Question : Active Directory Properties for "User Cannot Change Password"

We're running Active Directory on a Win2000 server.  I am trying with a .NET application to produce a list of all users that have the property "user cannot change password" enabled.

From what I've read I thought I would be able to obtain this by examining the userAccountControl property for the PASSWD_CANT_CHANGE value of 64.  My actual results, however, are showing a value of 66048, which I interpret to mean DONT_EXPIRE_PASSWORD (65536) + NORMAL_ACCOUNT (512).  I am getting the value of 66048 for users whether or not they have their "user cannot change password" flag enabled.

I am far from being an expert working with AD so any explanations or suggestions would be appreciated.

Answer : Active Directory Properties for "User Cannot Change Password"


Hey,

I have no experience at all coding in Visual Basic; all my work is with VbScript. I'll try not to let that stop me ;)

You shouldn't need this bit at all:

  objUser = GetObject("LDAP://CN=JoeUser,DC=bi,DC=local")

As you should have a connection to the user object by virtue of this:

  objGroupEntry = objResult.GetDirectoryEntry()

If it were VbScript I'd pass through "objGroupEntry" as a parameter into the function, then access the Security Descriptor from there. e.g.:


Imports System.DirectoryServices
Imports ActiveDs   ' COM reference to the "Active DS Type Library" (activeds.tlb)

' Rights GUID of the "User-Change-Password" extended right, in the braced
' string form that IADsAccessControlEntry.ObjectType returns.
Const CHANGE_PASSWORD_GUID As String = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"

Function UserCannotChangePassword(oUser As DirectoryEntry) As Boolean
    Dim oSecDesc As IADsSecurityDescriptor
    Dim oACL As IADsAccessControlList
    Dim fEveryone As Boolean = False
    Dim fSelf As Boolean = False

    ' A DirectoryEntry exposes the ADSI security descriptor through its
    ' Properties collection (there is no IADs.Get on the .NET wrapper).
    oSecDesc = CType(oUser.Properties("ntSecurityDescriptor").Value, IADsSecurityDescriptor)
    oACL = CType(oSecDesc.DiscretionaryAcl, IADsAccessControlList)

    ' "User cannot change password" is stored as two deny ACEs on the
    ' Change-Password right: one for Everyone and one for SELF.
    For Each oACE As IADsAccessControlEntry In oACL
        If UCase(oACE.ObjectType) = UCase(CHANGE_PASSWORD_GUID) AndAlso _
           oACE.AceType = CInt(ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
            ' Trustee is a display name, so these strings depend on the
            ' language of the domain controller.
            If oACE.Trustee = "Everyone" Then
                fEveryone = True
            ElseIf oACE.Trustee = "NT AUTHORITY\SELF" Then
                fSelf = True
            End If
        End If
    Next

    ' Only when both deny entries are present is the box ticked.
    Return fSelf AndAlso fEveryone
End Function


I'm not sure that'll work with VB, but it'd be fun to try :) I'm not entirely sure of the difference between an object of type IADS and a DirectoryEntry. Could you give it a try?

Chris
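The same DACL test, as an added example that is not part of the question or Chris's answer: it applies the rule above (deny ACEs for both Everyone and SELF on the User-Change-Password right) to the security descriptor in SDDL text form, where Everyone and SELF appear as the aliases WD and PS instead of display names, and it decodes the 66048 value from the question to show that the setting never surfaces as the 0x40 bit in the stored attribute. The SDDL strings are constructed samples; the GUID is the well-known rights GUID of that extended right.

```python
import re

# Well-known rights GUID of the User-Change-Password extended right.
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
SID_EVERYONE, SID_SELF = "WD", "PS"        # SDDL aliases for Everyone / SELF
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100         # the "CR" right in SDDL

# Bits from the question; PASSWD_CANT_CHANGE is listed only to show that the
# stored userAccountControl value does not carry it.
UAC_FLAGS = {0x40: "PASSWD_CANT_CHANGE", 0x200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD"}

def decode_uac(value):
    """Return the names of the known userAccountControl bits set in value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_dacl(sddl):
    """Yield (ace_type, flags, rights, object_guid, inherit_guid, sid) for
    every ACE in the D: section; the GUID fields are empty for non-object ACEs."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) >= 6:
            yield tuple(fields[:6])

def grants_control_access(rights):
    """True if the SDDL rights field includes the control-access right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & ADS_RIGHT_DS_CONTROL_ACCESS)
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}

def user_cannot_change_password(sddl):
    """Same rule as the answer: object-deny ACEs for Everyone AND SELF on the
    Change-Password right mean the box is ticked."""
    deny_everyone = deny_self = False
    for ace_type, _flags, rights, guid, _inh, sid in parse_dacl(sddl):
        if ace_type != "OD" or guid.lower() != CHANGE_PASSWORD_GUID:
            continue                        # not a deny ACE on this right
        if not grants_control_access(rights):
            continue
        deny_everyone |= sid == SID_EVERYONE
        deny_self |= sid == SID_SELF
    return deny_everyone and deny_self

# Constructed sample descriptors: one with the two deny ACEs, one with the
# default allow ACEs only.
CP = CHANGE_PASSWORD_GUID
SDDL_TICKED = f"O:DAG:DAD:(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(OD;;CR;{CP};;WD)(OD;;CR;{CP};;PS)"
SDDL_UNTICKED = f"O:DAG:DAD:(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(OA;;CR;{CP};;WD)(OA;;CR;{CP};;PS)"
```

Pulling the SDDL text out of ntSecurityDescriptor for each search result is left to the application; the value the .NET code already holds can be converted with the usual security-descriptor APIs.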
