Setting "User Cannot Change Password" via LDAP
We manage all accounts centrally, including new account requests. This has been a two-step process where a network account was first created that dealt with most campus-wide services and then a separate Windows domain account was created for student lab and staff use. I am trying to simplify that and I am able to create the domain account via a standard LDAP API as well as set a synchronized password. But the one thing we want to ensure is that domain users only change their passwords through the centralized service and not locally from within Windows -- that way passwords stay in sync. The problem is disabling the user's ability. However, doing this requires setting an ACE in the ntSecurityDescriptor attribute of the entry. While I can do that via a vbs script, that also defeats the purpose of managing everything centrally. Is there a way to set the ACE via LDAP over the network, and does anyone have any code examples?
Thanks,
Rob
By rtanner at 2007-11-19 5:33:58
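An added example, not from the thread and not tied to any particular LDAP library, of what the "User Cannot Change Password" checkbox actually writes: two ACCESS_DENIED_OBJECT_ACEs for the User-Change-Password extended right, one for Everyone and one for SELF, inserted at the front of the DACL of a binary nTSecurityDescriptor. The descriptor it operates on is constructed inline so the code runs offline; fetching the attribute and writing it back is left to whatever LDAP client you use.

```python
import struct
import uuid

# User-Change-Password extended right; the checkbox denies it to Everyone and SELF.
USER_CHANGE_PASSWORD = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b")
DS_CONTROL_ACCESS, DENIED_OBJECT_ACE, OBJECT_TYPE_PRESENT = 0x100, 0x06, 0x1

def sid_bytes(sid):
    """Encode an 'S-1-...' string SID in its binary form."""
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def deny_change_password_ace(sid):
    """ACCESS_DENIED_OBJECT_ACE denying User-Change-Password to one trustee."""
    body = struct.pack("<II", DS_CONTROL_ACCESS, OBJECT_TYPE_PRESENT) + USER_CHANGE_PASSWORD.bytes_le + sid_bytes(sid)
    return struct.pack("<BBH", DENIED_OBJECT_ACE, 0, 4 + len(body)) + body

def add_cannot_change_password(sd):
    """Copy of a self-relative SD with the two deny ACEs prepended to its DACL
    (canonical order puts explicit deny ACEs before explicit allow ACEs)."""
    rev, sbz1, ctrl, o_own, o_grp, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd)
    _, sbz, acl_size, count, sbz2 = struct.unpack_from("<BBHHH", sd, o_dacl)
    new = deny_change_password_ace("S-1-1-0") + deny_change_password_ace("S-1-5-10")
    shift = lambda o: o + len(new) if o > o_dacl else o      # elements stored after the DACL
    head = struct.pack("<BBHIIII", rev, sbz1, ctrl, shift(o_own), shift(o_grp), shift(o_sacl), o_dacl)
    acl = struct.pack("<BBHHH", 4, sbz, acl_size + len(new), count + 2, sbz2)  # 4 = ACL_REVISION_DS
    return head + sd[20:o_dacl] + acl + new + sd[o_dacl + 8:o_dacl + acl_size] + sd[o_dacl + acl_size:]

def dacl_aces(sd):
    """Decode the DACL into (ace_type, mask, object_guid_or_None, sid_bytes) tuples."""
    o_dacl = struct.unpack_from("<I", sd, 16)[0]
    pos, out = o_dacl + 8, []
    for _ in range(struct.unpack_from("<H", sd, o_dacl + 4)[0]):
        ace_type, _, size = struct.unpack_from("<BBH", sd, pos)
        mask, body, guid = struct.unpack_from("<I", sd, pos + 4)[0], pos + 8, None
        if ace_type in (0x05, 0x06):                         # object ACE: Flags [+ GUIDs]
            flags, body = struct.unpack_from("<I", sd, body)[0], body + 4
            if flags & OBJECT_TYPE_PRESENT:
                guid, body = uuid.UUID(bytes_le=sd[body:body + 16]), body + 16
            body += 16 if flags & 0x2 else 0                 # skip InheritedObjectType
        out.append((ace_type, mask, guid, sd[body:pos + size]))
        pos += size
    return out

def sample_sd():
    """Constructed descriptor: one full-control allow ACE for SYSTEM, then owner and group SIDs."""
    ace = struct.pack("<BBHI", 0x00, 0, 20, 0x000F01FF) + sid_bytes("S-1-5-18")
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    admins, o_own = sid_bytes("S-1-5-32-544"), 20 + len(dacl)
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8004, o_own, o_own + len(admins), 0, 20)  # DACL_PRESENT|SELF_RELATIVE
    return hdr + dacl + admins + admins
```

When reading and writing nTSecurityDescriptor over LDAP, send the SD flags control (OID 1.2.840.113556.1.4.801) with the DACL bit set so that only the DACL portion is read and written back.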

# 1 Re: Setting "User Cannot Change Password" via LDAP
Did you ever figure this out? I am attempting to do something similar and have yet to find any good examples ...
# 2 Re: Setting "User Cannot Change Password" via LDAP
We eventually hired a Windows sysadmin who actually knows his stuff and how to set policies. He used a group policy to globally disable a user's ability to change his or her password. They are therefore forced to use the main webtool that keeps everything in sync.