Re: User Account Options
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 11 Jan 2008 12:21:16 -0600
ntSecurityDescriptor is not an attribute. It cannot be viewed with ADSI
Edit. Notice that the VB example in the MSDN link I gave uses the same
technique as the VBScript program I linked. Both remove the deny ACEs from
the DACL for the user. If you did not use "On Error Resume Next" (you should
not use this) and there was no error message, then the script ran and the
user should not have the deny ACEs that prevent them from changing their
password.
I remember reading about the canchpwd option of dsmod. It does the same
thing: it removes the two deny ACEs from the DACL.
It sounds like a Group Policy is being applied from a parent container (OU
or domain) that enforces the setting. You need to find where this policy is
being applied. If the problem is confined to users in one OU, I would check
the OU for any Group Policies.
The only Group Policy I can find that might apply is "User Configuration",
"System", "Logon/Logoff", "Disable Change Password". There may be another
setting I'm unaware of. The help for this setting says it removes the
"Change Password" button on the Windows Security dialog (when you use
Ctrl-Alt-Del), but still allows users to change their password when the
system prompts them.
Note, when you run the VBScript program CanChgPW.vbs, if there are no deny
ACEs in the DACL, the program will not alert you to this. It just removes
them if they are found. You could modify the program to indicate whether it did
anything (whether it removed ACEs). This would confirm that the ACEs are being
re-applied by some policy. To do this, modify the final If/Then clause:
===========
' If the ACE was found and removed, update the user object.
If (blnFound = True) Then
objSecDescriptor.discretionaryACL = objDACL
objUser.Put "ntSecurityDescriptor", objSecDescriptor
objUser.SetInfo
End If
==========
as follows:
========
' If the ACE was found and removed, update the user object.
If (blnFound = True) Then
objSecDescriptor.discretionaryACL = objDACL
objUser.Put "ntSecurityDescriptor", objSecDescriptor
objUser.SetInfo
Wscript.Echo "User modified so they can change their password."
Else
Wscript.Echo "Nothing changed, user can already change their password."
End If
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
"JBP" <JBP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:04C4C47A-E51F-48C8-B646-653C43F35236@xxxxxxxxxxxxxxxx
I tried your script but it is not doing anything and not even getting
anything from AD with the ntSecurityDescriptor object, and the echo says done, but
when I check the account it is still not unchecked.
I open ADSIEDIT but it doesn't have ntSecurityDescriptor in the user's
properties, and I'm not getting anything from the script.
I manually applied Default permission and inherit from Parent in AD, but
after some time, about 30 minutes, all permissions changed to other permissions
which don't include SELF, EVERYONE and others.
I tried with dsquery user -samid <userid> | dsmod user canchpwd yes but that
is also only for a few minutes.
Please help, this is in production.
"Richard Mueller [MVP]" wrote:
JBP wrote:
We are having a problem with the USER CANNOT CHANGE PASSWORD option. All of a
sudden lots of users' settings are set to checked so they cannot change their
password. I created a script and disabled (UNCHECKED) this setting for
enabled users, but when we looked at it after some time, about (30) minutes,
it was enabled again. So we ran the script again and replicated the changes to
other DCs, but the same thing happens after some time.
The most important thing is that when we look in AD USERS & COMPUTERS it doesn't
say that, but 3rd-party tools say it is enabled. We checked with users and they
are not able to change their password either.
Please help, exhausted since yesterday.
Script-->
Set objUser = GetObject("WinNT://dc1/" & objRecordSet.Fields("sAMAccountName").Value)
If objUser.UserFlags AND ADS_UF_PASSWD_CANT_CHANGE Then
    objPasswordNoChangeFlag = objUser.UserFlags XOR ADS_UF_PASSWD_CANT_CHANGE
    objUser.Put "userFlags", objPasswordNoChangeFlag
    objUser.SetInfo
    objFileName.WriteLine(objRecordSet.Fields("sAMAccountName").Value & vbTab & _
        objRecordSet.Fields("Name").Value & vbTab & _
        objRecordSet.Fields("distinguishedName").Value & vbTab & "Set to change password")
    SetUsr = SetUsr + 1
End If
Replication:
repadmin /replicate dc1 dc2 dc=mycmp,dc=com
Sync from dc1 to dc2 completed successfully.
I believe you got the idea for your script from this link:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1202.mspx
First, you must assign the value &H40 to the constant
ADS_UF_PASSWD_CANT_CHANGE. Next, this bit of the userFlags attribute only
works for local user accounts. For domain users the permission to change the
password is controlled by two ACEs (Access Control Entries) in the DACL
(Discretionary Access Control List) of the security descriptor of the user
object. To deny permission to change the password you add two deny ACEs to
the DACL. To allow the user to change their password you remove the two deny
ACEs. An example VBScript program to allow a user to change their password:
http://www.rlmueller.net/Can%20Change%20PW.htm
For more, see this link:
http://msdn2.microsoft.com/en-us/library/aa746398(VS.85).aspx
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
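As an added example (not Richard Mueller's CanChgPW.vbs and not code posted in this thread), the same audit-and-report logic in PowerShell with the ActiveDirectory module: it lists the explicit Deny ACEs on the User-Change-Password extended right for SELF and Everyone, which are what the "User cannot change password" checkbox writes into the user's DACL, removes them only when -Fix is given, and reports whether anything changed, as the modified If/Then clause above does. The function and parameter names and the sample account name are this example's own assumptions; the GUID is the rightsGuid of the User-Change-Password extended right in the schema. It needs RSAT and permission to read and write the user object's security descriptor.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# and permission to read/write the user object's DACL. Function, parameter and
# account names are this example's own choices.
Import-Module ActiveDirectory

# rightsGuid of the "User-Change-Password" extended right
# (CN=User-Change-Password in the Extended-Rights container).
$script:ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
# The two trustees the checkbox denies the right to: NT AUTHORITY\SELF and Everyone.
$script:DeniedSids = @('S-1-5-10', 'S-1-1-0')

function Resolve-Sid {
    # Normalise an IdentityReference (NTAccount or SID) to a SID string.
    param([Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Id)
    if ($Id -is [System.Security.Principal.SecurityIdentifier]) { return $Id.Value }
    $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-CannotChangePasswordAce {
    # Return the explicit Deny ACEs on User-Change-Password for SELF / Everyone.
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $script:ChangePasswordRight -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        -not $_.IsInherited -and
        (Resolve-Sid $_.IdentityReference) -in $script:DeniedSids
    }
}

function Repair-UserCanChangePassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Fix    # without -Fix the function only reports
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties CannotChangePassword
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $denies = @(Get-CannotChangePasswordAce -Acl $acl)

    $result = [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        CannotChangePassword = $user.CannotChangePassword   # what the ADUC checkbox reflects
        DenyAceCount         = $denies.Count                # 2 when the checkbox is set
        DenyAceFor           = @($denies | ForEach-Object { $_.IdentityReference.Value })
        Changed              = $false
    }

    if ($denies.Count -eq 0) {
        Write-Host "$($user.SamAccountName): nothing changed, user can already change their password."
    } elseif ($Fix) {
        foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -Path $path -AclObject $acl
        $result.Changed = $true
        Write-Host "$($user.SamAccountName): removed $($denies.Count) deny ACE(s); user can change their password."
    } else {
        Write-Host "$($user.SamAccountName): $($denies.Count) deny ACE(s) present; re-run with -Fix to remove them."
    }
    $result
}

# Usage (account name is a placeholder):
# Repair-UserCanChangePassword -SamAccountName 'jdoe'        # report only
# Repair-UserCanChangePassword -SamAccountName 'jdoe' -Fix   # remove the deny ACEs
```

Run the report form again some time after a fix: if DenyAceCount climbs back to 2 on an account you cleared, something else is re-writing the DACL, which is the confirmation the modified VBScript is meant to give. The ActiveDirectory module also exposes the same change directly as `Set-ADUser -Identity jdoe -CannotChangePassword $false`; the script above exists to show the two ACEs rather than just flip them.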