Problems with the "User-Account-Control"-properties ! Help !


From: Schmidtmayer Marc (marc.schmidtmayer_at_gb.be)
Date: 08/09/04


Date: 9 Aug 2004 10:11:13 -0700

Hi all,

I'm writing an application where I need to show the 'status' of users
in AD.
Now I'm having trouble with the flag "User must change password at
next logon" for the "User-Account-Control"-property.

The problem is that the 'value' of the "User-Account-Control"-property
DOESN'T CHANGE whether the flag "User must change password at next
logon" is checked or not.

For example : In AD, my user has the flag "User must change password
at next logon" checked and when I check the value of the
"User-Account-Control"-property with ADSI-Edit ... it gives me 544 !!
Then I uncheck the flag "User must change password at next logon" BUT
THE VALUE DOESN'T change !!!!

I can't get the 'right' value for this !!
Other flags like "Account is disabled", etc ... do work !

Here's an extract of my script :

'*************************************************************************
    strFilter = "(&(objectclass=user)(objectcategory=person));"
    strAttrs = "name,userprincipalname,useraccountcontrol,adspath;"
    strScope = "subtree"
    
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"

    lPaths = UBound(as_paths())
    For lLoop = 1 To lPaths
    
        'strBase = "<LDAP://" & as_paths(lLoop) & ">;"
        strBase = "<" & as_paths(lLoop) & ">;"
        Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
        
        If Not objRS.EOF Then
            objRS.MoveFirst
            While Not objRS.EOF

                strUserNames(lTotalUsers) = objRS.Fields(0).Value
                strUserIDs(lTotalUsers) = objRS.Fields(1).Value
                lSetting = objRS.Fields(2).Value
                strtmp = "000"
                If (lSetting And ADS_UF_ACCOUNTDISABLE) = ADS_UF_ACCOUNTDISABLE Then Mid(strtmp, 1, 1) = "1"
                If (lSetting And ADS_UF_LOCKOUT) = ADS_UF_LOCKOUT Then Mid(strtmp, 2, 1) = "1"
                If (lSetting And ADS_UF_PWD_EXPIRED) = ADS_UF_PWD_EXPIRED Then Mid(strtmp, 3, 1) = "1"
                strAccountSettings(lTotalUsers) = strtmp
                strDNs(lTotalUsers) = objRS.Fields(3).Value
    
                objRS.MoveNext 'next record
            Wend
        End If
    
    Next

'*************************************************************************

Any help is welcome !
Thanks,
Marc.
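
Added example, not part of the original post: a Python sketch of the status decoding, assuming each record has already been fetched with `userAccountControl` and `pwdLastSet` in the attribute list. It decodes the 544 value quoted above and reads "User must change password at next logon" from `pwdLastSet` (which AD sets to 0 when that box is checked) instead of from a `userAccountControl` bit; the sample records and function names are constructed.

```python
# Added example: decode userAccountControl and derive the
# "must change password at next logon" state from pwdLastSet.
# Flag values are the documented ADS_UF_* constants (subset).
UF_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQUIRE_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}

def decode_uac(value):
    """Return (known flag names in bit order, bits not in UF_FLAGS)."""
    value = int(value)  # LDAP clients often hand attributes back as strings
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UF_FLAGS)  # keys are distinct bits, so sum == OR
    return names, unknown

def account_status(entry):
    """Summarise one directory entry (dict of attribute name -> value)."""
    names, unknown = decode_uac(entry["userAccountControl"])
    return {
        "name": entry["name"],
        "flags": names,
        "unknown_bits": hex(unknown),
        "disabled": "ACCOUNTDISABLE" in names,
        # The checkbox is stored as pwdLastSet = 0, not as a UAC bit.
        "must_change_password": int(entry["pwdLastSet"]) == 0,
        "password_not_required": "PASSWD_NOTREQD" in names,
    }

# Constructed sample records: same userAccountControl (544), checkbox on/off.
SAMPLE = [
    {"name": "user-a", "userAccountControl": "544", "pwdLastSet": "0"},
    {"name": "user-b", "userAccountControl": "544",
     "pwdLastSet": "127364112000000000"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(account_status(rec))
```

Both sample records decode to NORMAL_ACCOUNT plus PASSWD_NOTREQD and differ only in `must_change_password`; the PASSWD_NOTREQD bit in 544 is worth reviewing in its own right, since it lets the account hold an empty password.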


