Re: User Account Security
- From: Meinolf Weber <meiweb(nospam)@gmx.de>
- Date: Fri, 11 Jan 2008 08:38:07 +0000 (UTC)
Hello JBP,
Better post this under the original posting, so that anybody could follow it and find it again.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm
I tried your script but it is not doing anything and not even getting
anything from AD with the ntSecurityDescriptor object, and echo says done,
but when I check the account it is still not unchecked.
I opened ADSIEDIT but it doesn't have ntSecurityDescriptor in the user's
properties, and I am not getting anything from the script.
I manually applied the default permissions and "inherit from parent" in AD, but
after some time, about 30 minutes, all permissions changed to other
permissions which don't include SELF, Everyone and others.
I tried dsquery user -samid <userid> | dsmod user -canchpwd yes
but that also only lasts a few minutes.
Please help, this is in production.
"Richard Mueller [MVP]" wrote:
JBP wrote:
We are having a problem with the USER CANNOT CHANGE PASSWORD option. All of a
sudden lots of users' settings are set to checked so they cannot change their
password. I created a script and disabled (UNCHECKED) this setting for
enabled users, but when we looked at it after some time, about (30)
minutes, it is enabled again. So we run the script again and replicate the changes to
other DCs, but the same thing happens after some time.
The most important thing is that when we look in AD USERS & COMPUTERS it doesn't
say that, but 3rd party tools say it is enabled. We checked with users and they
are not able to change their password either.
Please help, exhausted since yesterday.
Script-->
' Fragment of the per-user loop body; objRecordSet, objFileName and SetUsr are not shown in this fragment
Set objUser = GetObject("WinNT://dc1/" & objRecordSet.Fields("sAMAccountName").Value)
' Test the "password cannot change" bit in userFlags
If objUser.UserFlags AND ADS_UF_PASSWD_CANT_CHANGE Then
    ' The bit is known to be set here, so XOR clears it
    objPasswordNoChangeFlag = objUser.UserFlags XOR ADS_UF_PASSWD_CANT_CHANGE
    objUser.Put "userFlags", objPasswordNoChangeFlag
    objUser.SetInfo
    ' Log the account that was changed
    objFileName.WriteLine(objRecordSet.Fields("sAMAccountName").Value & vbTab & objRecordSet.Fields("Name").Value & vbTab & objRecordSet.Fields("distinguishedName").Value & vbTab & "Set to change password")
    SetUsr = SetUsr + 1
End If
Replication:
repadmin /replicate dc1 dc2 dc=mycmp,dc=com
Sync from dc1 to dc2 completed successfully.
I believe you got the idea for your script from this link:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1202.mspx
First, you must assign the value &H40 to the constant
ADS_UF_PASSWD_CANT_CHANGE. Next, this bit of the userFlags attribute
only works for local user accounts. For domain users the permission
to change the password is controlled by two ACEs (Access Control
Entries) in the DACL (Discretionary Access Control List) of the
security descriptor of the user object. To deny permission to change
the password you add two deny ACEs to the DACL. To allow the user to
change their password you remove the two deny ACEs. An example
VBScript program to allow a user to change their password:
http://www.rlmueller.net/Can%20Change%20PW.htm
For more, see this link:
http://msdn2.microsoft.com/en-us/library/aa746398(VS.85).aspx
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
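An added check, not code from this thread or from Richard Mueller's site, that reads a domain user's DACL the way the reply above describes: it lists the Deny ACEs on the "Change Password" extended right held by SELF and Everyone, reports whether "User cannot change password" is effectively set, and removes the pair only when $Clear is set. It assumes a domain-joined host and the placeholder DN CN=Jane Doe,OU=Staff,DC=mycmp,DC=com.

```powershell
# Added example (not from the thread): inspect, and optionally remove, the two
# Deny ACEs on the "Change Password" extended right that implement
# "User cannot change password" on a domain user object.
# Assumptions: domain-joined host, and the placeholder DN below.
$UserDn = 'CN=Jane Doe,OU=Staff,DC=mycmp,DC=com'   # placeholder, not from the thread
$Clear  = $false                                   # $true removes the deny ACEs

# controlAccessRight GUID of User-Change-Password in the AD schema
$changePwGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$trusteeSids  = @('S-1-5-10', 'S-1-1-0')           # NT AUTHORITY\SELF, Everyone

$user = [ADSI]"LDAP://$UserDn"
# ActiveDirectorySecurity built from the object's ntSecurityDescriptor
$sd = $user.psbase.ObjectSecurity

# Explicit ACEs only (the deny pair is written directly on the user); trustees as SIDs
$rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

$denyRules = @($rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $changePwGuid -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($trusteeSids -contains $_.IdentityReference.Value)
})

foreach ($r in $denyRules) {
    '{0,-12} {1,-5} ExtendedRight User-Change-Password' -f $r.IdentityReference.Value, $r.AccessControlType
}
switch ($denyRules.Count) {
    2       { "'User cannot change password' is SET on $UserDn" }
    0       { "'User cannot change password' is CLEAR on $UserDn" }
    default { "Only one of the two deny ACEs is present on $UserDn; the DACL is inconsistent" }
}

if ($Clear -and $denyRules.Count -gt 0) {
    foreach ($r in $denyRules) { $sd.RemoveAccessRuleSpecific($r) }
    $user.psbase.CommitChanges()        # writes the modified ntSecurityDescriptor back
    "Removed $($denyRules.Count) deny ACE(s); re-run this check after replication."
}
```

Running the check again after the interval JBP describes shows whether the deny pair is being re-applied by something other than the script.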
- References:
- User Account Security
- From: JBP