Re: User Account Options
- From: JBP <JBP@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 10 Jan 2008 14:47:02 -0800
I tried your script but it is not doing anything and not even getting
anything from AD with the ntSecurityDescriptor object; the echo says done, but when
I check the account it is still not unchecked.
I opened ADSIEDIT but it doesn't have ntSecurityDescriptor in the user's
properties, and I'm not getting anything from the script.
I manually applied the Default permission and inherit from parent in AD, but after
some time, about 30 minutes, all permissions changed to other permissions
which don't include SELF, EVERYONE and others.
I tried with dsquery user -samid <userid> | dsmod user -canchpwd yes, but that
also lasts only a few minutes.
Please help, this is in production.
"Richard Mueller [MVP]" wrote:
JBP wrote:
We are having a problem with the USER CANNOT CHANGE PASSWORD option. All of a
sudden lots of users' settings are set to checked so they cannot change their
password. I created a script and disabled (UNCHECKED) this setting for
enabled users, but when we looked at it after some time, about (30) minutes, it was
enabled again. So we ran the script again and replicated the changes to other DCs,
but the same thing happens after some time.
The most important thing is that when we look in AD USERS & COMPUTERS it doesn't say
that, but 3rd party tools say it is enabled. We checked with users and they are
not able to change their password either.
Please help, exhausted since yesterday.
Script-->
Set objUser = GetObject("WinNT://dc1/" & objRecordSet.Fields("sAMAccountName").Value)
If objUser.UserFlags AND ADS_UF_PASSWD_CANT_CHANGE Then
    ' bit is set, so XOR clears it
    objPasswordNoChangeFlag = objUser.UserFlags XOR ADS_UF_PASSWD_CANT_CHANGE
    objUser.Put "userFlags", objPasswordNoChangeFlag
    objUser.SetInfo
    objFileName.WriteLine(objRecordSet.Fields("sAMAccountName").Value & vbTab & _
        objRecordSet.Fields("Name").Value & vbTab & _
        objRecordSet.Fields("distinguishedName").Value & vbTab & "Set to change password")
    SetUsr = SetUsr + 1
End If
Replication:
repadmin /replicate dc1 dc2 dc=mycmp,dc=com
Sync from dc1 to dc2 completed successfully.
I believe you got the idea for your script from this link:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1202.mspx
First, you must assign the value &H40 to the constant
ADS_UF_PASSWD_CANT_CHANGE. Next, this bit of the userFlags attribute only
works for local user accounts. For domain users the permission to change the
password is controlled by two ACEs (Access Control Entries) in the DACL
(Discretionary Access Control List) of the security descriptor of the user
object. To deny permission to change the password you add two deny ACEs to
the DACL. To allow the user to change their password you remove the two deny
ACEs. An example VBScript program to allow a user to change their password:
http://www.rlmueller.net/Can%20Change%20PW.htm
For more, see this link:
http://msdn2.microsoft.com/en-us/library/aa746398(VS.85).aspx
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
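The mechanism Richard describes above (two deny ACEs on the user object's DACL, for the Change Password extended right, granted to Everyone and to SELF) can be checked and cleared directly with the ActiveDirectory PowerShell module. The following is an added example and is not code from the thread; it assumes RSAT's ActiveDirectory module, rights to write the user's DACL, and hypothetical account and DC names ('jdoe', 'dc1'). The adminCount check is an assumption about a likely cause of the hourly revert, not something the thread establishes.

```powershell
# Added example, not from the thread: list the two deny ACEs that implement
# "User cannot change password" on a domain user and (with -Fix) remove them.
# Assumes the RSAT ActiveDirectory module and rights to write the user's DACL.
function Repair-CanChangePassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server,          # pin a specific DC so the before/after check is against one copy
        [switch]$Fix              # without -Fix the function only reports
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # rightsGuid of the User-Change-Password control access right in the AD schema
    $changePwdGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $self     = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

    $getArgs = @{ Identity = $SamAccountName
                  Properties = 'nTSecurityDescriptor', 'adminCount', 'CannotChangePassword' }
    if ($Server) { $getArgs.Server = $Server }
    $user = Get-ADUser @getArgs
    $acl  = $user.nTSecurityDescriptor      # System.DirectoryServices.ActiveDirectorySecurity

    # Explicit and inherited ACEs, trustees returned as SIDs so the match is locale-independent
    $denies = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $changePwdGuid -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.IdentityReference -eq $everyone -or $_.IdentityReference -eq $self)
        })

    foreach ($ace in $denies) {
        '{0}: deny Change Password for {1} (inherited: {2})' -f $user.SamAccountName, $ace.IdentityReference, $ace.IsInherited
    }
    # The AD module derives CannotChangePassword from exactly these ACEs, so it is a
    # useful cross-check against a GUI that shows the box unchecked.
    'CannotChangePassword as seen by the AD module: {0}' -f $user.CannotChangePassword

    # Assumption, not stated in the thread: an ACL that reverts on a schedule is often being
    # re-stamped by SDProp from AdminSDHolder, which applies to accounts with adminCount=1.
    if ($user.adminCount -eq 1) {
        'adminCount=1: compare with the AdminSDHolder ACL, it is copied over this user periodically'
    }

    if ($Fix) {
        # Only explicit ACEs can be removed here; inherited denies must be fixed on the parent container
        $explicit = @($denies | Where-Object { -not $_.IsInherited })
        foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
        if ($explicit.Count -gt 0) {
            $setArgs = @{ Identity = $user.DistinguishedName; Replace = @{ nTSecurityDescriptor = $acl } }
            if ($Server) { $setArgs.Server = $Server }
            Set-ADUser @setArgs
            'Removed {0} explicit deny ACE(s) from {1}' -f $explicit.Count, $user.DistinguishedName
        }
    }
}

# Usage with hypothetical names: report first, then fix on the same DC and re-run to confirm
Repair-CanChangePassword -SamAccountName 'jdoe' -Server 'dc1'
Repair-CanChangePassword -SamAccountName 'jdoe' -Server 'dc1' -Fix
```

Set-ADUser -CannotChangePassword $false performs the same DACL edit in one call; the function above is worth having because it shows which trustee holds the deny, whether it is inherited from the OU (in which case removing it on the user will not stick), and whether the account carries adminCount=1, which is the first thing to look at when a hand-applied ACL is overwritten on a fixed schedule.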