Detecting "user cannot change password" in windows 2000 with a script

Status
Not open for further replies.

Meldric

MIS
Sep 5, 2001
139
US
I have a need to find out what users on a Windows 2000 network have the box "User cannot change password" checked.

I know how to iterate through the users and detect the simple things such as username, dial-in permissions, etc., but I am not having any luck detecting whether the &H0040 flag is set in userAccountControl.

A simple test case is below for our network:

dim test,testand

const UF_PASSWD_CANT_CHANGE = &H0040

set oUserObj = GetObject("LDAP://CN=A User,OU=Users,DC=TEST,DC=COM")

test = oUserObj.userAccountControl
testand = test and UF_PASSWD_CANT_CHANGE

MsgBox "UserAccountControl:" & Chr(9) & test
MsgBox "and:" & Chr(9) & testand

set oUserObj = Nothing
wscript.exit

Theoretically if the flag is set the testand should be a 1 and if it is not set it should be a 0. However, this is not working; the value is always a 0. Any ideas on what I am doing wrong?

Thank you for your time.
Roger
 
Hello, Meldric.

A couple of points you've to look into.

[1] test = oUserObj.userAccountControl
Should be read as:
test = oUserObj.Get("userAccountControl")

You can simply insert a line such as
WScript.Echo typename(test)
to monitor the correctness during debugging.

[2] testand = test and UF_PASSWD_CANT_CHANGE
The testand would take on &H0040 or &H0000 depending on whether the particular bit is on or off. So you should anticipate either 0 or 64 in decimal value of testand.

[3] WScript.exit
WScript has no such method. Should be read as:
WScript.Quit

regards - tsuji
 
Thank you for the response tsuji.

I have made the changes you recommended and I am still not getting the results expected. I know a particular user is locked out and have run the script on that user and I still get a "0" for a response. Below is the updated script:
Code:
dim test,testand

const UF_PASSWD_CANT_CHANGE = &H0040

set oUserObj = GetObject("LDAP://CN=A User,OU=Users,DC=TEST,DC=COM")

test = oUserObj.get("userAccountControl")
testand = test and UF_PASSWD_CANT_CHANGE

wscript.echo "UserAccountControl:" & Chr(9) & test
wscript.echo "and:" & Chr(9) & testand

set oUserObj = Nothing
wscript.quit
I do not see any further flaws in my scripting (as you can tell I am fairly new to scripting), but I am hoping I am missing something simple.

Thanks again for your time.

Roger
 
Above message should read "cannot change password" not locked out... sorry... Working on querying both.

Roger
 
Hello, again.

Do you get something out of test like normal account of something at least? Check what typename(test) gives.

If nothing abnormal there, may boil down to oUserObj. Is the container properly set? Am not ready to risk speculation in that regard.

Maybe somebody can join in?

regards - tsuji
 
Tsuji

Using ADSI browser I can find the actual property in the container. Unfortunately, documentation on the active directory is difficult to come by (at least up to date documentation). I have a book coming that may help in that regard.

There are values in userAccountControl, but the strange thing is they do not seem to be affected by *just* the "User Cannot Change Password" check box. If you check that box and "Password Never Expires" the value changes. This directly contradicts what Microsoft has on their site, but to give them credit they have said that this documentation may change at any time. Also the documentation came out way in the beginning of ADS.

I am beginning to wonder if that property is even showing what I am looking for. I am poring through Active Directory Schema literature and everyone says this is the property I want, but empirical evidence is proving otherwise.

Thank you for your help Tsuji.

Roger
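
Added example, not part of the original thread: under the LDAP provider, Active Directory stores the "User cannot change password" check box as two deny ACEs on the user object (the Change Password control access right denied to Everyone and to SELF), not as the &H0040 bit of userAccountControl, so the check has to read the object's DACL. The script below does that through ADSI; the function name and the DENY_* constants are made up for this example, the DN is the test user from the thread, and the trustee strings assume an English-language system.

```vbscript
Option Explicit

' ADSI ACE type for an object-specific "deny" entry.
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
' rightsGuid of the "Change Password" control access right.
Const CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"

' Bit values returned by ChangePasswordDenyState (names invented for this example).
Const DENY_EVERYONE = 1
Const DENY_SELF = 2

' Returns a bitmask saying which of the two deny ACEs exist on the user object.
Function ChangePasswordDenyState(sAdsPath)
    Dim oUser, oSD, oAce, nState
    nState = 0
    Set oUser = GetObject(sAdsPath)
    Set oSD = oUser.Get("ntSecurityDescriptor")
    For Each oAce In oSD.DiscretionaryAcl
        If oAce.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
            If UCase(oAce.ObjectType) = CHANGE_PASSWORD_GUID Then
                ' Trustee names are localized; these match an English system.
                Select Case UCase(oAce.Trustee)
                    Case "EVERYONE"
                        nState = nState Or DENY_EVERYONE
                    Case "NT AUTHORITY\SELF"
                        nState = nState Or DENY_SELF
                End Select
            End If
        End If
    Next
    ChangePasswordDenyState = nState
End Function

Dim nResult
nResult = ChangePasswordDenyState("LDAP://CN=A User,OU=Users,DC=TEST,DC=COM")

WScript.Echo "Deny ACE for Everyone:" & Chr(9) & CBool(nResult And DENY_EVERYONE)
WScript.Echo "Deny ACE for SELF:" & Chr(9) & CBool(nResult And DENY_SELF)
' The check box corresponds to both ACEs being present; a single ACE
' means the DACL was edited by hand and is worth reviewing.
WScript.Echo "Cannot change password:" & Chr(9) & _
    CBool(nResult = (DENY_EVERYONE Or DENY_SELF))

WScript.Quit
```

Run it with cscript.exe under an account that can read the user object's security descriptor.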
 