Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Re: How to uncheck Password cannot change Flag in ActiveDirectory [message #324781] Sun, 22 November 2009 10:32
carbooter (United States)
Only 2 years later -
I also find the userAccountControl is 512 so &40 is not set even when
'user cannot change password' is set.
I came across
http://www.activeexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/users/#DisableUserCannotChPwd.htm
which gives a vbscript which seems to work for one user. I'll try to
adapt it for multiple users.


--
carbooter
------------------------------------------------------------------------
carbooter's Profile: http://forums.techarena.in/members/157163.htm
View this thread: http://forums.techarena.in/active-directory/776795.htm

http://forums.techarena.in
Re: How to uncheck Password cannot change Flag in ActiveDirectory [message #324869 is a reply to message #324781] Sun, 22 November 2009 14:40
rlmueller-nospam (United States)
As you have discovered, the ADS_UF_PASSWD_CANT_CHANGE bit of the
userAccountControl attribute is not functional. It works with local accounts
and NT domains (using the WinNT provider), but not in AD. Instead, you must
deal with the nTSecurityDescriptor of the user object. You add an ACE to the
DACL to deny permission to change the password, or remove this ACE to allow
the user to change their password. I have an example program to grant
permission for a user to change their password linked here:

http://www.rlmueller.net/Can%20Change%20PW.htm

and a similar program to deny permission linked here:

http://www.rlmueller.net/Cannot%20Change%20PW.htm

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"carbooter" <carbooter.422ena@DoNotSpam.com> wrote in message
news:carbooter.422ena@DoNotSpam.com...
>
> Only 2 years later -
> I also find the userAccountControl is 512 so &40 is not set even when
> 'user cannot change password' is set.
> I came across
> http://www.activeexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/users/#DisableUserCannotChPwd.htm
> which gives a vbscript which seems to work for one user. I'll try to
> adapt it for multiple users.
>
>
> --
> carbooter
>
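
The DACL approach described in the reply above, as an added PowerShell example (not part of the original thread and not the code from the linked programs). It assumes the "User cannot change password" checkbox corresponds to explicit deny ACEs for the User-Change-Password extended right held by SELF and Everyone; the function names and the sample DN are hypothetical.

```powershell
# Added example: find and remove the "User cannot change password" deny ACEs.
Add-Type -AssemblyName System.DirectoryServices

# User-Change-Password extended right, and the two trustees the checkbox denies.
$ChangePwd = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$Trustees  = 'S-1-5-10', 'S-1-1-0'   # SELF, Everyone

function Get-CannotChangePasswordAce {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Security)
    # Explicit ACEs only; an inherited deny has to be fixed on the parent container.
    $Security.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
            $_.ObjectType -eq $ChangePwd -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $Trustees -contains $_.IdentityReference.Value
        }
}

function Remove-CannotChangePasswordAce {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Security)
    # Collect first, then remove, so the rule collection is not modified while enumerating.
    $found = @(Get-CannotChangePasswordAce $Security)
    foreach ($ace in $found) { $Security.RemoveAccessRuleSpecific($ace) }
    $found.Count     # number of deny ACEs removed
}

# Constructed in-memory descriptor, so the logic can be tried without a domain.
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
foreach ($sid in $Trustees) {
    $id = New-Object System.Security.Principal.SecurityIdentifier $sid
    $sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $id,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ChangePwd)))
}
"Deny ACEs before: $(@(Get-CannotChangePasswordAce $sd).Count)"
"Removed:          $(Remove-CannotChangePasswordAce $sd)"
"Deny ACEs after:  $(@(Get-CannotChangePasswordAce $sd).Count)"

# Against real accounts (the DN is a placeholder; needs rights to write each user's DACL):
# foreach ($dn in 'CN=User One,OU=Staff,DC=example,DC=com') {
#     $user = [ADSI]"LDAP://$dn"
#     $user.psbase.Options.SecurityMasks = 'Dacl'   # read and write only the DACL
#     if (Remove-CannotChangePasswordAce $user.psbase.ObjectSecurity) { $user.psbase.CommitChanges() }
# }
```

Because the setting lives in the DACL, userAccountControl stays at 512 before and after the change, so an audit for this restriction has to read the security descriptor rather than the flag.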