solution should be to map COM ADSI objects into Java; this may help you (or not).
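As an added example (not part of the question or the answer above), the following Java code shows that the first half of the problem, reading the ACL, does not need DSACLS.EXE or COM at all: the `nTSecurityDescriptor` attribute value is a self-relative SECURITY_DESCRIPTOR in the same binary layout NTFS uses, and it can be parsed directly. The code walks the DACL, decodes object ACEs and SIDs, and reports whether the two ACEs that the MSDN article linked in the question describes for "User Cannot Change Password" are present. The control-access-right GUID for User-Change-Password (ab721a53-1e2f-11d0-9819-00aa0040529b), the well-known SIDs Everyone (S-1-1-0) and SELF (S-1-5-10), and the ADS_RIGHT_DS_CONTROL_ACCESS mask bit are assumed from Microsoft's documentation; the 108-byte descriptor in `SAMPLE_SD_HEX` is constructed for this example and is not data from a real directory.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.ArrayList;
import java.util.List;

public class NtSecurityDescriptorCheck {
    // Values assumed from Microsoft's AD documentation for this example.
    static final String USER_CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b";
    static final String SID_EVERYONE = "S-1-1-0";
    static final String SID_SELF = "S-1-5-10";
    static final int ADS_RIGHT_DS_CONTROL_ACCESS = 0x100;
    static final int ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06;
    static final int SE_DACL_PRESENT = 0x0004;
    static final int ACE_OBJECT_TYPE_PRESENT = 0x1;
    static final int ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2;

    // Constructed sample: self-relative SD, DACL with two ACCESS_DENIED_OBJECT_ACEs
    // (Everyone and SELF) denying the User-Change-Password control access right.
    static final String SAMPLE_SD_HEX =
        "01000480" + "00000000" + "00000000" + "00000000" + "14000000"      // SD header, DACL at offset 20
      + "04005800" + "02000000"                                             // ACL: revision 4, size 88, 2 ACEs
      + "06002800" + "00010000" + "01000000" + "531a72ab2f1ed0119819" + "00aa0040529b"
      + "010100000000000100000000"                                          // SID S-1-1-0 (Everyone)
      + "06002800" + "00010000" + "01000000" + "531a72ab2f1ed0119819" + "00aa0040529b"
      + "0101000000000005" + "0a000000";                                    // SID S-1-5-10 (SELF)

    static final class Ace {
        final int type; final int mask; final String objectType; final String sid;
        Ace(int type, int mask, String objectType, String sid) {
            this.type = type; this.mask = mask; this.objectType = objectType; this.sid = sid;
        }
    }

    // Walks the DACL of a self-relative security descriptor and returns its ACEs.
    static List<Ace> parseDacl(byte[] sd) {
        ByteBuffer buf = ByteBuffer.wrap(sd).order(ByteOrder.LITTLE_ENDIAN);
        int control = buf.getShort(2) & 0xFFFF;
        int daclOffset = buf.getInt(16);
        List<Ace> aces = new ArrayList<>();
        if ((control & SE_DACL_PRESENT) == 0 || daclOffset == 0) return aces; // no DACL
        int aceCount = buf.getShort(daclOffset + 4) & 0xFFFF;
        int pos = daclOffset + 8;                                            // skip ACL header
        for (int i = 0; i < aceCount; i++) {
            int type = buf.get(pos) & 0xFF;
            int size = buf.getShort(pos + 2) & 0xFFFF;
            int mask = buf.getInt(pos + 4);
            int cursor = pos + 8;
            String objectType = null;
            if (type >= 0x05 && type <= 0x08) {                             // object ACE types
                int flags = buf.getInt(cursor);
                cursor += 4;
                if ((flags & ACE_OBJECT_TYPE_PRESENT) != 0) { objectType = readGuid(buf, cursor); cursor += 16; }
                if ((flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) != 0) { cursor += 16; }
            }
            aces.add(new Ace(type, mask, objectType, readSid(buf, cursor)));
            pos += size;                                                    // AceSize covers the whole ACE
        }
        return aces;
    }

    // GUID: Data1/Data2/Data3 little-endian, Data4 as stored.
    static String readGuid(ByteBuffer buf, int off) {
        StringBuilder sb = new StringBuilder(String.format("%08x-%04x-%04x-",
            buf.getInt(off), buf.getShort(off + 4) & 0xFFFF, buf.getShort(off + 6) & 0xFFFF));
        for (int i = 0; i < 8; i++) {
            sb.append(String.format("%02x", buf.get(off + 8 + i) & 0xFF));
            if (i == 1) sb.append('-');
        }
        return sb.toString();
    }

    // SID: revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities.
    static String readSid(ByteBuffer buf, int off) {
        int revision = buf.get(off) & 0xFF;
        int count = buf.get(off + 1) & 0xFF;
        long authority = 0;
        for (int i = 0; i < 6; i++) authority = (authority << 8) | (buf.get(off + 2 + i) & 0xFF);
        StringBuilder sb = new StringBuilder("S-" + revision + "-" + authority);
        for (int i = 0; i < count; i++) sb.append('-').append(buf.getInt(off + 8 + 4 * i) & 0xFFFFFFFFL);
        return sb.toString();
    }

    // True when both Everyone and SELF are explicitly denied the change-password right.
    static boolean userCannotChangePassword(byte[] sd) {
        boolean everyoneDenied = false, selfDenied = false;
        for (Ace ace : parseDacl(sd)) {
            boolean denies = ace.type == ACCESS_DENIED_OBJECT_ACE_TYPE
                && (ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS) != 0
                && USER_CHANGE_PASSWORD_GUID.equals(ace.objectType);
            if (!denies) continue;
            if (SID_EVERYONE.equals(ace.sid)) everyoneDenied = true;
            if (SID_SELF.equals(ace.sid)) selfDenied = true;
        }
        return everyoneDenied && selfDenied;
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        byte[] sd = hexToBytes(SAMPLE_SD_HEX);
        for (Ace ace : parseDacl(sd))
            System.out.printf("type=0x%02x mask=0x%08x object=%s trustee=%s%n", ace.type, ace.mask, ace.objectType, ace.sid);
        System.out.println("User Cannot Change Password: " + userCannotChangePassword(sd));
    }
}
```

With the UnboundID SDK the asker already uses, the byte array would come from `entry.getAttributeValueBytes("nTSecurityDescriptor")`; a search should attach the LDAP_SERVER_SD_FLAGS_OID control (1.2.840.113556.1.4.801) requesting only the DACL, since an ordinary bind is usually not allowed to read the SACL and the server then returns nothing. Changing the flag means the reverse of this parser: serialising a descriptor with the two deny ACEs added or removed and writing it back with the same control, which is the part of the MSDN article the answer above suggests delegating to DSACLS.EXE; the parser here at least lets the application verify the result. Callback ACE types (0x09 and above) carry extra data and are not decoded by this example.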