6.24. Setting a User’s Account Options (userAccountControl)

Problem

You want to view or update the userAccountControl attribute for a user. This attribute controls various account options, such as if the user must change their password at next logon and if the account is disabled.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Beside Name, type the name of the user and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Select the Account tab.

  7. Many of the userAccountControl flags can be set under Account options.

  8. Click OK after you’re done.

Using a command-line interface

The dsmod user command has several options for setting various userAccountControl flags, as shown in Table 6-2. Each switch accepts yes or no as a parameter to either enable or disable the setting.

Table 6-2. dsmod user options for setting userAccountControl

dsmod user switch

Description

-mustchpwd

Sets whether the user must change password at next logon.

-canchpwd

Sets whether the user can change his password.

-disabled

Set account status to enabled or disabled.

-reversiblepwd

Sets whether the user’s password is stored using reversible encryption.

-pwdneverexpires

Sets whether the user’s password never expires.

Using VBScript

' This code enables or disables a bit value in the userAccountControl attr.
' See Recipe 4.12 for the code for the ...

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial