September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
6.20. Preventing a User from Changing His Password
Problem
You want to disable a user’s ability to change his password.
Solution
Using a graphical user interface
Open the Active Directory Users and Computers snap-in.
In the left pane, right-click on the domain and select Find.
Select the appropriate domain beside In.
Beside Name, type the name of the user you want to modify and click Find Now.
In the Search Results, double-click on the user.
Click the Account tab.
Under Account options, check the box beside User cannot change password.
Click OK.
Using a command-line interface
> dsmod user <UserDN> -canchpwd noUsing VBScript
' This code disables a user's ability to change password
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- Const ACETYPE_ACCESS_DENIED_OBJECT = 6 Const ACEFLAG_OBJECT_TYPE_PRESENT = 1 Const RIGHT_DS_CONTROL_ACCESS = 256 Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}" set objUser = GetObject("LDAP://" & strUserDN) set objSD = objUser.Get("ntSecurityDescriptor") set objDACL = objSD.DiscretionaryAcl ' Add a deny ACE for Everyone set objACE = CreateObject("AccessControlEntry") objACE.Trustee = "Everyone" objACE.AceFlags = 0 objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT objACE.ObjectType = CHANGE_PASSWORD_GUID objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS objDACL.AddAce objACE ' Add a deny ACE for Self set objACE = CreateObject("AccessControlEntry") ...