
AD: user cannot change password

Status
Not open for further replies.

tvbruwae

Programmer
Aug 9, 2001
224
EU
Hi

I am working on a script to replicate account settings between two AD domains. One topic is the parameter "user cannot change password". The "problem" with enabling this setting is that I have two pieces of code that seem to do it:

Code:
' UF_PASSWD_CANT_CHANGE bit; the WinNT: provider turns it into the deny ACEs on the object
Const ADS_UF_PASSWD_CANT_CHANGE = &H0040
Set objUser = GetObject("WinNT://mydomain.com/UserID")
' OR the bit into the current flags so the account's other flags are preserved
objPasswordNoChangeFlag = objUser.UserFlags Or ADS_UF_PASSWD_CANT_CHANGE
objUser.Put "UserFlags", objPasswordNoChangeFlag
objUser.SetInfo

or:

Code:
' Constants the script relies on (ADSI type library values and the AD schema GUID)
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
' rightsGuid of the User-Change-Password extended right
Const CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"

' NOTE: ntSecurityDescriptor is only exposed by the LDAP: provider; the WinNT: binding
' used here will fail at the Get below
Set objUser = GetObject("WinNT://mydomain.com/UserID")
Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
' "User cannot change password" is two deny ACEs on the extended right: SELF and Everyone
arrTrustees = Array("nt authority\self", "EVERYONE")
For Each strTrustee In arrTrustees
	Set objACE = CreateObject("AccessControlEntry")
	objACE.Trustee = strTrustee
	objACE.AceFlags = 0
	objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
	objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
	objACE.ObjectType = CHANGE_PASSWORD_GUID
	objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
	objDACL.AddAce objACE
Next
objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo

Since there is so much difference between those two code samples, I was wondering if I can just pick either one to do what I need, or if I should pay attention to some conditions? Can anyone help me out with this?

Thanks!
 
The ntSecurityDescriptor is available via the LDAP: provider and is not available to WinNT: as used in the first script. Hence, the 2nd script would essentially be a non-starter. You could stick to the first approach.
 
OK, so there is no difference in what the code actually does then. Thanks for the answer!
 
The 2nd script can be useful if your user is referenced via the LDAP: provider - that's what I meant by non-starter. Furthermore, you may perhaps not be interested at this moment, but the 2nd script, though it looks impressively like it is doing "more" and grand, in fact has a few more hidden limitations as they apply in the real world. The references to the nt authority\self and everyone accounts are limited to a system that is not localized into any other international language. Otherwise, you have to add many more twists to it to make it work. The first script suffers no such limitation, though it looks a bit old-school in its appeal.
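As an added example (not code from the thread or from either poster), here is the same change done from PowerShell against an LDAP-bound user with the .NET System.DirectoryServices classes. It writes the two deny ACEs on the User-Change-Password extended right using the well-known SIDs S-1-5-10 (SELF) and S-1-1-0 (Everyone) instead of the display names, which sidesteps the localization caveat raised above, and then reads the DACL back to confirm both deny ACEs are present. The LDAP path and the function names are assumed placeholders.

```powershell
# Added example, not from the original thread. Sets or clears "User cannot change password"
# on an LDAP-bound user by writing the two deny ACEs for the User-Change-Password extended
# right, then verifies them. The LDAP path below is an assumed placeholder for your domain.

Add-Type -AssemblyName System.DirectoryServices

# rightsGuid of the User-Change-Password control access right in the AD schema
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Well-known SIDs for NT AUTHORITY\SELF and Everyone. Binding the ACEs to SIDs rather
# than to "nt authority\self" / "EVERYONE" also works on localized installs, where those
# display names differ.
$Trustees = @(
    New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')   # SELF
    New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')    # Everyone
)

function Set-CannotChangePassword {
    param(
        # Assumed placeholder, e.g. 'LDAP://CN=UserID,OU=Users,DC=mydomain,DC=com'
        [Parameter(Mandatory)][string]$LdapPath,
        [bool]$Enabled = $true
    )
    $user = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $sd   = $user.ObjectSecurity   # ActiveDirectorySecurity wrapping nTSecurityDescriptor

    foreach ($sid in $Trustees) {
        # Object-specific deny ACE: ExtendedRight, limited to the change-password GUID
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $ChangePasswordGuid)
        if ($Enabled) { $sd.AddAccessRule($rule) }
        else          { [void]$sd.RemoveAccessRule($rule) }
    }
    # CommitChanges writes the modified security descriptor back to the directory
    $user.CommitChanges()
}

function Test-CannotChangePassword {
    param([Parameter(Mandatory)][string]$LdapPath)
    $user  = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    # Explicit (non-inherited) rules, identities reported as SIDs
    $rules = $user.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    $deniedSids = @($rules | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
        $_.ObjectType -eq $ChangePasswordGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    } | ForEach-Object { $_.IdentityReference.Value })

    # True only when SELF and Everyone are both denied the right
    $missing = $Trustees | Where-Object { $deniedSids -notcontains $_.Value }
    return (@($missing).Count -eq 0)
}

# Usage (assumed path)
$path = 'LDAP://CN=UserID,OU=Users,DC=mydomain,DC=com'
Set-CannotChangePassword -LdapPath $path -Enabled $true
Test-CannotChangePassword -LdapPath $path
```

With the ActiveDirectory module installed, `Set-ADUser UserID -CannotChangePassword $true` and `Get-ADUser UserID -Properties CannotChangePassword` do the same set and check. One caveat for the cross-domain replication use case: the 0x40 bit is never stored in userAccountControl, so reading userAccountControl over LDAP from the source domain will not show it; read the setting from the DACL (or the CannotChangePassword property) instead.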
 